Merge pull request #12050 from Security-Onion-Solutions/hotfix/2.4.30

Hotfix/2.4.30

.github/workflows/pythontest.yml

@@ -4,9 +4,11 @@ on:
   push:
     paths: 
       - "salt/sensoroni/files/analyzers/**"
+      - "salt/manager/tools/sbin"
   pull_request:
     paths:
       - "salt/sensoroni/files/analyzers/**"
+      - "salt/manager/tools/sbin"
 
 jobs:
   build:
@@ -16,7 +18,7 @@ jobs:
       fail-fast: false
       matrix:
         python-version: ["3.10"]
-        python-code-path: ["salt/sensoroni/files/analyzers"]
+        python-code-path: ["salt/sensoroni/files/analyzers", "salt/manager/tools/sbin"]
 
     steps:
     - uses: actions/checkout@v3
@@ -34,4 +36,4 @@ jobs:
         flake8 ${{ matrix.python-code-path }} --show-source --max-complexity=12  --doctests --max-line-length=200 --statistics
     - name: Test with pytest
       run: |
-        pytest ${{ matrix.python-code-path }} --cov=${{ matrix.python-code-path }} --doctest-modules --cov-report=term --cov-fail-under=100 --cov-config=${{ matrix.python-code-path }}/pytest.ini
+        pytest ${{ matrix.python-code-path }} --cov=${{ matrix.python-code-path }} --doctest-modules --cov-report=term --cov-fail-under=100 --cov-config=pytest.ini

DOWNLOAD_AND_VERIFY_ISO.md

@@ -1,18 +1,18 @@
-### 2.4.10-20230815 ISO image released on 2023/08/15
+### 2.4.30-20231219 ISO image released on 2023/12/19
 
 
 
 ### Download and Verify
 
-2.4.10-20230815 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.4.10-20230815.iso
+2.4.30-20231219 ISO image:  
+https://download.securityonion.net/file/securityonion/securityonion-2.4.30-20231219.iso
  
-MD5: 97AEC929FB1FC22F106C0C93E3476FAB  
-SHA1: 78AF37FD19FDC34BA324C1A661632D19D1F2284A  
-SHA256: D04BA45D1664FC3CF7EA2188CB7E570642F6390C3959B4AFBB8222A853859394  
+MD5: 69DDC559C0ACF44397662B732E70DFF4  
+SHA1: 38344CDEB7AC9A62F33688087FC2577298E9390C  
+SHA256: 05731E767EBC46DA5BAF1D9483EE9D50B354EC3393274743A185F1A0411C4F4C  
 
 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.10-20230815.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.30-20231219.iso.sig
 
 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS  
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.
 
 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.10-20230815.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.30-20231219.iso.sig
 ```
 
 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.4.10-20230815.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.4.30-20231219.iso
 ```
 
