From ffae22beefe5984c97b1b8ee242e13e3148126fb Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Fri, 4 Mar 2022 13:04:11 +0000
Subject: [PATCH] Add DTC syslog mappings for .keyword and add refs to defaults.yml
---
 salt/elasticsearch/defaults.yaml | 7 ++
 .../component/so/dtc-syslog-mappings.json | 73 +++++++++++++++++++
 2 files changed, 80 insertions(+)
 create mode 100644 salt/elasticsearch/templates/component/so/dtc-syslog-mappings.json
diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index faa2caeca..55299013c 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -845,6 +845,8 @@ elasticsearch:
 - source-mappings
 - dtc-source-mappings
 - pb-override-source-mappings
+ - syslog-mappings
+ - dtc-syslog-mappings
 - threat-mappings
 - tls-mappings
 - tracing-mappings
@@ -1342,6 +1344,8 @@ elasticsearch:
 - source-mappings
 - dtc-source-mappings
 - pb-override-source-mappings
+ - syslog-mappings
+ - dtc-syslog-mappings
 - threat-mappings
 - tls-mappings
 - tracing-mappings
@@ -3900,6 +3904,7 @@ elasticsearch:
 - dtc-source-mappings
 - pb-override-source-mappings
 - syslog-mappings
+ - dtc-syslog-mappings
 - threat-mappings
 - tls-mappings
 - tracing-mappings
@@ -4064,6 +4069,8 @@ elasticsearch:
 - source-mappings
 - dtc-source-mappings
 - pb-override-source-mappings
+ - syslog-mappings
+ - dtc-syslog-mappings
 - threat-mappings
 - tls-mappings
 - tracing-mappings
diff --git a/salt/elasticsearch/templates/component/so/dtc-syslog-mappings.json b/salt/elasticsearch/templates/component/so/dtc-syslog-mappings.json
new file mode 100644
index 000000000..332538e0d
--- /dev/null
+++ b/salt/elasticsearch/templates/component/so/dtc-syslog-mappings.json
@@ -0,0 +1,73 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-syslog.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "settings": {
+ "analysis": {
+ "analyzer": {
+ "es_security_analyzer": {
+ "type": "custom",
+ "char_filter": [
+ "whitespace_no_way"
+ ],
+ "filter": [
+ "lowercase",
+ "trim"
+ ],
+ "tokenizer": "keyword"
+ }
+ },
+ "char_filter": {
+ "whitespace_no_way": {
+ "type": "pattern_replace",
+ "pattern": "(\\s)+",
+ "replacement": "$1"
+ }
+ },
+ "filter": {
+ "path_hierarchy_pattern_filter": {
+ "type": "pattern_capture",
+ "preserve_original": true,
+ "patterns": [
+ "((?:[^\\\\]*\\\\)*)(.*)",
+ "((?:[^/]*/)*)(.*)"
+ ]
+ }
+ },
+ "tokenizer": {
+ "path_tokenizer": {
+ "type": "path_hierarchy",
+ "delimiter": "\\"
+ }
+ }
+ }
+ },
+ "mappings": {
+ "properties": {
+ "syslog": {
+ "properties": {
+ "facility": {
+ "type": "long",
+ "fields": {
+ "keyword": {
+ "type": "keyword"
+ }
+ }
+ },
+ "priority": {
+ "type": "long",
+ "fields": {
+ "keyword": {
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
+
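Review bot: Mapping `syslog.facility` and `syslog.priority` as `long` means any event whose facility or priority arrives as a name rather than a number (a source emitting `daemon` instead of `3`, for instance) fails the numeric mapper and the whole document is rejected, which in a security log pipeline is a silent blind spot rather than a visible parse error; unless the ingest pipelines feeding these templates are known to always emit integers here, add `"ignore_malformed": true` beside each `"type": "long"` so the event is still indexed and the offending value is recorded in `_ignored`. The `settings.analysis` block (`es_security_analyzer`, `whitespace_no_way`, `path_hierarchy_pattern_filter`, `path_tokenizer`) is not referenced by either field mapped in this component and looks copied from a sibling template; dropping it avoids a second copy that can drift from the one the analyzer-using templates actually rely on, since later component templates override earlier settings. The `_meta.documentation` link points to the ECS syslog field set, which ECS places under `log.syslog.*`, while these properties live at top-level `syslog.*`; if the top-level placement is intentional, a `_meta` note saying so, e.g. `"note": "Security Onion syslog.* fields; not the ECS log.syslog.* field set"`, would save the next reader from assuming an ECS mismatch.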