diff --git a/DOWNLOAD_AND_VERIFY_ISO.md b/DOWNLOAD_AND_VERIFY_ISO.md index 1e6299a8e..dabfd285c 100644 --- a/DOWNLOAD_AND_VERIFY_ISO.md +++ b/DOWNLOAD_AND_VERIFY_ISO.md @@ -1,18 +1,18 @@ -### 2.4.10-20230821 ISO image released on 2023/08/21 +### 2.4.20-20231006 ISO image released on 2023/10/06 ### Download and Verify -2.4.10-20230821 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.4.10-20230821.iso +2.4.20-20231006 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.4.20-20231006.iso -MD5: 353EB36F807DC947F08F79B3DCFA420E -SHA1: B25E3BEDB81BBEF319DC710267E6D78422F39C56 -SHA256: 3D369E92FEB65D14E1A981E99FA223DA52C92057A037C243AD6332B6B9A6D9BC +MD5: 269F00308C53976BF0EAE788D1DB29DB +SHA1: 3F7C2324AE1271112F3B752BA4724AF36688FC27 +SHA256: 542B8B3F4F75AD24DC78007F8FE0857E00DC4CC9F4870154DCB8D5D0C4144B65 Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.10-20230821.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.20-20231006.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS @@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2. Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.10-20230821.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.20-20231006.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.4.10-20230821.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.4.20-20231006.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.4.10-20230821.iso.sig securityonion-2.4.10-20230821.iso +gpg --verify securityonion-2.4.20-20231006.iso.sig securityonion-2.4.20-20231006.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Mon 21 Aug 2023 09:47:50 AM EDT using RSA key ID FE507013 +gpg: Signature made Tue 03 Oct 2023 11:40:51 AM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. diff --git a/HOTFIX b/HOTFIX index 2fd1e16d4..d3f5a12fa 100644 --- a/HOTFIX +++ b/HOTFIX @@ -1 +1 @@ -20230821 + diff --git a/VERSION b/VERSION index b0f6bf0cd..a3ab5389f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4.10 +2.4.20 diff --git a/pillar/top.sls b/pillar/top.sls index 4893c44f9..53ec8a330 100644 --- a/pillar/top.sls +++ b/pillar/top.sls @@ -4,14 +4,9 @@ base: - global.adv_global - docker.soc_docker - docker.adv_docker - - firewall.soc_firewall - - firewall.adv_firewall - influxdb.token - logrotate.soc_logrotate - logrotate.adv_logrotate - - nginx.soc_nginx - - nginx.adv_nginx - - node_data.ips - ntp.soc_ntp - ntp.adv_ntp - patch.needs_restarting @@ -22,6 +17,13 @@ base: - telegraf.soc_telegraf - telegraf.adv_telegraf + '* and not *_desktop': + - firewall.soc_firewall + - firewall.adv_firewall + - nginx.soc_nginx + - nginx.adv_nginx + - node_data.ips + '*_manager or *_managersearch': - match: compound {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %} diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja index a3c5c75ab..4e3e57f9c 100644 --- a/salt/allowed_states.map.jinja +++ b/salt/allowed_states.map.jinja @@ -188,6 +188,9 @@ 'docker_clean' ], 'so-desktop': [ + 'ssl', + 'docker_clean', + 'telegraf' ], }, grain='role') %} diff --git a/salt/common/packages.sls b/salt/common/packages.sls index 5f4a348e7..c5d2729fd 100644 --- a/salt/common/packages.sls +++ b/salt/common/packages.sls @@ -21,7 +21,6 @@ commonpkgs: - python3-dateutil - python3-docker - python3-packaging - - python3-watchdog - python3-lxml - git - rsync @@ -47,10 +46,16 @@ python-rich: {% endif %} {% if GLOBALS.os_family == 'RedHat' %} + +remove_mariadb: + pkg.removed: + - name: mariadb-devel + commonpkgs: pkg.installed: - skip_suggestions: True - pkgs: + - python3-dnf-plugin-versionlock - curl - device-mapper-persistent-data - fuse @@ -63,26 +68,19 @@ commonpkgs: - httpd-tools - jq - lvm2 - {% if GLOBALS.os == 'CentOS Stream' %} - - MariaDB-devel - {% else %} - - mariadb-devel - {% endif %} - net-tools - nmap-ncat - - openssl - procps-ng - - python3-dnf-plugin-versionlock - python3-docker - python3-m2crypto - python3-packaging - python3-pyyaml - python3-rich - - python3-watchdog - rsync - sqlite - tcpdump - unzip - wget - yum-utils + {% endif %} diff --git a/salt/common/soup_scripts.sls b/salt/common/soup_scripts.sls index 8dff85ddb..041649200 100644 --- a/salt/common/soup_scripts.sls +++ b/salt/common/soup_scripts.sls @@ -19,4 +19,5 @@ soup_manager_scripts: - source: salt://manager/tools/sbin - include_pat: - so-firewall - - soup \ No newline at end of file + - so-repo-sync + - soup diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index a76aab1f1..f754b34ef 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common @@ -154,13 +154,11 @@ check_salt_minion_status() { return $status } - - copy_new_files() { # Copy new files over to the salt dir cd $UPDATE_DIR - rsync -a salt $DEFAULT_SALT_DIR/ - rsync -a pillar $DEFAULT_SALT_DIR/ + rsync -a salt $DEFAULT_SALT_DIR/ --delete + rsync -a pillar $DEFAULT_SALT_DIR/ --delete chown -R socore:socore $DEFAULT_SALT_DIR/ chmod 755 $DEFAULT_SALT_DIR/pillar/firewall/addfirewall.sh cd /tmp @@ -242,7 +240,7 @@ gpg_rpm_import() { else local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/$OS/keys" fi - RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub' 'MariaDB-Server-GPG-KEY') + RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub') for RPMKEY in "${RPMKEYS[@]}"; do rpm --import $RPMKEYSLOC/$RPMKEY echo "Imported $RPMKEY" @@ -446,6 +444,10 @@ set_os() { OS=centos OSVER=9 is_centos=true + elif grep -q "Oracle Linux Server release 9" /etc/system-release; then + OS=oel + OSVER=9 + is_oracle=true fi cron_service_name="crond" else diff --git a/salt/common/tools/sbin/so-log-check b/salt/common/tools/sbin/so-log-check new file mode 100755 index 000000000..c2d16fd86 --- /dev/null +++ b/salt/common/tools/sbin/so-log-check @@ -0,0 +1,233 @@ +#!/bin/bash +# +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +. /usr/sbin/so-common + +RECENT_LOG_LINES=200 +EXCLUDE_STARTUP_ERRORS=N +EXCLUDE_FALSE_POSITIVE_ERRORS=N +EXCLUDE_KNOWN_ERRORS=N + +while [[ $# -gt 0 ]]; do + case $1 in + --exclude-connection-errors) + EXCLUDE_STARTUP_ERRORS=Y + ;; + --exclude-false-positives) + EXCLUDE_FALSE_POSITIVE_ERRORS=Y + ;; + --exclude-known-errors) + EXCLUDE_KNOWN_ERRORS=Y + ;; + --unknown) + EXCLUDE_STARTUP_ERRORS=Y + EXCLUDE_FALSE_POSITIVE_ERRORS=Y + EXCLUDE_KNOWN_ERRORS=Y + ;; + --recent-log-lines) + shift + RECENT_LOG_LINES=$1 + ;; + *) + echo "Usage: $0 [options]" + echo "" + echo "where options are:" + echo " --recent-log-lines N looks at the most recent N log lines per file or container; defaults to 200" + echo " --exclude-connection-errors exclude errors caused by a recent server or container restart" + echo " --exclude-false-positives exclude logs that are known false positives" + echo " --exclude-known-errors exclude errors that are known and non-critical issues" + echo " --unknown exclude everything mentioned above; only show unknown errors" + echo "" + echo "A non-zero return value indicates errors were found" + exit 1 + ;; + esac + shift +done + +echo "Security Onion Log Check - $(date)" +echo "-------------------------------------------" +echo "" +echo "- RECENT_LOG_LINES: $RECENT_LOG_LINES" +echo "- EXCLUDE_STARTUP_ERRORS: $EXCLUDE_STARTUP_ERRORS" +echo "- EXCLUDE_FALSE_POSITIVE_ERRORS: $EXCLUDE_FALSE_POSITIVE_ERRORS" +echo "- EXCLUDE_KNOWN_ERRORS: $EXCLUDE_KNOWN_ERRORS" +echo "" + +function status() { + header "$1" +} + +function exclude_container() { + name=$1 + + exclude_id=$(docker ps | grep "$name" | awk '{print $1}') + if [[ -n "$exclude_id" ]]; then + CONTAINER_IDS=$(echo $CONTAINER_IDS | sed -e "s/$exclude_id//g") + return $? + fi + return $? +} + +function exclude_log() { + name=$1 + + cat /tmp/log_check_files | grep -v $name > /tmp/log_check_files.new + mv /tmp/log_check_files.new /tmp/log_check_files +} + +function check_for_errors() { + if cat /tmp/log_check | grep -i error | grep -vEi "$EXCLUDED_ERRORS"; then + RESULT=1 + fi +} + +EXCLUDED_ERRORS="__LOG_CHECK_PLACEHOLDER_EXCLUSION__" + +if [[ $EXCLUDE_STARTUP_ERRORS == 'Y' ]]; then + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|database is locked" # server not yet ready + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|econnreset" # server not yet ready + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|unreachable" # server not yet ready (logstash waiting on elastic) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|shutdown process" # server not yet ready (logstash waiting on elastic) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|contain valid certificates" # server not yet ready (logstash waiting on elastic) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|failedaction" # server not yet ready (logstash waiting on elastic) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|no route to host" # server not yet ready + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|not running" # server not yet ready + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|unavailable" # server not yet ready + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|request.py" # server not yet ready (python stack output) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|httperror" # server not yet ready + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|servfail" # server not yet ready + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|connect" # server not yet ready + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|missing shards" # server not yet ready + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|failed to send metrics" # server not yet ready + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|broken pipe" # server not yet ready + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|status: 502" # server not yet ready (nginx waiting on upstream) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|timeout exceeded" # server not yet ready (telegraf waiting on elasticsearch) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|influxsize kbytes" # server not yet ready (telegraf waiting on influx) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|expected field at" # server not yet ready (telegraf waiting on health data) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|cached the public key" # server not yet ready (salt minion waiting on key acceptance) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|no ingest nodes" # server not yet ready (logstash waiting on elastic) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|failed to poll" # server not yet ready (sensoroni waiting on soc) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|minions returned with non" # server not yet ready (salt waiting on minions) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|so_long_term" # server not yet ready (influxdb not yet setup) +fi + +if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|elastalert_status_error" # false positive + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|elastalert_error" # false positive + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|error: '0'" # false positive + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|errors_index" # false positive + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|noerror" # false positive + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|outofmemoryerror" # false positive (elastic command line) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|adding component template" # false positive (elastic security) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|adding index template" # false positive (elastic security) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|fs_errors" # false positive (suricata stats) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|error-template" # false positive (elastic templates) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|deprecated" # false positive (playbook) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|windows" # false positive (playbook) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|could cause errors" # false positive (playbook) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|_error.yml" # false positive (playbook) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|id.orig_h" # false positive (zeek test data) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|emerging-all.rules" # false positive (error in rulename) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|invalid query input" # false positive (Invalid user input in hunt query) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|example" # false positive (example test data) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|status 200" # false positive (request successful, contained error string in content) +fi + +if [[ $EXCLUDE_KNOWN_ERRORS == 'Y' ]]; then + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|eof" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|raise" # redis/python generic stack line, rely on other lines for actual error + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|fail\\(error\\)" # redis/python generic stack line, rely on other lines for actual error + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|urlerror" # idstools connection timeout + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|timeouterror" # idstools connection timeout + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|forbidden" # playbook + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|_ml" # Elastic ML errors + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|context canceled" # elastic agent during shutdown + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|exited with code 128" # soctopus errors during forced restart by highstate + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|geoip databases update" # airgap can't update GeoIP DB + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|filenotfounderror" # bug in 2.4.10 filecheck salt state caused duplicate cronjobs + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|salt-minion-check" # bug in early 2.4 place Jinja script in non-jinja salt dir causing cron output errors + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|generating elastalert config" # playbook expected error + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|activerecord" # playbook expected error + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|monitoring.metrics" # known issue with elastic agent casting the field incorrectly if an integer value shows up before a float + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|repodownload.conf" # known issue with reposync on pre-2.4.20 + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|missing versions record" # stenographer corrupt index + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|soc.field." # known ingest type collisions issue with earlier versions of SO + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|iteration" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|communication packets" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|use of closed" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|bookkeeper" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|noindices" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|failed to start transient scope" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|so-user.lock exists" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|systemd-run" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|retcode: 1" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|telemetry-task" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|redisqueue" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|fleet_detail_query" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|num errors=0" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|provisioning/alerting" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|provisioning/notifiers" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|provisoning/plugins" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|active-responses.log" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|scanentropy" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|integration policy" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|blob unknown" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|token required" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|zeekcaptureloss" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|unable to create detection" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|error installing new prebuilt rules" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|parent.error" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|req.LocalMeta.host.ip" # known issue in GH + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|sendmail" # zeek + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|stats.log" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|context deadline exceeded" +fi + +RESULT=0 + +# Check Security Onion container stdout/stderr logs +CONTAINER_IDS=$(docker ps -q) +exclude_container so-kibana # kibana error logs are too verbose with large varieties of errors most of which are temporary +exclude_container so-idstools # ignore due to known issues and noisy logging +exclude_container so-playbook # ignore due to several playbook known issues + +for container_id in $CONTAINER_IDS; do + container_name=$(docker ps --format json | jq ". | select(.ID==\"$container_id\")|.Names") + status "Checking container $container_name" + docker logs -n $RECENT_LOG_LINES $container_id > /tmp/log_check 2>&1 + check_for_errors +done + +# Check Security Onion related log files +find /opt/so/log/ /nsm -name \*.log > /tmp/log_check_files +if [[ -f /var/log/cron ]]; then + echo "/var/log/cron" >> /tmp/log_check_files +fi +exclude_log "kibana.log" # kibana error logs are too verbose with large varieties of errors most of which are temporary +exclude_log "spool" # disregard zeek analyze logs as this is data specific +exclude_log "import" # disregard imported test data the contains error strings +exclude_log "update.log" # ignore playbook updates due to several known issues +exclude_log "playbook.log" # ignore due to several playbook known issues + +for log_file in $(cat /tmp/log_check_files); do + status "Checking log file $log_file" + tail -n $RECENT_LOG_LINES $log_file > /tmp/log_check + check_for_errors +done + +# Cleanup temp files +rm -f /tmp/log_check_files +rm -f /tmp/log_check + +if [[ $RESULT -eq 0 ]]; then + echo -e "\nResult: No errors found" +else + echo -e "\nResult: One or more errors found" +fi + +exit $RESULT \ No newline at end of file diff --git a/salt/common/tools/sbin/so-test b/salt/common/tools/sbin/so-test index 8d6bcf4e1..01b4da637 100755 --- a/salt/common/tools/sbin/so-test +++ b/salt/common/tools/sbin/so-test @@ -5,4 +5,14 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. +. /usr/sbin/so-common + +set -e + +# Playback live sample data onto monitor interface so-tcpreplay /opt/samples/* 2> /dev/null + +# Ingest sample pfsense log entry +if is_sensor_node; then + echo "<134>$(date '+%b %d %H:%M:%S') filterlog[31624]: 84,,,1567509287,igb0.244,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,64,192.168.1.1,10.10.10.10,56320,443,0,S,3333585167,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol" | nc -uv -w1 127.0.0.1 514 > /dev/null 2>&1 +fi diff --git a/salt/common/tools/sbin_jinja/so-import-evtx b/salt/common/tools/sbin_jinja/so-import-evtx index 59a13612c..d12f34593 100755 --- a/salt/common/tools/sbin_jinja/so-import-evtx +++ b/salt/common/tools/sbin_jinja/so-import-evtx @@ -80,8 +80,8 @@ function evtx2es() { -e "SHIFTTS=$SHIFTDATE" \ -v "$EVTX:/tmp/data.evtx" \ -v "/nsm/import/$HASH/evtx/:/tmp/evtx/" \ - -v "/nsm/import/evtx-end_newest:/tmp/newest" \ - -v "/nsm/import/evtx-start_oldest:/tmp/oldest" \ + -v "/nsm/import/$HASH/evtx-end_newest:/tmp/newest" \ + -v "/nsm/import/$HASH/evtx-start_oldest:/tmp/oldest" \ --entrypoint "/evtx_calc_timestamps.sh" \ {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-pcaptools:{{ VERSION }} >> $LOG_FILE 2>&1 } @@ -111,12 +111,6 @@ INVALID_EVTXS_COUNT=0 VALID_EVTXS_COUNT=0 SKIPPED_EVTXS_COUNT=0 -touch /nsm/import/evtx-start_oldest -touch /nsm/import/evtx-end_newest - -echo $START_OLDEST > /nsm/import/evtx-start_oldest -echo $END_NEWEST > /nsm/import/evtx-end_newest - # paths must be quoted in case they include spaces for EVTX in $INPUT_FILES; do EVTX=$(/usr/bin/realpath "$EVTX") @@ -141,8 +135,15 @@ for EVTX in $INPUT_FILES; do status "- this EVTX has already been imported; skipping" SKIPPED_EVTXS_COUNT=$((SKIPPED_EVTXS_COUNT + 1)) else + # create EVTX directory EVTX_DIR=$HASH_DIR/evtx mkdir -p $EVTX_DIR + # create import timestamp files + for i in evtx-start_oldest evtx-end_newest; do + if ! [ -f "$i" ]; then + touch /nsm/import/$HASH/$i + fi + done # import evtx and write them to import ingest pipeline status "- importing logs to Elasticsearch..." @@ -154,28 +155,37 @@ for EVTX in $INPUT_FILES; do VALID_EVTXS_COUNT=$((VALID_EVTXS_COUNT + 1)) fi - # compare $START to $START_OLDEST - START=$(cat /nsm/import/evtx-start_oldest) - START_COMPARE=$(date -d $START +%s) - START_OLDEST_COMPARE=$(date -d $START_OLDEST +%s) - if [ $START_COMPARE -lt $START_OLDEST_COMPARE ]; then - START_OLDEST=$START - fi - - # compare $ENDNEXT to $END_NEWEST - END=$(cat /nsm/import/evtx-end_newest) - ENDNEXT=`date +%Y-%m-%d --date="$END 1 day"` - ENDNEXT_COMPARE=$(date -d $ENDNEXT +%s) - END_NEWEST_COMPARE=$(date -d $END_NEWEST +%s) - if [ $ENDNEXT_COMPARE -gt $END_NEWEST_COMPARE ]; then - END_NEWEST=$ENDNEXT - fi - cp -f "${EVTX}" "${EVTX_DIR}"/data.evtx chmod 644 "${EVTX_DIR}"/data.evtx fi # end of valid evtx + # determine start and end and make sure they aren't reversed + START=$(cat /nsm/import/$HASH/evtx-start_oldest) + END=$(cat /nsm/import/$HASH/evtx-end_newest) + START_EPOCH=`date -d "$START" +"%s"` + END_EPOCH=`date -d "$END" +"%s"` + if [ "$START_EPOCH" -gt "$END_EPOCH" ]; then + TEMP=$START + START=$END + END=$TEMP + fi + + # compare $START to $START_OLDEST + START_COMPARE=$(date -d $START +%s) + START_OLDEST_COMPARE=$(date -d $START_OLDEST +%s) + if [ $START_COMPARE -lt $START_OLDEST_COMPARE ]; then + START_OLDEST=$START + fi + + # compare $ENDNEXT to $END_NEWEST + ENDNEXT=`date +%Y-%m-%d --date="$END 1 day"` + ENDNEXT_COMPARE=$(date -d $ENDNEXT +%s) + END_NEWEST_COMPARE=$(date -d $END_NEWEST +%s) + if [ $ENDNEXT_COMPARE -gt $END_NEWEST_COMPARE ]; then + END_NEWEST=$ENDNEXT + fi + status done # end of for-loop processing evtx files diff --git a/salt/common/tools/sbin/so-salt-minion-check b/salt/common/tools/sbin_jinja/so-salt-minion-check similarity index 100% rename from salt/common/tools/sbin/so-salt-minion-check rename to salt/common/tools/sbin_jinja/so-salt-minion-check diff --git a/salt/desktop/packages.sls b/salt/desktop/packages.sls index 524c2c266..3817f2e80 100644 --- a/salt/desktop/packages.sls +++ b/salt/desktop/packages.sls @@ -1,7 +1,5 @@ -{% from 'vars/globals.map.jinja' import GLOBALS %} - {# we only want this state to run it is CentOS #} -{% if GLOBALS.os == 'OEL' %} +{% if grains.os == 'OEL' %} desktop_packages: pkg.installed: diff --git a/salt/desktop/remove_gui.sls b/salt/desktop/remove_gui.sls index 53d927cbe..d8de07a9a 100644 --- a/salt/desktop/remove_gui.sls +++ b/salt/desktop/remove_gui.sls @@ -1,7 +1,5 @@ -{% from 'vars/globals.map.jinja' import GLOBALS %} - {# we only want this state to run it is CentOS #} -{% if GLOBALS.os == 'OEL' %} +{% if grains.os == 'OEL' %} remove_graphical_target: file.symlink: diff --git a/salt/desktop/scripts/convert-gnome-classic.sh b/salt/desktop/scripts/convert-gnome-classic.sh deleted file mode 100644 index e69a43b2d..000000000 --- a/salt/desktop/scripts/convert-gnome-classic.sh +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/bash -echo "Setting default session to gnome-classic" -cp /usr/share/accountsservice/user-templates/standard /etc/accountsservice/user-templates/ -sed -i 's|Session=gnome|Session=gnome-classic|g' /etc/accountsservice/user-templates/standard diff --git a/salt/desktop/xwindows.sls b/salt/desktop/xwindows.sls index b18109d45..85da0590c 100644 --- a/salt/desktop/xwindows.sls +++ b/salt/desktop/xwindows.sls @@ -1,7 +1,5 @@ -{% from 'vars/globals.map.jinja' import GLOBALS %} - {# we only want this state to run it is CentOS #} -{% if GLOBALS.os == 'OEL' %} +{% if grains.os == 'OEL' %} include: - desktop.packages @@ -14,10 +12,7 @@ graphical_target: - require: - desktop_packages -convert_gnome_classic: - cmd.script: - - name: salt://desktop/scripts/convert-gnome-classic.sh - +{# set users to use gnome-classic #} {% for username in salt['file.find'](path='/home/',mindepth=1,maxdepth=1,type='d') %} {% set username = username.split('/')[2] %} {% if username != 'zeek' %} diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml index e39feaf06..a5d6c5d6d 100644 --- a/salt/docker/defaults.yaml +++ b/salt/docker/defaults.yaml @@ -178,6 +178,9 @@ docker: extra_env: [] 'so-elastic-agent': final_octet: 46 + port_bindings: + - 0.0.0.0:514:514/tcp + - 0.0.0.0:514:514/udp custom_bind_mounts: [] extra_hosts: [] extra_env: [] diff --git a/salt/docker/soc_docker.yaml b/salt/docker/soc_docker.yaml index 82f59e4dc..d227a3e85 100644 --- a/salt/docker/soc_docker.yaml +++ b/salt/docker/soc_docker.yaml @@ -8,7 +8,7 @@ docker: helpLink: docker.html advanced: True containers: - so-curator: &dockerOptions + so-dockerregistry: &dockerOptions final_octet: description: Last octet of the container IP address. helpLink: docker.html @@ -20,6 +20,7 @@ docker: helpLink: docker.html advanced: True multiline: True + forcedType: "[]string" custom_bind_mounts: description: List of custom local volume bindings. advanced: True @@ -38,12 +39,8 @@ docker: helpLink: docker.html multiline: True forcedType: "[]string" - so-dockerregistry: *dockerOptions - so-elastalert: *dockerOptions - so-elastic-fleet-package-registry: *dockerOptions so-elastic-fleet: *dockerOptions so-elasticsearch: *dockerOptions - so-idh: *dockerOptions so-idstools: *dockerOptions so-influxdb: *dockerOptions so-kibana: *dockerOptions @@ -53,11 +50,21 @@ docker: so-nginx: *dockerOptions so-playbook: *dockerOptions so-redis: *dockerOptions + so-sensoroni: *dockerOptions so-soc: *dockerOptions so-soctopus: *dockerOptions so-strelka-backend: *dockerOptions - so-strelka-coordinator: *dockerOptions so-strelka-filestream: *dockerOptions so-strelka-frontend: *dockerOptions - so-strelka-gatekeeper: *dockerOptions so-strelka-manager: *dockerOptions + so-strelka-gatekeeper: *dockerOptions + so-strelka-coordinator: *dockerOptions + so-elastalert: *dockerOptions + so-curator: *dockerOptions + so-elastic-fleet-package-registry: *dockerOptions + so-idh: *dockerOptions + so-elastic-agent: *dockerOptions + so-telegraf: *dockerOptions + so-steno: *dockerOptions + so-suricata: *dockerOptions + so-zeek: *dockerOptions diff --git a/salt/docker_clean/init.sls b/salt/docker_clean/init.sls index c11af4f56..ee60f5591 100644 --- a/salt/docker_clean/init.sls +++ b/salt/docker_clean/init.sls @@ -9,6 +9,7 @@ prune_images: cmd.run: - name: so-docker-prune + - order: last {% else %} diff --git a/salt/elasticagent/enabled.sls b/salt/elasticagent/enabled.sls index 963b8549b..7d0f401e9 100644 --- a/salt/elasticagent/enabled.sls +++ b/salt/elasticagent/enabled.sls @@ -31,6 +31,10 @@ so-elastic-agent: - {{ XTRAHOST }} {% endfor %} {% endif %} + - port_bindings: + {% for BINDING in DOCKER.containers['so-elastic-agent'].port_bindings %} + - {{ BINDING }} + {% endfor %} - binds: - /opt/so/conf/elastic-agent/elastic-agent.yml:/usr/share/elastic-agent/elastic-agent.yml:ro - /opt/so/log/elasticagent:/usr/share/elastic-agent/logs diff --git a/salt/elasticagent/files/elastic-agent.yml.jinja b/salt/elasticagent/files/elastic-agent.yml.jinja index 92aacfa44..7d0b93344 100644 --- a/salt/elasticagent/files/elastic-agent.yml.jinja +++ b/salt/elasticagent/files/elastic-agent.yml.jinja @@ -430,3 +430,54 @@ inputs: exclude_files: - >- broker|capture_loss|cluster|ecat_arp_info|known_hosts|known_services|loaded_scripts|ntp|ocsp|packet_filter|reporter|stats|stderr|stdout.log$ + - id: udp-udp-35051de0-46a5-11ee-8d5d-9f98c8182f60 + name: syslog-udp-514 + revision: 3 + type: udp + use_output: default + meta: + package: + name: udp + version: 1.10.0 + data_stream: + namespace: so + package_policy_id: 35051de0-46a5-11ee-8d5d-9f98c8182f60 + streams: + - id: udp-udp.generic-35051de0-46a5-11ee-8d5d-9f98c8182f60 + data_stream: + dataset: syslog + pipeline: syslog + host: '0.0.0.0:514' + max_message_size: 10KiB + processors: + - add_fields: + fields: + module: syslog + target: event + tags: + - syslog + - id: tcp-tcp-33d37bb0-46a5-11ee-8d5d-9f98c8182f60 + name: syslog-tcp-514 + revision: 3 + type: tcp + use_output: default + meta: + package: + name: tcp + version: 1.10.0 + data_stream: + namespace: so + package_policy_id: 33d37bb0-46a5-11ee-8d5d-9f98c8182f60 + streams: + - id: tcp-tcp.generic-33d37bb0-46a5-11ee-8d5d-9f98c8182f60 + data_stream: + dataset: syslog + pipeline: syslog + host: '0.0.0.0:514' + processors: + - add_fields: + fields: + module: syslog + target: event + tags: + - syslog diff --git a/salt/elasticfleet/config.sls b/salt/elasticfleet/config.sls index 902b5eb4c..d2e357c91 100644 --- a/salt/elasticfleet/config.sls +++ b/salt/elasticfleet/config.sls @@ -37,6 +37,8 @@ elasticfleet_sbin_jinja: - group: 939 - file_mode: 755 - template: jinja + - exclude_pat: + - so-elastic-fleet-package-upgrade # exclude this because we need to watch it for changes eaconfdir: file.directory: @@ -59,6 +61,14 @@ eastatedir: - group: 939 - makedirs: True +eapackageupgrade: + file.managed: + - name: /usr/sbin/so-elastic-fleet-package-upgrade + - source: salt://elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-upgrade + - user: 947 + - group: 939 + - template: jinja + {% if GLOBALS.role != "so-fleet" %} eaintegrationsdir: file.directory: @@ -88,6 +98,7 @@ ea-integrations-load: - onchanges: - file: eaintegration - file: eadynamicintegration + - file: eapackageupgrade {% endif %} {% else %} diff --git a/salt/elasticfleet/defaults.yaml b/salt/elasticfleet/defaults.yaml index cb282aade..a4862623d 100644 --- a/salt/elasticfleet/defaults.yaml +++ b/salt/elasticfleet/defaults.yaml @@ -13,7 +13,10 @@ elasticfleet: - broker - capture_loss - cluster + - conn-summary + - console - ecat_arp_info + - known_certs - known_hosts - known_services - loaded_scripts @@ -25,20 +28,53 @@ elasticfleet: - stderr - stdout packages: + - apache + - auditd - aws - azure + - barracuda + - cisco_asa - cloudflare + - crowdstrike + - darktrace - elasticsearch - endpoint + - f5_bigip - fleet_server - fim + - fortinet + - fortinet_fortigate + - gcp - github - google_workspace + - http_endpoint + - httpjson + - juniper + - juniper_srx + - kafka_log + - lastpass - log + - m365_defender + - microsoft_defender_endpoint + - microsoft_dhcp + - netflow + - o365 + - okta - osquery_manager + - panw + - pfsense - redis + - sentinel_one + - sonicwall_firewall + - symantec_endpoint - system - tcp + - ti_abusech + - ti_misp + - ti_otx + - ti_recordedfuture - udp - windows + - zscaler_zia + - zscaler_zpa - 1password diff --git a/salt/elasticfleet/enabled.sls b/salt/elasticfleet/enabled.sls index 82c7735db..320b6d6b6 100644 --- a/salt/elasticfleet/enabled.sls +++ b/salt/elasticfleet/enabled.sls @@ -68,11 +68,6 @@ so-elastic-fleet: - /etc/pki/elasticfleet-server.crt:/etc/pki/elasticfleet-server.crt:ro - /etc/pki/elasticfleet-server.key:/etc/pki/elasticfleet-server.key:ro - /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro - {% if GLOBALS.os_family == 'Debian' %} - - /etc/ssl/elasticfleet-server.crt:/etc/ssl/elasticfleet-server.crt:ro - - /etc/ssl/elasticfleet-server.key:/etc/ssl/elasticfleet-server.key:ro - - /etc/ssl/tls/certs/intca.crt:/etc/ssl/tls/certs/intca.crt:ro - {% endif %} - /opt/so/log/elasticfleet:/usr/share/elastic-agent/logs {% if DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %} @@ -87,13 +82,8 @@ so-elastic-fleet: - FLEET_SERVER_POLICY_ID=FleetServer_{{ GLOBALS.hostname }} - FLEET_SERVER_CERT=/etc/pki/elasticfleet-server.crt - FLEET_SERVER_CERT_KEY=/etc/pki/elasticfleet-server.key - {% if GLOBALS.os_family == 'Debian' %} - - FLEET_CA=/etc/ssl/certs/intca.crt - - FLEET_SERVER_ELASTICSEARCH_CA=/etc/ssl/certs/intca.crt - {% else %} - - FLEET_CA=/etc/pki/tls/certs/intca.crt + - FLEET_CA=/etc/pki/tls/certs/intca.crt - FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt - {% endif %} - LOGS_PATH=logs {% if DOCKER.containers['so-elastic-fleet'].extra_env %} {% for XTRAENV in DOCKER.containers['so-elastic-fleet'].extra_env %} diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers index d7d6458c9..275bc6a11 100755 --- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers +++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers @@ -46,7 +46,7 @@ do done printf "\n### Stripping out unused components" -find /nsm/elastic-agent-workspace/elastic-agent-*/data/elastic-agent-*/components -regex '.*fleet.*\|.*packet.*\|.*apm*.*\|.*audit.*\|.*heart.*\|.*cloud.*' -delete +find /nsm/elastic-agent-workspace/elastic-agent-*/data/elastic-agent-*/components -maxdepth 1 -regex '.*fleet.*\|.*packet.*\|.*apm.*\|.*audit.*\|.*heart.*\|.*cloud.*' -delete printf "\n### Tarring everything up again" for OS in "${OSARCH[@]}" @@ -65,7 +65,7 @@ do if [[ $GOOS == 'darwin/arm64' ]]; then GOOS="darwin" && GOARCH="arm64"; fi printf "\n\n### Generating $GOOS/$GOARCH Installer...