 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.4.10-20230815.iso.sig securityonion-2.4.10-20230815.iso
+gpg --verify securityonion-2.4.30-20231219.iso.sig securityonion-2.4.30-20231219.iso
 ```
 
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Sun 13 Aug 2023 05:30:29 PM EDT using RSA key ID FE507013
+gpg: Signature made Mon 18 Dec 2023 05:10:29 PM EST using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.

HOTFIX

@@ -1 +1 @@
-
+20231204

VERSION

@@ -1 +1 @@
-2.4.10
+2.4.30

files/firewall/assigned_hostgroups.local.map.yaml

@@ -12,7 +12,6 @@ role:
   eval:
   fleet:
   heavynode:
-  helixsensor:
   idh:
   import:
   manager:

pillar/logstash/nodes.sls

@@ -7,19 +7,23 @@
     tgt_type='compound') | dictsort()
 %}
 
-{%   set hostname = cached_grains[minionid]['host'] %}
-{%   set node_type = minionid.split('_')[1] %}
-{%   if node_type not in node_types.keys() %}
-{%     do node_types.update({node_type: {hostname: ip[0]}}) %}
-{%   else %}
-{%     if hostname not in node_types[node_type] %}
-{%       do node_types[node_type].update({hostname: ip[0]}) %}
+# only add a node to the pillar if it returned an ip from the mine
+{%   if ip | length > 0%}
+{%     set hostname = cached_grains[minionid]['host'] %}
+{%     set node_type = minionid.split('_')[1] %}
+{%     if node_type not in node_types.keys() %}
+{%       do node_types.update({node_type: {hostname: ip[0]}}) %}
 {%     else %}
-{%       do node_types[node_type][hostname].update(ip[0]) %}
+{%       if hostname not in node_types[node_type] %}
+{%         do node_types[node_type].update({hostname: ip[0]}) %}
+{%       else %}
+{%         do node_types[node_type][hostname].update(ip[0]) %}
+{%       endif %}
 {%     endif %}
 {%   endif %}
 {% endfor %}
 
+
 logstash:
   nodes:
 {% for node_type, values in node_types.items() %}

pillar/node_data/ips.sls

@@ -4,18 +4,22 @@
 {%   set hostname = minionid.split('_')[0] %}
 {%   set node_type = minionid.split('_')[1] %}
 {%   set is_alive = False %}
-{%   if minionid in manage_alived.keys() %}
-{%     if ip[0] == manage_alived[minionid] %}
-{%       set is_alive = True %}
+
+# only add a node to the pillar if it returned an ip from the mine
+{%   if ip | length > 0%}
+{%     if minionid in manage_alived.keys() %}
+{%       if ip[0] == manage_alived[minionid] %}
+{%         set is_alive = True %}
+{%       endif %}
 {%     endif %}
-{%   endif %}
-{%   if node_type not in node_types.keys() %}
-{%     do node_types.update({node_type: {hostname: {'ip':ip[0], 'alive':is_alive }}}) %}
-{%   else %}
-{%     if hostname not in node_types[node_type] %}
-{%       do node_types[node_type].update({hostname: {'ip':ip[0], 'alive':is_alive}}) %}
+{%     if node_type not in node_types.keys() %}
+{%       do node_types.update({node_type: {hostname: {'ip':ip[0], 'alive':is_alive }}}) %}
 {%     else %}
-{%       do node_types[node_type][hostname].update({'ip':ip[0], 'alive':is_alive}) %}
+{%       if hostname not in node_types[node_type] %}
+{%         do node_types[node_type].update({hostname: {'ip':ip[0], 'alive':is_alive}}) %}
+{%       else %}
+{%         do node_types[node_type][hostname].update({'ip':ip[0], 'alive':is_alive}) %}
+{%       endif %}
 {%     endif %}
 {%   endif %}
 {% endfor %}

pillar/thresholding/pillar.example

@@ -1,44 +0,0 @@
-thresholding:
-  sids:
-    8675309:
-      - threshold:
-          gen_id: 1
-          type: threshold
-          track: by_src
-          count: 10
-          seconds: 10
-      - threshold:
-          gen_id: 1
-          type: limit
-          track: by_dst
-          count: 100
-          seconds: 30
-      - rate_filter:
-          gen_id: 1
-          track: by_rule
-          count: 50
-          seconds: 30
-          new_action: alert
-          timeout: 30
-      - suppress:
-          gen_id: 1
-          track: by_either
-          ip: 10.10.3.7
-    11223344:
-      - threshold:
-          gen_id: 1
-          type: limit
-          track: by_dst
-          count: 10
-          seconds: 10
-      - rate_filter:
-          gen_id: 1
-          track: by_src
-          count: 50
-          seconds: 20
-          new_action: pass
-          timeout: 60
-      - suppress:
-          gen_id: 1
-          track: by_src
-          ip: 10.10.3.0/24

pillar/thresholding/pillar.usage

@@ -1,20 +0,0 @@
-thresholding:
-  sids:
-    <signature id>:
-      - threshold:
-          gen_id: <generator id>
-          type: <threshold | limit | both>
-          track: <by_src | by_dst>
-          count: <count>
-          seconds: <seconds>
-      - rate_filter:
-          gen_id: <generator id>
-          track: <by_src | by_dst | by_rule | by_both>
-          count: <count>
-          seconds: <seconds>
-          new_action: <alert | pass>
-          timeout: <seconds>
-      - suppress:
-          gen_id: <generator id>
-          track: <by_src | by_dst | by_either>
-          ip: <ip | subnet>

pillar/top.sls

@@ -4,14 +4,9 @@ base:
     - global.adv_global
     - docker.soc_docker
     - docker.adv_docker
-    - firewall.soc_firewall
-    - firewall.adv_firewall
     - influxdb.token
     - logrotate.soc_logrotate
     - logrotate.adv_logrotate
-    - nginx.soc_nginx
-    - nginx.adv_nginx
-    - node_data.ips
     - ntp.soc_ntp
     - ntp.adv_ntp
     - patch.needs_restarting
@@ -22,6 +17,13 @@ base:
     - telegraf.soc_telegraf
     - telegraf.adv_telegraf
 
+  '* and not *_desktop':
+    - firewall.soc_firewall
+    - firewall.adv_firewall
+    - nginx.soc_nginx
+    - nginx.adv_nginx
+    - node_data.ips
+
   '*_manager or *_managersearch':
     - match: compound
     {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}

pyci.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+if [[ $# -ne 1 ]]; then
+    echo "Usage: $0 <python_script_dir>"
+    echo "Runs tests on all *_test.py files in the given directory."
+    exit 1
+fi
+
+HOME_DIR=$(dirname "$0")
+TARGET_DIR=${1:-.}
+
+PATH=$PATH:/usr/local/bin
+
+if ! which pytest &> /dev/null || ! which flake8 &> /dev/null ; then
+    echo "Missing dependencies. Consider running the following command:"
+    echo "  python -m pip install flake8 pytest pytest-cov"
+    exit 1
+fi
+
+pip install pytest pytest-cov
+flake8 "$TARGET_DIR" "--config=${HOME_DIR}/pytest.ini"
+python3 -m pytest "--cov-config=${HOME_DIR}/pytest.ini" "--cov=$TARGET_DIR" --doctest-modules --cov-report=term --cov-fail-under=100  "$TARGET_DIR" 