\n" docker run -e CGO_ENABLED=0 -e GOOS=$GOOS -e GOARCH=$GOARCH \ - --mount type=bind,source=/etc/ssl/certs/,target=/workspace/files/cert/ \ + --mount type=bind,source=/etc/pki/tls/certs/,target=/workspace/files/cert/ \ --mount type=bind,source=/nsm/elastic-agent-workspace/,target=/workspace/files/elastic-agent/ \ --mount type=bind,source=/opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/,target=/output/ \ {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent-builder:{{ GLOBALS.so_version }} go build -ldflags "-X main.fleetHostURLsList=$FLEETHOST -X main.enrollmentToken=$ENROLLMENTOKEN" -o /output/so-elastic-agent_${GOOS}_${GOARCH} diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-upgrade b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-upgrade index 2fb3f7798..a092e3ecb 100644 --- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-upgrade +++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-upgrade @@ -15,3 +15,4 @@ elastic_fleet_package_install "{{ PACKAGE }}" "$VERSION" echo {%- endfor %} echo +/usr/sbin/so-elasticsearch-templates-load diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup index ac0ce4db9..83a155ae6 100755 --- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup +++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup @@ -6,11 +6,7 @@ # this file except in compliance with the Elastic License 2.0. {% from 'vars/globals.map.jinja' import GLOBALS %} -{% if GLOBALS.os_family == 'Debian' %} -INTCA=/etc/ssl/certs/intca.crt -{% else %} INTCA=/etc/pki/tls/certs/intca.crt -{% endif %} . /usr/sbin/so-elastic-fleet-common diff --git a/salt/elasticsearch/config.map.jinja b/salt/elasticsearch/config.map.jinja index ed4a5033f..37447cabb 100644 --- a/salt/elasticsearch/config.map.jinja +++ b/salt/elasticsearch/config.map.jinja @@ -21,7 +21,7 @@ {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.discovery.seed_hosts.append(NODE.keys()|first) %} {% endfor %} {% if grains.id.split('_') | last == 'manager' %} - {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.update({'roles': ['master','data','remote_cluster_client']}) %} + {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.update({'roles': ['master','data','remote_cluster_client','transform']}) %} {% else %} {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.update({'roles': ['master', 'data_hot', 'remote_cluster_client']}) %} {% endif %} diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 579197040..91e5191f6 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -58,6 +58,12 @@ elasticsearch: elasticsearch: deprecation: ERROR index_settings: + global_overrides: + index_template: + template: + settings: + index: + number_of_replicas: default_placeholder so-logs: index_sorting: False index_template: @@ -280,6 +286,60 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false + so-logs-apache_x_access: + index_sorting: False + index_template: + index_patterns: + - "logs-apache.access-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-apache.access@package" + - "logs-apache.access@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-apache_x_error: + index_sorting: False + index_template: + index_patterns: + - "logs-apache.error-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-apache.error@package" + - "logs-apache.error@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-auditd_x_log: + index_sorting: False + index_template: + index_patterns: + - "logs-auditd.log-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-auditd.log@package" + - "logs-auditd.log@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false so-logs-aws_x_cloudtrail: index_sorting: False index_template: @@ -640,6 +700,42 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false + so-logs-barracuda_x_waf: + index_sorting: False + index_template: + index_patterns: + - "logs-barracuda.waf-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-barracuda.waf@package" + - "logs-barracuda.waf@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-cisco_asa_x_log: + index_sorting: False + index_template: + index_patterns: + - "logs-cisco_asa.log-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-cisco_asa.log@package" + - "logs-cisco_asa.log@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false so-logs-cloudflare_x_audit: index_sorting: False index_template: @@ -676,6 +772,114 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false + so-logs-crowdstrike_x_falcon: + index_sorting: False + index_template: + index_patterns: + - "logs-crowdstrike.falcon-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-crowdstrike.falcon@package" + - "logs-crowdstrike.falcon@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-crowdstrike_x_fdr: + index_sorting: False + index_template: + index_patterns: + - "logs-crowdstrike.fdr-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-crowdstrike.fdr@package" + - "logs-crowdstrike.fdr@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-darktrace_x_ai_analyst_alert: + index_sorting: False + index_template: + index_patterns: + - "logs-darktrace.ai_analyst_alert-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-darktrace.ai_analyst_alert@package" + - "logs-darktrace.ai_analyst_alert@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-darktrace_x_model_breach_alert: + index_sorting: False + index_template: + index_patterns: + - "logs-darktrace.model_breach_alert-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-darktrace.model_breach_alert@package" + - "logs-darktrace.model_breach_alert@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-darktrace_x_system_status_alert: + index_sorting: False + index_template: + index_patterns: + - "logs-darktrace.system_status_alert-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-darktrace.system_status_alert@package" + - "logs-darktrace.system_status_alert@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-f5_bigip_x_log: + index_sorting: False + index_template: + index_patterns: + - "logs-f5_bigip.log-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-f5_bigip.log@package" + - "logs-f5_bigip.log@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false so-logs-fim_x_event: index_sorting: False index_template: @@ -694,6 +898,186 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false + so-logs-fortinet_x_clientendpoint: + index_sorting: False + index_template: + index_patterns: + - "logs-fortinet.clientendpoint-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-fortinet.clientendpoint@package" + - "logs-fortinet.clientendpoint@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-fortinet_x_firewall: + index_sorting: False + index_template: + index_patterns: + - "logs-fortinet.firewall-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-fortinet.firewall@package" + - "logs-fortinet.firewall@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-fortinet_x_fortimail: + index_sorting: False + index_template: + index_patterns: + - "logs-fortinet.fortimail-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-fortinet.fortimail@package" + - "logs-fortinet.fortimail@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-fortinet_x_fortimanager: + index_sorting: False + index_template: + index_patterns: + - "logs-fortinet.fortimanager-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-fortinet.fortimanager@package" + - "logs-fortinet.fortimanager@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-fortinet_fortigate_x_log: + index_sorting: False + index_template: + index_patterns: + - "logs-fortinet_fortigate.log-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-fortinet_fortigate.log@package" + - "logs-fortinet_fortigate.log@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-gcp_x_audit: + index_sorting: False + index_template: + index_patterns: + - "logs-gcp.audit-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-gcp.audit@package" + - "logs-gcp.audit@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-gcp_x_dns: + index_sorting: False + index_template: + index_patterns: + - "logs-gcp.dns-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-gcp.dns@package" + - "logs-gcp.dns@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-gcp_x_firewall: + index_sorting: False + index_template: + index_patterns: + - "logs-gcp.firewall-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-gcp.firewall@package" + - "logs-gcp.firewall@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-gcp_x_loadbalancing_logs: + index_sorting: False + index_template: + index_patterns: + - "logs-gcp.loadbalancing_logs-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-gcp.loadbalancing_logs@package" + - "logs-gcp.loadbalancing_logs@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-gcp_x_vpcflow: + index_sorting: False + index_template: + index_patterns: + - "logs-gcp.vpcflow-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-gcp.vpcflow@package" + - "logs-gcp.vpcflow@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false so-logs-github_x_audit: index_sorting: False index_template: @@ -1036,6 +1420,834 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false + so-logs-http_endpoint_x_generic: + index_sorting: False + index_template: + index_patterns: + - "logs-http_endpoint.generic-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-http_endpoint.generic@package" + - "logs-http_endpoint.generic@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-httpjson_x_generic: + index_sorting: False + index_template: + index_patterns: + - "logs-httpjson.generic-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-httpjson.generic@package" + - "logs-httpjson.generic@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-juniper_x_junos: + index_sorting: False + index_template: + index_patterns: + - "logs-juniper.junos-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-juniper.junos@package" + - "logs-juniper.junos@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-juniper_x_netscreen: + index_sorting: False + index_template: + index_patterns: + - "logs-juniper.netscreen-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-juniper.netscreen@package" + - "logs-juniper.netscreen@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-juniper_x_srx: + index_sorting: False + index_template: + index_patterns: + - "logs-juniper.srx-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-juniper.srx@package" + - "logs-juniper.srx@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-juniper_srx_x_log: + index_sorting: False + index_template: + index_patterns: + - "logs-juniper_srx.log-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-juniper_srx.log@package" + - "logs-juniper_srx.log@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-kafka_log_x_generic: + index_sorting: False + index_template: + index_patterns: + - "logs-kafka_log.generic-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-kafka_log.generic@package" + - "logs-kafka_log.generic@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-lastpass_x_detailed_shared_folder: + index_sorting: False + index_template: + index_patterns: + - "logs-lastpass.detailed_shared_folder-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-lastpass.detailed_shared_folder@package" + - "logs-lastpass.detailed_shared_folder@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-lastpass_x_event_report: + index_sorting: False + index_template: + index_patterns: + - "logs-lastpass.event_report-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-lastpass.event_report@package" + - "logs-lastpass.event_report@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-lastpass_x_user: + index_sorting: False + index_template: + index_patterns: + - "logs-lastpass.user-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-lastpass.user@package" + - "logs-lastpass.user@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-m365_defender_x_event: + index_sorting: False + index_template: + index_patterns: + - "logs-m365_defender.event-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-m365_defender.event@package" + - "logs-m365_defender.event@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-m365_defender_x_incident: + index_sorting: False + index_template: + index_patterns: + - "logs-m365_defender.incident-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-m365_defender.incident@package" + - "logs-m365_defender.incident@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-m365_defender_x_log: + index_sorting: False + index_template: + index_patterns: + - "logs-m365_defender.log-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-m365_defender.log@package" + - "logs-m365_defender.log@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-microsoft_defender_endpoint_x_log: + index_sorting: False + index_template: + index_patterns: + - "logs-microsoft_defender_endpoint.log-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-microsoft_defender_endpoint.log@package" + - "logs-microsoft_defender_endpoint.log@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-microsoft_dhcp_x_log: + index_sorting: False + index_template: + index_patterns: + - "logs-microsoft_dhcp.log-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-microsoft_dhcp.log@package" + - "logs-microsoft_dhcp.log@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-netflow_x_log: + index_sorting: False + index_template: + index_patterns: + - "logs-netflow.log-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-netflow.log@package" + - "logs-netflow.log@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-o365_x_audit: + index_sorting: False + index_template: + index_patterns: + - "logs-o365.audit-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-o365.audit@package" + - "logs-o365.audit@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-okta_x_system: + index_sorting: False + index_template: + index_patterns: + - "logs-okta.system-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-okta.system@package" + - "logs-okta.system@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-panw_x_panos: + index_sorting: False + index_template: + index_patterns: + - "logs-panw.panos-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-panw.panos@package" + - "logs-panw.panos@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-pfsense_x_log: + index_sorting: False + index_template: + index_patterns: + - "logs-pfsense.log-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-pfsense.log@package" + - "logs-pfsense.log@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-sentinel_one_x_activity: + index_sorting: False + index_template: + index_patterns: + - "logs-sentinel_one.activity-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-sentinel_one.activity@package" + - "logs-sentinel_one.activity@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-sentinel_one_x_agent: + index_sorting: False + index_template: + index_patterns: + - "logs-sentinel_one.agent-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-sentinel_one.agent@package" + - "logs-sentinel_one.agent@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-sentinel_one_x_alert: + index_sorting: False + index_template: + index_patterns: + - "logs-sentinel_one.alert-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-sentinel_one.alert@package" + - "logs-sentinel_one.alert@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-sentinel_one_x_group: + index_sorting: False + index_template: + index_patterns: + - "logs-sentinel_one.group-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-sentinel_one.group@package" + - "logs-sentinel_one.group@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-sentinel_one_x_threat: + index_sorting: False + index_template: + index_patterns: + - "logs-sentinel_one.threat-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-sentinel_one.threat@package" + - "logs-sentinel_one.threat@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-sonicwall_firewall_x_log: + index_sorting: False + index_template: + index_patterns: + - "logs-sonicwall_firewall.log-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-sonicwall_firewall.log@package" + - "logs-sonicwall_firewall.log@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-symantec_endpoint_x_log: + index_sorting: False + index_template: + index_patterns: + - "logs-symantec_endpoint.log-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-symantec_endpoint.log@package" + - "logs-symantec_endpoint.log@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-ti_abusech_x_malware: + index_sorting: False + index_template: + index_patterns: + - "logs-ti_abusech.malware-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-ti_abusech.malware@package" + - "logs-ti_abusech.malware@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-ti_abusech_x_malwarebazaar: + index_sorting: False + index_template: + index_patterns: + - "logs-ti_abusech.malwarebazaar-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-ti_abusech.malwarebazaar@package" + - "logs-ti_abusech.malwarebazaar@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-ti_abusech_x_threatfox: + index_sorting: False + index_template: + index_patterns: + - "logs-ti_abusech.threatfox-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-ti_abusech.threatfox@package" + - "logs-ti_abusech.threatfox@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-ti_abusech_x_url: + index_sorting: False + index_template: + index_patterns: + - "logs-ti_abusech.url-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-ti_abusech.url@package" + - "logs-ti_abusech.url@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-ti_misp_x_threat: + index_sorting: False + index_template: + index_patterns: + - "logs-ti_misp.threat-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-ti_misp.threat@package" + - "logs-ti_misp.threat@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-ti_misp_x_threat_attributes: + index_sorting: False + index_template: + index_patterns: + - "logs-ti_misp.threat_attributes-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-ti_misp.threat_attributes@package" + - "logs-ti_misp.threat_attributes@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-ti_otx_x_threat: + index_sorting: False + index_template: + index_patterns: + - "logs-ti_otx.threat-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-ti_otx.threat@package" + - "logs-ti_otx.threat@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-ti_recordedfuture_x_latest_ioc-template: + index_sorting: False + index_template: + index_patterns: + - "logs-ti_recordedfuture.latest_ioc-template-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-ti_recordedfuture.latest_ioc-template@package" + - "logs-ti_recordedfuture.latest_ioc-template@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-ti_recordedfuture_x_threat: + index_sorting: False + index_template: + index_patterns: + - "logs-ti_recordedfuture.threat-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-ti_recordedfuture.threat@package" + - "logs-ti_recordedfuture.threat@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-zscaler_zia_x_alerts: + index_sorting: False + index_template: + index_patterns: + - "logs-zscaler_zia.alerts-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-zscaler_zia.alerts@package" + - "logs-zscaler_zia.alerts@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-zscaler_zia_x_dns: + index_sorting: False + index_template: + index_patterns: + - "logs-zscaler_zia.dns-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-zscaler_zia.dns@package" + - "logs-zscaler_zia.dns@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-zscaler_zia_x_firewall: + index_sorting: False + index_template: + index_patterns: + - "logs-zscaler_zia.firewall-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-zscaler_zia.firewall@package" + - "logs-zscaler_zia.firewall@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-zscaler_zia_x_tunnel: + index_sorting: False + index_template: + index_patterns: + - "logs-zscaler_zia.tunnel-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-zscaler_zia.tunnel@package" + - "logs-zscaler_zia.tunnel@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-zscaler_zia_x_web: + index_sorting: False + index_template: + index_patterns: + - "logs-zscaler_zia.web-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-zscaler_zia.web@package" + - "logs-zscaler_zia.web@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-zscaler_zpa_x_app_connector_status: + index_sorting: False + index_template: + index_patterns: + - "logs-zscaler_zpa.app_connector_status-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-zscaler_zpa.app_connector_status@package" + - "logs-zscaler_zpa.app_connector_status@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-zscaler_zpa_x_audit: + index_sorting: False + index_template: + index_patterns: + - "logs-zscaler_zpa.audit-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-zscaler_zpa.audit@package" + - "logs-zscaler_zpa.audit@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-zscaler_zpa_x_browser_access: + index_sorting: False + index_template: + index_patterns: + - "logs-zscaler_zpa.browser_access-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-zscaler_zpa.browser_access@package" + - "logs-zscaler_zpa.browser_access@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-zscaler_zpa_x_user_activity: + index_sorting: False + index_template: + index_patterns: + - "logs-zscaler_zpa.user_activity-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-zscaler_zpa.user_activity@package" + - "logs-zscaler_zpa.user_activity@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-zscaler_zpa_x_user_status: + index_sorting: False + index_template: + index_patterns: + - "logs-zscaler_zpa.user_status-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-zscaler_zpa.user_status@package" + - "logs-zscaler_zpa.user_status@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false so-logs-1password_x_item_usages: index_sorting: False index_template: @@ -2477,6 +3689,7 @@ elasticsearch: refresh_interval: 30s number_of_shards: 1 number_of_replicas: 0 + final_pipeline: ".fleet_final_pipeline-1" composed_of: - agent-mappings - dtc-agent-mappings @@ -2975,6 +4188,7 @@ elasticsearch: so-syslog: index_sorting: False index_template: + data_stream: {} index_patterns: - logs-syslog-so* template: diff --git a/salt/elasticsearch/enabled.sls b/salt/elasticsearch/enabled.sls index e28ca5fdf..fa0f824b4 100644 --- a/salt/elasticsearch/enabled.sls +++ b/salt/elasticsearch/enabled.sls @@ -59,7 +59,7 @@ so-elasticsearch: {% if GLOBALS.is_manager %} - /etc/pki/ca.crt:/usr/share/elasticsearch/config/ca.crt:ro {% else %} - - /etc/ssl/certs/intca.crt:/usr/share/elasticsearch/config/ca.crt:ro + - /etc/pki/tls/certs/intca.crt:/usr/share/elasticsearch/config/ca.crt:ro {% endif %} - /etc/pki/elasticsearch.crt:/usr/share/elasticsearch/config/elasticsearch.crt:ro - /etc/pki/elasticsearch.key:/usr/share/elasticsearch/config/elasticsearch.key:ro @@ -108,6 +108,7 @@ escomponenttemplates: - source: salt://elasticsearch/templates/component - user: 930 - group: 939 + - clean: True - onchanges_in: - cmd: so-elasticsearch-templates diff --git a/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 b/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 index 688000fb7..52b6bae7a 100644 --- a/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 +++ b/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 @@ -80,6 +80,7 @@ { "set": { "if": "ctx.network?.type == 'ipv6'", "override": true, "field": "destination.ipv6", "value": "true" } }, { "set": { "if": "ctx.tags.0 == 'import'", "override": true, "field": "data_stream.dataset", "value": "import" } }, { "set": { "if": "ctx.tags.0 == 'import'", "override": true, "field": "data_stream.namespace", "value": "so" } }, + { "date": { "if": "ctx.event?.module == 'system'", "field": "event.created", "target_field": "@timestamp", "formats": ["yyyy-MM-dd'T'HH:mm:ss.SSSSSS'Z'"] } }, { "community_id":{ "if": "ctx.event?.dataset == 'endpoint.events.network'", "ignore_failure":true } }, { "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp", "dataset_tag_temp", "module_temp" ], "ignore_missing": true, "ignore_failure": true } } ], diff --git a/salt/elasticsearch/files/ingest/strelka.file b/salt/elasticsearch/files/ingest/strelka.file index 741e20aa1..a74a7c622 100644 --- a/salt/elasticsearch/files/ingest/strelka.file +++ b/salt/elasticsearch/files/ingest/strelka.file @@ -63,8 +63,8 @@ { "set": { "if": "ctx.rule?.score != null && ctx.rule?.score >= 50 && ctx.rule?.score <=69", "field": "event.severity", "value": 2, "override": true } }, { "set": { "if": "ctx.rule?.score != null && ctx.rule?.score >= 70 && ctx.rule?.score <=89", "field": "event.severity", "value": 3, "override": true } }, { "set": { "if": "ctx.rule?.score != null && ctx.rule?.score >= 90", "field": "event.severity", "value": 4, "override": true } }, - { "set": { "if": "ctx.scan?.entropy?.entropy == 0", "field": "scan.entropy.entropy", "value": "0.0", "override": true } }, - { "set": { "if": "ctx.scan?.pe?.image_version == 0", "field": "scan.pe.image_version", "value": "0.0", "override": true } }, + { "set": { "if": "ctx.scan?.entropy?.entropy == '0'", "field": "scan.entropy.entropy", "value": "0.0", "override": true } }, + { "set": { "if": "ctx.scan?.pe?.image_version == '0'", "field": "scan.pe.image_version", "value": "0.0", "override": true } }, { "set": { "field": "observer.name", "value": "{{agent.name}}" }}, { "convert" : { "field" : "scan.exiftool","type": "string", "ignore_missing":true }}, { "remove": { "field": ["host", "path", "message", "exiftool", "scan.yara.meta"], "ignore_missing": true } }, diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index 889e9f6a4..e4de29e00 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml @@ -47,6 +47,16 @@ elasticsearch: global: True helpLink: elasticsearch.html index_settings: + global_overrides: + index_template: + template: + settings: + index: + number_of_replicas: + description: Number of replicas required for all indices. Multiple replicas protects against data loss, but also increases storage costs. This setting will be applied to all indices. + forcedType: int + global: True + helpLink: elasticsearch.html so-logs: &indexSettings index_sorting: description: Sorts the index by event time, at the cost of additional processing resource consumption. @@ -64,6 +74,7 @@ elasticsearch: index: number_of_replicas: description: Number of replicas required for this index. Multiple replicas protects against data loss, but also increases storage costs. + forcedType: int global: True helpLink: elasticsearch.html mapping: @@ -190,6 +201,9 @@ elasticsearch: so-logs-windows_x_powershell: *indexSettings so-logs-windows_x_powershell_operational: *indexSettings so-logs-windows_x_sysmon_operational: *indexSettings + so-logs-apache_x_access: *indexSettings + so-logs-apache_x_error: *indexSettings + so-logs-auditd_x_log: *indexSettings so-logs-aws_x_cloudtrail: *indexSettings so-logs-aws_x_cloudwatch_logs: *indexSettings so-logs-aws_x_ec2_logs: *indexSettings @@ -210,9 +224,27 @@ elasticsearch: so-logs-azure_x_provisioning: *indexSettings so-logs-azure_x_signinlogs: *indexSettings so-logs-azure_x_springcloudlogs: *indexSettings + so-logs-barracuda_x_waf: *indexSettings + so-logs-cisco_asa_x_log: *indexSettings so-logs-cloudflare_x_audit: *indexSettings so-logs-cloudflare_x_logpull: *indexSettings + so-logs-crowdstrike_x_falcon: *indexSettings + so-logs-crowdstrike_x_fdr: *indexSettings + so-logs-darktrace_x_ai_analyst_alert: *indexSettings + so-logs-darktrace_x_model_breach_alert: *indexSettings + so-logs-darktrace_x_system_status_alert: *indexSettings + so-logs-f5_bigip_x_log: *indexSettings so-logs-fim_x_event: *indexSettings + so-logs-fortinet_x_clientendpoint: *indexSettings + so-logs-fortinet_x_firewall: *indexSettings + so-logs-fortinet_x_fortimail: *indexSettings + so-logs-fortinet_x_fortimanager: *indexSettings + so-logs-fortinet_x_fortigate: *indexSettings + so-logs-gcp_x_audit: *indexSettings + so-logs-gcp_x_dns: *indexSettings + so-logs-gcp_x_firewall: *indexSettings + so-logs-gcp_x_loadbalancing_logs: *indexSettings + so-logs-gcp_x_vpcflow: *indexSettings so-logs-github_x_audit: *indexSettings so-logs-github_x_code_scanning: *indexSettings so-logs-github_x_dependabot: *indexSettings @@ -232,6 +264,52 @@ elasticsearch: so-logs-google_workspace_x_saml: *indexSettings so-logs-google_workspace_x_token: *indexSettings so-logs-google_workspace_x_user_accounts: *indexSettings + so-logs-http_endpoint_x_generic: *indexSettings + so-logs-httpjson_x_generic: *indexSettings + so-logs-juniper_x_junos: *indexSettings + so-logs-juniper_x_netscreen: *indexSettings + so-logs-juniper_x_srx: *indexSettings + so-logs-juniper_srx_x_log: *indexSettings + so-logs-kafka_log_x_generic: *indexSettings + so-logs-lastpass_x_detailed_shared_folder: *indexSettings + so-logs-lastpass_x_event_report: *indexSettings + so-logs-lastpass_x_user: *indexSettings + so-logs-m365_defender_x_event: *indexSettings + so-logs-m365_defender_x_incident: *indexSettings + so-logs-m365_defender_x_log: *indexSettings + so-logs-microsoft_defender_endpoint_x_log: *indexSettings + so-logs-microsoft_dhcp_x_log: *indexSettings + so-logs-netflow_x_log: *indexSettings + so-logs-o365_x_audit: *indexSettings + so-logs-okta_x_system: *indexSettings + so-logs-panw_x_panos: *indexSettings + so-logs-pfsense_x_log: *indexSettings + so-logs-sentinel_one_x_activity: *indexSettings + so-logs-sentinel_one_x_agent: *indexSettings + so-logs-sentinel_one_x_alert: *indexSettings + so-logs-sentinel_one_x_group: *indexSettings + so-logs-sentinel_one_x_threat: *indexSettings + so-logs-sonicwall_firewall_x_log: *indexSettings + so-logs-symantec_endpoint_x_log: *indexSettings + so-logs-ti_abusech_x_malware: *indexSettings + so-logs-ti_abusech_x_malwarebazaar: *indexSettings + so-logs-ti_abusech_x_threatfox: *indexSettings + so-logs-ti_abusech_x_url: *indexSettings + so-logs-ti_misp_x_threat: *indexSettings + so-logs-ti_misp_x_threat_attributes: *indexSettings + so-logs-ti_otx_x_threat: *indexSettings + so-logs-ti_recordedfuture_x_latest_ioc-template: *indexSettings + so-logs-ti_recordedfuture_x_threat: *indexSettings + so-logs-zscaler_zia_x_alerts: *indexSettings + so-logs-zscaler_zia_x_dns: *indexSettings + so-logs-zscaler_zia_x_firewall: *indexSettings + so-logs-zscaler_zia_x_tunnel: *indexSettings + so-logs-zscaler_zia_x_web: *indexSettings + so-logs-zscaler_zpa_x_app_connector_status: *indexSettings + so-logs-zscaler_zpa_x_audit: *indexSettings + so-logs-zscaler_zpa_x_browser_access: *indexSettings + so-logs-zscaler_zpa_x_user_activity: *indexSettings + so-logs-zscaler_zpa_x_user_status: *indexSettings so-logs-1password_x_item_usages: *indexSettings so-logs-1password_x_signin_attempts: *indexSettings so-logs-osquery-manager-actions: *indexSettings diff --git a/salt/elasticsearch/template.map.jinja b/salt/elasticsearch/template.map.jinja index 5fe0ed303..f5a124a9a 100644 --- a/salt/elasticsearch/template.map.jinja +++ b/salt/elasticsearch/template.map.jinja @@ -1,11 +1,28 @@ -{% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS with context %} -{%- set ES_INDEX_SETTINGS_ORIG = salt['pillar.get']('elasticsearch:index_settings', default=ELASTICSEARCHDEFAULTS.elasticsearch.index_settings, merge=True) %} -{% set ES_INDEX_SETTINGS = {} %} -{% for index, settings in ES_INDEX_SETTINGS_ORIG.items() %} - {% if settings.index_template is defined %} - {% if not settings.get('index_sorting', False) | to_bool and settings.index_template.template.settings.index.sort is defined %} - {% do settings.index_template.template.settings.index.pop('sort') %} - {% endif %} - {% endif %} - {% do ES_INDEX_SETTINGS.update({index | replace("_x_", "."): ES_INDEX_SETTINGS_ORIG[index]}) %} +{% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS %} +{% set DEFAULT_GLOBAL_OVERRIDES = ELASTICSEARCHDEFAULTS.elasticsearch.index_settings.pop('global_overrides') %} + +{% set PILLAR_GLOBAL_OVERRIDES = {} %} +{% if salt['pillar.get']('elasticsearch:index_settings') is defined %} +{% set ES_INDEX_PILLAR = salt['pillar.get']('elasticsearch:index_settings') %} +{% if ES_INDEX_PILLAR.global_overrides is defined %} +{% set PILLAR_GLOBAL_OVERRIDES = ES_INDEX_PILLAR.pop('global_overrides') %} +{% endif %} +{% endif %} + +{% set ES_INDEX_SETTINGS_ORIG = ELASTICSEARCHDEFAULTS.elasticsearch.index_settings %} + +{% set ES_INDEX_SETTINGS_GLOBAL_OVERRIDES = {} %} +{% for index in ES_INDEX_SETTINGS_ORIG.keys() %} +{% do ES_INDEX_SETTINGS_GLOBAL_OVERRIDES.update({index: salt['defaults.merge'](ELASTICSEARCHDEFAULTS.elasticsearch.index_settings[index], PILLAR_GLOBAL_OVERRIDES, in_place=False)}) %} +{% endfor %} + +{% set ES_INDEX_SETTINGS = {} %} +{% do ES_INDEX_SETTINGS_GLOBAL_OVERRIDES.update(salt['defaults.merge'](ES_INDEX_SETTINGS_GLOBAL_OVERRIDES, ES_INDEX_PILLAR, in_place=False)) %} +{% for index, settings in ES_INDEX_SETTINGS_GLOBAL_OVERRIDES.items() %} +{% if settings.index_template is defined %} +{% if not settings.get('index_sorting', False) | to_bool and settings.index_template.template.settings.index.sort is defined %} +{% do settings.index_template.template.settings.index.pop('sort') %} +{% endif %} +{% endif %} +{% do ES_INDEX_SETTINGS.update({index | replace("_x_", "."): ES_INDEX_SETTINGS_GLOBAL_OVERRIDES[index]}) %} {% endfor %} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json deleted file mode 100644 index 919763caa..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json +++ /dev/null @@ -1,329 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-elastic_agent.apm_server-1.7.0", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "ecs.version", - "agent.build.original", - "agent.ephemeral_id", - "agent.id", - "agent.name", - "agent.type", - "agent.version", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } - } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json deleted file mode 100644 index 175ad4431..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json +++ /dev/null @@ -1,329 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-elastic_agent.auditbeat-1.7.0", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "ecs.version", - "agent.build.original", - "agent.ephemeral_id", - "agent.id", - "agent.name", - "agent.type", - "agent.version", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } - } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json deleted file mode 100644 index a96480471..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json +++ /dev/null @@ -1,339 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-elastic_agent.cloudbeat-1.7.0", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "ecs.version", - "agent.build.original", - "agent.ephemeral_id", - "agent.id", - "agent.name", - "agent.type", - "agent.version", - "log.level", - "message", - "decision_id", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "snapshot": { - "type": "boolean" - } - } - }, - "message": { - "type": "match_only_text" - }, - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "result": { - "type": "object" - }, - "input": { - "type": "object" - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "decision_id": { - "type": "text" - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } - } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json deleted file mode 100644 index 5f16d18de..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json +++ /dev/null @@ -1,329 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-elastic_agent.endpoint_security-1.7.0", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "ecs.version", - "agent.build.original", - "agent.ephemeral_id", - "agent.id", - "agent.name", - "agent.type", - "agent.version", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } - } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json deleted file mode 100644 index f5b1ab12a..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json +++ /dev/null @@ -1,329 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-elastic_agent.filebeat-1.7.0", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "ecs.version", - "agent.build.original", - "agent.ephemeral_id", - "agent.id", - "agent.name", - "agent.type", - "agent.version", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } - } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json deleted file mode 100644 index a61d9f7a9..