salt/allowed_states.map.jinja

@@ -188,6 +188,9 @@
           'docker_clean'
           ],
       'so-desktop': [
+          'ssl',
+          'docker_clean',
+          'telegraf'
           ],
   }, grain='role') %}
 

salt/bpf/macros.jinja

@@ -0,0 +1,10 @@
+{% macro remove_comments(bpfmerged, app) %}
+
+{# remove comments from the bpf #}
+{% for bpf in bpfmerged[app] %}
+{%   if bpf.strip().startswith('#') %}
+{%     do bpfmerged[app].pop(loop.index0) %}
+{%   endif %}
+{% endfor %}
+
+{% endmacro %}

salt/bpf/pcap.map.jinja

@@ -1,4 +1,7 @@
 {% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
 {% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
+{% import 'bpf/macros.jinja' as MACROS %}
+
+{{ MACROS.remove_comments(BPFMERGED, 'pcap') }}
 
 {% set PCAPBPF = BPFMERGED.pcap %}

salt/bpf/suricata.map.jinja

@@ -1,4 +1,7 @@
 {% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
 {% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
+{% import 'bpf/macros.jinja' as MACROS %}
+
+{{ MACROS.remove_comments(BPFMERGED, 'suricata') }}
 
 {% set SURICATABPF = BPFMERGED.suricata %}

salt/bpf/zeek.map.jinja

@@ -1,4 +1,7 @@
 {% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
 {% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
+{% import 'bpf/macros.jinja' as MACROS %}
+
+{{ MACROS.remove_comments(BPFMERGED, 'zeek') }}
 
 {% set ZEEKBPF = BPFMERGED.zeek %}

salt/ca/files/signing_policies.conf

@@ -37,7 +37,7 @@ x509_signing_policies:
     - ST: Utah
     - L: Salt Lake City
     - basicConstraints: "critical CA:false"
-    - keyUsage: "critical keyEncipherment"
+    - keyUsage: "critical keyEncipherment digitalSignature"
     - subjectKeyIdentifier: hash
     - authorityKeyIdentifier: keyid,issuer:always
     - extendedKeyUsage: serverAuth

salt/ca/init.sls

@@ -50,6 +50,12 @@ pki_public_ca_crt:
         attempts: 5
         interval: 30
 
+mine_update_ca_crt:
+  module.run:
+    - mine.update: []
+    - onchanges:
+      - x509: pki_public_ca_crt
+
 cakeyperms:
   file.managed:
     - replace: False

salt/common/init.sls

@@ -8,6 +8,7 @@ include:
   - common.packages
 {% if GLOBALS.role in GLOBALS.manager_roles %}
   - manager.elasticsearch # needed for elastic_curl_config state
+  - manager.kibana
 {% endif %}
 
 net.core.wmem_default:

salt/common/packages.sls

@@ -21,7 +21,6 @@ commonpkgs:
       - python3-dateutil
       - python3-docker
       - python3-packaging
-      - python3-watchdog
       - python3-lxml
       - git
       - rsync
@@ -47,10 +46,16 @@ python-rich:
 {% endif %}
 
 {% if GLOBALS.os_family == 'RedHat' %}
+
+remove_mariadb:
+  pkg.removed:
+    - name: mariadb-devel
+
 commonpkgs:
   pkg.installed:
     - skip_suggestions: True
     - pkgs:
+      - python3-dnf-plugin-versionlock
       - curl
       - device-mapper-persistent-data
       - fuse
@@ -63,26 +68,19 @@ commonpkgs:
       - httpd-tools
       - jq
       - lvm2
-      {% if GLOBALS.os == 'CentOS Stream' %}
-      - MariaDB-devel
-      {% else %}
-      - mariadb-devel
-      {% endif %}
       - net-tools
       - nmap-ncat
-      - openssl
       - procps-ng
-      - python3-dnf-plugin-versionlock
       - python3-docker
       - python3-m2crypto
       - python3-packaging
       - python3-pyyaml
       - python3-rich
-      - python3-watchdog
       - rsync
       - sqlite
       - tcpdump
       - unzip
       - wget
       - yum-utils
+
 {% endif %}

salt/common/soup_scripts.sls

@@ -19,4 +19,5 @@ soup_manager_scripts:
     - source: salt://manager/tools/sbin
     - include_pat:
         - so-firewall
-        - soup
+        - so-repo-sync
+        - soup

salt/common/tools/sbin/so-common

@@ -8,7 +8,7 @@
 # Elastic agent is not managed by salt. Because of this we must store this base information in a 
 # script that accompanies the soup system. Since so-common is one of those special soup files, 
 # and since this same logic is required during installation, it's included in this file.
-ELASTIC_AGENT_TARBALL_VERSION="8.8.2"
+ELASTIC_AGENT_TARBALL_VERSION="8.10.4"
 ELASTIC_AGENT_URL="https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz"
 ELASTIC_AGENT_MD5_URL="https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5"
 ELASTIC_AGENT_FILE="/nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz"
@@ -133,34 +133,47 @@ check_elastic_license() {
 }
 
 check_salt_master_status() {
-	local timeout=$1
-	echo "Checking if we can talk to the salt master"
-	salt-call state.show_top concurrent=true
-
-	return
+	local count=0
+    local attempts="${1:- 10}"
+	current_time="$(date '+%b %d %H:%M:%S')"
+	echo "Checking if we can access the salt master and that it is ready at: ${current_time}"
+    while ! salt-call state.show_top -l error concurrent=true 1> /dev/null; do
+        current_time="$(date '+%b %d %H:%M:%S')"
+        echo "Can't access salt master or it is not ready at: ${current_time}"
+        ((count+=1))
+        if [[ $count -eq $attempts ]]; then
+			# 10 attempts takes about 5.5 minutes
+            echo "Gave up trying to access salt-master"
+            return 1
+        fi
+    done
+	current_time="$(date '+%b %d %H:%M:%S')"
+	echo "Successfully accessed and salt master ready at: ${current_time}"
+    return 0
 }
 
+# this is only intended to be used to check the status of the minion from a salt master
 check_salt_minion_status() {
-	local timeout=$1
-	echo "Checking if the salt minion will respond to jobs" >> "$setup_log" 2>&1
-	salt "$MINION_ID" test.ping -t $timeout > /dev/null 2>&1
+	local minion="$1"
+	local timeout="${2:-5}"
+	local logfile="${3:-'/dev/stdout'}"
+	echo "Checking if the salt minion: $minion will respond to jobs" >> "$logfile" 2>&1
+	salt "$minion" test.ping -t $timeout > /dev/null 2>&1
 	local status=$?
 	if [ $status -gt 0 ]; then
-		echo "  Minion did not respond" >> "$setup_log" 2>&1
+		echo "  Minion did not respond" >> "$logfile" 2>&1
 	else
-		echo "  Received job response from salt minion" >> "$setup_log" 2>&1
+		echo "  Received job response from salt minion" >> "$logfile" 2>&1
 	fi
 
 	return $status
 }
 
-
-
 copy_new_files() {
   # Copy new files over to the salt dir
   cd $UPDATE_DIR
-  rsync -a salt $DEFAULT_SALT_DIR/
-  rsync -a pillar $DEFAULT_SALT_DIR/
+  rsync -a salt $DEFAULT_SALT_DIR/ --delete
+  rsync -a pillar $DEFAULT_SALT_DIR/ --delete
   chown -R socore:socore $DEFAULT_SALT_DIR/
   chmod 755 $DEFAULT_SALT_DIR/pillar/firewall/addfirewall.sh
   cd /tmp