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json +++ /dev/null @@ -1,329 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-elastic_agent.fleet_server-1.7.0", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "ecs.version", - "agent.build.original", - "agent.ephemeral_id", - "agent.id", - "agent.name", - "agent.type", - "agent.version", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } - } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json deleted file mode 100644 index d7e244dc2..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json +++ /dev/null @@ -1,329 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-elastic_agent.heartbeat-1.7.0", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "ecs.version", - "agent.build.original", - "agent.ephemeral_id", - "agent.id", - "agent.name", - "agent.type", - "agent.version", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "snapshot": { - "type": "boolean" - } - } - }, - "message": { - "type": "text" - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } - } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json deleted file mode 100644 index 7b0c81283..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json +++ /dev/null @@ -1,329 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-elastic_agent.metricbeat-1.7.0", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "ecs.version", - "agent.build.original", - "agent.ephemeral_id", - "agent.id", - "agent.name", - "agent.type", - "agent.version", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } - } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json deleted file mode 100644 index 2a6780e69..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json +++ /dev/null @@ -1,329 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-elastic_agent.osquerybeat-1.7.0", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "ecs.version", - "agent.build.original", - "agent.ephemeral_id", - "agent.id", - "agent.name", - "agent.type", - "agent.version", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } - } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json deleted file mode 100644 index 973427be1..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json +++ /dev/null @@ -1,322 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-elastic_agent.packetbeat-1.7.0", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "ecs.version", - "agent.build.original", - "agent.ephemeral_id", - "agent.id", - "agent.name", - "agent.type", - "agent.version", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "snapshot": { - "type": "boolean" - } - } - }, - "message": { - "type": "text" - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } - } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@package.json deleted file mode 100644 index 05741a4f0..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@package.json +++ /dev/null @@ -1,952 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-system.application-1.6.4", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "event.code", - "event.original", - "error.message", - "message", - "winlog.api", - "winlog.activity_id", - "winlog.computer_name", - "winlog.event_data.AuthenticationPackageName", - "winlog.event_data.Binary", - "winlog.event_data.BitlockerUserInputTime", - "winlog.event_data.BootMode", - "winlog.event_data.BootType", - "winlog.event_data.BuildVersion", - "winlog.event_data.Company", - "winlog.event_data.CorruptionActionState", - "winlog.event_data.CreationUtcTime", - "winlog.event_data.Description", - "winlog.event_data.Detail", - "winlog.event_data.DeviceName", - "winlog.event_data.DeviceNameLength", - "winlog.event_data.DeviceTime", - "winlog.event_data.DeviceVersionMajor", - "winlog.event_data.DeviceVersionMinor", - "winlog.event_data.DriveName", - "winlog.event_data.DriverName", - "winlog.event_data.DriverNameLength", - "winlog.event_data.DwordVal", - "winlog.event_data.EntryCount", - "winlog.event_data.ExtraInfo", - "winlog.event_data.FailureName", - "winlog.event_data.FailureNameLength", - "winlog.event_data.FileVersion", - "winlog.event_data.FinalStatus", - "winlog.event_data.Group", - "winlog.event_data.IdleImplementation", - "winlog.event_data.IdleStateCount", - "winlog.event_data.ImpersonationLevel", - "winlog.event_data.IntegrityLevel", - "winlog.event_data.IpAddress", - "winlog.event_data.IpPort", - "winlog.event_data.KeyLength", - "winlog.event_data.LastBootGood", - "winlog.event_data.LastShutdownGood", - "winlog.event_data.LmPackageName", - "winlog.event_data.LogonGuid", - "winlog.event_data.LogonId", - "winlog.event_data.LogonProcessName", - "winlog.event_data.LogonType", - "winlog.event_data.MajorVersion", - "winlog.event_data.MaximumPerformancePercent", - "winlog.event_data.MemberName", - "winlog.event_data.MemberSid", - "winlog.event_data.MinimumPerformancePercent", - "winlog.event_data.MinimumThrottlePercent", - "winlog.event_data.MinorVersion", - "winlog.event_data.NewProcessId", - "winlog.event_data.NewProcessName", - "winlog.event_data.NewSchemeGuid", - "winlog.event_data.NewTime", - "winlog.event_data.NominalFrequency", - "winlog.event_data.Number", - "winlog.event_data.OldSchemeGuid", - "winlog.event_data.OldTime", - "winlog.event_data.OriginalFileName", - "winlog.event_data.Path", - "winlog.event_data.PerformanceImplementation", - "winlog.event_data.PreviousCreationUtcTime", - "winlog.event_data.PreviousTime", - "winlog.event_data.PrivilegeList", - "winlog.event_data.ProcessId", - "winlog.event_data.ProcessName", - "winlog.event_data.ProcessPath", - "winlog.event_data.ProcessPid", - "winlog.event_data.Product", - "winlog.event_data.PuaCount", - "winlog.event_data.PuaPolicyId", - "winlog.event_data.QfeVersion", - "winlog.event_data.Reason", - "winlog.event_data.SchemaVersion", - "winlog.event_data.ScriptBlockText", - "winlog.event_data.ServiceName", - "winlog.event_data.ServiceVersion", - "winlog.event_data.ShutdownActionType", - "winlog.event_data.ShutdownEventCode", - "winlog.event_data.ShutdownReason", - "winlog.event_data.Signature", - "winlog.event_data.SignatureStatus", - "winlog.event_data.Signed", - "winlog.event_data.StartTime", - "winlog.event_data.State", - "winlog.event_data.Status", - "winlog.event_data.StopTime", - "winlog.event_data.SubjectDomainName", - "winlog.event_data.SubjectLogonId", - "winlog.event_data.SubjectUserName", - "winlog.event_data.SubjectUserSid", - "winlog.event_data.TSId", - "winlog.event_data.TargetDomainName", - "winlog.event_data.TargetInfo", - "winlog.event_data.TargetLogonGuid", - "winlog.event_data.TargetLogonId", - "winlog.event_data.TargetServerName", - "winlog.event_data.TargetUserName", - "winlog.event_data.TargetUserSid", - "winlog.event_data.TerminalSessionId", - "winlog.event_data.TokenElevationType", - "winlog.event_data.TransmittedServices", - "winlog.event_data.UserSid", - "winlog.event_data.Version", - "winlog.event_data.Workstation", - "winlog.event_data.param1", - "winlog.event_data.param2", - "winlog.event_data.param3", - "winlog.event_data.param4", - "winlog.event_data.param5", - "winlog.event_data.param6", - "winlog.event_data.param7", - "winlog.event_data.param8", - "winlog.event_id", - "winlog.keywords", - "winlog.channel", - "winlog.record_id", - "winlog.related_activity_id", - "winlog.opcode", - "winlog.provider_guid", - "winlog.provider_name", - "winlog.task", - "winlog.user.identifier", - "winlog.user.name", - "winlog.user.domain", - "winlog.user.type" - ] - } - } - }, - "mappings": { - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - }, - { - "winlog.user_data": { - "path_match": "winlog.user_data.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "winlog": { - "properties": { - "related_activity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "computer_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "process": { - "properties": { - "pid": { - "type": "long" - }, - "thread": { - "properties": { - "id": { - "type": "long" - } - } - } - } - }, - "keywords": { - "ignore_above": 1024, - "type": "keyword" - }, - "channel": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_data": { - "properties": { - "SignatureStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "OriginalFileName": { - "ignore_above": 1024, - "type": "keyword" - }, - "BootMode": { - "ignore_above": 1024, - "type": "keyword" - }, - "Product": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetLogonGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "FileVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "StopTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "Status": { - "ignore_above": 1024, - "type": "keyword" - }, - "CorruptionActionState": { - "ignore_above": 1024, - "type": "keyword" - }, - "KeyLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreviousCreationUtcTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetInfo": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "PerformanceImplementation": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "Group": { - "ignore_above": 1024, - "type": "keyword" - }, - "Description": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownActionType": { - "ignore_above": 1024, - "type": "keyword" - }, - "DwordVal": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessPid": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceVersionMajor": { - "ignore_above": 1024, - "type": "keyword" - }, - "ScriptBlockText": { - "ignore_above": 1024, - "type": "keyword" - }, - "TransmittedServices": { - "ignore_above": 1024, - "type": "keyword" - }, - "MaximumPerformancePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "FinalStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "IdleStateCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "MajorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "Path": { - "ignore_above": 1024, - "type": "keyword" - }, - "SchemaVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "TokenElevationType": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "IdleImplementation": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessPath": { - "ignore_above": 1024, - "type": "keyword" - }, - "QfeVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceVersionMinor": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "IpAddress": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Company": { - "ignore_above": 1024, - "type": "keyword" - }, - "PuaPolicyId": { - "ignore_above": 1024, - "type": "keyword" - }, - "IntegrityLevel": { - "ignore_above": 1024, - "type": "keyword" - }, - "LastShutdownGood": { - "ignore_above": 1024, - "type": "keyword" - }, - "IpPort": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriverNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "LmPackageName": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "LastBootGood": { - "ignore_above": 1024, - "type": "keyword" - }, - "PuaCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "Version": { - "ignore_above": 1024, - "type": "keyword" - }, - "Signed": { - "ignore_above": 1024, - "type": "keyword" - }, - "StartTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownEventCode": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreviousTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "State": { - "ignore_above": 1024, - "type": "keyword" - }, - "BootType": { - "ignore_above": 1024, - "type": "keyword" - }, - "Binary": { - "ignore_above": 1024, - "type": "keyword" - }, - "ImpersonationLevel": { - "ignore_above": 1024, - "type": "keyword" - }, - "MemberName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Detail": { - "ignore_above": 1024, - "type": "keyword" - }, - "TerminalSessionId": { - "ignore_above": 1024, - "type": "keyword" - }, - "MemberSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriverName": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSchemeGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "CreationUtcTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "Reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownReason": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetServerName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Number": { - "ignore_above": 1024, - "type": "keyword" - }, - "BuildVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinimumPerformancePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TSId": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "PrivilegeList": { - "ignore_above": 1024, - "type": "keyword" - }, - "param7": { - "ignore_above": 1024, - "type": "keyword" - }, - "param8": { - "ignore_above": 1024, - "type": "keyword" - }, - "param5": { - "ignore_above": 1024, - "type": "keyword" - }, - "param6": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriveName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonType": { - "ignore_above": 1024, - "type": "keyword" - }, - "ExtraInfo": { - "ignore_above": 1024, - "type": "keyword" - }, - "param3": { - "ignore_above": 1024, - "type": "keyword" - }, - "param4": { - "ignore_above": 1024, - "type": "keyword" - }, - "param1": { - "ignore_above": 1024, - "type": "keyword" - }, - "param2": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "Workstation": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSchemeGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "Signature": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinimumThrottlePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "EntryCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "BitlockerUserInputTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "AuthenticationPackageName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NominalFrequency": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "opcode": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "type": "long" - }, - "record_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "task": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider_guid": { - "ignore_above": 1024, - "type": "keyword" - }, - "activity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "api": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "identifier": { - "ignore_above": 1024, - "type": "keyword" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "ingested": { - "type": "date" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "module": { - "type": "constant_keyword", - "value": "system" - }, - "dataset": { - "type": "constant_keyword", - "value": "system.application" - } - } - }, - "error": { - "properties": { - "message": { - "type": "match_only_text" - } - } - }, - "message": { - "type": "match_only_text" - } - } - } - }, - "_meta": { - "package": { - "name": "system" - }, - "managed_by": "fleet", - "managed": true - } - } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@package.json deleted file mode 100644 index 51e707850..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@package.json +++ /dev/null @@ -1,530 +0,0 @@ -{ - "template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-system.auth-1.6.4", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.os.full", - "host.type", - "event.action", - "event.category", - "event.code", - "event.kind", - "event.outcome", - "event.provider", - "event.type", - "ecs.version", - "error.message", - "group.id", - "group.name", - "message", - "process.name", - "related.hosts", - "related.user", - "source.as.organization.name", - "source.geo.city_name", - "source.geo.continent_name", - "source.geo.country_iso_code", - "source.geo.country_name", - "source.geo.region_iso_code", - "source.geo.region_name", - "user.effective.name", - "user.id", - "user.name", - "system.auth.ssh.method", - "system.auth.ssh.signature", - "system.auth.ssh.event", - "system.auth.sudo.error", - "system.auth.sudo.tty", - "system.auth.sudo.pwd", - "system.auth.sudo.user", - "system.auth.sudo.command", - "system.auth.useradd.home", - "system.auth.useradd.shell", - "version" - ] - } - } - }, - "mappings": { - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - } - } - }, - "source": { - "properties": { - "geo": { - "properties": { - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "port": { - "type": "long" - }, - "ip": { - "type": "ip" - } - } - }, - "error": { - "properties": { - "message": { - "type": "match_only_text" - } - } - }, - "message": { - "type": "match_only_text" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "@timestamp": { - "type": "date" - }, - "system": { - "properties": { - "auth": { - "properties": { - "ssh": { - "properties": { - "method": { - "ignore_above": 1024, - "type": "keyword" - }, - "dropped_ip": { - "type": "ip" - }, - "signature": { - "ignore_above": 1024, - "type": "keyword" - }, - "event": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "sudo": { - "properties": { - "tty": { - "ignore_above": 1024, - "type": "keyword" - }, - "error": { - "ignore_above": 1024, - "type": "keyword" - }, - "pwd": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - }, - "command": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "useradd": { - "properties": { - "shell": { - "ignore_above": 1024, - "type": "keyword" - }, - "home": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "related": { - "properties": { - "hosts": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword", - "value": "logs" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "sequence": { - "type": "long" - }, - "ingested": { - "type": "date" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "type": "constant_keyword", - "value": "system" - }, - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "dataset": { - "type": "constant_keyword", - "value": "system.auth" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user": { - "properties": { - "effective": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - }, - "_meta": { - "package": { - "name": "system" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@package.json deleted file mode 100644 index a74cd4a70..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@package.json +++ /dev/null @@ -1,1840 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-system.security-1.6.4", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "event.action", - "event.category", - "event.code", - "event.kind", - "event.outcome", - "event.provider", - "event.type", - "tags", - "input.type", - "ecs.version", - "group.domain", - "group.id", - "group.name", - "log.file.path", - "log.level", - "message", - "process.args", - "process.command_line", - "process.entity_id", - "process.executable", - "process.name", - "process.parent.executable", - "process.parent.name", - "process.title", - "related.hash", - "related.hosts", - "related.user", - "service.name", - "service.type", - "source.domain", - "user.domain", - "user.id", - "user.name", - "user.effective.domain", - "user.effective.id", - "user.effective.name", - "user.target.group.domain", - "user.target.group.id", - "user.target.group.name", - "user.target.name", - "user.target.domain", - "user.target.id", - "user.changes.name", - "winlog.logon.type", - "winlog.logon.id", - "winlog.logon.failure.reason", - "winlog.logon.failure.status", - "winlog.logon.failure.sub_status", - "winlog.api", - "winlog.activity_id", - "winlog.channel", - "winlog.computer_name", - "winlog.computerObject.domain", - "winlog.computerObject.id", - "winlog.computerObject.name", - "winlog.event_data.AccessGranted", - "winlog.event_data.AccessList", - "winlog.event_data.AccessListDescription", - "winlog.event_data.AccessMask", - "winlog.event_data.AccessMaskDescription", - "winlog.event_data.AccessRemoved", - "winlog.event_data.AccountDomain", - "winlog.event_data.AccountExpires", - "winlog.event_data.AccountName", - "winlog.event_data.AllowedToDelegateTo", - "winlog.event_data.AuditPolicyChanges", - "winlog.event_data.AuditPolicyChangesDescription", - "winlog.event_data.AuditSourceName", - "winlog.event_data.AuthenticationPackageName", - "winlog.event_data.Binary", - "winlog.event_data.BitlockerUserInputTime", - "winlog.event_data.BootMode", - "winlog.event_data.BootType", - "winlog.event_data.BuildVersion", - "winlog.event_data.CallerProcessId", - "winlog.event_data.CallerProcessName", - "winlog.event_data.Category", - "winlog.event_data.CategoryId", - "winlog.event_data.ClientAddress", - "winlog.event_data.ClientName", - "winlog.event_data.CommandLine", - "winlog.event_data.Company", - "winlog.event_data.CorruptionActionState", - "winlog.event_data.CrashOnAuditFailValue", - "winlog.event_data.CreationUtcTime", - "winlog.event_data.Description", - "winlog.event_data.Detail", - "winlog.event_data.DeviceName", - "winlog.event_data.DeviceNameLength", - "winlog.event_data.DeviceTime", - "winlog.event_data.DeviceVersionMajor", - "winlog.event_data.DeviceVersionMinor", - "winlog.event_data.DisplayName", - "winlog.event_data.DomainBehaviorVersion", - "winlog.event_data.DomainName", - "winlog.event_data.DomainPolicyChanged", - "winlog.event_data.DomainSid", - "winlog.event_data.DriveName", - "winlog.event_data.DriverName", - "winlog.event_data.DriverNameLength", - "winlog.event_data.Dummy", - "winlog.event_data.DwordVal", - "winlog.event_data.EntryCount", - "winlog.event_data.EventSourceId", - "winlog.event_data.ExtraInfo", - "winlog.event_data.FailureName", - "winlog.event_data.FailureNameLength", - "winlog.event_data.FailureReason", - "winlog.event_data.FileVersion", - "winlog.event_data.FinalStatus", - "winlog.event_data.Group", - "winlog.event_data.GroupTypeChange", - "winlog.event_data.HandleId", - "winlog.event_data.HomeDirectory", - "winlog.event_data.HomePath", - "winlog.event_data.IdleImplementation", - "winlog.event_data.IdleStateCount", - "winlog.event_data.ImpersonationLevel", - "winlog.event_data.IntegrityLevel", - "winlog.event_data.IpAddress", - "winlog.event_data.IpPort", - "winlog.event_data.KerberosPolicyChange", - "winlog.event_data.KeyLength", - "winlog.event_data.LastBootGood", - "winlog.event_data.LastShutdownGood", - "winlog.event_data.LmPackageName", - "winlog.event_data.LogonGuid", - "winlog.event_data.LogonHours", - "winlog.event_data.LogonId", - "winlog.event_data.LogonID", - "winlog.event_data.LogonProcessName", - "winlog.event_data.LogonType", - "winlog.event_data.MachineAccountQuota", - "winlog.event_data.MajorVersion", - "winlog.event_data.MandatoryLabel", - "winlog.event_data.MaximumPerformancePercent", - "winlog.event_data.MemberName", - "winlog.event_data.MemberSid", - "winlog.event_data.MinimumPerformancePercent", - "winlog.event_data.MinimumThrottlePercent", - "winlog.event_data.MinorVersion", - "winlog.event_data.MixedDomainMode", - "winlog.event_data.NewProcessId", - "winlog.event_data.NewProcessName", - "winlog.event_data.NewSchemeGuid", - "winlog.event_data.NewSd", - "winlog.event_data.NewSdDacl0", - "winlog.event_data.NewSdDacl1", - "winlog.event_data.NewSdDacl2", - "winlog.event_data.NewSdSacl0", - "winlog.event_data.NewSdSacl1", - "winlog.event_data.NewSdSacl2", - "winlog.event_data.NewTargetUserName", - "winlog.event_data.NewTime", - "winlog.event_data.NewUACList", - "winlog.event_data.NewUacValue", - "winlog.event_data.NominalFrequency", - "winlog.event_data.Number", - "winlog.event_data.ObjectName", - "winlog.event_data.ObjectServer", - "winlog.event_data.ObjectType", - "winlog.event_data.OemInformation", - "winlog.event_data.OldSchemeGuid", - "winlog.event_data.OldSd", - "winlog.event_data.OldSdDacl0", - "winlog.event_data.OldSdDacl1", - "winlog.event_data.OldSdDacl2", - "winlog.event_data.OldSdSacl0", - "winlog.event_data.OldSdSacl1", - "winlog.event_data.OldSdSacl2", - "winlog.event_data.OldTargetUserName", - "winlog.event_data.OldTime", - "winlog.event_data.OldUacValue", - "winlog.event_data.OriginalFileName", - "winlog.event_data.PackageName", - "winlog.event_data.PasswordLastSet", - "winlog.event_data.PasswordHistoryLength", - "winlog.event_data.Path", - "winlog.event_data.ParentProcessName", - "winlog.event_data.PerformanceImplementation", - "winlog.event_data.PreviousCreationUtcTime", - "winlog.event_data.PreAuthType", - "winlog.event_data.PreviousTime", - "winlog.event_data.PrimaryGroupId", - "winlog.event_data.PrivilegeList", - "winlog.event_data.ProcessId", - "winlog.event_data.ProcessName", - "winlog.event_data.ProcessPath", - "winlog.event_data.ProcessPid", - "winlog.event_data.Product", - "winlog.event_data.ProfilePath", - "winlog.event_data.PuaCount", - "winlog.event_data.PuaPolicyId", - "winlog.event_data.QfeVersion", - "winlog.event_data.Reason", - "winlog.event_data.ResourceAttributes", - "winlog.event_data.SamAccountName", - "winlog.event_data.SchemaVersion", - "winlog.event_data.ScriptPath", - "winlog.event_data.SidHistory", - "winlog.event_data.ScriptBlockText", - "winlog.event_data.Service", - "winlog.event_data.ServiceAccount", - "winlog.event_data.ServiceFileName", - "winlog.event_data.ServiceName", - "winlog.event_data.ServiceSid", - "winlog.event_data.ServiceStartType", - "winlog.event_data.ServiceType", - "winlog.event_data.ServiceVersion", - "winlog.event_data.SessionName", - "winlog.event_data.ShutdownActionType", - "winlog.event_data.ShutdownEventCode", - "winlog.event_data.ShutdownReason", - "winlog.event_data.SidFilteringEnabled", - "winlog.event_data.Signature", - "winlog.event_data.SignatureStatus", - "winlog.event_data.Signed", - "winlog.event_data.StartTime", - "winlog.event_data.State", - "winlog.event_data.Status", - "winlog.event_data.StatusDescription", - "winlog.event_data.StopTime", - "winlog.event_data.SubCategory", - "winlog.event_data.SubCategoryGuid", - "winlog.event_data.SubcategoryGuid", - "winlog.event_data.SubCategoryId", - "winlog.event_data.SubcategoryId", - "winlog.event_data.SubjectDomainName", - "winlog.event_data.SubjectLogonId", - "winlog.event_data.SubjectUserName", - "winlog.event_data.SubjectUserSid", - "winlog.event_data.SubStatus", - "winlog.event_data.TSId", - "winlog.event_data.TargetDomainName", - "winlog.event_data.TargetInfo", - "winlog.event_data.TargetLogonGuid", - "winlog.event_data.TargetLogonId", - "winlog.event_data.TargetServerName", - "winlog.event_data.TargetSid", - "winlog.event_data.TargetUserName", - "winlog.event_data.TargetUserSid", - "winlog.event_data.TdoAttributes", - "winlog.event_data.TdoDirection", - "winlog.event_data.TdoType", - "winlog.event_data.TerminalSessionId", - "winlog.event_data.TicketEncryptionType", - "winlog.event_data.TicketEncryptionTypeDescription", - "winlog.event_data.TicketOptions", - "winlog.event_data.TicketOptionsDescription", - "winlog.event_data.TokenElevationType", - "winlog.event_data.TransmittedServices", - "winlog.event_data.UserAccountControl", - "winlog.event_data.UserParameters", - "winlog.event_data.UserPrincipalName", - "winlog.event_data.UserSid", - "winlog.event_data.UserWorkstations", - "winlog.event_data.Version", - "winlog.event_data.Workstation", - "winlog.event_data.WorkstationName", - "winlog.event_data.param1", - "winlog.event_data.param2", - "winlog.event_data.param3", - "winlog.event_data.param4", - "winlog.event_data.param5", - "winlog.event_data.param6", - "winlog.event_data.param7", - "winlog.event_data.param8", - "winlog.event_id", - "winlog.keywords", - "winlog.level", - "winlog.outcome", - "winlog.record_id", - "winlog.related_activity_id", - "winlog.opcode", - "winlog.provider_guid", - "winlog.provider_name", - "winlog.task", - "winlog.time_created", - "winlog.trustAttribute", - "winlog.trustDirection", - "winlog.trustType", - "winlog.user_data.BackupPath", - "winlog.user_data.Channel", - "winlog.user_data.SubjectDomainName", - "winlog.user_data.SubjectLogonId", - "winlog.user_data.SubjectUserName", - "winlog.user_data.SubjectUserSid", - "winlog.user_data.xml_name", - "winlog.user.identifier", - "winlog.user.name", - "winlog.user.domain", - "winlog.user.type" - ] - } - } - }, - "mappings": { - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "args_count": { - "type": "long" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "title": { - "ignore_above": 1024, - "type": "keyword" - }, - "command_line": { - "ignore_above": 1024, - "type": "wildcard" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "winlog": { - "properties": { - "related_activity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "keywords": { - "ignore_above": 1024, - "type": "keyword" - }, - "logon": { - "properties": { - "failure": { - "properties": { - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "channel": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_data": { - "properties": { - "ProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "OriginalFileName": { - "ignore_above": 1024, - "type": "keyword" - }, - "BootMode": { - "ignore_above": 1024, - "type": "keyword" - }, - "Product": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonHours": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetLogonGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "FileVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "TicketOptions": { - "ignore_above": 1024, - "type": "keyword" - }, - "AllowedToDelegateTo": { - "ignore_above": 1024, - "type": "keyword" - }, - "TdoAttributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "StopTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "Status": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccessMask": { - "ignore_above": 1024, - "type": "keyword" - }, - "KeyLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "ResourceAttributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "SessionName": { - "ignore_above": 1024, - "type": "keyword" - }, - "PasswordHistoryLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetInfo": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSd": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "Group": { - "ignore_above": 1024, - "type": "keyword" - }, - "PackageName": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownActionType": { - "ignore_above": 1024, - "type": "keyword" - }, - "DwordVal": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceVersionMajor": { - "ignore_above": 1024, - "type": "keyword" - }, - "SidHistory": { - "ignore_above": 1024, - "type": "keyword" - }, - "TransmittedServices": { - "ignore_above": 1024, - "type": "keyword" - }, - "WorkstationName": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "IdleStateCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "Path": { - "ignore_above": 1024, - "type": "keyword" - }, - "SchemaVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "CrashOnAuditFailValue": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessPath": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceVersionMinor": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "HandleId": { - "ignore_above": 1024, - "type": "keyword" - }, - "IpAddress": { - "ignore_above": 1024, - "type": "keyword" - }, - "LastShutdownGood": { - "ignore_above": 1024, - "type": "keyword" - }, - "IpPort": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriverNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "LmPackageName": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "LastBootGood": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccessListDescription": { - "ignore_above": 1024, - "type": "keyword" - }, - "PuaCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "Version": { - "ignore_above": 1024, - "type": "keyword" - }, - "MachineAccountQuota": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldUacValue": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserParameters": { - "ignore_above": 1024, - "type": "keyword" - }, - "Signed": { - "ignore_above": 1024, - "type": "keyword" - }, - "StartTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubCategoryId": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldTargetUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewUacValue": { - "ignore_above": 1024, - "type": "keyword" - }, - "CallerProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProfilePath": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "State": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureReason": { - "ignore_above": 1024, - "type": "keyword" - }, - "BootType": { - "ignore_above": 1024, - "type": "keyword" - }, - "Binary": { - "ignore_above": 1024, - "type": "keyword" - }, - "ImpersonationLevel": { - "ignore_above": 1024, - "type": "keyword" - }, - "MemberName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "DomainPolicyChanged": { - "ignore_above": 1024, - "type": "keyword" - }, - "CategoryId": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreAuthType": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccountDomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "MemberSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriverName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewUACList": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubcategoryGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownReason": { - "ignore_above": 1024, - "type": "keyword" - }, - "SidFilteringEnabled": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetServerName": { - "ignore_above": 1024, - "type": "keyword" - }, - "AuditPolicyChanges": { - "ignore_above": 1024, - "type": "keyword" - }, - "Number": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "EventSourceId": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriveName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonType": { - "ignore_above": 1024, - "type": "keyword" - }, - "ExtraInfo": { - "ignore_above": 1024, - "type": "keyword" - }, - "PrimaryGroupId": { - "ignore_above": 1024, - "type": "keyword" - }, - "ObjectName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "Workstation": { - "ignore_above": 1024, - "type": "keyword" - }, - "PasswordLastSet": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSchemeGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinimumThrottlePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "GroupTypeChange": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccessList": { - "ignore_above": 1024, - "type": "keyword" - }, - "AuthenticationPackageName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NominalFrequency": { - "ignore_above": 1024, - "type": "keyword" - }, - "SignatureStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "DomainSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "ScriptPath": { - "ignore_above": 1024, - "type": "keyword" - }, - "TicketEncryptionType": { - "ignore_above": 1024, - "type": "keyword" - }, - "TicketOptionsDescription": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceType": { - "ignore_above": 1024, - "type": "keyword" - }, - "ObjectServer": { - "ignore_above": 1024, - "type": "keyword" - }, - "HomePath": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserWorkstations": { - "ignore_above": 