@@ -242,7 +255,7 @@ gpg_rpm_import() {
 	    else
 	        local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/$OS/keys"
 	    fi
-		RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub' 'MariaDB-Server-GPG-KEY')
+		RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
 		for RPMKEY in "${RPMKEYS[@]}"; do
     	        rpm --import $RPMKEYSLOC/$RPMKEY
 	        echo "Imported $RPMKEY"
@@ -384,6 +397,10 @@ retry() {
 								echo "<Start of output>"
 								echo "$output"
 								echo "<End of output>"
+								if [[ $exitcode -eq 0 ]]; then
+									echo "Forcing exit code to 1"
+									exitcode=1
+								fi
                         fi
                 elif [ -n "$failedOutput" ]; then
                         if [[ "$output" =~ "$failedOutput" ]]; then
@@ -392,7 +409,7 @@ retry() {
 								echo "$output"
 								echo "<End of output>"
 								if [[ $exitcode -eq 0 ]]; then
-									echo "The exitcode was 0, but we are setting to 1 since we found $failedOutput in the output."
+									echo "Forcing exit code to 1"
 									exitcode=1
 								fi
                         else
@@ -430,6 +447,24 @@ run_check_net_err() {
 	fi
 }
 
+wait_for_salt_minion() {
+	local minion="$1"
+	local timeout="${2:-5}"
+	local logfile="${3:-'/dev/stdout'}"
+	retry 60 5 "journalctl -u salt-minion.service | grep 'Minion is ready to receive requests'" >> "$logfile" 2>&1 || fail
+	local attempt=0
+	# each attempts would take about 15 seconds
+	local maxAttempts=20
+	until check_salt_minion_status "$minion" "$timeout" "$logfile"; do
+		attempt=$((attempt+1))
+		if [[ $attempt -eq $maxAttempts ]]; then
+			return 1
+		fi
+		sleep 10
+	done
+	return 0
+}
+
 salt_minion_count() {
 	local MINIONDIR="/opt/so/saltstack/local/pillar/minions"
 	MINIONCOUNT=$(ls -la $MINIONDIR/*.sls | grep -v adv_ | wc -l)
@@ -442,15 +477,51 @@ set_os() {
 			OS=rocky
 			OSVER=9
 			is_rocky=true
+			is_rpm=true
 		elif grep -q "CentOS Stream release 9" /etc/redhat-release; then
 			OS=centos
 			OSVER=9
 			is_centos=true
+			is_rpm=true
+		elif grep -q "AlmaLinux release 9" /etc/redhat-release; then
+			OS=alma
+			OSVER=9
+			is_alma=true
+			is_rpm=true
+		elif grep -q "Red Hat Enterprise Linux release 9" /etc/redhat-release; then
+			if [ -f /etc/oracle-release ]; then
+				OS=oracle
+				OSVER=9
+				is_oracle=true
+				is_rpm=true
+			else
+				OS=rhel
+				OSVER=9
+				is_rhel=true
+				is_rpm=true
+			fi
 		fi
 		cron_service_name="crond"
-	else
-		OS=ubuntu
-		is_ubuntu=true
+	elif [ -f /etc/os-release ]; then
+		if grep -q "UBUNTU_CODENAME=focal" /etc/os-release; then
+			OSVER=focal
+			UBVER=20.04
+			OS=ubuntu
+			is_ubuntu=true
+			is_deb=true
+		elif grep -q "UBUNTU_CODENAME=jammy" /etc/os-release; then
+			OSVER=jammy
+			UBVER=22.04
+			OS=ubuntu
+			is_ubuntu=true
+			is_deb=true
+		elif grep -q "VERSION_CODENAME=bookworm" /etc/os-release; then
+			OSVER=bookworm
+			DEBVER=12
+			is_debian=true
+			OS=debian
+			is_deb=true
+		fi
 		cron_service_name="cron"
 	fi
 }
@@ -484,6 +555,10 @@ set_version() {
 	fi
 }
 
+status () {
+    printf "\n=========================================================================\n$(date) | $1\n=========================================================================\n"
+}
+
 systemctl_func() {
 	local action=$1
 	local echo_action=$1

salt/common/tools/sbin/so-image-common

@@ -137,7 +137,7 @@ update_docker_containers() {
   for i in "${TRUSTED_CONTAINERS[@]}"
   do
     if [ -z "$PROGRESS_CALLBACK" ]; then
-      echo "Downloading $i" >> "$LOG_FILE" 2>&1 
+      echo "Downloading $i" >> "$LOG_FILE" 2>&1
     else
       $PROGRESS_CALLBACK $i
     fi

salt/common/tools/sbin/so-log-check

@@ -0,0 +1,243 @@
+#!/bin/bash
+#
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+. /usr/sbin/so-common
+
+RECENT_LOG_LINES=200
+EXCLUDE_STARTUP_ERRORS=N
+EXCLUDE_FALSE_POSITIVE_ERRORS=N
+EXCLUDE_KNOWN_ERRORS=N
+
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        --exclude-connection-errors)
+            EXCLUDE_STARTUP_ERRORS=Y
+            ;;
+        --exclude-false-positives)
+            EXCLUDE_FALSE_POSITIVE_ERRORS=Y
+            ;;
+        --exclude-known-errors)
+            EXCLUDE_KNOWN_ERRORS=Y
+            ;;
+        --unknown)
+            EXCLUDE_STARTUP_ERRORS=Y
+            EXCLUDE_FALSE_POSITIVE_ERRORS=Y
+            EXCLUDE_KNOWN_ERRORS=Y
+            ;;
+        --recent-log-lines)
+            shift
+            RECENT_LOG_LINES=$1
+            ;;
+        *)
+            echo "Usage: $0 [options]"
+            echo ""
+            echo "where options are:"
+            echo "  --recent-log-lines N            looks at the most recent N log lines per file or container; defaults to 200"
+            echo "  --exclude-connection-errors     exclude errors caused by a recent server or container restart"
+            echo "  --exclude-false-positives       exclude logs that are known false positives"
+            echo "  --exclude-known-errors          exclude errors that are known and non-critical issues"
+            echo "  --unknown                       exclude everything mentioned above; only show unknown errors"
+            echo ""
+            echo "A non-zero return value indicates errors were found"
+            exit 1
+            ;;
+    esac
+    shift
+done
+
+echo "Security Onion Log Check - $(date)"
+echo "-------------------------------------------"
+echo ""
+echo "- RECENT_LOG_LINES:                $RECENT_LOG_LINES"
+echo "- EXCLUDE_STARTUP_ERRORS:          $EXCLUDE_STARTUP_ERRORS"
+echo "- EXCLUDE_FALSE_POSITIVE_ERRORS:   $EXCLUDE_FALSE_POSITIVE_ERRORS"
+echo "- EXCLUDE_KNOWN_ERRORS:            $EXCLUDE_KNOWN_ERRORS"
+echo ""
+
+function status() {
+    header "$1"
+}
+
+function exclude_container() {
+    name=$1
+
+    exclude_id=$(docker ps | grep "$name" | awk '{print $1}')
+    if [[ -n "$exclude_id" ]]; then
+        CONTAINER_IDS=$(echo $CONTAINER_IDS | sed -e "s/$exclude_id//g")
+        return $?
+    fi
+    return $?
+}
+
+function exclude_log() {
+    name=$1
+
+    cat /tmp/log_check_files | grep -v $name > /tmp/log_check_files.new
+    mv /tmp/log_check_files.new /tmp/log_check_files
+}
+
+function check_for_errors() {
+    if cat /tmp/log_check | grep -i error | grep -vEi "$EXCLUDED_ERRORS"; then
+        RESULT=1
+    fi
+}
+
+EXCLUDED_ERRORS="__LOG_CHECK_PLACEHOLDER_EXCLUSION__"
+
+if [[ $EXCLUDE_STARTUP_ERRORS == 'Y' ]]; then