1024, - "type": "keyword" - }, - "SamAccountName": { - "ignore_above": 1024, - "type": "keyword" - }, - "DomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "CorruptionActionState": { - "ignore_above": 1024, - "type": "keyword" - }, - "AuditSourceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubCategoryGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreviousCreationUtcTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "AuditPolicyChangesDescription": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccessMaskDescription": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccountName": { - "ignore_above": 1024, - "type": "keyword" - }, - "PerformanceImplementation": { - "ignore_above": 1024, - "type": "keyword" - }, - "TicketEncryptionTypeDescription": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceAccount": { - "ignore_above": 1024, - "type": "keyword" - }, - "Description": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessPid": { - "ignore_above": 1024, - "type": "keyword" - }, - "ScriptBlockText": { - "ignore_above": 1024, - "type": "keyword" - }, - "ObjectType": { - "ignore_above": 1024, - "type": "keyword" - }, - "MaximumPerformancePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "KerberosPolicyChange": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "FinalStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "MajorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "MandatoryLabel": { - "ignore_above": 1024, - "type": "keyword" - }, - "HomeDirectory": { - "ignore_above": 1024, - "type": "keyword" - }, - "TokenElevationType": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "IdleImplementation": { - "ignore_above": 1024, - "type": "keyword" - }, - "QfeVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccountExpires": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceStartType": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserPrincipalName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSdSacl1": { - "ignore_above": 1024, - "type": "keyword" - }, - "Dummy": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSdSacl0": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSdSacl2": { - "ignore_above": 1024, - "type": "keyword" - }, - "Company": { - "ignore_above": 1024, - "type": "keyword" - }, - "PuaPolicyId": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSdSacl2": { - "ignore_above": 1024, - "type": "keyword" - }, - "IntegrityLevel": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSdSacl1": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSdSacl0": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSd": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewTargetUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "ClientName": { - "ignore_above": 1024, - "type": "keyword" - }, - "StatusDescription": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSdDacl0": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSdDacl2": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSdDacl1": { - "ignore_above": 1024, - "type": "keyword" - }, - "DomainBehaviorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccessGranted": { - "ignore_above": 1024, - "type": "keyword" - }, - "ParentProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubcategoryId": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccessRemoved": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownEventCode": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreviousTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "MixedDomainMode": { - "ignore_above": 1024, - "type": "keyword" - }, - "Detail": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSdDacl1": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSdDacl0": { - "ignore_above": 1024, - "type": "keyword" - }, - "Category": { - "ignore_above": 1024, - "type": "keyword" - }, - "TerminalSessionId": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSdDacl2": { - "ignore_above": 1024, - "type": "keyword" - }, - "ClientAddress": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSchemeGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "CreationUtcTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "CallerProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TdoType": { - "ignore_above": 1024, - "type": "keyword" - }, - "Reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceFileName": { - "ignore_above": 1024, - "type": "keyword" - }, - "DisplayName": { - "ignore_above": 1024, - "type": "keyword" - }, - "BuildVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinimumPerformancePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TSId": { - "ignore_above": 1024, - "type": "keyword" - }, - "PrivilegeList": { - "ignore_above": 1024, - "type": "keyword" - }, - "param7": { - "ignore_above": 1024, - "type": "keyword" - }, - "param8": { - "ignore_above": 1024, - "type": "keyword" - }, - "param5": { - "ignore_above": 1024, - "type": "keyword" - }, - "param6": { - "ignore_above": 1024, - "type": "keyword" - }, - "Service": { - "ignore_above": 1024, - "type": "keyword" - }, - "TdoDirection": { - "ignore_above": 1024, - "type": "keyword" - }, - "param3": { - "ignore_above": 1024, - "type": "keyword" - }, - "param4": { - "ignore_above": 1024, - "type": "keyword" - }, - "param1": { - "ignore_above": 1024, - "type": "keyword" - }, - "param2": { - "ignore_above": 1024, - "type": "keyword" - }, - "CommandLine": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserAccountControl": { - "ignore_above": 1024, - "type": "keyword" - }, - "OemInformation": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Signature": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubCategory": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "EntryCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonID": { - "ignore_above": 1024, - "type": "keyword" - }, - "BitlockerUserInputTime": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "opcode": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider_guid": { - "ignore_above": 1024, - "type": "keyword" - }, - "activity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "time_created": { - "ignore_above": 1024, - "type": "keyword" - }, - "trustDirection": { - "ignore_above": 1024, - "type": "keyword" - }, - "api": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - }, - "computer_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "process": { - "properties": { - "pid": { - "type": "long" - }, - "thread": { - "properties": { - "id": { - "type": "long" - } - } - } - } - }, - "trustAttribute": { - "ignore_above": 1024, - "type": "keyword" - }, - "level": { - "ignore_above": 1024, - "type": "keyword" - }, - "computerObject": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user_data": { - "properties": { - "SubjectUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "BackupPath": { - "ignore_above": 1024, - "type": "keyword" - }, - "Channel": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "xml_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version": { - "type": "long" - }, - "record_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "task": { - "ignore_above": 1024, - "type": "keyword" - }, - "trustType": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "identifier": { - "ignore_above": 1024, - "type": "keyword" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "log": { - "properties": { - "file": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "source": { - "properties": { - "port": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - } - } - }, - "message": { - "type": "match_only_text" - }, - "tags": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "input": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "related": { - "properties": { - "hosts": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword", - "value": "logs" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "sequence": { - "type": "long" - }, - "ingested": { - "type": "date" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "type": "constant_keyword", - "value": "system" - }, - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "dataset": { - "type": "constant_keyword", - "value": "system.security" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user": { - "properties": { - "effective": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "changes": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "target": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - }, - "_meta": { - "package": { - "name": "system" - }, - "managed_by": "fleet", - "managed": true - } - } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@package.json deleted file mode 100644 index 30576a635..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@package.json +++ /dev/null @@ -1,327 +0,0 @@ -{ - "template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-system.syslog-1.6.4", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.os.full", - "host.type", - "event.action", - "event.category", - "event.code", - "event.kind", - "event.outcome", - "event.provider", - "event.type", - "ecs.version", - "message", - "process.name" - ] - } - } - }, - "mappings": { - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword", - "value": "logs" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "sequence": { - "type": "long" - }, - "ingested": { - "type": "date" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "type": "constant_keyword", - "value": "system" - }, - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "dataset": { - "type": "constant_keyword", - "value": "system.syslog" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "message": { - "type": "match_only_text" - } - } - } - }, - "_meta": { - "package": { - "name": "system" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@package.json deleted file mode 100644 index 068e6846b..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@package.json +++ /dev/null @@ -1,986 +0,0 @@ -{ - "template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-system.system-1.6.4", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "event.action", - "event.category", - "event.code", - "event.kind", - "event.original", - "event.outcome", - "event.provider", - "event.type", - "error.message", - "message", - "winlog.api", - "winlog.activity_id", - "winlog.computer_name", - "winlog.event_data.AuthenticationPackageName", - "winlog.event_data.Binary", - "winlog.event_data.BitlockerUserInputTime", - "winlog.event_data.BootMode", - "winlog.event_data.BootType", - "winlog.event_data.BuildVersion", - "winlog.event_data.Company", - "winlog.event_data.CorruptionActionState", - "winlog.event_data.CreationUtcTime", - "winlog.event_data.Description", - "winlog.event_data.Detail", - "winlog.event_data.DeviceName", - "winlog.event_data.DeviceNameLength", - "winlog.event_data.DeviceTime", - "winlog.event_data.DeviceVersionMajor", - "winlog.event_data.DeviceVersionMinor", - "winlog.event_data.DriveName", - "winlog.event_data.DriverName", - "winlog.event_data.DriverNameLength", - "winlog.event_data.DwordVal", - "winlog.event_data.EntryCount", - "winlog.event_data.ExtraInfo", - "winlog.event_data.FailureName", - "winlog.event_data.FailureNameLength", - "winlog.event_data.FileVersion", - "winlog.event_data.FinalStatus", - "winlog.event_data.Group", - "winlog.event_data.IdleImplementation", - "winlog.event_data.IdleStateCount", - "winlog.event_data.ImpersonationLevel", - "winlog.event_data.IntegrityLevel", - "winlog.event_data.IpAddress", - "winlog.event_data.IpPort", - "winlog.event_data.KeyLength", - "winlog.event_data.LastBootGood", - "winlog.event_data.LastShutdownGood", - "winlog.event_data.LmPackageName", - "winlog.event_data.LogonGuid", - "winlog.event_data.LogonId", - "winlog.event_data.LogonProcessName", - "winlog.event_data.LogonType", - "winlog.event_data.MajorVersion", - "winlog.event_data.MaximumPerformancePercent", - "winlog.event_data.MemberName", - "winlog.event_data.MemberSid", - "winlog.event_data.MinimumPerformancePercent", - "winlog.event_data.MinimumThrottlePercent", - "winlog.event_data.MinorVersion", - "winlog.event_data.NewProcessId", - "winlog.event_data.NewProcessName", - "winlog.event_data.NewSchemeGuid", - "winlog.event_data.NewTime", - "winlog.event_data.NominalFrequency", - "winlog.event_data.Number", - "winlog.event_data.OldSchemeGuid", - "winlog.event_data.OldTime", - "winlog.event_data.OriginalFileName", - "winlog.event_data.Path", - "winlog.event_data.PerformanceImplementation", - "winlog.event_data.PreviousCreationUtcTime", - "winlog.event_data.PreviousTime", - "winlog.event_data.PrivilegeList", - "winlog.event_data.ProcessId", - "winlog.event_data.ProcessName", - "winlog.event_data.ProcessPath", - "winlog.event_data.ProcessPid", - "winlog.event_data.Product", - "winlog.event_data.PuaCount", - "winlog.event_data.PuaPolicyId", - "winlog.event_data.QfeVersion", - "winlog.event_data.Reason", - "winlog.event_data.SchemaVersion", - "winlog.event_data.ScriptBlockText", - "winlog.event_data.ServiceName", - "winlog.event_data.ServiceVersion", - "winlog.event_data.ShutdownActionType", - "winlog.event_data.ShutdownEventCode", - "winlog.event_data.ShutdownReason", - "winlog.event_data.Signature", - "winlog.event_data.SignatureStatus", - "winlog.event_data.Signed", - "winlog.event_data.StartTime", - "winlog.event_data.State", - "winlog.event_data.Status", - "winlog.event_data.StopTime", - "winlog.event_data.SubjectDomainName", - "winlog.event_data.SubjectLogonId", - "winlog.event_data.SubjectUserName", - "winlog.event_data.SubjectUserSid", - "winlog.event_data.TSId", - "winlog.event_data.TargetDomainName", - "winlog.event_data.TargetInfo", - "winlog.event_data.TargetLogonGuid", - "winlog.event_data.TargetLogonId", - "winlog.event_data.TargetServerName", - "winlog.event_data.TargetUserName", - "winlog.event_data.TargetUserSid", - "winlog.event_data.TerminalSessionId", - "winlog.event_data.TokenElevationType", - "winlog.event_data.TransmittedServices", - "winlog.event_data.UserSid", - "winlog.event_data.Version", - "winlog.event_data.Workstation", - "winlog.event_data.param1", - "winlog.event_data.param2", - "winlog.event_data.param3", - "winlog.event_data.param4", - "winlog.event_data.param5", - "winlog.event_data.param6", - "winlog.event_data.param7", - "winlog.event_data.param8", - "winlog.event_id", - "winlog.keywords", - "winlog.channel", - "winlog.record_id", - "winlog.related_activity_id", - "winlog.opcode", - "winlog.provider_guid", - "winlog.provider_name", - "winlog.task", - "winlog.user.identifier", - "winlog.user.name", - "winlog.user.domain", - "winlog.user.type" - ] - } - } - }, - "mappings": { - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - }, - { - "winlog.user_data": { - "path_match": "winlog.user_data.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "winlog": { - "properties": { - "related_activity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "computer_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "process": { - "properties": { - "pid": { - "type": "long" - }, - "thread": { - "properties": { - "id": { - "type": "long" - } - } - } - } - }, - "keywords": { - "ignore_above": 1024, - "type": "keyword" - }, - "channel": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_data": { - "properties": { - "SignatureStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "OriginalFileName": { - "ignore_above": 1024, - "type": "keyword" - }, - "BootMode": { - "ignore_above": 1024, - "type": "keyword" - }, - "Product": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetLogonGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "FileVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "StopTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "Status": { - "ignore_above": 1024, - "type": "keyword" - }, - "CorruptionActionState": { - "ignore_above": 1024, - "type": "keyword" - }, - "KeyLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreviousCreationUtcTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetInfo": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "PerformanceImplementation": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "Group": { - "ignore_above": 1024, - "type": "keyword" - }, - "Description": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownActionType": { - "ignore_above": 1024, - "type": "keyword" - }, - "DwordVal": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessPid": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceVersionMajor": { - "ignore_above": 1024, - "type": "keyword" - }, - "ScriptBlockText": { - "ignore_above": 1024, - "type": "keyword" - }, - "TransmittedServices": { - "ignore_above": 1024, - "type": "keyword" - }, - "MaximumPerformancePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "FinalStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "IdleStateCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "MajorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "Path": { - "ignore_above": 1024, - "type": "keyword" - }, - "SchemaVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "TokenElevationType": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "IdleImplementation": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessPath": { - "ignore_above": 1024, - "type": "keyword" - }, - "QfeVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceVersionMinor": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "IpAddress": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Company": { - "ignore_above": 1024, - "type": "keyword" - }, - "PuaPolicyId": { - "ignore_above": 1024, - "type": "keyword" - }, - "IntegrityLevel": { - "ignore_above": 1024, - "type": "keyword" - }, - "LastShutdownGood": { - "ignore_above": 1024, - "type": "keyword" - }, - "IpPort": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriverNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "LmPackageName": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "LastBootGood": { - "ignore_above": 1024, - "type": "keyword" - }, - "PuaCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "Version": { - "ignore_above": 1024, - "type": "keyword" - }, - "Signed": { - "ignore_above": 1024, - "type": "keyword" - }, - "StartTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownEventCode": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreviousTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "State": { - "ignore_above": 1024, - "type": "keyword" - }, - "BootType": { - "ignore_above": 1024, - "type": "keyword" - }, - "Binary": { - "ignore_above": 1024, - "type": "keyword" - }, - "ImpersonationLevel": { - "ignore_above": 1024, - "type": "keyword" - }, - "MemberName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Detail": { - "ignore_above": 1024, - "type": "keyword" - }, - "TerminalSessionId": { - "ignore_above": 1024, - "type": "keyword" - }, - "MemberSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriverName": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSchemeGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "CreationUtcTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "Reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownReason": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetServerName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Number": { - "ignore_above": 1024, - "type": "keyword" - }, - "BuildVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinimumPerformancePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TSId": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "PrivilegeList": { - "ignore_above": 1024, - "type": "keyword" - }, - "param7": { - "ignore_above": 1024, - "type": "keyword" - }, - "param8": { - "ignore_above": 1024, - "type": "keyword" - }, - "param5": { - "ignore_above": 1024, - "type": "keyword" - }, - "param6": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriveName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonType": { - "ignore_above": 1024, - "type": "keyword" - }, - "ExtraInfo": { - "ignore_above": 1024, - "type": "keyword" - }, - "param3": { - "ignore_above": 1024, - "type": "keyword" - }, - "param4": { - "ignore_above": 1024, - "type": "keyword" - }, - "param1": { - "ignore_above": 1024, - "type": "keyword" - }, - "param2": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "Workstation": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSchemeGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "Signature": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinimumThrottlePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "EntryCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "BitlockerUserInputTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "AuthenticationPackageName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NominalFrequency": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "opcode": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "type": "long" - }, - "record_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "task": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider_guid": { - "ignore_above": 1024, - "type": "keyword" - }, - "activity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "api": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "identifier": { - "ignore_above": 1024, - "type": "keyword" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "type": "constant_keyword", - "value": "system" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "sequence": { - "type": "long" - }, - "ingested": { - "type": "date" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "dataset": { - "type": "constant_keyword", - "value": "system.system" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "error": { - "properties": { - "message": { - "type": "match_only_text" - } - } - }, - "message": { - "type": "match_only_text" - } - } - } - }, - "_meta": { - "package": { - "name": "system" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@package.json deleted file mode 100644 index 967641107..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@package.json +++ /dev/null @@ -1,2544 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-windows.forwarded-1.20.1", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "analysis": { - "analyzer": { - "powershell_script_analyzer": { - "pattern": "[\\W&&[^-]]+", - "type": "pattern" - } - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "event.action", - "event.category", - "event.code", - "event.kind", - "event.outcome", - "event.provider", - "event.type", - "tags", - "input.type", - "destination.domain", - "destination.user.domain", - "destination.user.id", - "destination.user.name", - "dns.answers.class", - "dns.answers.data", - "dns.answers.name", - "dns.answers.type", - "dns.header_flags", - "dns.id", - "dns.op_code", - "dns.question.class", - "dns.question.name", - "dns.question.registered_domain", - "dns.question.subdomain", - "dns.question.top_level_domain", - "dns.question.type", - "dns.response_code", - "dns.type", - "ecs.version", - "file.code_signature.status", - "file.code_signature.subject_name", - "file.directory", - "file.extension", - "file.hash.md5", - "file.hash.sha1", - "file.hash.sha256", - "file.hash.sha512", - "file.name", - "file.path", - "file.pe.architecture", - "file.pe.company", - "file.pe.description", - "file.pe.file_version", - "file.pe.imphash", - "file.pe.original_file_name", - "file.pe.product", - "group.domain", - "group.id", - "group.name", - "log.file.path", - "log.level", - "message", - "network.community_id", - "network.direction", - "network.protocol", - "network.transport", - "network.type", - "process.args", - "process.command_line", - "process.entity_id", - "process.executable", - "process.hash.md5", - "process.hash.sha1", - "process.hash.sha256", - "process.hash.sha512", - "process.name", - "process.parent.args", - "process.parent.command_line", - "process.parent.entity_id", - "process.parent.executable", - "process.parent.hash.md5", - "process.parent.hash.sha1", - "process.parent.hash.sha256", - "process.parent.hash.sha512", - "process.parent.name", - "process.parent.pe.architecture", - "process.parent.pe.company", - "process.parent.pe.description", - "process.parent.pe.file_version", - "process.parent.pe.imphash", - "process.parent.pe.original_file_name", - "process.parent.pe.product", - "process.parent.title", - "process.pe.architecture", - "process.pe.company", - "process.pe.description", - "process.pe.file_version", - "process.pe.imphash", - "process.pe.original_file_name", - "process.pe.product", - "process.title", - "process.working_directory", - "registry.data.strings", - "registry.data.type", - "registry.hive", - "registry.key", - "registry.path", - "registry.value", - "related.hash", - "related.hosts", - "related.user", - "rule.name", - "service.name", - "service.type", - "source.domain", - "source.user.domain", - "source.user.id", - "source.user.name", - "user.domain", - "user.id", - "user.name", - "user.target.group.domain", - "user.target.group.id", - "user.target.group.name", - "user.target.name", - "sysmon.dns.status", - "winlog.logon.type", - "winlog.logon.id", - "winlog.logon.failure.reason", - "winlog.logon.failure.status", - "winlog.logon.failure.sub_status", - "winlog.api", - "winlog.activity_id", - "winlog.computer_name", - "winlog.level", - "winlog.outcome", - "winlog.trustAttribute", - "winlog.trustDirection", - "winlog.trustType", - "winlog.computerObject.domain", - "winlog.computerObject.id", - "winlog.computerObject.name", - "winlog.event_data.AccessGranted", - "winlog.event_data.AccessMask", - "winlog.event_data.AccessMaskDescription", - "winlog.event_data.AccessRemoved", - "winlog.event_data.AccountDomain", - "winlog.event_data.AccountExpires", - "winlog.event_data.AccountName", - "winlog.event_data.AllowedToDelegateTo", - "winlog.event_data.AuditPolicyChanges", - "winlog.event_data.AuditPolicyChangesDescription", - "winlog.event_data.AuditSourceName", - "winlog.event_data.AuthenticationPackageName", - "winlog.event_data.Binary", - "winlog.event_data.BitlockerUserInputTime", - "winlog.event_data.BootMode", - "winlog.event_data.BootType", - "winlog.event_data.BuildVersion", - "winlog.event_data.CallerProcessId", - "winlog.event_data.CallerProcessName", - "winlog.event_data.Category", - "winlog.event_data.CategoryId", - "winlog.event_data.ClientAddress", - "winlog.event_data.ClientInfo", - "winlog.event_data.ClientName", - "winlog.event_data.CommandLine", - "winlog.event_data.Company", - "winlog.event_data.ComputerAccountChange", - "winlog.event_data.Configuration", - "winlog.event_data.CorruptionActionState", - "winlog.event_data.CrashOnAuditFailValue", - "winlog.event_data.CreationUtcTime", - "winlog.event_data.Description", - "winlog.event_data.Detail", - "winlog.event_data.DeviceName", - "winlog.event_data.DeviceNameLength", - "winlog.event_data.DeviceTime", - "winlog.event_data.DeviceVersionMajor", - "winlog.event_data.DeviceVersionMinor", - "winlog.event_data.DisplayName", - "winlog.event_data.DnsHostName", - "winlog.event_data.DomainBehaviorVersion", - "winlog.event_data.DomainName", - "winlog.event_data.DomainPolicyChanged", - "winlog.event_data.DomainSid", - "winlog.event_data.DriveName", - "winlog.event_data.DriverName", - "winlog.event_data.DriverNameLength", - "winlog.event_data.Dummy", - "winlog.event_data.DwordVal", - "winlog.event_data.EntryCount", - "winlog.event_data.EventSourceId", - "winlog.event_data.EventType", - "winlog.event_data.ExtraInfo", - "winlog.event_data.FailureName", - "winlog.event_data.FailureNameLength", - "winlog.event_data.FailureReason", - "winlog.event_data.FileVersion", - "winlog.event_data.FinalStatus", - "winlog.event_data.Group", - "winlog.event_data.GroupTypeChange", - "winlog.event_data.HandleId", - "winlog.event_data.HomeDirectory", - "winlog.event_data.HomePath", - "winlog.event_data.IdleImplementation", - "winlog.event_data.IdleStateCount", - "winlog.event_data.ImpersonationLevel", - "winlog.event_data.IntegrityLevel", - "winlog.event_data.IpAddress", - "winlog.event_data.IpPort", - "winlog.event_data.KerberosPolicyChange", - "winlog.event_data.KeyLength", - "winlog.event_data.LastBootGood", - "winlog.event_data.LastShutdownGood", - "winlog.event_data.LmPackageName", - "winlog.event_data.LogonGuid", - "winlog.event_data.LogonHours", - "winlog.event_data.LogonId", - "winlog.event_data.LogonID", - "winlog.event_data.LogonProcessName", - "winlog.event_data.LogonType", - "winlog.event_data.MachineAccountQuota", - "winlog.event_data.MajorVersion", - "winlog.event_data.MandatoryLabel", - "winlog.event_data.MaximumPerformancePercent", - "winlog.event_data.MemberName", - "winlog.event_data.MemberSid", - "winlog.event_data.MinimumPerformancePercent", - "winlog.event_data.MinimumThrottlePercent", - "winlog.event_data.MinorVersion", - "winlog.event_data.MixedDomainMode", - "winlog.event_data.NewProcessId", - "winlog.event_data.NewProcessName", - "winlog.event_data.NewSchemeGuid", - "winlog.event_data.NewSd", - "winlog.event_data.NewSdDacl0", - "winlog.event_data.NewSdDacl1", - "winlog.event_data.NewSdDacl2", - "winlog.event_data.NewSdSacl0", - "winlog.event_data.NewSdSacl1", - "winlog.event_data.NewSdSacl2", - "winlog.event_data.NewTargetUserName", - "winlog.event_data.NewTime", - "winlog.event_data.NewUACList", - "winlog.event_data.NewUacValue", - "winlog.event_data.NominalFrequency", - "winlog.event_data.Number", - "winlog.event_data.ObjectName", - "winlog.event_data.ObjectServer", - "winlog.event_data.ObjectType", - "winlog.event_data.OemInformation", - "winlog.event_data.OldSchemeGuid", - "winlog.event_data.OldSd", - "winlog.event_data.OldSdDacl0", - "winlog.event_data.OldSdDacl1", - "winlog.event_data.OldSdDacl2", - "winlog.event_data.OldSdSacl0", - "winlog.event_data.OldSdSacl1", - "winlog.event_data.OldSdSacl2", - "winlog.event_data.OldTargetUserName", - "winlog.event_data.OldTime", - "winlog.event_data.OldUacValue", - "winlog.event_data.OriginalFileName", - "winlog.event_data.PackageName", - "winlog.event_data.PasswordLastSet", - "winlog.event_data.PasswordHistoryLength", - "winlog.event_data.Path", - "winlog.event_data.ParentProcessName", - "winlog.event_data.PerformanceImplementation", - "winlog.event_data.PreviousCreationUtcTime", - "winlog.event_data.PreAuthType", - "winlog.event_data.PreviousTime", - "winlog.event_data.PrimaryGroupId", - "winlog.event_data.PrivilegeList", - "winlog.event_data.ProcessId", - "winlog.event_data.ProcessName", - "winlog.event_data.ProcessPath", - "winlog.event_data.ProcessPid", - "winlog.event_data.Product", - "winlog.event_data.ProfilePath", - "winlog.event_data.PuaCount", - "winlog.event_data.PuaPolicyId", - "winlog.event_data.QfeVersion", - "winlog.event_data.Reason", - "winlog.event_data.SamAccountName", - "winlog.event_data.SchemaVersion", - "winlog.event_data.ScriptPath", - "winlog.event_data.Session", - "winlog.event_data.SidHistory", - "winlog.event_data.ScriptBlockText", - "winlog.event_data.Service", - "winlog.event_data.ServiceAccount", - "winlog.event_data.ServiceFileName", - "winlog.event_data.ServiceName", - "winlog.event_data.ServicePrincipalNames", - "winlog.event_data.ServiceSid", - "winlog.event_data.ServiceStartType", - "winlog.event_data.ServiceType", - "winlog.event_data.ServiceVersion", - "winlog.event_data.SessionName", - "winlog.event_data.ShutdownActionType", - "winlog.event_data.ShutdownEventCode", - "winlog.event_data.ShutdownReason", - "winlog.event_data.SidFilteringEnabled", - "winlog.event_data.Signature", - "winlog.event_data.SignatureStatus", - "winlog.event_data.Signed", - "winlog.event_data.StartTime", - "winlog.event_data.State", - "winlog.event_data.Status", - "winlog.event_data.StatusDescription", - "winlog.event_data.StopTime", - "winlog.event_data.SubCategory", - "winlog.event_data.SubCategoryGuid", - "winlog.event_data.SubcategoryGuid", - "winlog.event_data.SubCategoryId", - "winlog.event_data.SubcategoryId", - "winlog.event_data.SubjectDomainName", - "winlog.event_data.SubjectLogonId", - "winlog.event_data.SubjectUserName", - "winlog.event_data.SubjectUserSid", - "winlog.event_data.SubStatus", - "winlog.event_data.TSId", - "winlog.event_data.TargetDomainName", - "winlog.event_data.TargetInfo", - "winlog.event_data.TargetLogonGuid", - "winlog.event_data.TargetLogonId", - "winlog.event_data.TargetServerName", - "winlog.event_data.TargetSid", - "winlog.event_data.TargetUserName", - "winlog.event_data.TargetUserSid", - "winlog.event_data.TdoAttributes", - "winlog.event_data.TdoDirection", - "winlog.event_data.TdoType", - "winlog.event_data.TerminalSessionId", - "winlog.event_data.TicketEncryptionType", - "winlog.event_data.TicketEncryptionTypeDescription", - "winlog.event_data.TicketOptions", - "winlog.event_data.TicketOptionsDescription", - "winlog.event_data.TokenElevationType", - "winlog.event_data.TransmittedServices", - "winlog.event_data.UserAccountControl", - "winlog.event_data.UserParameters", - "winlog.event_data.UserPrincipalName", - "winlog.event_data.UserSid", - "winlog.event_data.UserWorkstations", - "winlog.event_data.Version", - "winlog.event_data.Workstation", - "winlog.event_data.WorkstationName", - "winlog.event_data.param1", - "winlog.event_data.param2", - "winlog.event_data.param3", - "winlog.event_data.param4", - "winlog.event_data.param5", - "winlog.event_data.param6", - "winlog.event_data.param7", - "winlog.event_data.param8", - "winlog.event_id", - "winlog.keywords", - "winlog.channel", - "winlog.record_id", - "winlog.related_activity_id", - "winlog.opcode", - "winlog.provider_guid", - "winlog.provider_name", - "winlog.task", - "winlog.user_data.BackupPath", - "winlog.user_data.Channel", - "winlog.user_data.SubjectDomainName", - "winlog.user_data.SubjectLogonId", - "winlog.user_data.SubjectUserName", - "winlog.user_data.SubjectUserSid", - "winlog.user_data.xml_name", - "winlog.user.identifier", - "winlog.user.name", - "winlog.user.domain", - "winlog.user.type", - "powershell.id", - "powershell.pipeline_id", - "powershell.runspace_id", - "powershell.command.path", - "powershell.command.name", - "powershell.command.type", - "powershell.command.value", - "powershell.connected_user.domain", - "powershell.connected_user.name", - "powershell.engine.version", - "powershell.engine.previous_state", - "powershell.engine.new_state", - "powershell.file.script_block_id", - "powershell.file.script_block_text", - "powershell.process.executable_version", - "powershell.provider.new_state", - "powershell.provider.name" - ] - } - } - }, - "mappings": { - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "sysmon": { - "properties": { - "file": { - "properties": { - "archived": { - "type": "boolean" - }, - "is_executable": { - "type": "boolean" - } - } - }, - "dns": { - "properties": { - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "log": { - "properties": { - "file": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "destination": { - "properties": { - "port": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "rule": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "source": { - "properties": { - "port": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "network": { - "properties": { - "community_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "transport": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "file": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "valid": { - "type": "boolean" - }, - "trusted": { - "type": "boolean" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pe": { - "properties": { - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "related": { - "properties": { - "hosts": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "powershell": { - "properties": { - "sequence": { - "type": "long" - }, - "total": { - "type": "long" - }, - "connected_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "executable_version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "script_block_text": { - "search_analyzer": "powershell_script_analyzer", - "analyzer": "powershell_script_analyzer", - "type": "text" - }, - "script_block_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "engine": { - "properties": { - "previous_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "new_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "new_state": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "runspace_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pipeline_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "command": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "type": "text" - } - } - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "sequence": { - "type": "long" - }, - "ingested": { - "type": "date" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "type": "constant_keyword", - "value": "windows" - }, - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "dataset": { - "type": "constant_keyword", - "value": "windows.forwarded" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "registry": { - "properties": { - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "properties": { - "strings": { - "ignore_above": 