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|database is locked"           # server not yet ready
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|econnreset"                   # server not yet ready
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|unreachable"                  # server not yet ready (logstash waiting on elastic)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|shutdown process"             # server not yet ready (logstash waiting on elastic)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|contain valid certificates"   # server not yet ready (logstash waiting on elastic)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|failedaction"                 # server not yet ready (logstash waiting on elastic)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|no route to host"             # server not yet ready
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|not running"                  # server not yet ready
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|unavailable"                  # server not yet ready
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|request.py"                   # server not yet ready (python stack output)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|httperror"                    # server not yet ready
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|servfail"                     # server not yet ready
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|connect"                      # server not yet ready
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|missing shards"               # server not yet ready
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|failed to send metrics"       # server not yet ready
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|broken pipe"                  # server not yet ready
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|status: 502"                  # server not yet ready (nginx waiting on upstream)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|timeout exceeded"             # server not yet ready (telegraf waiting on elasticsearch)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|influxsize kbytes"            # server not yet ready (telegraf waiting on influx)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|expected field at"            # server not yet ready (telegraf waiting on health data)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|cached the public key"        # server not yet ready (salt minion waiting on key acceptance)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|no ingest nodes"              # server not yet ready (logstash waiting on elastic)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|failed to poll"               # server not yet ready (sensoroni waiting on soc)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|minions returned with non"    # server not yet ready (salt waiting on minions)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|so_long_term"                 # server not yet ready (influxdb not yet setup)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|search_phase_execution_exception" # server not yet ready (elastalert running searches before ES is ready)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|timeout retrieving docker"    # Telegraf unable to reach Docker engine, rare
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|timeout retrieving container" # Telegraf unable to reach Docker engine, rare
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|error while communicating"    # Elasticsearch MS -> HN "sensor" temporarily unavailable
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|tls handshake error"          # Docker registry container when new node comes onlines
+fi
+
+if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|elastalert_status_error"      # false positive
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|elastalert_error"             # false positive
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|error: '0'"                   # false positive
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|errors_index"                 # false positive
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|noerror"                      # false positive
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|outofmemoryerror"             # false positive (elastic command line)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|adding component template"    # false positive (elastic security)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|adding index template"        # false positive (elastic security)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|fs_errors"                    # false positive (suricata stats)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|error-template"               # false positive (elastic templates)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|deprecated"                   # false positive (playbook)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|windows"                      # false positive (playbook)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|could cause errors"           # false positive (playbook)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|_error.yml"                   # false positive (playbook)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|id.orig_h"                    # false positive (zeek test data)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|emerging-all.rules"           # false positive (error in rulename)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|invalid query input"          # false positive (Invalid user input in hunt query)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|example"                      # false positive (example test data)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|status 200"                   # false positive (request successful, contained error string in content)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|app_layer.error"              # false positive (suricata 7) in stats.log e.g. app_layer.error.imap.parser | Total | 0
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|is not an ip string literal"  # false positive (Open Canary logging out blank IP addresses)
+fi
+
+if [[ $EXCLUDE_KNOWN_ERRORS == 'Y' ]]; then