1024, - "type": "wildcard" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "start": { - "type": "date" - }, - "pid": { - "type": "long" - }, - "args_count": { - "type": "long" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "title": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "wildcard", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "executable": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "hash": { - "properties": { - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "pe": { - "properties": { - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "pid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "args_count": { - "type": "long" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "title": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "wildcard", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "executable": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "hash": { - "properties": { - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "winlog": { - "properties": { - "related_activity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "keywords": { - "ignore_above": 1024, - "type": "keyword" - }, - "logon": { - "properties": { - "failure": { - "properties": { - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "channel": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_data": { - "properties": { - "ProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "Configuration": { - "ignore_above": 1024, - "type": "keyword" - }, - "OriginalFileName": { - "ignore_above": 1024, - "type": "keyword" - }, - "BootMode": { - "ignore_above": 1024, - "type": "keyword" - }, - "Product": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonHours": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetLogonGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "FileVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "TicketOptions": { - "ignore_above": 1024, - "type": "keyword" - }, - "AllowedToDelegateTo": { - "ignore_above": 1024, - "type": "keyword" - }, - "TdoAttributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "StopTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "Status": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccessMask": { - "ignore_above": 1024, - "type": "keyword" - }, - "KeyLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "SessionName": { - "ignore_above": 1024, - "type": "keyword" - }, - "PasswordHistoryLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetInfo": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSd": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "Group": { - "ignore_above": 1024, - "type": "keyword" - }, - "PackageName": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownActionType": { - "ignore_above": 1024, - "type": "keyword" - }, - "DwordVal": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceVersionMajor": { - "ignore_above": 1024, - "type": "keyword" - }, - "SidHistory": { - "ignore_above": 1024, - "type": "keyword" - }, - "TransmittedServices": { - "ignore_above": 1024, - "type": "keyword" - }, - "WorkstationName": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "IdleStateCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "Path": { - "ignore_above": 1024, - "type": "keyword" - }, - "SchemaVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "CrashOnAuditFailValue": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessPath": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceVersionMinor": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "HandleId": { - "ignore_above": 1024, - "type": "keyword" - }, - "IpAddress": { - "ignore_above": 1024, - "type": "keyword" - }, - "DnsHostName": { - "ignore_above": 1024, - "type": "keyword" - }, - "LastShutdownGood": { - "ignore_above": 1024, - "type": "keyword" - }, - "IpPort": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriverNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "LmPackageName": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "LastBootGood": { - "ignore_above": 1024, - "type": "keyword" - }, - "PuaCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "Version": { - "ignore_above": 1024, - "type": "keyword" - }, - "MachineAccountQuota": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldUacValue": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserParameters": { - "ignore_above": 1024, - "type": "keyword" - }, - "Signed": { - "ignore_above": 1024, - "type": "keyword" - }, - "StartTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubCategoryId": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldTargetUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewUacValue": { - "ignore_above": 1024, - "type": "keyword" - }, - "CallerProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProfilePath": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "State": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureReason": { - "ignore_above": 1024, - "type": "keyword" - }, - "ComputerAccountChange": { - "ignore_above": 1024, - "type": "keyword" - }, - "BootType": { - "ignore_above": 1024, - "type": "keyword" - }, - "Binary": { - "ignore_above": 1024, - "type": "keyword" - }, - "ImpersonationLevel": { - "ignore_above": 1024, - "type": "keyword" - }, - "MemberName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "DomainPolicyChanged": { - "ignore_above": 1024, - "type": "keyword" - }, - "CategoryId": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreAuthType": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccountDomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "MemberSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriverName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewUACList": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubcategoryGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownReason": { - "ignore_above": 1024, - "type": "keyword" - }, - "SidFilteringEnabled": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetServerName": { - "ignore_above": 1024, - "type": "keyword" - }, - "AuditPolicyChanges": { - "ignore_above": 1024, - "type": "keyword" - }, - "Number": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "EventSourceId": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriveName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonType": { - "ignore_above": 1024, - "type": "keyword" - }, - "ExtraInfo": { - "ignore_above": 1024, - "type": "keyword" - }, - "PrimaryGroupId": { - "ignore_above": 1024, - "type": "keyword" - }, - "ObjectName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "Workstation": { - "ignore_above": 1024, - "type": "keyword" - }, - "PasswordLastSet": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSchemeGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinimumThrottlePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "GroupTypeChange": { - "ignore_above": 1024, - "type": "keyword" - }, - "AuthenticationPackageName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NominalFrequency": { - "ignore_above": 1024, - "type": "keyword" - }, - "SignatureStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "DomainSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "ScriptPath": { - "ignore_above": 1024, - "type": "keyword" - }, - "TicketEncryptionType": { - "ignore_above": 1024, - "type": "keyword" - }, - "TicketOptionsDescription": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceType": { - "ignore_above": 1024, - "type": "keyword" - }, - "ObjectServer": { - "ignore_above": 1024, - "type": "keyword" - }, - "HomePath": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserWorkstations": { - "ignore_above": 1024, - "type": "keyword" - }, - "SamAccountName": { - "ignore_above": 1024, - "type": "keyword" - }, - "DomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "CorruptionActionState": { - "ignore_above": 1024, - "type": "keyword" - }, - "AuditSourceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubCategoryGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreviousCreationUtcTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "AuditPolicyChangesDescription": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccessMaskDescription": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccountName": { - "ignore_above": 1024, - "type": "keyword" - }, - "PerformanceImplementation": { - "ignore_above": 1024, - "type": "keyword" - }, - "TicketEncryptionTypeDescription": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceAccount": { - "ignore_above": 1024, - "type": "keyword" - }, - "Description": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessPid": { - "ignore_above": 1024, - "type": "keyword" - }, - "ScriptBlockText": { - "ignore_above": 1024, - "type": "keyword" - }, - "ObjectType": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServicePrincipalNames": { - "ignore_above": 1024, - "type": "keyword" - }, - "MaximumPerformancePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "KerberosPolicyChange": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "FinalStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "MajorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "MandatoryLabel": { - "ignore_above": 1024, - "type": "keyword" - }, - "HomeDirectory": { - "ignore_above": 1024, - "type": "keyword" - }, - "TokenElevationType": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "IdleImplementation": { - "ignore_above": 1024, - "type": "keyword" - }, - "QfeVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccountExpires": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceStartType": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserPrincipalName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSdSacl1": { - "ignore_above": 1024, - "type": "keyword" - }, - "Dummy": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSdSacl0": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSdSacl2": { - "ignore_above": 1024, - "type": "keyword" - }, - "Company": { - "ignore_above": 1024, - "type": "keyword" - }, - "PuaPolicyId": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSdSacl2": { - "ignore_above": 1024, - "type": "keyword" - }, - "EventType": { - "ignore_above": 1024, - "type": "keyword" - }, - "IntegrityLevel": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSdSacl1": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSdSacl0": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSd": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewTargetUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "ClientName": { - "ignore_above": 1024, - "type": "keyword" - }, - "StatusDescription": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSdDacl0": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSdDacl2": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSdDacl1": { - "ignore_above": 1024, - "type": "keyword" - }, - "DomainBehaviorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccessGranted": { - "ignore_above": 1024, - "type": "keyword" - }, - "ParentProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubcategoryId": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccessRemoved": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownEventCode": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreviousTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "MixedDomainMode": { - "ignore_above": 1024, - "type": "keyword" - }, - "ClientInfo": { - "ignore_above": 1024, - "type": "keyword" - }, - "Detail": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSdDacl1": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSdDacl0": { - "ignore_above": 1024, - "type": "keyword" - }, - "Category": { - "ignore_above": 1024, - "type": "keyword" - }, - "TerminalSessionId": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSdDacl2": { - "ignore_above": 1024, - "type": "keyword" - }, - "ClientAddress": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSchemeGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "CreationUtcTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "CallerProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TdoType": { - "ignore_above": 1024, - "type": "keyword" - }, - "Reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceFileName": { - "ignore_above": 1024, - "type": "keyword" - }, - "DisplayName": { - "ignore_above": 1024, - "type": "keyword" - }, - "BuildVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinimumPerformancePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TSId": { - "ignore_above": 1024, - "type": "keyword" - }, - "PrivilegeList": { - "ignore_above": 1024, - "type": "keyword" - }, - "param7": { - "ignore_above": 1024, - "type": "keyword" - }, - "param8": { - "ignore_above": 1024, - "type": "keyword" - }, - "param5": { - "ignore_above": 1024, - "type": "keyword" - }, - "param6": { - "ignore_above": 1024, - "type": "keyword" - }, - "Service": { - "ignore_above": 1024, - "type": "keyword" - }, - "TdoDirection": { - "ignore_above": 1024, - "type": "keyword" - }, - "param3": { - "ignore_above": 1024, - "type": "keyword" - }, - "param4": { - "ignore_above": 1024, - "type": "keyword" - }, - "param1": { - "ignore_above": 1024, - "type": "keyword" - }, - "param2": { - "ignore_above": 1024, - "type": "keyword" - }, - "CommandLine": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserAccountControl": { - "ignore_above": 1024, - "type": "keyword" - }, - "OemInformation": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Signature": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubCategory": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "EntryCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonID": { - "ignore_above": 1024, - "type": "keyword" - }, - "BitlockerUserInputTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "Session": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "opcode": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider_guid": { - "ignore_above": 1024, - "type": "keyword" - }, - "activity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "time_created": { - "type": "date" - }, - "trustDirection": { - "ignore_above": 1024, - "type": "keyword" - }, - "api": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - }, - "computer_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "trustAttribute": { - "ignore_above": 1024, - "type": "keyword" - }, - "process": { - "properties": { - "pid": { - "type": "long" - }, - "thread": { - "properties": { - "id": { - "type": "long" - } - } - } - } - }, - "level": { - "ignore_above": 1024, - "type": "keyword" - }, - "computerObject": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user_data": { - "properties": { - "SubjectUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "BackupPath": { - "ignore_above": 1024, - "type": "keyword" - }, - "Channel": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "xml_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version": { - "type": "long" - }, - "record_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "task": { - "ignore_above": 1024, - "type": "keyword" - }, - "trustType": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "identifier": { - "ignore_above": 1024, - "type": "keyword" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "dns": { - "properties": { - "op_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "resolved_ip": { - "type": "ip" - }, - "response_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "question": { - "properties": { - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "answers": { - "properties": { - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "ttl": { - "type": "long" - } - } - }, - "header_flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "message": { - "type": "match_only_text" - }, - "tags": { - "ignore_above": 1024, - "type": "keyword" - }, - "input": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "dataset": { - "properties": { - "name": { - "type": "constant_keyword" - }, - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - } - } - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "target": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - } - } - } - }, - "_meta": { - "package": { - "name": "windows" - }, - "managed_by": "fleet", - "managed": true - } - } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@package.json deleted file mode 100644 index ad0ff857e..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@package.json +++ /dev/null @@ -1,1335 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-windows.powershell-1.20.1", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "analysis": { - "analyzer": { - "powershell_script_analyzer": { - "pattern": "[\\W&&[^-]]+", - "type": "pattern" - } - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "event.action", - "event.category", - "event.code", - "event.kind", - "event.outcome", - "event.provider", - "event.type", - "tags", - "input.type", - "destination.user.domain", - "destination.user.id", - "destination.user.name", - "ecs.version", - "file.directory", - "file.extension", - "file.name", - "file.path", - "log.level", - "message", - "process.args", - "process.command_line", - "process.entity_id", - "process.executable", - "process.name", - "process.title", - "related.hash", - "related.hosts", - "related.user", - "source.user.domain", - "source.user.id", - "source.user.name", - "user.domain", - "user.id", - "user.name", - "powershell.id", - "powershell.pipeline_id", - "powershell.runspace_id", - "powershell.command.path", - "powershell.command.name", - "powershell.command.type", - "powershell.command.value", - "powershell.connected_user.domain", - "powershell.connected_user.name", - "powershell.engine.version", - "powershell.engine.previous_state", - "powershell.engine.new_state", - "powershell.file.script_block_id", - "powershell.file.script_block_text", - "powershell.process.executable_version", - "powershell.provider.new_state", - "powershell.provider.name", - "winlog.api", - "winlog.activity_id", - "winlog.computer_name", - "winlog.event_data.AuthenticationPackageName", - "winlog.event_data.Binary", - "winlog.event_data.BitlockerUserInputTime", - "winlog.event_data.BootMode", - "winlog.event_data.BootType", - "winlog.event_data.BuildVersion", - "winlog.event_data.Company", - "winlog.event_data.CorruptionActionState", - "winlog.event_data.CreationUtcTime", - "winlog.event_data.Description", - "winlog.event_data.Detail", - "winlog.event_data.DeviceName", - "winlog.event_data.DeviceNameLength", - "winlog.event_data.DeviceTime", - "winlog.event_data.DeviceVersionMajor", - "winlog.event_data.DeviceVersionMinor", - "winlog.event_data.DriveName", - "winlog.event_data.DriverName", - "winlog.event_data.DriverNameLength", - "winlog.event_data.DwordVal", - "winlog.event_data.EntryCount", - "winlog.event_data.ExtraInfo", - "winlog.event_data.FailureName", - "winlog.event_data.FailureNameLength", - "winlog.event_data.FileVersion", - "winlog.event_data.FinalStatus", - "winlog.event_data.Group", - "winlog.event_data.IdleImplementation", - "winlog.event_data.IdleStateCount", - "winlog.event_data.ImpersonationLevel", - "winlog.event_data.IntegrityLevel", - "winlog.event_data.IpAddress", - "winlog.event_data.IpPort", - "winlog.event_data.KeyLength", - "winlog.event_data.LastBootGood", - "winlog.event_data.LastShutdownGood", - "winlog.event_data.LmPackageName", - "winlog.event_data.LogonGuid", - "winlog.event_data.LogonId", - "winlog.event_data.LogonProcessName", - "winlog.event_data.LogonType", - "winlog.event_data.MajorVersion", - "winlog.event_data.MaximumPerformancePercent", - "winlog.event_data.MemberName", - "winlog.event_data.MemberSid", - "winlog.event_data.MinimumPerformancePercent", - "winlog.event_data.MinimumThrottlePercent", - "winlog.event_data.MinorVersion", - "winlog.event_data.NewProcessId", - "winlog.event_data.NewProcessName", - "winlog.event_data.NewSchemeGuid", - "winlog.event_data.NewTime", - "winlog.event_data.NominalFrequency", - "winlog.event_data.Number", - "winlog.event_data.OldSchemeGuid", - "winlog.event_data.OldTime", - "winlog.event_data.OriginalFileName", - "winlog.event_data.Path", - "winlog.event_data.PerformanceImplementation", - "winlog.event_data.PreviousCreationUtcTime", - "winlog.event_data.PreviousTime", - "winlog.event_data.PrivilegeList", - "winlog.event_data.ProcessId", - "winlog.event_data.ProcessName", - "winlog.event_data.ProcessPath", - "winlog.event_data.ProcessPid", - "winlog.event_data.Product", - "winlog.event_data.PuaCount", - "winlog.event_data.PuaPolicyId", - "winlog.event_data.QfeVersion", - "winlog.event_data.Reason", - "winlog.event_data.SchemaVersion", - "winlog.event_data.ScriptBlockText", - "winlog.event_data.ServiceName", - "winlog.event_data.ServiceVersion", - "winlog.event_data.ShutdownActionType", - "winlog.event_data.ShutdownEventCode", - "winlog.event_data.ShutdownReason", - "winlog.event_data.Signature", - "winlog.event_data.SignatureStatus", - "winlog.event_data.Signed", - "winlog.event_data.StartTime", - "winlog.event_data.State", - "winlog.event_data.Status", - "winlog.event_data.StopTime", - "winlog.event_data.SubjectDomainName", - "winlog.event_data.SubjectLogonId", - "winlog.event_data.SubjectUserName", - "winlog.event_data.SubjectUserSid", - "winlog.event_data.TSId", - "winlog.event_data.TargetDomainName", - "winlog.event_data.TargetInfo", - "winlog.event_data.TargetLogonGuid", - "winlog.event_data.TargetLogonId", - "winlog.event_data.TargetServerName", - "winlog.event_data.TargetUserName", - "winlog.event_data.TargetUserSid", - "winlog.event_data.TerminalSessionId", - "winlog.event_data.TokenElevationType", - "winlog.event_data.TransmittedServices", - "winlog.event_data.UserSid", - "winlog.event_data.Version", - "winlog.event_data.Workstation", - "winlog.event_data.param1", - "winlog.event_data.param2", - "winlog.event_data.param3", - "winlog.event_data.param4", - "winlog.event_data.param5", - "winlog.event_data.param6", - "winlog.event_data.param7", - "winlog.event_data.param8", - "winlog.event_id", - "winlog.keywords", - "winlog.channel", - "winlog.record_id", - "winlog.related_activity_id", - "winlog.opcode", - "winlog.provider_guid", - "winlog.provider_name", - "winlog.task", - "winlog.user.identifier", - "winlog.user.name", - "winlog.user.domain", - "winlog.user.type" - ] - } - } - }, - "mappings": { - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - }, - { - "winlog.user_data": { - "path_match": "winlog.user_data.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "pid": { - "type": "long" - }, - "args_count": { - "type": "long" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "title": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "wildcard", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "executable": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - } - } - }, - "winlog": { - "properties": { - "related_activity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "computer_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "process": { - "properties": { - "pid": { - "type": "long" - }, - "thread": { - "properties": { - "id": { - "type": "long" - } - } - } - } - }, - "keywords": { - "ignore_above": 1024, - "type": "keyword" - }, - "channel": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_data": { - "properties": { - "SignatureStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "OriginalFileName": { - "ignore_above": 1024, - "type": "keyword" - }, - "BootMode": { - "ignore_above": 1024, - "type": "keyword" - }, - "Product": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetLogonGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "FileVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "StopTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "Status": { - "ignore_above": 1024, - "type": "keyword" - }, - "CorruptionActionState": { - "ignore_above": 1024, - "type": "keyword" - }, - "KeyLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreviousCreationUtcTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetInfo": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "PerformanceImplementation": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "Group": { - "ignore_above": 1024, - "type": "keyword" - }, - "Description": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownActionType": { - "ignore_above": 1024, - "type": "keyword" - }, - "DwordVal": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessPid": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceVersionMajor": { - "ignore_above": 1024, - "type": "keyword" - }, - "ScriptBlockText": { - "ignore_above": 1024, - "type": "keyword" - }, - "TransmittedServices": { - "ignore_above": 1024, - "type": "keyword" - }, - "MaximumPerformancePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "FinalStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "IdleStateCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "MajorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "Path": { - "ignore_above": 1024, - "type": "keyword" - }, - "SchemaVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "TokenElevationType": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "IdleImplementation": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessPath": { - "ignore_above": 1024, - "type": "keyword" - }, - "QfeVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceVersionMinor": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "IpAddress": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Company": { - "ignore_above": 1024, - "type": "keyword" - }, - "PuaPolicyId": { - "ignore_above": 1024, - "type": "keyword" - }, - "IntegrityLevel": { - "ignore_above": 1024, - "type": "keyword" - }, - "LastShutdownGood": { - "ignore_above": 1024, - "type": "keyword" - }, - "IpPort": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriverNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "LmPackageName": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "LastBootGood": { - "ignore_above": 1024, - "type": "keyword" - }, - "PuaCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "Version": { - "ignore_above": 1024, - "type": "keyword" - }, - "Signed": { - "ignore_above": 1024, - "type": "keyword" - }, - "StartTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownEventCode": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreviousTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "State": { - "ignore_above": 1024, - "type": "keyword" - }, - "BootType": { - "ignore_above": 1024, - "type": "keyword" - }, - "Binary": { - "ignore_above": 1024, - "type": "keyword" - }, - "ImpersonationLevel": { - "ignore_above": 1024, - "type": "keyword" - }, - "MemberName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Detail": { - "ignore_above": 1024, - "type": "keyword" - }, - "TerminalSessionId": { - "ignore_above": 1024, - "type": "keyword" - }, - "MemberSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriverName": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSchemeGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "CreationUtcTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "Reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownReason": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetServerName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Number": { - "ignore_above": 1024, - "type": "keyword" - }, - "BuildVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinimumPerformancePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TSId": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "PrivilegeList": { - "ignore_above": 1024, - "type": "keyword" - }, - "param7": { - "ignore_above": 1024, - "type": "keyword" - }, - "param8": { - "ignore_above": 1024, - "type": "keyword" - }, - "param5": { - "ignore_above": 1024, - "type": "keyword" - }, - "param6": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriveName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonType": { - "ignore_above": 1024, - "type": "keyword" - }, - "ExtraInfo": { - "ignore_above": 1024, - "type": "keyword" - }, - "param3": { - "ignore_above": 1024, - "type": "keyword" - }, - "param4": { - "ignore_above": 1024, - "type": "keyword" - }, - "param1": { - "ignore_above": 1024, - "type": "keyword" - }, - "param2": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "Workstation": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSchemeGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "Signature": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinimumThrottlePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "EntryCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "BitlockerUserInputTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "AuthenticationPackageName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NominalFrequency": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "opcode": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "type": "long" - }, - "record_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "task": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider_guid": { - "ignore_above": 1024, - "type": "keyword" - }, - "activity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "api": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "identifier": { - "ignore_above": 1024, - "type": "keyword" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "destination": { - "properties": { - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "source": { - "properties": { - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "message": { - "type": "match_only_text" - }, - "tags": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "input": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "file": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "related": { - "properties": { - "hosts": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "powershell": { - "properties": { - "sequence": { - "type": "long" - }, - "total": { - "type": "long" - }, - "connected_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "executable_version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "script_block_text": { - "search_analyzer": "powershell_script_analyzer", - "analyzer": "powershell_script_analyzer", - "type": "text" - }, - "script_block_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "engine": { - "properties": { - "previous_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "new_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "new_state": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "runspace_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pipeline_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "command": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "type": "text" - } - } - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "sequence": { - "type": "long" - }, - "ingested": { - "type": "date" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "type": "constant_keyword", - "value": "windows" - }, - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "dataset": { - "type": "constant_keyword", - "value": "windows.powershell" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "dataset": { - "properties": { - "name": { - "type": "constant_keyword" - }, - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - } - } - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - }, - "_meta": { - "package": { - "name": "windows" - }, - "managed_by": "fleet", - "managed": true - } - } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@package.json deleted file mode 100644 index b5cc588c9..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@package.json +++ /dev/null @@ -1,1334 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-windows.powershell_operational-1.20.1", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "analysis": { - "analyzer": { - "powershell_script_analyzer": { - "pattern": "[\\W&&[^-]]+", - "type": "pattern" - } - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "event.action", - "event.category", - "event.code", - "event.kind", - "event.outcome", - "event.provider", - "event.type", - "tags", - "input.type", - "destination.user.domain", - "destination.user.id", - "destination.user.name", - "ecs.version", - "file.directory", - "file.extension", - "file.name", - "file.path", - "log.level", - "message", - "process.args", - "process.command_line", - "process.entity_id", - "process.executable", - "process.name", - "process.title", - "related.hash", - "related.hosts", - "related.user", - "source.user.domain", - "source.user.id", - "source.user.name", - "user.domain", - "user.id", - "user.name", - "powershell.id", - "powershell.pipeline_id", - "powershell.runspace_id", - "powershell.command.path", - "powershell.command.name", - "powershell.command.type", - "powershell.command.value", - "powershell.connected_user.domain", - "powershell.connected_user.name", - "powershell.engine.version", - "powershell.engine.previous_state", - "powershell.engine.new_state", - "powershell.file.script_block_id", - "powershell.file.script_block_text", - "powershell.process.executable_version", - "powershell.provider.new_state", - "powershell.provider.name", - "winlog.api", - "winlog.activity_id", - "winlog.computer_name", - "winlog.event_data.AuthenticationPackageName", - "winlog.event_data.Binary", - "winlog.event_data.BitlockerUserInputTime", - "winlog.event_data.BootMode", - "winlog.event_data.BootType", - "winlog.event_data.BuildVersion", - "winlog.event_data.Company", - "winlog.event_data.CorruptionActionState", - "winlog.event_data.CreationUtcTime", - "winlog.event_data.Description", - "winlog.event_data.Detail", - "winlog.event_data.DeviceName", - "winlog.event_data.DeviceNameLength", - "winlog.event_data.DeviceTime", - "winlog.event_data.DeviceVersionMajor", - "winlog.event_data.DeviceVersionMinor", - "winlog.event_data.DriveName", - "winlog.event_data.DriverName", - "winlog.event_data.DriverNameLength", - "winlog.event_data.DwordVal", - "winlog.event_data.EntryCount", - "winlog.event_data.ExtraInfo", - "winlog.event_data.FailureName", - "winlog.event_data.FailureNameLength", - "winlog.event_data.FileVersion", - "winlog.event_data.FinalStatus", - "winlog.event_data.Group", - "winlog.event_data.IdleImplementation", - "winlog.event_data.IdleStateCount", - "winlog.event_data.ImpersonationLevel", - "winlog.event_data.IntegrityLevel", - "winlog.event_data.IpAddress", - "winlog.event_data.IpPort", - "winlog.event_data.KeyLength", - "winlog.event_data.LastBootGood", - "winlog.event_data.LastShutdownGood", - "winlog.event_data.LmPackageName", - "winlog.event_data.LogonGuid", - "winlog.event_data.LogonId", - "winlog.event_data.LogonProcessName", - "winlog.event_data.LogonType", - "winlog.event_data.MajorVersion", - "winlog.event_data.MaximumPerformancePercent", - "winlog.event_data.MemberName", - "winlog.event_data.MemberSid", - "winlog.event_data.MinimumPerformancePercent", - "winlog.event_data.MinimumThrottlePercent", - "winlog.event_data.MinorVersion", - "winlog.event_data.NewProcessId", - "winlog.event_data.NewProcessName", - "winlog.event_data.NewSchemeGuid", - "winlog.event_data.NewTime", - "winlog.event_data.NominalFrequency", - "winlog.event_data.Number", - "winlog.event_data.OldSchemeGuid", - "winlog.event_data.OldTime", - "winlog.event_data.OriginalFileName", - "winlog.event_data.Path", - "winlog.event_data.PerformanceImplementation", - "winlog.event_data.PreviousCreationUtcTime", - "winlog.event_data.PreviousTime", - "winlog.event_data.PrivilegeList", - "winlog.event_data.ProcessId", - "winlog.event_data.ProcessName", - "winlog.event_data.ProcessPath", - "winlog.event_data.ProcessPid", - "winlog.event_data.Product", - "winlog.event_data.PuaCount", - "winlog.event_data.PuaPolicyId", - "winlog.event_data.QfeVersion", - "winlog.event_data.Reason", - "winlog.event_data.SchemaVersion", - "winlog.event_data.ScriptBlockText", - "winlog.event_data.ServiceName", - "winlog.event_data.ServiceVersion", - "winlog.event_data.ShutdownActionType", - "winlog.event_data.ShutdownEventCode", - "winlog.event_data.ShutdownReason", - "winlog.event_data.Signature", - "winlog.event_data.SignatureStatus", - "winlog.event_data.Signed", - "winlog.event_data.StartTime", - "winlog.event_data.State", - "winlog.event_data.Status", - "winlog.event_data.StopTime", - "winlog.event_data.SubjectDomainName", - "winlog.event_data.SubjectLogonId", - "winlog.event_data.SubjectUserName", - "winlog.event_data.SubjectUserSid", - "winlog.event_data.TSId", - "winlog.event_data.TargetDomainName", - "winlog.event_data.TargetInfo", - "winlog.event_data.TargetLogonGuid", - "winlog.event_data.TargetLogonId", - "winlog.event_data.TargetServerName", - "winlog.event_data.TargetUserName", - "winlog.event_data.TargetUserSid", - "winlog.event_data.TerminalSessionId", - "winlog.event_data.TokenElevationType", - "winlog.event_data.TransmittedServices", - "winlog.event_data.UserSid", - "winlog.event_data.Version", - "winlog.event_data.Workstation", - "winlog.event_data.param1", - "winlog.event_data.param2", - "winlog.event_data.param3", - "winlog.event_data.param4", - "winlog.event_data.param5", - "winlog.event_data.param6", - "winlog.event_data.param7", - "winlog.event_data.param8", - "winlog.event_id", - "winlog.keywords", - "winlog.channel", - "winlog.record_id", - "winlog.related_activity_id", - "winlog.opcode", - "winlog.provider_guid", - "winlog.provider_name", - "winlog.task", - "winlog.user.identifier", - "winlog.user.name", - "winlog.user.domain", - "winlog.user.type" - ] - } - } - }, - "mappings": { - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - }, - { - "winlog.user_data": { - "path_match": "winlog.user_data.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "pid": { - "type": "long" - }, - "args_count": { - "type": "long" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "title": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "wildcard", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "executable": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - } - } - }, - "winlog": { - "properties": { - "related_activity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "computer_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "process": { - "properties": { - "pid": { - "type": "long" - }, - "thread": { - "properties": { - "id": { - "type": "long" - } - } - } - } - }, - "keywords": { - "ignore_above": 1024, - "type": "keyword" - }, - "channel": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_data": { - "properties": { - "SignatureStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "OriginalFileName": { - "ignore_above": 1024, - "type": "keyword" - }, - "BootMode": { - "ignore_above": 1024, - "type": "keyword" - }, - "Product": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetLogonGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "FileVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "StopTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "Status": { - "ignore_above": 1024, - "type": "keyword" - }, - "CorruptionActionState": { - "ignore_above": 1024, - "type": "keyword" - }, - "KeyLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreviousCreationUtcTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetInfo": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "PerformanceImplementation": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "Group": { - "ignore_above": 1024, - "type": "keyword" - }, - "Description": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownActionType": { - "ignore_above": 1024, - "type": "keyword" - }, - "DwordVal": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessPid": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceVersionMajor": { - "ignore_above": 1024, - "type": "keyword" - }, - "ScriptBlockText": { - "ignore_above": 1024, - "type": "keyword" - }, - "TransmittedServices": { - "ignore_above": 1024, - "type": "keyword" - }, - "MaximumPerformancePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "FinalStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "IdleStateCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "MajorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "Path": { - "ignore_above": 1024, - "type": "keyword" - }, - "SchemaVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "TokenElevationType": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "IdleImplementation": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessPath": { - "ignore_above": 1024, - "type": "keyword" - }, - "QfeVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceVersionMinor": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "IpAddress": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Company": { - "ignore_above": 1024, - "type": "keyword" - }, - "PuaPolicyId": { - "ignore_above": 1024, - "type": "keyword" - }, - "IntegrityLevel": { - "ignore_above": 1024, - "type": "keyword" - }, - "LastShutdownGood": { - "ignore_above": 1024, - "type": "keyword" - }, - "IpPort": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriverNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "LmPackageName": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "LastBootGood": { - "ignore_above": 1024, - "type": "keyword" - }, - "PuaCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "Version": { - "ignore_above": 1024, - "type": "keyword" - }, - "Signed": { - "ignore_above": 1024, - "type": "keyword" - }, - "StartTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownEventCode": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreviousTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "State": { - "ignore_above": 1024, - "type": "keyword" - }, - "BootType": { - "ignore_above": 1024, - "type": "keyword" - }, - "Binary": { - "ignore_above": 1024, - "type": "keyword" - }, - "ImpersonationLevel": { - "ignore_above": 1024, - "type": "keyword" - }, - "MemberName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Detail": { - "ignore_above": 1024, - "type": "keyword" - }, - "TerminalSessionId": { - "ignore_above": 1024, - "type": "keyword" - }, - "MemberSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriverName": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSchemeGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "CreationUtcTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "Reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownReason": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetServerName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Number": { - "ignore_above": 1024, - "type": "keyword" - }, - "BuildVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinimumPerformancePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TSId": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "PrivilegeList": { - "ignore_above": 1024, - "type": "keyword" - }, - "param7": { - "ignore_above": 1024, - "type": "keyword" - }, - "param8": { - "ignore_above": 1024, - "type": "keyword" - }, - "param5": { - "ignore_above": 1024, - "type": "keyword" - }, - "param6": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriveName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonType": { - "ignore_above": 1024, - "type": "keyword" - }, - "ExtraInfo": { - "ignore_above": 1024, - "type": "keyword" - }, - "param3": { - "ignore_above": 1024, - "type": "keyword" - }, - "param4": { - "ignore_above": 1024, - "type": "keyword" - }, - "param1": { - "ignore_above": 1024, - "type": "keyword" - }, - "param2": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "Workstation": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSchemeGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "Signature": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinimumThrottlePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "EntryCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "BitlockerUserInputTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "AuthenticationPackageName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NominalFrequency": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "opcode": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "type": "long" - }, - "record_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "task": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider_guid": { - "ignore_above": 1024, - "type": "keyword" - }, - "activity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "api": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "identifier": { - "ignore_above": 1024, - "type": "keyword" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "destination": { - "properties": { - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "source": { - "properties": { - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "message": { - "type": "match_only_text" - }, - "tags": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "input": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "file": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "related": { - "properties": { - "hosts": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "powershell": { - "properties": { - "sequence": { - "type": "long" - }, - "total": { - "type": "long" - }, - "connected_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "executable_version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "script_block_text": { - "analyzer": "powershell_script_analyzer", - "type": "text" - }, - "script_block_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "engine": { - "properties": { - "previous_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "new_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "new_state": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "runspace_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pipeline_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "command": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "type": "text" - } - } - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "sequence": { - "type": "long" - }, - "ingested": { - "type": "date" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "type": "constant_keyword", - "value": "windows" - }, - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "dataset": { - "type": "constant_keyword", - "value": "windows.powershell_operational" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "dataset": { - "properties": { - "name": { - "type": "constant_keyword" - }, - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - } - } - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - }, - "_meta": { - "package": { - "name": "windows" - }, - "managed_by": "fleet", - "managed": true - } - } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@package.json deleted file mode 100644 index 451eaf7aa..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@package.json +++ /dev/null @@ -1,1752 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-windows.sysmon_operational-1.20.1", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "event.action", - "event.category", - "event.code", - "event.kind", - "event.outcome", - "event.provider", - "event.type", - "tags", - "input.type", - "destination.domain", - "dns.answers.class", - "dns.answers.data", - "dns.answers.name", - "dns.answers.type", - "dns.header_flags", - "dns.id", - "dns.op_code", - "dns.question.class", - "dns.question.name", - "dns.question.registered_domain", - "dns.question.subdomain", - "dns.question.top_level_domain", - "dns.question.type", - "dns.response_code", - "dns.type", - "ecs.version", - "error.code", - "error.message", - "file.code_signature.status", - "file.code_signature.subject_name", - "file.directory", - "file.extension", - "file.hash.md5", - "file.hash.sha1", - "file.hash.sha256", - "file.hash.sha512", - "file.name", - "file.path", - "file.pe.architecture", - "file.pe.company", - "file.pe.description", - "file.pe.file_version", - "file.pe.imphash", - "file.pe.original_file_name", - "file.pe.product", - "group.domain", - "group.id", - "group.name", - "log.level", - "message", - "network.community_id", - "network.direction", - "network.protocol", - "network.transport", - "network.type", - "process.args", - "process.command_line", - "process.entity_id", - "process.executable", - "process.hash.md5", - "process.hash.sha1", - "process.hash.sha256", - "process.hash.sha512", - "process.name", - "process.parent.args", - "process.parent.command_line", - "process.parent.entity_id", - "process.parent.executable", - "process.parent.name", - "process.pe.architecture", - "process.pe.company", - "process.pe.description", - "process.pe.file_version", - "process.pe.imphash", - "process.pe.original_file_name", - "process.pe.product", - "process.title", - "process.working_directory", - "registry.data.strings", - "registry.data.type", - "registry.hive", - "registry.key", - "registry.path", - "registry.value", - "related.hash", - "related.hosts", - "related.user", - "rule.name", - "service.name", - "service.type", - "source.domain", - "user.domain", - "user.id", - "user.name", - "user.target.group.domain", - "user.target.group.id", - "user.target.group.name", - "user.target.name", - "sysmon.dns.status", - "winlog.api", - "winlog.activity_id", - "winlog.computer_name", - "winlog.event_data.AuthenticationPackageName", - "winlog.event_data.Binary", - "winlog.event_data.BitlockerUserInputTime", - "winlog.event_data.BootMode", - "winlog.event_data.BootType", - "winlog.event_data.BuildVersion", - "winlog.event_data.CallTrace", - "winlog.event_data.ClientInfo", - "winlog.event_data.Company", - "winlog.event_data.Configuration", - "winlog.event_data.CorruptionActionState", - "winlog.event_data.CreationUtcTime", - "winlog.event_data.Description", - "winlog.event_data.Detail", - "winlog.event_data.DeviceName", - "winlog.event_data.DeviceNameLength", - "winlog.event_data.DeviceTime", - "winlog.event_data.DeviceVersionMajor", - "winlog.event_data.DeviceVersionMinor", - "winlog.event_data.DriveName", - "winlog.event_data.DriverName", - "winlog.event_data.DriverNameLength", - "winlog.event_data.DwordVal", - "winlog.event_data.EntryCount", - "winlog.event_data.EventType", - "winlog.event_data.EventNamespace", - "winlog.event_data.ExtraInfo", - "winlog.event_data.FailureName", - "winlog.event_data.FailureNameLength", - "winlog.event_data.FileVersion", - "winlog.event_data.FinalStatus", - "winlog.event_data.GrantedAccess", - "winlog.event_data.Group", - "winlog.event_data.IdleImplementation", - "winlog.event_data.IdleStateCount", - "winlog.event_data.ImpersonationLevel", - "winlog.event_data.IntegrityLevel", - "winlog.event_data.IpAddress", - "winlog.event_data.IpPort", - "winlog.event_data.KeyLength", - "winlog.event_data.LastBootGood", - "winlog.event_data.LastShutdownGood", - "winlog.event_data.LmPackageName", - "winlog.event_data.LogonGuid", - "winlog.event_data.LogonId", - "winlog.event_data.LogonProcessName", - "winlog.event_data.LogonType", - "winlog.event_data.MajorVersion", - "winlog.event_data.MaximumPerformancePercent", - "winlog.event_data.MemberName", - "winlog.event_data.MemberSid", - "winlog.event_data.MinimumPerformancePercent", - "winlog.event_data.MinimumThrottlePercent", - "winlog.event_data.MinorVersion", - "winlog.event_data.Name", - "winlog.event_data.NewProcessId", - "winlog.event_data.NewProcessName", - "winlog.event_data.NewSchemeGuid", - "winlog.event_data.NewThreadId", - "winlog.event_data.NewTime", - "winlog.event_data.NominalFrequency", - "winlog.event_data.Number", - "winlog.event_data.OldSchemeGuid", - "winlog.event_data.OldTime", - "winlog.event_data.Operation", - "winlog.event_data.OriginalFileName", - "winlog.event_data.Path", - "winlog.event_data.PerformanceImplementation", - "winlog.event_data.PreviousCreationUtcTime", - "winlog.event_data.PreviousTime", - "winlog.event_data.PrivilegeList", - "winlog.event_data.ProcessId", - "winlog.event_data.ProcessName", - "winlog.event_data.ProcessPath", - "winlog.event_data.ProcessPid", - "winlog.event_data.Product", - "winlog.event_data.PuaCount", - "winlog.event_data.PuaPolicyId", - "winlog.event_data.QfeVersion", - "winlog.event_data.Query", - "winlog.event_data.Reason", - "winlog.event_data.SchemaVersion", - "winlog.event_data.ScriptBlockText", - "winlog.event_data.ServiceName", - "winlog.event_data.ServiceVersion", - "winlog.event_data.Session", - "winlog.event_data.ShutdownActionType", - "winlog.event_data.ShutdownEventCode", - "winlog.event_data.ShutdownReason", - "winlog.event_data.Signature", - "winlog.event_data.SignatureStatus", - "winlog.event_data.Signed", - "winlog.event_data.StartAddress", - "winlog.event_data.StartFunction", - "winlog.event_data.StartModule", - "winlog.event_data.StartTime", - "winlog.event_data.State", - "winlog.event_data.Status", - "winlog.event_data.StopTime", - "winlog.event_data.SubjectDomainName", - "winlog.event_data.SubjectLogonId", - "winlog.event_data.SubjectUserName", - "winlog.event_data.SubjectUserSid", - "winlog.event_data.TSId", - "winlog.event_data.TargetDomainName", - "winlog.event_data.TargetImage", - "winlog.event_data.TargetInfo", - "winlog.event_data.TargetLogonGuid", - "winlog.event_data.TargetLogonId", - "winlog.event_data.TargetProcessGUID", - "winlog.event_data.TargetProcessId", - "winlog.event_data.TargetServerName", - "winlog.event_data.TargetUserName", - "winlog.event_data.TargetUserSid", - "winlog.event_data.TerminalSessionId", - "winlog.event_data.TokenElevationType", - "winlog.event_data.TransmittedServices", - "winlog.event_data.Type", - "winlog.event_data.UserSid", - "winlog.event_data.Version", - "winlog.event_data.Workstation", - "winlog.event_data.param1", - "winlog.event_data.param2", - "winlog.event_data.param3", - "winlog.event_data.param4", - "winlog.event_data.param5", - "winlog.event_data.param6", - "winlog.event_data.param7", - "winlog.event_data.param8", - "winlog.event_id", - "winlog.keywords", - "winlog.channel", - "winlog.record_id", - "winlog.related_activity_id", - "winlog.opcode", - "winlog.provider_guid", - "winlog.provider_name", - "winlog.task", - "winlog.user.identifier", - "winlog.user.name", - "winlog.user.domain", - "winlog.user.type" - ] - } - } - }, - "mappings": { - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - }, - { - "winlog.user_data": { - "path_match": "winlog.user_data.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "sysmon": { - "properties": { - "file": { - "properties": { - "archived": { - "type": "boolean" - }, - "is_executable": { - "type": "boolean" - } - } - }, - "dns": { - "properties": { - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "destination": { - "properties": { - "port": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - } - } - }, - "rule": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "source": { - "properties": { - "port": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - } - } - }, - "error": { - "properties": { - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "type": "match_only_text" - } - } - }, - "network": { - "properties": { - "community_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "transport": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "file": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "valid": { - "type": "boolean" - }, - "trusted": { - "type": "boolean" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pe": { - "properties": { - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "related": { - "properties": { - "hosts": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "sequence": { - "type": "long" - }, - "ingested": { - "type": "date" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "type": "constant_keyword", - "value": "windows" - }, - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "dataset": { - "type": "constant_keyword", - "value": "windows.sysmon_operational" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "registry": { - "properties": { - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "properties": { - "strings": { - "ignore_above": 1024, - "type": "wildcard" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "pid": { - "type": "long" - }, - "args_count": { - "type": "long" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "command_line": { - "ignore_above": 1024, - "type": "wildcard", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "executable": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - } - } - }, - "pe": { - "properties": { - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "pid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "args_count": { - "type": "long" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "title": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "wildcard", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "executable": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "hash": { - "properties": { - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "winlog": { - "properties": { - "related_activity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "computer_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "process": { - "properties": { - "pid": { - "type": "long" - }, - "thread": { - "properties": { - "id": { - "type": "long" - } - } - } - } - }, - "keywords": { - "ignore_above": 1024, - "type": "keyword" - }, - "channel": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_data": { - "properties": { - "SignatureStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "Configuration": { - "ignore_above": 1024, - "type": "keyword" - }, - "OriginalFileName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Query": { - "ignore_above": 1024, - "type": "keyword" - }, - "BootMode": { - "ignore_above": 1024, - "type": "keyword" - }, - "Product": { - "ignore_above": 1024, - "type": "keyword" - }, - "StartAddress": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetLogonGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "FileVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "CallTrace": { - "ignore_above": 1024, - "type": "keyword" - }, - "StopTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "Status": { - "ignore_above": 1024, - "type": "keyword" - }, - "GrantedAccess": { - "ignore_above": 1024, - "type": "keyword" - }, - "CorruptionActionState": { - "ignore_above": 1024, - "type": "keyword" - }, - "KeyLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreviousCreationUtcTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetInfo": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "PerformanceImplementation": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "Group": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewThreadId": { - "ignore_above": 1024, - "type": "keyword" - }, - "Description": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownActionType": { - "ignore_above": 1024, - "type": "keyword" - }, - "DwordVal": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessPid": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceVersionMajor": { - "ignore_above": 1024, - "type": "keyword" - }, - "ScriptBlockText": { - "ignore_above": 1024, - "type": "keyword" - }, - "TransmittedServices": { - "ignore_above": 1024, - "type": "keyword" - }, - "MaximumPerformancePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "FinalStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "IdleStateCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "MajorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "Path": { - "ignore_above": 1024, - "type": "keyword" - }, - "SchemaVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "TokenElevationType": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "IdleImplementation": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessPath": { - "ignore_above": 1024, - "type": "keyword" - }, - "QfeVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceVersionMinor": { - "ignore_above": 1024, - "type": "keyword" - }, - "Type": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "IpAddress": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Company": { - "ignore_above": 1024, - "type": "keyword" - }, - "PuaPolicyId": { - "ignore_above": 1024, - "type": "keyword" - }, - "EventType": { - "ignore_above": 1024, - "type": "keyword" - }, - "IntegrityLevel": { - "ignore_above": 1024, - "type": "keyword" - }, - "LastShutdownGood": { - "ignore_above": 1024, - "type": "keyword" - }, - "IpPort": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriverNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "LmPackageName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Name": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "LastBootGood": { - "ignore_above": 1024, - "type": "keyword" - }, - "PuaCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "Version": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetProcessGUID": { - "ignore_above": 1024, - "type": "keyword" - }, - "Signed": { - "ignore_above": 1024, - "type": "keyword" - }, - "StartTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownEventCode": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreviousTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "State": { - "ignore_above": 1024, - "type": "keyword" - }, - "StartFunction": { - "ignore_above": 1024, - "type": "keyword" - }, - "BootType": { - "ignore_above": 1024, - "type": "keyword" - }, - "Binary": { - "ignore_above": 1024, - "type": "keyword" - }, - "ClientInfo": { - "ignore_above": 1024, - "type": "keyword" - }, - "ImpersonationLevel": { - "ignore_above": 1024, - "type": "keyword" - }, - "MemberName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Detail": { - "ignore_above": 1024, - "type": "keyword" - }, - "TerminalSessionId": { - "ignore_above": 1024, - "type": "keyword" - }, - "MemberSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriverName": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSchemeGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "Operation": { - "ignore_above": 1024, - "type": "keyword" - }, - "CreationUtcTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "Reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownReason": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetServerName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Number": { - "ignore_above": 1024, - "type": "keyword" - }, - "BuildVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetImage": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinimumPerformancePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TSId": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "PrivilegeList": { - "ignore_above": 1024, - "type": "keyword" - }, - "param7": { - "ignore_above": 1024, - "type": "keyword" - }, - "param8": { - "ignore_above": 1024, - "type": "keyword" - }, - "param5": { - "ignore_above": 1024, - "type": "keyword" - }, - "param6": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriveName": { - "ignore_above": 1024, - "type": "keyword" - }, - "EventNamespace": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonType": { - "ignore_above": 1024, - "type": "keyword" - }, - "ExtraInfo": { - "ignore_above": 1024, - "type": "keyword" - }, - "StartModule": { - "ignore_above": 1024, - "type": "keyword" - }, - "param3": { - "ignore_above": 1024, - "type": "keyword" - }, - "param4": { - "ignore_above": 1024, - "type": "keyword" - }, - "param1": { - "ignore_above": 1024, - "type": "keyword" - }, - "param2": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "Workstation": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSchemeGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "Signature": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinimumThrottlePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "EntryCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "BitlockerUserInputTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "AuthenticationPackageName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NominalFrequency": { - "ignore_above": 1024, - "type": "keyword" - }, - "Session": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "opcode": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "type": "long" - }, - "record_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "task": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider_guid": { - "ignore_above": 1024, - "type": "keyword" - }, - "activity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "api": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "identifier": { - "ignore_above": 1024, - "type": "keyword" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "dns": { - "properties": { - "op_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "resolved_ip": { - "type": "ip" - }, - "response_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "question": { - "properties": { - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "answers": { - "properties": { - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "ttl": { - "type": "long" - } - } - }, - "header_flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "message": { - "type": "match_only_text" - }, - "tags": { - "ignore_above": 1024, - "type": "keyword" - }, - "input": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "dataset": { - "properties": { - "name": { - "type": "constant_keyword" - }, - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - } - } - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "target": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - } - } - } - }, - "_meta": { - "package": { - "name": "windows" - }, - "managed_by": "fleet", - "managed": true - } - } diff --git a/salt/elasticsearch/templates/component/so/so-scan-mappings.json b/salt/elasticsearch/templates/component/so/so-scan-mappings.json index 60dc5b928..008a6ab10 100644 --- a/salt/elasticsearch/templates/component/so/so-scan-mappings.json +++ b/salt/elasticsearch/templates/component/so/so-scan-mappings.json @@ -20,7 +20,10 @@ "type": "float" } } - } + }, + "image_version": { + "type": "float" + } } }, "elf": { @@ -33,10 +36,17 @@ } } } - } + }, + "entropy": { + "properties": { + "entropy": { + "type": "float" + } + } + } } } } } } -} \ No newline at end of file +} diff --git a/salt/firewall/containers.map.jinja b/salt/firewall/containers.map.jinja index 617b4a216..02e8a4644 100644 --- a/salt/firewall/containers.map.jinja +++ b/salt/firewall/containers.map.jinja @@ -58,6 +58,7 @@ {% set NODE_CONTAINERS = [ 'so-curator', 'so-elasticsearch', + 'so-elastic-agent', 'so-logstash', 'so-nginx', 'so-redis', diff --git a/salt/firewall/defaults.yaml b/salt/firewall/defaults.yaml index ff127c419..75df49b25 100644 --- a/salt/firewall/defaults.yaml +++ b/salt/firewall/defaults.yaml @@ -289,6 +289,11 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update + desktop: + portgroups: + - elastic_agent_control + - elastic_agent_data + - elastic_agent_update customhostgroup0: portgroups: [] customhostgroup1: @@ -463,7 +468,13 @@ firewall: - endgame desktop: portgroups: + - docker_registry + - influxdb + - sensoroni - yum + - elastic_agent_control + - elastic_agent_data + - elastic_agent_update customhostgroup0: portgroups: [] customhostgroup1: @@ -651,7 +662,13 @@ firewall: - endgame desktop: portgroups: + - docker_registry + - influxdb + - sensoroni - yum + - elastic_agent_control + - elastic_agent_data + - elastic_agent_update customhostgroup0: portgroups: [] customhostgroup1: @@ -847,7 +864,13 @@ firewall: - strelka_frontend desktop: portgroups: + - docker_registry + - influxdb + - sensoroni - yum + - elastic_agent_control + - elastic_agent_data + - elastic_agent_update customhostgroup0: portgroups: [] customhostgroup1: @@ -1141,6 +1164,12 @@ firewall: localhost: portgroups: - all + self: + portgroups: + - syslog + syslog: + portgroups: + - syslog customhostgroup0: portgroups: [] customhostgroup1: @@ -1199,9 +1228,6 @@ firewall: analyst: portgroups: - nginx - desktop: - portgroups: - - yum customhostgroup0: portgroups: [] customhostgroup1: diff --git a/salt/idh/soc_idh.yaml b/salt/idh/soc_idh.yaml index f792812e4..1d6918405 100644 --- a/salt/idh/soc_idh.yaml +++ b/salt/idh/soc_idh.yaml @@ -23,7 +23,7 @@ idh: class: *loggingOptions filename: *loggingOptions portscan_x_enabled: &serviceOptions - description: To enable this opencanary module, set this value to true. To disable set to false. + description: To enable this opencanary module, set this value to true. To disable set to false. This option only applies to IDH nodes within your grid. helpLink: idh.html portscan_x_logfile: *loggingOptions portscan_x_synrate: diff --git a/salt/idstools/enabled.sls b/salt/idstools/enabled.sls index 3f5acda19..decc5a5b2 100644 --- a/salt/idstools/enabled.sls +++ b/salt/idstools/enabled.sls @@ -26,8 +26,8 @@ so-idstools: - http_proxy={{ proxy }} - https_proxy={{ proxy }} - no_proxy={{ salt['pillar.get']('manager:no_proxy') }} - {% if DOCKER.containers['so-elastalert'].extra_env %} - {% for XTRAENV in DOCKER.containers['so-elastalert'].extra_env %} + {% if DOCKER.containers['so-idstools'].extra_env %} + {% for XTRAENV in DOCKER.containers['so-idstools'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} @@ -77,6 +77,7 @@ run_so-rule-update: - docker_container: so-idstools - onchanges: - file: idstoolsetcsync + - file: synclocalnidsrules - order: last {% else %} diff --git a/salt/idstools/etc/rulecat.conf b/salt/idstools/etc/rulecat.conf index 8be3aa1ce..d6f3d93d8 100644 --- a/salt/idstools/etc/rulecat.conf +++ b/salt/idstools/etc/rulecat.conf @@ -3,8 +3,8 @@ --merged=/opt/so/rules/nids/all.rules --local=/opt/so/rules/nids/local.rules {%- if GLOBALS.md_engine == "SURICATA" %} ---local=/opt/so/rules/nids/sorules/extraction.rules ---local=/opt/so/rules/nids/sorules/filters.rules +--local=/opt/so/rules/nids/extraction.rules +--local=/opt/so/rules/nids/filters.rules {%- endif %} --url=http://{{ GLOBALS.manager }}:7788/suricata/emerging-all.rules --disable=/opt/so/idstools/etc/disable.conf diff --git a/salt/idstools/sorules/extraction.rules b/salt/idstools/sorules/extraction.rules deleted file mode 100644 index bccfc69d6..000000000 --- a/salt/idstools/sorules/extraction.rules +++ /dev/null @@ -1,26 +0,0 @@ -# Extract all PDF mime type -alert http any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; sid:1100000; rev:1;) -alert smtp any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; sid:1100001; rev:1;) -alert nfs any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; sid:1100002; rev:1;) -alert smb any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; sid:1100003; rev:1;) -# Extract EXE/DLL file types -alert http any any -> any any (msg:"FILE EXE detected"; filemagic:"PE32 executable"; filestore; sid:1100004; rev:1;) -alert smtp any any -> any any (msg:"FILE EXE detected"; filemagic:"PE32 executable"; filestore; sid:1100005; rev:1;) -alert nfs any any -> any any (msg:"FILE EXE detected"; filemagic:"PE32 executable"; filestore; sid:1100006; rev:1;) -alert smb any any -> any any (msg:"FILE EXE detected"; filemagic:"PE32 executable"; filestore; sid:1100007; rev:1;) -alert http any any -> any any (msg:"FILE EXE detected"; filemagic:"MS-DOS executable"; filestore; sid:1100008; rev:1;) -alert smtp any any -> any any (msg:"FILE EXE detected"; filemagic:"MS-DOS executable"; filestore; sid:1100009; rev:1;) -alert nfs any any -> any any (msg:"FILE EXE detected"; filemagic:"MS-DOS executable"; filestore; sid:1100010; rev:1;) -alert smb any any -> any any (msg:"FILE EXE detected"; filemagic:"MS-DOS executable"; filestore; sid:1100011; rev:1;) - -# Extract all Zip files -alert http any any -> any any (msg:"FILE ZIP detected"; filemagic:"Zip"; filestore; sid:1100012; rev:1;) -alert smtp any any -> any any (msg:"FILE ZIP detected"; filemagic:"Zip"; filestore; sid:1100013; rev:1;) -alert nfs any any -> any any (msg:"FILE ZIP detected"; filemagic:"Zip"; filestore; sid:1100014; rev:1;) -alert smb any any -> any any (msg:"FILE ZIP detected"; filemagic:"Zip"; filestore; sid:1100015; rev:1;) - -# Extract Word Docs -alert http any any -> any any (msg:"FILE WORDDOC detected"; filemagic:"Composite Document File V2 Document"; filestore; sid:1100016; rev:1;) -alert smtp any any -> any any (msg:"FILE WORDDOC detected"; filemagic:"Composite Document File V2 Document"; filestore; sid:1100017; rev:1;) -alert nfs any any -> any any (msg:"FILE WORDDOC detected"; filemagic:"Composite Document File V2 Document"; filestore; sid:1100018; rev:1;) -alert smb any any -> any any (msg:"FILE WORDDOC detected"; filemagic:"Composite Document File V2 Document"; filestore; sid:1100019; rev:1;) \ No newline at end of file diff --git a/salt/idstools/sorules/filters.rules b/salt/idstools/sorules/filters.rules deleted file mode 100644 index 051d1913f..000000000 --- a/salt/idstools/sorules/filters.rules +++ /dev/null @@ -1,11 +0,0 @@ -# Start the filters at sid 1200000 -# Example of filtering out *google.com from being in the dns log. -#config dns any any -> any any (dns.query; content:"google.com"; config: logging disable, type tx, scope tx; sid:1200000;) -# Example of filtering out *google.com from being in the http log. -#config http any any -> any any (http.host; content:"google.com"; config: logging disable, type tx, scope tx; sid:1200001;) -# Example of filtering out someuseragent from being in the http log. -#config http any any -> any any (http.user_agent; content:"someuseragent"; config: logging disable, type tx, scope tx; sid:1200002;) -# Example of filtering out Google's certificate from being in the ssl log. -#config tls any any -> any any (tls.fingerprint; content:"4f:a4:5e:58:7e:d9:db:20:09:d7:b6:c7:ff:58:c4:7b:dc:3f:55:b4"; config: logging disable, type tx, scope tx; sid:1200003;) -# Example of filtering out a md5 of a file from being in the files log. -#config fileinfo any any -> any any (fileinfo.filemd5; content:"7a125dc69c82d5caf94d3913eecde4b5"; config: logging disable, type tx, scope tx; sid:1200004;) diff --git a/salt/idstools/sync_files.sls b/salt/idstools/sync_files.sls index e8d5edda6..64479e937 100644 --- a/salt/idstools/sync_files.sls +++ b/salt/idstools/sync_files.sls @@ -26,13 +26,6 @@ rulesdir: - group: 939 - makedirs: True -SOrulesdir: - file.directory: - - name: /opt/so/rules/nids/sorules - - user: 939 - - group: 939 - - makedirs: True - # Don't show changes because all.rules can be large synclocalnidsrules: file.recurse: @@ -42,13 +35,3 @@ synclocalnidsrules: - group: 939 - show_changes: False - include_pat: 'E@.rules' - -# Don't show changes because all.rules can be large -syncnidsSOrules: - file.recurse: - - name: /opt/so/rules/nids/sorules - - source: salt://idstools/sorules/ - - user: 939 - - group: 939 - - show_changes: False - - include_pat: 'E@.rules' diff --git a/salt/influxdb/config.sls b/salt/influxdb/config.sls index 54e20b713..66c681a0d 100644 --- a/salt/influxdb/config.sls +++ b/salt/influxdb/config.sls @@ -25,6 +25,14 @@ influxlogdir: - group: 939 - makedirs: True +influxetcdir: + file.directory: + - name: /opt/so/conf/influxdb/etc + - dir_mode: 750 + - user: 939 + - group: 939 + - makedirs: True + influxdbdir: file.directory: - name: /nsm/influxdb diff --git a/salt/influxdb/enabled.sls b/salt/influxdb/enabled.sls index 70f4c404f..c0733c12c 100644 --- a/salt/influxdb/enabled.sls +++ b/salt/influxdb/enabled.sls @@ -38,6 +38,7 @@ so-influxdb: - binds: - /opt/so/log/influxdb/:/log:rw - /opt/so/conf/influxdb/config.yaml:/conf/config.yaml:ro + - /opt/so/conf/influxdb/etc:/etc/influxdb2:rw - /nsm/influxdb:/var/lib/influxdb2:rw - /etc/pki/influxdb.crt:/conf/influxdb.crt:ro - /etc/pki/influxdb.key:/conf/influxdb.key:ro diff --git a/salt/logrotate/init.sls b/salt/logrotate/init.sls index 1b096f9db..bdfc3b86c 100644 --- a/salt/logrotate/init.sls +++ b/salt/logrotate/init.sls @@ -3,6 +3,7 @@ logrotateconfdir: file.directory: - name: /opt/so/conf/logrotate + - makedirs: True commonlogrotatescript: file.managed: diff --git a/salt/logstash/enabled.sls b/salt/logstash/enabled.sls index 731ad4ca3..c76f81d21 100644 --- a/salt/logstash/enabled.sls +++ b/salt/logstash/enabled.sls @@ -73,7 +73,7 @@ so-logstash: {% if GLOBALS.role in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import'] %} - /etc/pki/ca.crt:/usr/share/filebeat/ca.crt:ro {% else %} - - /etc/ssl/certs/intca.crt:/usr/share/filebeat/ca.crt:ro + - /etc/pki/tls/certs/intca.crt:/usr/share/filebeat/ca.crt:ro {% endif %} {% if GLOBALS.role in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-searchnode'] %} - /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro diff --git a/salt/manager/init.sls b/salt/manager/init.sls index b9d2d3ba9..e808325ef 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls @@ -26,6 +26,15 @@ repo_log_dir: - user - group +yara_log_dir: + file.directory: + - name: /opt/so/log/yarasync + - user: socore + - group: socore + - recurse: + - user + - group + repo_conf_dir: file.directory: - name: /opt/so/conf/reposync @@ -52,21 +61,23 @@ manager_sbin: - group: 939 - file_mode: 755 -#manager_sbin_jinja: -# file.recurse: -# - name: /usr/sbin -# - source: salt://manager/tools/sbin_jinja -# - user: 939 -# - group: 939 -# - file_mode: 755 -# - template: jinja +yara_update_scripts: + file.recurse: + - name: /usr/sbin/ + - source: salt://manager/tools/sbin_jinja/ + - user: socore + - group: socore + - file_mode: 755 + - template: jinja + - defaults: + EXCLUDEDRULES: {{ STRELKAMERGED.rules.excluded }} so-repo-sync: - {% if MANAGERMERGED.reposync.enabled %} + {% if MANAGERMERGED.reposync.enabled %} cron.present: - {% else %} + {% else %} cron.absent: - {% endif %} + {% endif %} - user: socore - name: '/usr/sbin/so-repo-sync >> /opt/so/log/reposync/reposync.log 2>&1' - identifier: so-repo-sync @@ -82,7 +93,15 @@ socore_own_saltstack: - user - group -{% if STRELKAMERGED.rules.enabled %} +rules_dir: + file.directory: + - name: /nsm/rules/yara + - user: socore + - group: socore + - makedirs: True + +{% if STRELKAMERGED.rules.enabled %} + strelkarepos: file.managed: - name: /opt/so/conf/strelka/repos.txt @@ -91,67 +110,45 @@ strelkarepos: - defaults: STRELKAREPOS: {{ STRELKAMERGED.rules.repos }} - makedirs: True -{% endif %} - -yara_update_scripts: - file.recurse: - - name: /usr/sbin/ - - source: salt://manager/tools/sbin_jinja/ - - user: socore - - group: socore - - file_mode: 755 - - template: jinja - - defaults: - EXCLUDEDRULES: {{ STRELKAMERGED.rules.excluded }} - -rules_dir: - file.directory: - - name: /nsm/rules/yara - - user: socore - - group: socore - - makedirs: True - -{% if GLOBALS.airgap %} -remove_strelka-yara-download: - cron.absent: - - user: socore - - identifier: strelka-yara-download strelka-yara-update: + {% if MANAGERMERGED.reposync.enabled and not GLOBALS.airgap %} cron.present: + {% else %} + cron.absent: + {% endif %} - user: socore - - name: '/usr/sbin/so-yara-update >> /nsm/strelka/log/yara-update.log 2>&1' + - name: '/usr/sbin/so-yara-update >> /opt/so/log/yarasync/yara-update.log 2>&1' - identifier: strelka-yara-update - hour: '7' - minute: '1' +strelka-yara-download: + {% if MANAGERMERGED.reposync.enabled and not GLOBALS.airgap %} + cron.present: + {% else %} + cron.absent: + {% endif %} + - user: socore + - name: '/usr/sbin/so-yara-download >> /opt/so/log/yarasync/yara-download.log 2>&1' + - identifier: strelka-yara-download + - hour: '7' + - minute: '1' + +{% if not GLOBALS.airgap %} update_yara_rules: cmd.run: - name: /usr/sbin/so-yara-update - onchanges: - file: yara_update_scripts -{% else %} -remove_strelka-yara-update: - cron.absent: - - user: socore - - identifier: strelka-yara-update - -strelka-yara-download: - cron.present: - - user: socore - - name: '/usr/sbin/so-yara-download >> /nsm/strelka/log/yara-download.log 2>&1' - - identifier: strelka-yara-download - - hour: '7' - - minute: '1' download_yara_rules: cmd.run: - name: /usr/sbin/so-yara-download - onchanges: - file: yara_update_scripts -{% endif %} - - +{% endif %} +{% endif %} {% else %} {{sls}}_state_not_allowed: diff --git a/salt/manager/tools/sbin/so-minion b/salt/manager/tools/sbin/so-minion index edc0b1404..64084dbd0 100755 --- a/salt/manager/tools/sbin/so-minion +++ b/salt/manager/tools/sbin/so-minion @@ -187,15 +187,9 @@ function add_logstash_to_minion() { # Security Onion Desktop function add_desktop_to_minion() { printf '%s\n'\ - "host:"\ - " mainint: '$MNIC'"\ "desktop:"\ " gui:"\ - " enabled: true"\ - "sensoroni:"\ - " enabled: True"\ - " config:"\ - " node_description: '${NODE_DESCRIPTION//\'/''}'" >> $PILLARFILE + " enabled: true"\ >> $PILLARFILE } # Add basic host info to the minion file @@ -245,6 +239,10 @@ function add_sensor_to_minion() { echo " threads: '$CORECOUNT'" >> $PILLARFILE echo "pcap:" >> $PILLARFILE echo " enabled: True" >> $PILLARFILE + if [[ $is_pcaplimit ]]; then + echo " config:" >> $PILLARFILE + echo " diskfreepercentage: 60" >> $PILLARFILE + fi echo " " >> $PILLARFILE } @@ -415,6 +413,7 @@ function apply_ES_state() { salt-call state.apply elasticsearch concurrent=True } function createEVAL() { + is_pcaplimit=true add_elasticsearch_to_minion add_sensor_to_minion add_strelka_to_minion @@ -435,6 +434,7 @@ function createEVAL() { } function createSTANDALONE() { + is_pcaplimit=true add_elasticsearch_to_minion add_logstash_to_minion add_sensor_to_minion @@ -526,8 +526,9 @@ function createIDH() { } function createHEAVYNODE() { + is_pcaplimit=true add_elasticsearch_to_minion - add_elastic_agent_to_minion + add_elastic_agent_to_minion add_logstash_to_minion add_sensor_to_minion add_strelka_to_minion @@ -556,6 +557,10 @@ function createRECEIVER() { add_telegraf_to_minion } +function createDESKTOP() { + add_desktop_to_minion + add_telegraf_to_minion +} function testConnection() { retry 15 3 "salt '$MINION_ID' test.ping" True diff --git a/salt/manager/tools/sbin/so-repo-sync b/salt/manager/tools/sbin/so-repo-sync index 3e129cd0d..84384fcdf 100644 --- a/salt/manager/tools/sbin/so-repo-sync +++ b/salt/manager/tools/sbin/so-repo-sync @@ -11,6 +11,8 @@ set_version set_os salt_minion_count +set -e + curl --retry 5 --retry-delay 60 -A "reposync/$VERSION/$OS/$(uname -r)/$MINIONCOUNT" https://sigs.securityonion.net/checkup --output /tmp/checkup dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/ -createrepo /nsm/repo \ No newline at end of file +createrepo /nsm/repo diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 0b4136065..960c50f31 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -171,6 +171,13 @@ airgap_update_dockers() { fi } +backup_old_states_pillars() { + + tar czf /nsm/backup/$(echo $INSTALLEDVERSION)_$(date +%Y%m%d-%H%M%S)_soup_default_states_pillars.tar.gz /opt/so/saltstack/default/ + tar czf /nsm/backup/$(echo $INSTALLEDVERSION)_$(date +%Y%m%d-%H%M%S)_soup_local_states_pillars.tar.gz /opt/so/saltstack/local/ + +} + update_registry() { docker stop so-dockerregistry docker rm so-dockerregistry @@ -303,6 +310,7 @@ check_log_size_limit() { check_os_updates() { # Check to see if there are OS updates + echo "Checking for OS updates." NEEDUPDATES="We have detected missing operating system (OS) updates. Do you want to install these OS updates now? This could take a while depending on the size of your grid and how many packages are missing, but it is recommended to keep your system updated." OSUPDATES=$(dnf -q list updates | grep -v docker | grep -v containerd | grep -v salt | grep -v Available | wc -l) if [[ "$OSUPDATES" -gt 0 ]]; then @@ -394,6 +402,7 @@ preupgrade_changes() { [[ "$INSTALLEDVERSION" == 2.4.3 ]] && up_to_2.4.4 [[ "$INSTALLEDVERSION" == 2.4.4 ]] && up_to_2.4.5 [[ "$INSTALLEDVERSION" == 2.4.5 ]] && up_to_2.4.10 + [[ "$INSTALLEDVERSION" == 2.4.10 ]] && up_to_2.4.20 true } @@ -405,6 +414,7 @@ postupgrade_changes() { [[ "$POSTVERSION" == 2.4.3 ]] && post_to_2.4.4 [[ "$POSTVERSION" == 2.4.4 ]] && post_to_2.4.5 [[ "$POSTVERSION" == 2.4.5 ]] && post_to_2.4.10 + [[ "$POSTVERSION" == 2.4.10 ]] && post_to_2.4.20 true } @@ -430,6 +440,17 @@ post_to_2.4.10() { POSTVERSION=2.4.10 } +post_to_2.4.20() { + echo "Pruning unused docker volumes on all nodes - This process will run in the background." + salt --async \* cmd.run "docker volume prune -f" + POSTVERSION=2.4.20 +} + +repo_sync() { + echo "Sync the local repo." + su socore -c '/usr/sbin/so-repo-sync' || fail "Unable to complete so-repo-sync." +} + stop_salt_master() { # kill all salt jobs across the grid because the hang indefinitely if they are queued and salt-master restarts set +e @@ -496,6 +517,12 @@ up_to_2.4.10() { INSTALLEDVERSION=2.4.10 } +up_to_2.4.20() { + echo "Nothing to do for 2.4.20" + + INSTALLEDVERSION=2.4.20 +} + determine_elastic_agent_upgrade() { if [[ $is_airgap -eq 0 ]]; then update_elastic_agent_airgap @@ -749,9 +776,7 @@ main() { fi echo "Verifying we have the latest soup script." verify_latest_update_script - echo "Checking for OS updates." - check_os_updates - + echo "Let's see if we need to update Security Onion." upgrade_check upgrade_space @@ -763,10 +788,18 @@ main() { if [[ $is_airgap -eq 0 ]]; then yum clean all check_os_updates + elif [[ $OS == 'oel' ]]; then + # sync remote repo down to local if not airgap + repo_sync + check_os_updates fi if [ "$is_hotfix" == "true" ]; then echo "Applying $HOTFIXVERSION hotfix" + # since we don't run the backup.config_backup state on import we wont snapshot previous version states and pillars + if [[ ! "$MINIONID" =~ "_import" ]]; then + backup_old_states_pillars + fi copy_new_files apply_hotfix echo "Hotfix applied" @@ -823,6 +856,13 @@ main() { update_centos_repo fi + # since we don't run the backup.config_backup state on import we wont snapshot previous version states and pillars + if [[ ! "$MINIONID" =~ "_import" ]]; then + echo "" + echo "Creating snapshots of default and local Salt states and pillars and saving to /nsm/backup/" + backup_old_states_pillars + fi + echo "" echo "Copying new Security Onion code from $UPDATE_DIR to $DEFAULT_SALT_DIR." copy_new_files diff --git a/salt/mysql/config.sls b/salt/mysql/config.sls index 5f9010011..274f25d76 100644 --- a/salt/mysql/config.sls +++ b/salt/mysql/config.sls @@ -9,7 +9,7 @@ # MySQL Setup mysqlpkgs: - pkg.installed: + pkg.removed: - skip_suggestions: False - pkgs: {% if grains['os_family'] != 'RedHat' %} diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index 05da0b5d8..3ef0c5c1f 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf @@ -8,6 +8,7 @@ worker_processes auto; error_log /var/log/nginx/error.log; pid /run/nginx.pid; +user nobody; include /usr/share/nginx/modules/*.conf; @@ -230,7 +231,20 @@ http { proxy_cookie_path /api/ /influxdb/api/; } - location /kibana/ { + location /app/dashboards/ { + auth_request /auth/sessions/whoami; + rewrite /app/dashboards/(.*) /app/dashboards/$1 break; + proxy_pass http://{{ GLOBALS.manager }}:5601/app/; + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /kibana/ { auth_request /auth/sessions/whoami; rewrite /kibana/(.*) /$1 break; proxy_pass http://{{ GLOBALS.manager }}:5601/; diff --git a/salt/pcap/soc_pcap.yaml b/salt/pcap/soc_pcap.yaml index 0f4b7e1e4..32204a23a 100644 --- a/salt/pcap/soc_pcap.yaml +++ b/salt/pcap/soc_pcap.yaml @@ -1,35 +1,35 @@ pcap: enabled: description: You can enable or disable Stenographer on all sensors or a single sensor. - helpLink: pcap.html + helpLink: stenographer.html config: maxdirectoryfiles: description: The maximum number of packet/index files to create before deleting old files. - helpLink: pcap.html + helpLink: stenographer.html diskfreepercentage: description: The disk space percent to always keep free for PCAP - helpLink: pcap.html + helpLink: stenographer.html blocks: description: The number of 1MB packet blocks used by AF_PACKET to store packets in memory, per thread. You shouldn't need to change this. advanced: True - helpLink: pcap.html + helpLink: stenographer.html preallocate_file_mb: description: File size to pre-allocate for individual PCAP files. You shouldn't need to change this. advanced: True - helpLink: pcap.html + helpLink: stenographer.html aiops: description: The max number of async writes to allow at once. advanced: True - helpLink: pcap.html + helpLink: stenographer.html pin_to_cpu: description: Enable CPU pinning for PCAP. advanced: True - helpLink: pcap.html + helpLink: stenographer.html cpus_to_pin_to: description: CPU to pin PCAP to. Currently only a single CPU is supported. advanced: True - helpLink: pcap.html + helpLink: stenographer.html disks: description: List of disks to use for PCAP. This is currently not used. advanced: True - helpLink: pcap.html + helpLink: stenographer.html diff --git a/salt/playbook/config.sls b/salt/playbook/config.sls index 7d37f8873..f4c2cf137 100644 --- a/salt/playbook/config.sls +++ b/salt/playbook/config.sls @@ -91,6 +91,14 @@ playbooklogdir: - group: 939 - makedirs: True +playbookfilesdir: + file.directory: + - name: /opt/so/conf/playbook/redmine-files + - dir_mode: 775 + - user: 939 + - group: 939 + - makedirs: True + {% if 'idh' in salt['cmd.shell']("ls /opt/so/saltstack/local/pillar/minions/|awk -F'_' {'print $2'}|awk -F'.' {'print $1'}").split() %} idh-plays: file.recurse: diff --git a/salt/playbook/enabled.sls b/salt/playbook/enabled.sls index 434cb18e4..e70fec693 100644 --- a/salt/playbook/enabled.sls +++ b/salt/playbook/enabled.sls @@ -33,6 +33,7 @@ so-playbook: - sobridge: - ipv4_address: {{ DOCKER.containers['so-playbook'].ip }} - binds: + - /opt/so/conf/playbook/redmine-files:/usr/src/redmine/files:rw - /opt/so/log/playbook:/playbook/log:rw {% if DOCKER.containers['so-playbook'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-playbook'].custom_bind_mounts %} diff --git a/salt/redis/config.sls b/salt/redis/config.sls index d698040f8..053d46707 100644 --- a/salt/redis/config.sls +++ b/salt/redis/config.sls @@ -25,6 +25,13 @@ redisworkdir: - group: 939 - makedirs: True +redisdatadir: + file.directory: + - name: /nsm/redis/data + - user: 939 + - group: 939 + - makedirs: True + redislogdir: file.directory: - name: /opt/so/log/redis diff --git a/salt/redis/enabled.sls b/salt/redis/enabled.sls index 2a4f5a179..fc206e3cb 100644 --- a/salt/redis/enabled.sls +++ b/salt/redis/enabled.sls @@ -28,12 +28,13 @@ so-redis: - /opt/so/log/redis:/var/log/redis:rw - /opt/so/conf/redis/etc/redis.conf:/usr/local/etc/redis/redis.conf:ro - /opt/so/conf/redis/working:/redis:rw + - /nsm/redis/data:/data:rw - /etc/pki/redis.crt:/certs/redis.crt:ro - /etc/pki/redis.key:/certs/redis.key:ro {% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import'] %} - /etc/pki/ca.crt:/certs/ca.crt:ro {% else %} - - /etc/ssl/certs/intca.crt:/certs/ca.crt:ro + - /etc/pki/tls/certs/intca.crt:/certs/ca.crt:ro {% endif %} {% if DOCKER.containers['so-redis'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-redis'].custom_bind_mounts %} diff --git a/salt/salt/minion.sls b/salt/salt/minion.sls index 5e06a361f..43f7539f9 100644 --- a/salt/salt/minion.sls +++ b/salt/salt/minion.sls @@ -47,24 +47,24 @@ hold_salt_packages: {% endfor %} {% endif %} -remove_info_log_level_logfile: +remove_error_log_level_logfile: file.line: - name: /etc/salt/minion - - match: "log_level_logfile: info" + - match: "log_level_logfile: error" - mode: delete -remove_info_log_level: +remove_error_log_level: file.line: - name: /etc/salt/minion - - match: "log_level: info" + - match: "log_level: error" - mode: delete set_log_levels: file.append: - name: /etc/salt/minion - text: - - "log_level: error" - - "log_level_logfile: error" + - "log_level: info" + - "log_level_logfile: info" salt_minion_service_unit_file: file.managed: diff --git a/salt/salt/service/salt-minion.service.jinja b/salt/salt/service/salt-minion.service.jinja index c7bae0bc2..27c7a15b6 100644 --- a/salt/salt/service/salt-minion.service.jinja +++ b/salt/salt/service/salt-minion.service.jinja @@ -1,6 +1,6 @@ [Unit] Description=The Salt Minion -Documentation=man:salt-minion(1) file:///usr/share/doc/salt/html/contents.html https://docs.saltstack.com/en/latest/contents.html +Documentation=man:salt-minion(1) file:///usr/share/doc/salt/html/contents.html https://docs.saltproject.io/en/latest/contents.html After=network.target salt-master.service [Service] @@ -12,4 +12,4 @@ ExecStart=/usr/bin/salt-minion ExecStartPre=/bin/sleep {{ salt['pillar.get']('salt:minion:service_start_delay', service_start_delay) }} [Install] -WantedBy=multi-user.target \ No newline at end of file +WantedBy=multi-user.target diff --git a/salt/sensoroni/defaults.yaml b/salt/sensoroni/defaults.yaml index 4ccc11ce9..f53646ac2 100644 --- a/salt/sensoroni/defaults.yaml +++ b/salt/sensoroni/defaults.yaml @@ -8,3 +8,31 @@ sensoroni: node_checkin_interval_ms: 10000 sensoronikey: soc_host: + analyzers: + emailrep: + base_url: https://emailrep.io/ + api_key: + greynoise: + base_url: https://api.greynoise.io/ + api_key: + api_version: community + localfile: + file_path: [] + otx: + base_url: https://otx.alienvault.com/api/v1/ + api_key: + pulsedive: + base_url: https://pulsedive.com/api/ + api_key: + spamhaus: + lookup_host: zen.spamhaus.org + nameservers: [] + urlscan: + base_url: https://urlscan.io/api/v1/ + api_key: + enabled: False + visibility: public + timeout: 180 + virustotal: + base_url: https://www.virustotal.com/api/v3/search?query= + api_key: diff --git a/salt/sensoroni/files/analyzers/README.md b/salt/sensoroni/files/analyzers/README.md index 8b1f44f29..19335a545 100644 --- a/salt/sensoroni/files/analyzers/README.md +++ b/salt/sensoroni/files/analyzers/README.md @@ -154,6 +154,12 @@ The analyzer itself will only run when a user in SOC enqueues an analyzer job, s python -m urlhaus '{"artifactType":"url","value":"https://bigbadbotnet.invalid",...}' ``` +To manually test an analyzer outside of the Sensoroni Docker container, use a command similar to the following: + +```bash +PYTHONPATH=. python urlhaus/urlhaus.py '{"artifactType":"url","value":"https://bigbadbotnet.invalid",...}' +``` + It is up to each analyzer to determine whether the provided input is compatible with that analyzer. This is assisted by the analyzer metadata, as described earlier in this document, with the use of the `supportedTypes` list. Once the analyzer completes its functionality, it must terminate promptly. See the following sections for more details on expected internal behavior of the analyzer. diff --git a/salt/sensoroni/soc_sensoroni.yaml b/salt/sensoroni/soc_sensoroni.yaml index 8a35272ea..db51da358 100644 --- a/salt/sensoroni/soc_sensoroni.yaml +++ b/salt/sensoroni/soc_sensoroni.yaml @@ -2,38 +2,180 @@ sensoroni: enabled: description: Enable or disable Sensoroni. advanced: True - helpLink: sensoroni.html + helpLink: grid.html config: analyze: enabled: description: Enable or disable the analyzer. advanced: True - helpLink: sensoroni.html + helpLink: cases.html timeout_ms: description: Timeout period for the analyzer. advanced: True - helpLink: sensoroni.html + helpLink: cases.html parallel_limit: description: Parallel limit for the analyzer. advanced: True - helpLink: sensoroni.html + helpLink: cases.html node_checkin_interval_ms: description: Interval in ms to checkin to the soc_host. advanced: True - helpLink: sensoroni.html + helpLink: grid.html node_description: description: Description of the specific node. - helpLink: sensoroni.html + helpLink: grid.html node: True forcedType: string sensoronikey: description: Shared key for sensoroni authentication. - helpLink: sensoroni.html + helpLink: grid.html global: True sensitive: True advanced: True soc_host: description: Host for sensoroni agents to connect to. - helpLink: sensoroni.html + helpLink: grid.html global: True advanced: True + analyzers: + emailrep: + api_key: + description: API key for the EmailRep analyzer. + helpLink: cases.html + global: False + sensitive: True + advanced: True + forcedType: string + base_url: + description: Base URL for the EmailRep analyzer. + helpLink: cases.html + global: False + sensitive: False + advanced: True + forcedType: string + greynoise: + api_key: + description: API key for the GreyNoise analyzer. + helpLink: cases.html + global: False + sensitive: True + advanced: True + forcedType: string + api_version: + description: API version for the GreyNoise analyzer. + helpLink: cases.html + global: False + sensitive: False + advanced: True + forcedType: string + base_url: + description: Base URL for the GreyNoise analyzer. + helpLink: cases.html + global: False + sensitive: False + advanced: True + forcedType: string + localfile: + file_path: + description: File path for the LocalFile analyzer. + helpLink: cases.html + global: False + sensitive: False + advanced: True + forcedType: "[]string" + otx: + api_key: + description: API key for the OTX analyzer. + helpLink: cases.html + global: False + sensitive: True + advanced: True + forcedType: string + base_url: + description: Base URL for the OTX analyzer. + helpLink: cases.html + global: False + sensitive: False + advanced: True + forcedType: string + pulsedive: + api_key: + description: API key for the Pulsedive analyzer. + helpLink: cases.html + global: False + sensitive: True + advanced: True + forcedType: string + base_url: + description: Base URL for the Pulsedive analyzer. + helpLink: cases.html + global: False + sensitive: False + advanced: True + forcedType: string + spamhaus: + lookup_host: + description: Host to use for lookups. + helpLink: cases.html + global: False + sensitive: False + advanced: True + forcedType: string + nameservers: + description: Nameservers used for queries. + helpLink: cases.html + global: False + sensitive: False + advanced: True + forcedTypes: "[]string" + urlscan: + api_key: + description: API key for the Urlscan analyzer. + helpLink: cases.html + global: False + sensitive: True + advanced: True + forcedType: string + base_url: + description: Base URL for the Urlscan analyzer. + helpLink: cases.html + global: False + sensitive: False + advanced: True + forcedType: string + enabled: + description: Analyzer enabled + helpLink: cases.html + global: False + sensitive: False + advanced: True + forcedType: bool + timeout: + description: Timeout for the Urlscan analyzer. + helpLink: cases.html + global: False + sensitive: False + advanced: True + forcedType: int + visibility: + description: Type of visibility. + helpLink: cases.html + global: False + sensitive: False + advanced: True + forcedType: string + virustotal: + api_key: + description: API key for the VirusTotal analyzer. + helpLink: cases.html + global: False + sensitive: True + advanced: True + forcedType: string + base_url: + description: Base URL for the VirusTotal analyzer. + helpLink: cases.html + global: False + sensitive: False + advanced: True + forcedType: string diff --git a/salt/soc/defaults.map.jinja b/salt/soc/defaults.map.jinja index 7720e7027..2587051c5 100644 --- a/salt/soc/defaults.map.jinja +++ b/salt/soc/defaults.map.jinja @@ -16,7 +16,7 @@ {# add nodes from the logstash:nodes pillar to soc.server.modules.elastic.remoteHostUrls #} {% for node_type, minions in salt['pillar.get']('logstash:nodes', {}).items() %} {% for m in minions.keys() %} -{% do SOCDEFAULTS.soc.config.server.modules.elastic.remoteHostUrls.append(m) %} +{% do SOCDEFAULTS.soc.config.server.modules.elastic.remoteHostUrls.append('https://' ~ m ~ ':9200') %} {% endfor %} {% endfor %} diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 49be076c0..6d8ed5bfd 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -474,19 +474,6 @@ soc: - event.dataset - process.executable - user.name - ':ossec:': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - rule.name - - rule.level - - rule.category - - process.name - - user.name - - user.escalated - - location ':strelka:file': - soc_timestamp - file.name @@ -523,28 +510,6 @@ soc: - message - kibana.log.meta.req.headers.x-real-ip - event.dataset - '::rootcheck': - - soc_timestamp - - host.name - - metadata.ip_address - - log.full - - event.dataset - - event.module - '::ossec': - - soc_timestamp - - host.name - - metadata.ip_address - - log.full - - event.dataset - - event.module - '::syscollector': - - soc_timestamp - - host.name - - metadata.ip_address - - wazuh.data.type - - log.full - - event.dataset - - event.module ':syslog:syslog': - soc_timestamp - host.name @@ -1047,6 +1012,8 @@ soc: verifyCert: false salt: queueDir: /opt/sensoroni/queue + timeoutMs: 45000 + longRelayTimeoutMs: 120000 sostatus: refreshIntervalMs: 30000 offlineThresholdMs: 900000 @@ -1621,21 +1588,15 @@ soc: - rule.uuid - rule.category - rule.rev - ':ossec:': + ':playbook:': - soc_timestamp - rule.name - event.severity_label - - source.ip - - source.port - - destination.ip - - destination.port - - rule.level - - rule.category - - process.name - - user.name - - user.escalated - - location - - process.name + - event_data.event.module + - event_data.event.category + - event_data.process.executable + - event_data.process.pid + - event_data.winlog.computer_name queryBaseFilter: tags:alert queryToggleFilters: - name: acknowledged diff --git a/salt/soc/files/soc/motd.md b/salt/soc/files/soc/motd.md index cf22e863d..d6b0d3d27 100644 --- a/salt/soc/files/soc/motd.md +++ b/salt/soc/files/soc/motd.md @@ -1,6 +1,6 @@ ## Getting Started -New to Security Onion 2? Click the menu in the upper-right corner and you'll find links for [Help](/docs/) and a [Cheatsheet](/docs/cheatsheet.pdf) that will help you best utilize Security Onion to hunt for evil! In addition, check out our free Security Onion 2 Essentials online course, available on our [Training](https://securityonionsolutions.com/training) website. +New to Security Onion 2? Click the menu in the upper-right corner and you'll find links for [Help](/docs/) and a [Cheat Sheet](/docs/cheatsheet.pdf) that will help you best utilize Security Onion to hunt for evil! In addition, check out our free Security Onion 2 Essentials online course, available on our [Training](https://securityonionsolutions.com/training) website. If you're ready to dive in, take a look at the [Alerts](/#/alerts) interface to see what Security Onion has detected so far. Then go to the [Dashboards](/#/dashboards) interface for a general overview of all logs collected or go to the [Hunt](/#/hunt) interface for more focused threat hunting. Once you've found something of interest, escalate it to [Cases](/#/cases) to then collect evidence and analyze observables as you work towards closing the case. diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja index dc2f889bb..33c0070ad 100644 --- a/salt/soc/merged.map.jinja +++ b/salt/soc/merged.map.jinja @@ -35,7 +35,18 @@ {% endif %} {% set