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|eof"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|raise"                        # redis/python generic stack line, rely on other lines for actual error
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|fail\\(error\\)"              # redis/python generic stack line, rely on other lines for actual error
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|urlerror"                     # idstools connection timeout
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|timeouterror"                 # idstools connection timeout
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|forbidden"                    # playbook
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|_ml"                          # Elastic ML errors 
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|context canceled"             # elastic agent during shutdown
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|exited with code 128"         # soctopus errors during forced restart by highstate
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|geoip databases update"       # airgap can't update GeoIP DB
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|filenotfounderror"            # bug in 2.4.10 filecheck salt state caused duplicate cronjobs
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|salt-minion-check"            # bug in early 2.4 place Jinja script in non-jinja salt dir causing cron output errors
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|generating elastalert config" # playbook expected error
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|activerecord"                 # playbook expected error
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|monitoring.metrics"           # known issue with elastic agent casting the field incorrectly if an integer value shows up before a float
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|repodownload.conf"            # known issue with reposync on pre-2.4.20 
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|missing versions record"      # stenographer corrupt index
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|soc.field."                   # known ingest type collisions issue with earlier versions of SO
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|error parsing signature"      # Malformed Suricata rule, from upstream provider
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|sticky buffer has no matches" # Non-critical Suricata error
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Unable to determine destination index stats"  # Elastic transform temporary error
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|iteration"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|communication packets"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|use of closed"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|bookkeeper"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|noindices"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|failed to start transient scope"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|so-user.lock exists"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|systemd-run"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|retcode: 1"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|telemetry-task"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|redisqueue"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|fleet_detail_query"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|num errors=0"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|provisioning/alerting"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|provisioning/notifiers"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|provisoning/plugins"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|active-responses.log"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|scanentropy"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|integration policy"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|blob unknown"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|token required"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|zeekcaptureloss"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|unable to create detection"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|error installing new prebuilt rules"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|parent.error"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|req.LocalMeta.host.ip"        # known issue in GH
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|sendmail"                     # zeek
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|stats.log"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|context deadline exceeded"
+fi
+
+RESULT=0
+
+# Check Security Onion container stdout/stderr logs
+CONTAINER_IDS=$(docker ps -q)
+exclude_container so-kibana   # kibana error logs are too verbose with large varieties of errors most of which are temporary
+exclude_container so-idstools # ignore due to known issues and noisy logging
+exclude_container so-playbook # ignore due to several playbook known issues
+
+for container_id in $CONTAINER_IDS; do
+    container_name=$(docker ps --format json | jq ". | select(.ID==\"$container_id\")|.Names")
+    status "Checking container $container_name"
+    docker logs -n $RECENT_LOG_LINES $container_id > /tmp/log_check 2>&1
+    check_for_errors
+done
+
+# Check Security Onion related log files
+find /opt/so/log/ /nsm -name \*.log > /tmp/log_check_files
+if [[ -f /var/log/cron ]]; then
+    echo "/var/log/cron" >> /tmp/log_check_files
+fi
+exclude_log "kibana.log"   # kibana error logs are too verbose with large varieties of errors most of which are temporary
+exclude_log "spool"        # disregard zeek analyze logs as this is data specific
+exclude_log "import"       # disregard imported test data the contains error strings
+exclude_log "update.log"   # ignore playbook updates due to several known issues
+exclude_log "playbook.log" # ignore due to several playbook known issues
+
+for log_file in $(cat /tmp/log_check_files); do
+    status "Checking log file $log_file"
+    tail -n $RECENT_LOG_LINES $log_file > /tmp/log_check
+    check_for_errors
+done
+
+# Cleanup temp files
+rm -f /tmp/log_check_files
+rm -f /tmp/log_check
+
+if [[ $RESULT -eq 0 ]]; then
+    echo -e "\nResult: No errors found"
+else
+    echo -e "\nResult: One or more errors found"
+fi
+
+exit $RESULT

salt/common/tools/sbin/so-test

@@ -5,4 +5,14 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
+. /usr/sbin/so-common
+
+set -e
+
+# Playback live sample data onto monitor interface
 so-tcpreplay /opt/samples/* 2> /dev/null
+
+# Ingest sample pfsense log entry
+if is_sensor_node; then
+    echo "<134>$(date '+%b %d %H:%M:%S') filterlog[31624]: 84,,,1567509287,igb0.244,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,64,192.168.1.1,10.10.10.10,56320,443,0,S,3333585167,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol" | nc -uv -w1 127.0.0.1 514 > /dev/null 2>&1
+fi

salt/common/tools/sbin/so-zeek-logs

@@ -1,67 +0,0 @@
-#!/bin/bash
-local_salt_dir=/opt/so/saltstack/local
-
-zeek_logs_enabled() {
-  echo "zeeklogs:" > $local_salt_dir/pillar/zeeklogs.sls
-  echo "  enabled:" >> $local_salt_dir/pillar/zeeklogs.sls
-  for BLOG in "${BLOGS[@]}"; do
-    echo "    - $BLOG" | tr -d '"' >> $local_salt_dir/pillar/zeeklogs.sls
-  done
-}
-
-whiptail_manager_adv_service_zeeklogs() {
-  BLOGS=$(whiptail --title "so-zeek-logs" --checklist "Please Select Logs to Send:" 24 78 12 \
-  "conn" "Connection Logging" ON \
-  "dce_rpc" "RPC Logs" ON \
-  "dhcp" "DHCP Logs" ON \
-  "dnp3" "DNP3 Logs" ON \
-  "dns" "DNS Logs" ON \
-  "dpd" "DPD Logs" ON \
-  "files" "Files Logs" ON \
-  "ftp" "FTP Logs" ON \
-  "http" "HTTP Logs" ON \
-  "intel" "Intel Hits Logs" ON \
-  "irc" "IRC Chat Logs" ON \
-  "kerberos" "Kerberos Logs" ON \
-  "modbus" "MODBUS Logs" ON \
-  "notice" "Zeek Notice Logs" ON \
-  "ntlm" "NTLM Logs" ON \
-  "pe" "PE Logs" ON \
-  "radius" "Radius Logs" ON \
-  "rfb" "RFB Logs" ON \
-  "rdp" "RDP Logs" ON \
-  "sip" "SIP Logs" ON \
-  "smb_files" "SMB Files Logs" ON \
-  "smb_mapping" "SMB Mapping Logs" ON \
-  "smtp" "SMTP Logs" ON \
-  "snmp" "SNMP Logs" ON \
-  "ssh" "SSH Logs" ON \
-  "ssl" "SSL Logs" ON \
-  "syslog" "Syslog Logs" ON \
-  "tunnel" "Tunnel Logs" ON \
-  "weird" "Zeek Weird Logs" ON \
-  "mysql" "MySQL Logs" ON \
-  "socks" "SOCKS Logs" ON \
-  "x509" "x.509 Logs" ON 3>&1 1>&2 2>&3 )
-  
-  local exitstatus=$?
-
-  IFS=' ' read -ra BLOGS <<< "$BLOGS"
-
-  return $exitstatus
-}
-
-whiptail_manager_adv_service_zeeklogs
-return_code=$?
-case $return_code in
-  1)
-    whiptail --title "so-zeek-logs" --msgbox "Cancelling. No changes have been made." 8 75
-    ;;
-  255)
-    whiptail --title "so-zeek-logs" --msgbox "Whiptail error occured, exiting." 8 75
-    ;;
-  *)
-    zeek_logs_enabled
-    ;;
-esac
-

salt/common/tools/sbin_jinja/so-import-evtx

@@ -80,8 +80,8 @@ function evtx2es() {
     -e "SHIFTTS=$SHIFTDATE" \
     -v "$EVTX:/tmp/data.evtx" \
     -v "/nsm/import/$HASH/evtx/:/tmp/evtx/" \
-    -v "/nsm/import/evtx-end_newest:/tmp/newest" \
-    -v "/nsm/import/evtx-start_oldest:/tmp/oldest" \
+    -v "/nsm/import/$HASH/evtx-end_newest:/tmp/newest" \
+    -v "/nsm/import/$HASH/evtx-start_oldest:/tmp/oldest" \
     --entrypoint "/evtx_calc_timestamps.sh" \
     {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-pcaptools:{{ VERSION }} >> $LOG_FILE 2>&1
 }
@@ -111,12 +111,6 @@ INVALID_EVTXS_COUNT=0
 VALID_EVTXS_COUNT=0
 SKIPPED_EVTXS_COUNT=0
 
-touch /nsm/import/evtx-start_oldest
-touch /nsm/import/evtx-end_newest
-
-echo $START_OLDEST > /nsm/import/evtx-start_oldest
-echo $END_NEWEST > /nsm/import/evtx-end_newest
-
 # paths must be quoted in case they include spaces
 for EVTX in $INPUT_FILES; do
   EVTX=$(/usr/bin/realpath "$EVTX")
@@ -141,8 +135,15 @@ for EVTX in $INPUT_FILES; do
     status "- this EVTX has already been imported; skipping"
     SKIPPED_EVTXS_COUNT=$((SKIPPED_EVTXS_COUNT + 1))
   else
+    # create EVTX directory
     EVTX_DIR=$HASH_DIR/evtx
     mkdir -p $EVTX_DIR
+    # create import timestamp files
+    for i in evtx-start_oldest evtx-end_newest; do
+      if ! [ -f "$i" ]; then
+        touch /nsm/import/$HASH/$i
+      fi
+    done
 
     # import evtx and write them to import ingest pipeline
     status "- importing logs to Elasticsearch..."
@@ -154,28 +155,37 @@ for EVTX in $INPUT_FILES; do
       VALID_EVTXS_COUNT=$((VALID_EVTXS_COUNT + 1))
     fi
 
-    # compare $START to $START_OLDEST
-    START=$(cat /nsm/import/evtx-start_oldest)
-    START_COMPARE=$(date -d $START +%s)
-    START_OLDEST_COMPARE=$(date -d $START_OLDEST +%s)
-    if [ $START_COMPARE -lt $START_OLDEST_COMPARE ]; then
-      START_OLDEST=$START
-    fi  
-
-    # compare $ENDNEXT to $END_NEWEST
-    END=$(cat /nsm/import/evtx-end_newest)
-    ENDNEXT=`date +%Y-%m-%d --date="$END 1 day"`
-    ENDNEXT_COMPARE=$(date -d $ENDNEXT +%s)
-    END_NEWEST_COMPARE=$(date -d $END_NEWEST +%s)
-    if [ $ENDNEXT_COMPARE -gt $END_NEWEST_COMPARE ]; then
-      END_NEWEST=$ENDNEXT
-    fi  
-
     cp -f "${EVTX}" "${EVTX_DIR}"/data.evtx
     chmod 644 "${EVTX_DIR}"/data.evtx
 
   fi # end of valid evtx
 
+  # determine start and end and make sure they aren't reversed
+  START=$(cat /nsm/import/$HASH/evtx-start_oldest)
+  END=$(cat /nsm/import/$HASH/evtx-end_newest)
+  START_EPOCH=`date -d "$START" +"%s"`
+  END_EPOCH=`date -d "$END" +"%s"`
+  if [ "$START_EPOCH" -gt "$END_EPOCH" ]; then
+    TEMP=$START
+    START=$END
+    END=$TEMP
+  fi
+
+  # compare $START to $START_OLDEST
+  START_COMPARE=$(date -d $START +%s)
+  START_OLDEST_COMPARE=$(date -d $START_OLDEST +%s)
+  if [ $START_COMPARE -lt $START_OLDEST_COMPARE ]; then
+    START_OLDEST=$START
+  fi
+
+  # compare $ENDNEXT to $END_NEWEST
+  ENDNEXT=`date +%Y-%m-%d --date="$END 1 day"`
+  ENDNEXT_COMPARE=$(date -d $ENDNEXT +%s)
+  END_NEWEST_COMPARE=$(date -d $END_NEWEST +%s)
+  if [ $ENDNEXT_COMPARE -gt $END_NEWEST_COMPARE ]; then
+    END_NEWEST=$ENDNEXT
+  fi
+
   status
 
 done # end of for-loop processing evtx files

salt/desktop/packages.sls

@@ -1,7 +1,5 @@
-{% from 'vars/globals.map.jinja' import GLOBALS %}
-
 {# we only want this state to run it is CentOS #}
-{% if GLOBALS.os == 'OEL' %}
+{% if grains.os == 'OEL' %}
 
 desktop_packages:
   pkg.installed:
@@ -348,7 +346,6 @@ desktop_packages:
       - snappy
       - sound-theme-freedesktop
       - soundtouch
-      - securityonion-networkminer
       - speech-dispatcher
       - speech-dispatcher-espeak-ng
       - speex
@@ -435,6 +432,10 @@ desktop_packages:
       - xorg-x11-xinit-session
       - zip
 
+install_networkminer:
+  pkg.latest:
+    - name: securityonion-networkminer
+
 {% else %}
 
 desktop_packages_os_fail:

salt/desktop/remove_gui.sls

@@ -1,7 +1,5 @@
-{% from 'vars/globals.map.jinja' import GLOBALS %}