standard_actions = SOCMERGED.config.pop('actions') %} -{% if pillar.global.endgamehost is defined %} + +{% if pillar.global.endgamehost != '' %} +{# this is added to prevent endgame_dict from being added to standard_actions for each time this file is rendered #} +{# since this map file is rendered 3 times, it causes endgame_dict to appened 3 times if custom actions are defined in the pillar #} +{% set endgame = namespace(add=true) %} +{% for d in standard_actions %} +{% if d.name is defined %} +{% if d.name == 'Endgame' %} +{% set endgame.add = false %} +{% endif %} +{% endif %} +{% endfor %} {% set endgame_dict = { "name": "Endgame", "description": "Endgame Endpoint Investigation and Response", @@ -44,7 +55,9 @@ "links": ["https://" ~ pillar.global.endgamehost ~ "/endpoints/{:agent.id}"] } %} -{% do standard_actions.append(endgame_dict) %} +{% if endgame.add %} +{% do standard_actions.append(endgame_dict) %} +{% endif %} {% endif %} {% do SOCMERGED.config.server.client.hunt.update({'actions': standard_actions}) %} diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index b2ed893f6..291f564ed 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -111,6 +111,15 @@ soc: description: Duration (in milliseconds) that must elapse after a grid node fails to check-in before the node will be marked offline (fault). global: True advanced: True + salt: + longRelayTimeoutMs: + description: Duration (in milliseconds) to wait for a response from the Salt API when executing tasks known for being long running before giving up and showing an error on the SOC UI. + global: True + advanced: True + relayTimeoutMs: + description: Duration (in milliseconds) to wait for a response from the Salt API when executing common grid management tasks before giving up and showing an error on the SOC UI. + global: True + advanced: True client: enableReverseLookup: description: Set to true to enable reverse DNS lookups for IP addresses in the SOC UI. diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index 4e48688f3..ef93a9072 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -36,14 +36,24 @@ include: {% set ca_server = global_ca_server[0] %} {% endif %} - +cacertdir: + file.directory: + - name: /etc/pki/tls/certs + - makedirs: True # Trust the CA trusttheca: x509.pem_managed: - - name: /etc/ssl/certs/intca.crt + - name: /etc/pki/tls/certs/intca.crt - text: {{ trusttheca_text }} +{% if GLOBALS.os_family == 'Debian' %} +symlinkca: + file.symlink: + - target: /etc/pki/tls/certs/intca.crt + - name: /etc/ssl/certs/intca.crt +{% endif %} + # Install packages needed for the sensor m2cryptopkgs: pkg.installed: diff --git a/salt/ssl/remove.sls b/salt/ssl/remove.sls index 4eb0eb442..43a245288 100644 --- a/salt/ssl/remove.sls +++ b/salt/ssl/remove.sls @@ -1,6 +1,6 @@ trusttheca: file.absent: - - name: /etc/ssl/certs/intca.crt + - name: /etc/pki/tls/certs/intca.crt influxdb_key: file.absent: diff --git a/salt/strelka/config.sls b/salt/strelka/config.sls index bf3ac3dca..1d0f75adf 100644 --- a/salt/strelka/config.sls +++ b/salt/strelka/config.sls @@ -43,6 +43,20 @@ strelka_sbin: - group: 939 - file_mode: 755 +strelkagkredisdatadir: + file.directory: + - name: /nsm/strelka/gk-redis-data + - user: 939 + - group: 939 + - makedirs: True + +strelkacoordredisdatadir: + file.directory: + - name: /nsm/strelka/coord-redis-data + - user: 939 + - group: 939 + - makedirs: True + {% else %} {{sls}}_state_not_allowed: diff --git a/salt/strelka/coordinator/enabled.sls b/salt/strelka/coordinator/enabled.sls index 7a156bc9a..3440cd5a4 100644 --- a/salt/strelka/coordinator/enabled.sls +++ b/salt/strelka/coordinator/enabled.sls @@ -37,12 +37,13 @@ strelka_coordinator: - {{ XTRAENV }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-strelka-coordinator'].custom_bind_mounts %} - binds: + - /nsm/strelka/coord-redis-data:/data:rw + {% if DOCKER.containers['so-strelka-coordinator'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-strelka-coordinator'].custom_bind_mounts %} - {{ BIND }} {% endfor %} - {% endif %} + {% endif %} delete_so-strelka-coordinator_so-status.disabled: file.uncomment: - name: /opt/so/conf/so-status/so-status.conf diff --git a/salt/strelka/filestream/config.sls b/salt/strelka/filestream/config.sls index 993a59650..0f9f38914 100644 --- a/salt/strelka/filestream/config.sls +++ b/salt/strelka/filestream/config.sls @@ -47,6 +47,21 @@ filestream_config: FILESTREAMCONFIG: {{ STRELKAMERGED.filestream.config }} # Filecheck Section +{% if GLOBALS.os_family == 'Debian' %} +install_watchdog: + pkg.installed: + - name: python3-watchdog + +{% elif GLOBALS.os_family == 'RedHat' %} +remove_old_watchdog: + pkg.removed: + - name: python3-watchdog + +install_watchdog: + pkg.installed: + - name: securityonion-python39-watchdog +{% endif %} + filecheck_logdir: file.directory: - name: /opt/so/log/strelka @@ -93,6 +108,11 @@ filecheck_stdout.log: {% if GLOBALS.md_engine == 'ZEEK' %} +remove_filecheck_run: + cron.absent: + - identifier: filecheck_run + - user: socore + filecheck_run_socore: cron.present: - name: 'ps -ef | grep filecheck | grep -v grep > /dev/null 2>&1 || python3 /opt/so/conf/strelka/filecheck >> /opt/so/log/strelka/filecheck_stdout.log 2>&1 &' @@ -106,6 +126,11 @@ remove_filecheck_run_suricata: {% elif GLOBALS.md_engine == 'SURICATA'%} +remove_filecheck_run: + cron.absent: + - identifier: filecheck_run + - user: suricata + filecheck_run_suricata: cron.present: - name: 'ps -ef | grep filecheck | grep -v grep > /dev/null 2>&1 || python3 /opt/so/conf/strelka/filecheck >> /opt/so/log/strelka/filecheck_stdout.log 2>&1 &' @@ -127,6 +152,7 @@ filecheck_restart: - onchanges: - file: filecheck_script - file: filecheck_conf + - pkg: install_watchdog filcheck_history_clean: cron.present: diff --git a/salt/strelka/gatekeeper/enabled.sls b/salt/strelka/gatekeeper/enabled.sls index b309403f4..8d06ddf6a 100644 --- a/salt/strelka/gatekeeper/enabled.sls +++ b/salt/strelka/gatekeeper/enabled.sls @@ -31,12 +31,13 @@ strelka_gatekeeper: {% for BINDING in DOCKER.containers['so-strelka-gatekeeper'].port_bindings %} - {{ BINDING }} {% endfor %} - {% if DOCKER.containers['so-strelka-gatekeeper'].custom_bind_mounts %} - binds: - {% for BIND in DOCKER.containers['so-strelka-gatekeeper'].custom_bind_mounts %} + - /nsm/strelka/gk-redis-data:/data:rw + {% if DOCKER.containers['so-strelka-gatekeeper'].custom_bind_mounts %} + {% for BIND in DOCKER.containers['so-strelka-gatekeeper'].custom_bind_mounts %} - {{ BIND }} - {% endfor %} - {% endif %} + {% endfor %} + {% endif %} {% if DOCKER.containers['so-strelka-gatekeeper'].extra_env %} - environment: {% for XTRAENV in DOCKER.containers['so-strelka-gatekeeper'].extra_env %} diff --git a/salt/strelka/tools/sbin_jinja/so-yara-download b/salt/strelka/tools/sbin_jinja/so-yara-download deleted file mode 100644 index a8087173c..000000000 --- a/salt/strelka/tools/sbin_jinja/so-yara-download +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -NOROOT=1 -. /usr/sbin/so-common - -{%- set proxy = salt['pillar.get']('manager:proxy') %} - -# Download the rules from the internet -{%- if proxy %} -export http_proxy={{ proxy }} -export https_proxy={{ proxy }} -export no_proxy=salt['pillar.get']('manager:no_proxy') -{%- endif %} - -mkdir -p /tmp/yara -cd /tmp/yara -git clone https://github.com/Security-Onion-Solutions/securityonion-yara.git -mkdir -p /nsm/rules/yara -rsync -shav --progress /tmp/yara/securityonion-yara/yara /nsm/rules/ -cd /tmp -rm -rf /tmp/yara - diff --git a/salt/telegraf/defaults.yaml b/salt/telegraf/defaults.yaml index 36ef679f0..0b7d532b1 100644 --- a/salt/telegraf/defaults.yaml +++ b/salt/telegraf/defaults.yaml @@ -11,19 +11,16 @@ telegraf: quiet: 'false' scripts: eval: - - beatseps.sh - checkfiles.sh - influxdbsize.sh - oldpcap.sh - raid.sh - - redis.sh - sostatus.sh - stenoloss.sh - suriloss.sh - zeekcaptureloss.sh - zeekloss.sh standalone: - - beatseps.sh - checkfiles.sh - eps.sh - influxdbsize.sh @@ -36,13 +33,11 @@ telegraf: - zeekcaptureloss.sh - zeekloss.sh manager: - - beatseps.sh - influxdbsize.sh - raid.sh - redis.sh - sostatus.sh managersearch: - - beatseps.sh - eps.sh - influxdbsize.sh - raid.sh @@ -51,7 +46,6 @@ telegraf: import: - sostatus.sh sensor: - - beatseps.sh - checkfiles.sh - oldpcap.sh - raid.sh @@ -61,7 +55,6 @@ telegraf: - zeekcaptureloss.sh - zeekloss.sh heavynode: - - beatseps.sh - checkfiles.sh - eps.sh - oldpcap.sh @@ -75,16 +68,15 @@ telegraf: idh: - sostatus.sh searchnode: - - beatseps.sh - eps.sh - raid.sh - sostatus.sh receiver: - - beatseps.sh - eps.sh - raid.sh - redis.sh - sostatus.sh fleet: - sostatus.sh - desktop: [] + desktop: + - sostatus.sh diff --git a/salt/telegraf/enabled.sls b/salt/telegraf/enabled.sls index 598587e17..d55e536d6 100644 --- a/salt/telegraf/enabled.sls +++ b/salt/telegraf/enabled.sls @@ -46,7 +46,7 @@ so-telegraf: {% if GLOBALS.role in ['so-manager', 'so-eval', 'so-managersearch' ] %} - /etc/pki/ca.crt:/etc/telegraf/ca.crt:ro {% else %} - - /etc/ssl/certs/intca.crt:/etc/telegraf/ca.crt:ro + - /etc/pki/tls/certs/intca.crt:/etc/telegraf/ca.crt:ro {% endif %} - /etc/pki/influxdb.crt:/etc/telegraf/telegraf.crt:ro - /etc/pki/influxdb.key:/etc/telegraf/telegraf.key:ro diff --git a/salt/telegraf/scripts/beatseps.sh b/salt/telegraf/scripts/beatseps.sh deleted file mode 100644 index 5f3db53f8..000000000 --- a/salt/telegraf/scripts/beatseps.sh +++ /dev/null @@ -1,38 +0,0 @@ -#!/bin/bash -# -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - - -# if this script isn't already running -if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then - - PREVCOUNTFILE='/tmp/beatseps.txt' - EVENTCOUNTCURRENT="$(curl -s localhost:5066/stats | jq '.libbeat.output.events.acked')" - FAILEDEVENTCOUNT="$(curl -s localhost:5066/stats | jq '.libbeat.output.events.failed')" - - if [ ! -z "$EVENTCOUNTCURRENT" ]; then - - if [ -f "$PREVCOUNTFILE" ]; then - EVENTCOUNTPREVIOUS=`cat $PREVCOUNTFILE` - else - echo "${EVENTCOUNTCURRENT}" > $PREVCOUNTFILE - exit 0 - fi - - echo "${EVENTCOUNTCURRENT}" > $PREVCOUNTFILE - # the division by 30 is because the agent interval is 30 seconds - EVENTS=$(((EVENTCOUNTCURRENT - EVENTCOUNTPREVIOUS)/30)) - if [ "$EVENTS" -lt 0 ]; then - EVENTS=0 - fi - - echo "fbstats eps=${EVENTS%%.*},failed=$FAILEDEVENTCOUNT" - fi - -fi - -exit 0 diff --git a/salt/top.sls b/salt/top.sls index 2323731a1..4f84e17ac 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -28,12 +28,10 @@ base: - motd - salt.minion-check - salt.lasthighstate - - docker - - 'not *_desktop and G@saltversion:{{saltversion}}': - - match: compound - common - + - docker + - docker_clean + '*_sensor and G@saltversion:{{saltversion}}': - match: compound - sensor @@ -47,7 +45,6 @@ base: - healthcheck - zeek - strelka - - docker_clean - elasticfleet.install_agent_grid '*_eval and G@saltversion:{{saltversion}}': @@ -57,14 +54,14 @@ base: - ca - ssl - registry - - sensoroni - manager - backup.config_backup - nginx - - telegraf - influxdb - soc - kratos + - sensoroni + - telegraf - firewall - idstools - suricata.manager @@ -82,9 +79,7 @@ base: - utility - soctopus - playbook - - redis - elasticfleet - - docker_clean '*_manager and G@saltversion:{{saltversion}}': - match: compound @@ -92,14 +87,14 @@ base: - ca - ssl - registry - - sensoroni - nginx - - telegraf - influxdb - soc - kratos - firewall - manager + - sensoroni + - telegraf - backup.config_backup - idstools - suricata.manager @@ -115,7 +110,6 @@ base: - soctopus - playbook - elasticfleet - - docker_clean '*_standalone and G@saltversion:{{saltversion}}': - match: compound @@ -124,15 +118,15 @@ base: - ca - ssl - registry - - sensoroni - manager - backup.config_backup - nginx - - telegraf - influxdb - soc - kratos - firewall + - sensoroni + - telegraf - idstools - suricata.manager - healthcheck @@ -152,19 +146,17 @@ base: - soctopus - playbook - elasticfleet - - docker_clean '*_searchnode and G@saltversion:{{saltversion}}': - match: compound - ssl - sensoroni - - nginx - telegraf + - nginx - firewall - elasticsearch - logstash - elasticfleet.install_agent_grid - - docker_clean '*_managersearch and G@saltversion:{{saltversion}}': - match: compound @@ -172,14 +164,14 @@ base: - ca - ssl - registry - - sensoroni - nginx - - telegraf - influxdb - soc - kratos - firewall - manager + - sensoroni + - telegraf - backup.config_backup - idstools - suricata.manager @@ -195,15 +187,14 @@ base: - soctopus - playbook - elasticfleet - - docker_clean '*_heavynode and G@saltversion:{{saltversion}}': - match: compound - sensor - ssl - sensoroni - - nginx - telegraf + - nginx - firewall - elasticsearch - logstash @@ -215,7 +206,6 @@ base: - zeek - elasticfleet.install_agent_grid - elasticagent - - docker_clean '*_import and G@saltversion:{{saltversion}}': - match: compound @@ -224,13 +214,13 @@ base: - ca - ssl - registry - - sensoroni - manager - nginx - - telegraf - influxdb - soc - kratos + - sensoroni + - telegraf - firewall - idstools - suricata.manager @@ -242,7 +232,6 @@ base: - suricata - zeek - elasticfleet - - docker_clean '*_receiver and G@saltversion:{{saltversion}}': - match: compound @@ -253,7 +242,6 @@ base: - logstash - redis - elasticfleet.install_agent_grid - - docker_clean '*_idh and G@saltversion:{{saltversion}}': - match: compound @@ -262,7 +250,6 @@ base: - telegraf - firewall - elasticfleet.install_agent_grid - - docker_clean - idh '*_fleet and G@saltversion:{{saltversion}}': @@ -275,7 +262,12 @@ base: - elasticfleet - elasticfleet.install_agent_grid - schedule - - docker_clean + + '*_desktop and G@saltversion:{{saltversion}}': + - ssl + - sensoroni + - telegraf + - elasticfleet.install_agent_grid 'J@desktop:gui:enabled:^[Tt][Rr][Uu][Ee]$ and ( G@saltversion:{{saltversion}} and G@os:OEL )': - match: compound diff --git a/salt/vars/desktop.map.jinja b/salt/vars/desktop.map.jinja new file mode 100644 index 000000000..964f69663 --- /dev/null +++ b/salt/vars/desktop.map.jinja @@ -0,0 +1 @@ +{% set ROLE_GLOBALS = {} %} diff --git a/salt/zeek/defaults.yaml b/salt/zeek/defaults.yaml index 8e6814b2e..4435670a2 100644 --- a/salt/zeek/defaults.yaml +++ b/salt/zeek/defaults.yaml @@ -8,9 +8,9 @@ zeek: buffer: 128*1024*1024 zeekctl: MailTo: root@localhost - MailConnectionSummary: 1 + MailConnectionSummary: 0 MinDiskSpace: 5 - MailHostUpDown: 1 + MailHostUpDown: 0 LogRotationInterval: 3600 LogExpireInterval: 0 StatsLogEnable: 1 @@ -28,7 +28,6 @@ zeek: - misc/loaded-scripts - tuning/defaults - misc/capture-loss - - misc/stats - frameworks/software/vulnerable - frameworks/software/version-changes - protocols/ftp/software diff --git a/setup/so-functions b/setup/so-functions index 1a1eb1919..aad627a8d 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -91,9 +91,12 @@ desktop_salt_local() { securityonion_repo gpg_rpm_import # Install salt - logCmd "yum -y install salt-minion-$SALTVERSION httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq" + logCmd "yum -y install salt-minion-$SALTVERSION httpd-tools python3 python3-dateutil yum-utils device-mapper-persistent-data lvm2 openssl jq" logCmd "yum -y update --exclude=salt*" + salt_install_module_deps + salt_patch_x509_v2 + logCmd "salt-call state.apply desktop --local --file-root=../salt/ -l info" read -r -d '' message <<- EOM Finished Security Onion Desktop installation. @@ -101,8 +104,10 @@ desktop_salt_local() { Press the Enter key to reboot. EOM - whiptail --title "$whiptail_title" --msgbox "$message" 12 75 - reboot + if [[ -z "$TESTING" ]]; then + whiptail --title "$whiptail_title" --msgbox "$message" 12 75 + reboot + fi exit 0 } @@ -393,20 +398,22 @@ collect_mngr_hostname() { sed -i "/$MSRV/d" /etc/hosts fi - if ! getent hosts "$MSRV"; then - whiptail_manager_ip + if [[ -z "$MSRVIP" ]]; then + if ! getent hosts "$MSRV"; then + whiptail_manager_ip - while ! valid_ip4 "$MSRVIP" || [[ $MSRVIP == "$MAINIP" || $MSRVIP == "127.0.0.1" ]]; do - whiptail_invalid_input + while ! valid_ip4 "$MSRVIP" || [[ $MSRVIP == "$MAINIP" || $MSRVIP == "127.0.0.1" ]]; do + whiptail_invalid_input + whiptail_manager_ip "$MSRVIP" + done + else + MSRVIP=$(getent hosts "$MSRV" | awk 'NR==1{print $1}') whiptail_manager_ip "$MSRVIP" - done - else - MSRVIP=$(getent hosts "$MSRV" | awk 'NR==1{print $1}') - whiptail_manager_ip "$MSRVIP" - while ! valid_ip4 "$MSRVIP" || [[ $MSRVIP == "$MAINIP" || $MSRVIP == "127.0.0.1" ]]; do - whiptail_invalid_input - whiptail_manager_ip "$MSRVIP" - done + while ! valid_ip4 "$MSRVIP" || [[ $MSRVIP == "$MAINIP" || $MSRVIP == "127.0.0.1" ]]; do + whiptail_invalid_input + whiptail_manager_ip "$MSRVIP" + done + fi fi } @@ -700,8 +707,6 @@ checkin_at_boot() { } check_requirements() { - local standalone_or_dist=$1 - local node_type=$2 # optional local req_mem local req_cores local req_storage @@ -709,27 +714,57 @@ check_requirements() { readarray -t nic_list <<< "$(ip link| awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2}' | grep -vwe "bond0" | sed 's/ //g' | sed -r 's/(.*)(\.[0-9]+)@\1/\1\2/g')" local num_nics=${#nic_list[@]} - if [[ "$standalone_or_dist" == 'standalone' ]]; then + if [[ $is_eval ]]; then req_mem=12 req_cores=4 req_nics=2 - elif [[ "$standalone_or_dist" == 'dist' ]]; then - req_mem=8 + elif [[ $is_standalone ]]; then + req_mem=24 req_cores=4 - if [[ "$node_type" == 'sensor' ]]; then req_nics=2; else req_nics=1; fi - if [[ "$node_type" == 'fleet' ]]; then req_mem=4; fi - if [[ "$node_type" == 'idh' ]]; then req_mem=1 req_cores=2; fi - elif [[ "$standalone_or_dist" == 'import' ]]; then + req_nics=2 + elif [[ $is_manager ]]; then + req_mem=16 + req_cores=4 + req_nics=1 + elif [[ $is_managersearch ]]; then + req_mem=16 + req_cores=8 + req_nics=1 + elif [[ $is_sensor ]]; then + req_mem=12 + req_cores=4 + req_nics=2 + elif [[ $is_fleet ]]; then req_mem=4 + req_cores=4 + req_nics=1 + elif [[ $is_searchnode ]]; then + req_mem=16 + req_cores=4 + req_nics=1 + elif [[ $is_heavynode ]]; then + req_mem=24 + req_cores=4 + req_nics=2 + elif [[ $is_idh ]]; then + req_mem=1 + req_cores=2 + req_nics=1 + elif [[ $is_import ]]; then + req_mem=4 + req_cores=2 + req_nics=1 + elif [[ $is_receiver ]]; then + req_mem=8 req_cores=2 req_nics=1 fi if [[ $setup_type == 'network' ]] ; then - if [[ -n $nsm_mount ]]; then - if [[ "$standalone_or_dist" == 'import' ]]; then + if [[ -n $nsm_mount ]]; then # does a /nsm mount exist + if [[ $is_import ]]; then req_storage=50 - elif [[ "$node_type" == 'idh' ]]; then + elif [[ $is_idh ]]; then req_storage=12 else req_storage=100 @@ -741,10 +776,10 @@ check_requirements() { whiptail_storage_requirements "/nsm" "${free_space_nsm} GB" "${req_storage} GB" fi else - if [[ "$standalone_or_dist" == 'import' ]]; then + if [[ $is_import ]]; then req_storage=50 - elif [[ "$node_type" == 'idh' ]]; then - req_storage=12 + elif [[ $is_idh ]]; then + req_storage=12 else req_storage=200 fi @@ -1269,7 +1304,7 @@ get_redirect() { get_minion_type() { local minion_type case "$install_type" in - 'EVAL' | 'MANAGERSEARCH' | 'MANAGER' | 'SENSOR' | 'HEAVYNODE' | 'SEARCHNODE' | 'FLEET' | 'IDH' | 'STANDALONE' | 'IMPORT' | 'RECEIVER') + 'EVAL' | 'MANAGERSEARCH' | 'MANAGER' | 'SENSOR' | 'HEAVYNODE' | 'SEARCHNODE' | 'FLEET' | 'IDH' | 'STANDALONE' | 'IMPORT' | 'RECEIVER' | 'DESKTOP') minion_type=$(echo "$install_type" | tr '[:upper:]' '[:lower:]') ;; esac @@ -1664,9 +1699,7 @@ process_installtype() { elif [ "$install_type" = 'RECEIVER' ]; then is_receiver=true elif [ "$install_type" = 'DESKTOP' ]; then - if [ "$setup_type" != 'desktop' ]; then - exec bash so-setup desktop - fi + is_desktop=true fi } @@ -1885,7 +1918,7 @@ securityonion_repo() { if [ -n "$(ls -A /etc/yum.repos.d/ 2>/dev/null)" ]; then logCmd "mv -v /etc/yum.repos.d/* /root/oldrepos/" fi - if [[ $is_desktop_iso ]]; then + if ! $is_desktop_grid; then gpg_rpm_import if [[ ! $is_airgap ]]; then echo "https://repo.securityonion.net/file/so-repo/prod/2.4/oracle/9" > /etc/yum/mirror.txt @@ -1930,12 +1963,10 @@ securityonion_repo() { fi if [[ $is_rpm ]]; then logCmd "dnf repolist all"; fi if [[ $waitforstate ]]; then - if [[ ! $is_airgap ]]; then - if [[ $is_rpm ]]; then + if [[ $is_rpm ]]; then # Build the repo locally so we can use it echo "Syncing Repos" repo_sync_local - fi fi fi } @@ -1945,7 +1976,7 @@ repo_sync_local() { if [[ $is_supported ]]; then # Sync the repo from the the SO repo locally. # Check for reposync - info "Backing up old repos" + info "Adding Repo Download Configuration" mkdir -p /nsm/repo mkdir -p /opt/so/conf/reposync/cache echo "https://repo.securityonion.net/file/so-repo/prod/2.4/oracle/9" > /opt/so/conf/reposync/mirror.txt @@ -1969,10 +2000,10 @@ repo_sync_local() { if [[ ! $is_airgap ]]; then curl --retry 5 --retry-delay 60 -A "netinstall/$SOVERSION/$OS/$(uname -r)/1" https://sigs.securityonion.net/checkup --output /tmp/install logCmd "dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" + # After the download is complete run createrepo + create_repo fi - # After the download is complete run createrepo - create_repo else # Add the proper repos for unsupported stuff echo "Adding Repos" @@ -2057,7 +2088,7 @@ saltify() { if [[ $waitforstate ]]; then retry 150 20 "apt-get -y install salt-common=$SALTVERSION salt-minion=$SALTVERSION salt-master=$SALTVERSION" || fail_setup retry 150 20 "apt-mark hold salt-minion salt-common salt-master" || fail_setup - retry 150 20 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-mysqldb python3-packaging python3-influxdb python3-lxml" || exit 1 + retry 150 20 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-packaging python3-influxdb python3-lxml" || exit 1 else retry 150 20 "apt-get -y install salt-common=$SALTVERSION salt-minion=$SALTVERSION" || fail_setup retry 150 20 "apt-mark hold salt-minion salt-common" || fail_setup @@ -2075,21 +2106,27 @@ saltify() { fi logCmd "mkdir -p /etc/salt/minion.d" + salt_install_module_deps + salt_patch_x509_v2 + +} + +# Run a salt command to generate the minion key +salt_firstcheckin() { + salt-call state.show_top >> /dev/null 2>&1 # send output to /dev/null because we don't actually care about the ouput +} + +salt_install_module_deps() { logCmd "salt-pip install docker --no-index --only-binary=:all: --find-links files/salt_module_deps/docker/" logCmd "salt-pip install pymysql --no-index --only-binary=:all: --find-links files/salt_module_deps/pymysql/" +} +salt_patch_x509_v2() { # this can be removed when https://github.com/saltstack/salt/issues/64195 is resolved if [ $SALTVERSION == "3006.1" ]; then info "Salt version 3006.1 found. Patching /opt/saltstack/salt/lib/python3.10/site-packages/salt/states/x509_v2.py" \cp -v ./files/patch/states/x509_v2.py /opt/saltstack/salt/lib/python3.10/site-packages/salt/states/x509_v2.py fi - -} - - -# Run a salt command to generate the minion key -salt_firstcheckin() { - salt-call state.show_top >> /dev/null 2>&1 # send output to /dev/null because we don't actually care about the ouput } # Create an secrets pillar so that passwords survive re-install @@ -2372,6 +2409,13 @@ set_redirect() { ;; esac } + +set_timezone() { + + logCmd "timedatectl set-timezone Etc/UTC" + +} + so_add_user() { local username=$1 local uid=$2 diff --git a/setup/so-setup b/setup/so-setup index 2b9a0fd01..e35dde579 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -58,6 +58,7 @@ while [[ $# -gt 0 ]]; do esac done +set_timezone # Preserve old setup/error logs [ -f "$error_log" ] && mv "$error_log" "$error_log.$(date +%Y-%m-%dT%H:%M:%S)" [ -f "$setup_log" ] && mv "$setup_log" "$setup_log.$(date +%Y-%m-%dT%H:%M:%S)" @@ -68,7 +69,7 @@ detect_os # Ubuntu/Debian whiptail pallete to make it look the same as CentOS and Rocky. set_palette >> $setup_log 2>&1 -if [[ $not_supported ]]; then +if [[ $not_supported ]] && [ -z "$test_profile" ]; then if [[ "$OSVER" == "focal" ]]; then if (whiptail_focal_warning); then true @@ -103,6 +104,7 @@ if [ "$setup_type" = 'desktop' ]; then # Check to see if this is an ISO. Usually this dir on exists on ISO installs. if [ -d /root/SecurityOnion ]; then is_desktop_iso=true + install_type='DESKTOP' fi fi @@ -181,9 +183,40 @@ if [ -n "$test_profile" ]; then install_type=SEARCHNODE HOSTNAME=search MSRVIP_OFFSET=-1 + elif [[ "$test_profile" =~ "-managersearch" ]]; then + install_type=MANAGERSEARCH + HOSTNAME=manager + elif [[ "$test_profile" =~ "-heavynode" ]]; then + install_type=HEAVYNODE + HOSTNAME=sensor + MSRVIP_OFFSET=-1 + elif [[ "$test_profile" =~ "-desktop" ]]; then + install_type=DESKTOP + MSRVIP_OFFSET=-3 + is_desktop_grid=true + elif [[ "$test_profile" =~ "-idh" ]]; then + install_type=IDH + HOSTNAME=idh + MSRVIP_OFFSET=-4 + elif [[ "$test_profile" =~ "-receiver" ]]; then + install_type=RECEIVER + HOSTNAME=receiver + MSRVIP_OFFSET=-5 + elif [[ "$test_profile" =~ "-fleet" ]]; then + install_type=FLEET + HOSTNAME=fleet + MSRVIP_OFFSET=-6 else HOSTNAME=manager fi + + if [[ "$install_type" =~ "DESKTOP" ]]; then + is_desktop=true + HOSTNAME=desktop + if [[ -z "$is_desktop_grid" ]]; then + is_desktop_grid=false + fi + fi info "Activating test profile; profile=$test_profile; install_type=$install_type" @@ -332,39 +365,41 @@ if [[ $is_desktop ]]; then exit 1 fi -# if ! whiptail_desktop_install; then - if [[ $is_desktop_iso ]]; then - if whiptail_desktop_nongrid_iso; then - # Remove setup from auto launching - parse_install_username - sed -i '$ d' /home/$INSTALLUSERNAME/.bash_profile >> "$setup_log" 2>&1 - securityonion_repo - info "Enabling graphical interface and setting it to load at boot" - systemctl set-default graphical.target - info "Setting desktop background" - set_desktop_background - echo "Desktop Install Complete!" - echo "" - echo "Please reboot to start graphical interface." - exit 0 + whiptail_desktop_install + if ! $is_desktop_grid; then + if [[ $is_desktop_iso ]]; then + if whiptail_desktop_nongrid_iso; then + # Remove setup from auto launching + parse_install_username + sed -i '$ d' /home/$INSTALLUSERNAME/.bash_profile >> "$setup_log" 2>&1 + securityonion_repo + info "Enabling graphical interface and setting it to load at boot" + systemctl set-default graphical.target + info "Setting desktop background" + set_desktop_background + echo "Desktop Install Complete!" + echo "" + echo "Please reboot to start graphical interface." + exit 0 + else + # Abort! + exit 0 + fi else - # Abort! - exit 0 - fi - else - if whiptail_desktop_nongrid_network; then - info "" - info "" - info "Kicking off the automated setup of the Security Onion Desktop. This can take a while depending on your network connection." - info "" - info "" - desktop_salt_local - else - # Abort! - exit 0 + if whiptail_desktop_nongrid_network; then + networking_needful + info "" + info "" + info "Kicking off the automated setup of the Security Onion Desktop. This can take a while depending on your network connection." + info "" + info "" + desktop_salt_local + else + # Abort! + exit 0 + fi fi fi -# fi # If you got this far then you want to join the grid is_minion=true @@ -387,7 +422,7 @@ if ! [[ -f $install_opt_file ]]; then # If it is an install from ISO is this airgap? [[ $is_iso ]] && whiptail_airgap # Make sure minimum requirements are met - check_requirements "manager" + check_requirements # Do networking things networking_needful # Do we need a proxy? @@ -418,7 +453,7 @@ if ! [[ -f $install_opt_file ]]; then monints=true check_elastic_license [[ $is_iso ]] && whiptail_airgap - check_requirements "manager" + check_requirements networking_needful [[ ! $is_airgap ]] && collect_net_method collect_dockernet @@ -439,7 +474,7 @@ if ! [[ -f $install_opt_file ]]; then check_elastic_license waitforstate=true [[ $is_iso ]] && whiptail_airgap - check_requirements "manager" + check_requirements networking_needful [[ ! $is_airgap ]] && collect_net_method collect_dockernet @@ -459,7 +494,7 @@ if ! [[ -f $install_opt_file ]]; then check_elastic_license waitforstate=true [[ $is_iso ]] && whiptail_airgap - check_requirements "manager" + check_requirements networking_needful [[ ! $is_airgap ]] && collect_net_method collect_dockernet @@ -477,7 +512,7 @@ if ! [[ -f $install_opt_file ]]; then elif [[ $is_sensor ]]; then info "Setting up as node type sensor" monints=true - check_requirements "sensor" + check_requirements calculate_useable_cores networking_needful check_network_manager_conf @@ -492,7 +527,7 @@ if ! [[ -f $install_opt_file ]]; then elif [[ $is_fleet ]]; then info "Setting up as node type fleet" - check_requirements "fleet" + check_requirements networking_needful check_network_manager_conf set_network_dev_status_list @@ -505,7 +540,7 @@ if ! [[ -f $install_opt_file ]]; then elif [[ $is_searchnode ]]; then info "Setting up as node type searchnode" - check_requirements "elasticsearch" + check_requirements networking_needful check_network_manager_conf set_network_dev_status_list @@ -519,7 +554,7 @@ if ! [[ -f $install_opt_file ]]; then elif [[ $is_heavynode ]]; then info "Setting up as node type heavynode" monints=true - check_requirements "heavynode" + check_requirements calculate_useable_cores networking_needful check_network_manager_conf @@ -534,7 +569,7 @@ if ! [[ -f $install_opt_file ]]; then elif [[ $is_idh ]]; then info "Setting up as node type idh" - check_requirements "idh" + check_requirements networking_needful collect_mngr_hostname add_mngr_ip_to_hosts @@ -548,7 +583,7 @@ if ! [[ -f $install_opt_file ]]; then waitforstate=true [[ $is_iso ]] && whiptail_airgap check_elastic_license - check_requirements "import" + check_requirements networking_needful [[ ! $is_airgap ]] && detect_cloud collect_dockernet @@ -566,13 +601,24 @@ if ! [[ -f $install_opt_file ]]; then elif [[ $is_receiver ]]; then info "Setting up as node type receiver" - check_requirements "receiver" + check_requirements networking_needful collect_mngr_hostname add_mngr_ip_to_hosts check_manager_connection set_minion_info whiptail_end_settings + + # desktop install will only get this far if joining the grid + elif [[ $is_desktop ]]; then + info "Setting up as node type desktop" + networking_needful + collect_mngr_hostname + add_mngr_ip_to_hosts + check_manager_connection + set_minion_info + whiptail_end_settings + fi if [[ $waitforstate ]]; then diff --git a/setup/so-variables b/setup/so-variables index 7c5e51c6c..7f6522487 100644 --- a/setup/so-variables +++ b/setup/so-variables @@ -5,7 +5,7 @@ mkdir -p /nsm total_mem=$(grep MemTotal /proc/meminfo | awk '{print $2}' | sed -r 's/.{3}$//') export total_mem -total_mem_hr=$(grep MemTotal /proc/meminfo | awk '{ printf("%.0f", $2/1024/1024); }') +total_mem_hr=$(grep MemTotal /proc/meminfo | awk '{ printf("%.0f", $2/1000/1000); }') export total_mem_hr num_cpu_cores=$(nproc) @@ -32,10 +32,10 @@ export filesystem_root filesystem_nsm=$(df /nsm | awk '$3 ~ /[0-9]+/ { print $2 * 1000 }') export filesystem_nsm -free_space_nsm=$(df -Pk /nsm | sed 1d | grep -v used | awk '{ print $4 / 1048576 }' | awk '{ printf("%.0f", $1) }') +free_space_nsm=$(df -Pk /nsm | sed 1d | grep -v used | awk '{ print $4 / 1042803 }' | awk '{ printf("%.0f", $1) }') export free_space_nsm -free_space_root=$(df -Pk / | sed 1d | grep -v used | awk '{ print $4 / 1048576 }' | awk '{ printf("%.0f", $1) }') +free_space_root=$(df -Pk / | sed 1d | grep -v used | awk '{ print $4 / 1042803 }' | awk '{ printf("%.0f", $1) }') export free_space_root readarray -t mountpoints <<< "$(lsblk -nlo MOUNTPOINT)" @@ -218,4 +218,4 @@ patch_pillar_file="$local_salt_dir/pillar/patch/soc_patch.sls" export patch_pillar_file adv_patch_pillar_file="$local_salt_dir/pillar/patch/adv_patch.sls" -export adv_patch_pillar_file \ No newline at end of file +export adv_patch_pillar_file diff --git a/setup/so-verify b/setup/so-verify index 07d24d114..e9a8a375c 100755 --- a/setup/so-verify +++ b/setup/so-verify @@ -52,6 +52,8 @@ log_has_errors() { grep -vE "/nsm/rules/yara*" | \ grep -vE "Failed to restart snapd" | \ grep -vE "Login Failed Details" | \ + grep -vE "response from daemon: unauthorized" | \ + grep -vE "Reading first line of patchfile" | \ grep -vE "Running scope as unit" &> "$error_log" if [[ $? -eq 0 ]]; then diff --git a/setup/so-whiptail b/setup/so-whiptail index c55e2db8f..ede138d26 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -58,6 +58,12 @@ whiptail_desktop_install() { whiptail --title "$whiptail_title" \ --yesno "$message" 11 75 --defaultno + if [ $? -eq 0 ]; then + is_desktop_grid=true + else + is_desktop_grid=false + fi + } whiptail_desktop_nongrid_iso() { @@ -226,7 +232,7 @@ whiptail_requirements_error() { [ -n "$TESTING" ] && return - if [[ $(echo "$requirement_needed" | tr '[:upper:]' '[:lower:]') == 'nics' ]]; then + if [[ $(echo "$requirement_needed" | tr '[:upper:]' '[:lower:]') =~ 'nic' ]]; then whiptail --title "$whiptail_title" \ --msgbox "This machine currently has $current_val $requirement_needed, but needs $needed_val to meet minimum requirements. Select OK to exit setup and reconfigure the machine." 10 75 @@ -557,7 +563,7 @@ whiptail_install_type() { "EVAL" "Evaluation mode (not for production) " \ "STANDALONE" "Standalone production install " \ "DISTRIBUTED" "Distributed install submenu " \ - "OTHER" "Other install types" \ + "DESKTOP" "Install Security Onion Desktop" \ 3>&1 1>&2 2>&3 ) elif [[ "$OSVER" == "focal" ]]; then @@ -578,8 +584,6 @@ whiptail_install_type() { else whiptail_install_type_dist_existing fi - elif [[ $install_type == "OTHER" ]]; then - whiptail_install_type_other fi export install_type @@ -678,30 +682,13 @@ whiptail_install_type_dist_existing() { elif [ "$install_type" = 'RECEIVER' ]; then is_receiver=true elif [ "$install_type" = 'DESKTOP' ]; then - if [ "$setup_type" != 'desktop' ]; then - exec bash so-setup desktop - fi + is_desktop=true fi local exitstatus=$? whiptail_check_exitstatus $exitstatus } - -whiptail_install_type_other() { - - [ -n "$TESTING" ] && return - - install_type=$(whiptail --title "$whiptail_title" --menu \ - "Choose node type:" 10 65 2 \ - "DESKTOP" "Setup will run 'so-setup desktop' " 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - - export install_type -} - whiptail_invalid_input() { # TODO: This should accept a list of arguments to specify what general pattern the input should follow [ -n "$TESTING" ] && return @@ -1197,21 +1184,6 @@ whiptail_reinstall() { whiptail_check_exitstatus $exitstatus } -whiptail_requirements_error() { - - local requirement_needed=$1 - local current_val=$2 - local needed_val=$3 - - [ -n "$TESTING" ] && return - - whiptail --title "$whiptail_title" \ - --yesno "This machine currently has $current_val $requirement_needed, but needs $needed_val to meet minimum requirements. Select YES to continue anyway, or select NO to cancel." 10 75 - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus -} - whiptail_sensor_config() { [ -n "$TESTING" ] && return diff --git a/sigs/securityonion-2.4.20-20231006.iso.sig b/sigs/securityonion-2.4.20-20231006.iso.sig new file mode 100644 index 000000000..b253c6734 Binary files /dev/null and b/sigs/securityonion-2.4.20-20231006.iso.sig differ