-
 {# we only want this state to run it is CentOS #}
-{% if GLOBALS.os == 'OEL' %}
+{% if grains.os == 'OEL' %}
 
 remove_graphical_target:
   file.symlink:

salt/desktop/scripts/convert-gnome-classic.sh

@@ -1,4 +0,0 @@
-#!/bin/bash
-echo "Setting default session to gnome-classic"
-cp /usr/share/accountsservice/user-templates/standard /etc/accountsservice/user-templates/
-sed -i 's|Session=gnome|Session=gnome-classic|g' /etc/accountsservice/user-templates/standard

salt/desktop/xwindows.sls

@@ -1,7 +1,5 @@
-{% from 'vars/globals.map.jinja' import GLOBALS %}
-
 {# we only want this state to run it is CentOS #}
-{% if GLOBALS.os == 'OEL' %}
+{% if grains.os == 'OEL' %}
 
 include:
   - desktop.packages
@@ -14,10 +12,7 @@ graphical_target:
     - require:
       - desktop_packages
 
-convert_gnome_classic:
-  cmd.script:
-    - name: salt://desktop/scripts/convert-gnome-classic.sh
-
+{# set users to use gnome-classic #}
 {%   for username in salt['file.find'](path='/home/',mindepth=1,maxdepth=1,type='d') %}
 {%     set username = username.split('/')[2] %}
 {%     if username != 'zeek' %}

salt/docker/defaults.yaml

@@ -178,6 +178,9 @@ docker:
       extra_env: []
     'so-elastic-agent':
       final_octet: 46
+      port_bindings:
+        - 0.0.0.0:514:514/tcp
+        - 0.0.0.0:514:514/udp
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []

salt/docker/init.sls

@@ -6,6 +6,9 @@
 {% from 'docker/docker.map.jinja' import DOCKER %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 
+# include ssl since docker service requires the intca
+include:
+  - ssl
 
 dockergroup:
   group.present:
@@ -86,6 +89,11 @@ docker_running:
     - enable: True
     - watch:
       - file: docker_daemon
+      - x509: trusttheca
+    - require:
+      - file: docker_daemon
+      - x509: trusttheca
+
 
 # Reserve OS ports for Docker proxy in case boot settings are not already applied/present
 # 57314 = Strelka, 47760-47860 = Zeek

salt/docker/soc_docker.yaml

@@ -8,7 +8,7 @@ docker:
     helpLink: docker.html
     advanced: True
   containers:
-    so-curator: &dockerOptions
+    so-dockerregistry: &dockerOptions
       final_octet:
         description: Last octet of the container IP address.
         helpLink: docker.html
@@ -20,6 +20,7 @@ docker:
         helpLink: docker.html
         advanced: True
         multiline: True
+        forcedType: "[]string"
       custom_bind_mounts:
         description: List of custom local volume bindings.
         advanced: True
@@ -38,12 +39,8 @@ docker:
         helpLink: docker.html
         multiline: True
         forcedType: "[]string"
-    so-dockerregistry: *dockerOptions
-    so-elastalert: *dockerOptions
-    so-elastic-fleet-package-registry: *dockerOptions
     so-elastic-fleet: *dockerOptions
     so-elasticsearch: *dockerOptions
-    so-idh: *dockerOptions
     so-idstools: *dockerOptions
     so-influxdb: *dockerOptions
     so-kibana: *dockerOptions
@@ -53,11 +50,21 @@ docker:
     so-nginx: *dockerOptions
     so-playbook: *dockerOptions
     so-redis: *dockerOptions
+    so-sensoroni: *dockerOptions
     so-soc: *dockerOptions
     so-soctopus: *dockerOptions
     so-strelka-backend: *dockerOptions
-    so-strelka-coordinator: *dockerOptions
     so-strelka-filestream: *dockerOptions
     so-strelka-frontend: *dockerOptions
-    so-strelka-gatekeeper: *dockerOptions
     so-strelka-manager: *dockerOptions
+    so-strelka-gatekeeper: *dockerOptions
+    so-strelka-coordinator: *dockerOptions
+    so-elastalert: *dockerOptions
+    so-curator: *dockerOptions
+    so-elastic-fleet-package-registry: *dockerOptions
+    so-idh: *dockerOptions
+    so-elastic-agent: *dockerOptions
+    so-telegraf: *dockerOptions
+    so-steno: *dockerOptions
+    so-suricata: *dockerOptions
+    so-zeek: *dockerOptions

salt/docker_clean/init.sls

@@ -9,6 +9,7 @@
 prune_images:
   cmd.run:
     - name: so-docker-prune
+    - order: last
 
 {% else %}
 

salt/elasticagent/enabled.sls

@@ -31,6 +31,10 @@ so-elastic-agent:
         - {{ XTRAHOST }}
           {% endfor %}
         {% endif %}
+    - port_bindings:
+      {% for BINDING in DOCKER.containers['so-elastic-agent'].port_bindings %}
+      - {{ BINDING }}
+      {% endfor %}
     - binds:
       - /opt/so/conf/elastic-agent/elastic-agent.yml:/usr/share/elastic-agent/elastic-agent.yml:ro
       - /opt/so/log/elasticagent:/usr/share/elastic-agent/logs

salt/elasticagent/files/elastic-agent.yml.jinja

@@ -430,3 +430,54 @@ inputs:
         exclude_files:
           - >-
             broker|capture_loss|cluster|ecat_arp_info|known_hosts|known_services|loaded_scripts|ntp|ocsp|packet_filter|reporter|stats|stderr|stdout.log$
+  - id: udp-udp-35051de0-46a5-11ee-8d5d-9f98c8182f60
+    name: syslog-udp-514
+    revision: 3
+    type: udp
+    use_output: default
+    meta:
+      package:
+        name: udp
+        version: 1.10.0
+    data_stream:
+      namespace: so
+    package_policy_id: 35051de0-46a5-11ee-8d5d-9f98c8182f60
+    streams:
+      - id: udp-udp.generic-35051de0-46a5-11ee-8d5d-9f98c8182f60
+        data_stream:
+          dataset: syslog
+        pipeline: syslog
+        host: '0.0.0.0:514'
+        max_message_size: 10KiB
+        processors:
+          - add_fields:
+              fields:
+                module: syslog
+              target: event
+        tags:
+          - syslog
+  - id: tcp-tcp-33d37bb0-46a5-11ee-8d5d-9f98c8182f60
+    name: syslog-tcp-514
+    revision: 3
+    type: tcp
+    use_output: default
+    meta:
+      package:
+        name: tcp
+        version: 1.10.0
+    data_stream:
+      namespace: so
+    package_policy_id: 33d37bb0-46a5-11ee-8d5d-9f98c8182f60
+    streams:
+      - id: tcp-tcp.generic-33d37bb0-46a5-11ee-8d5d-9f98c8182f60
+        data_stream:
+          dataset: syslog
+        pipeline: syslog
+        host: '0.0.0.0:514'
+        processors:
+          - add_fields:
+              fields:
+                module: syslog
+              target: event
+        tags:
+          - syslog

salt/elasticfleet/config.sls

@@ -6,6 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% if sls.split('.')[0] in allowed_states %}
+{% set node_data = salt['pillar.get']('node_data') %}
 
 # Add EA Group
 elasticfleetgroup:
@@ -37,6 +38,8 @@ elasticfleet_sbin_jinja:
     - group: 939 
     - file_mode: 755
     - template: jinja
+    - exclude_pat:
+      - so-elastic-fleet-package-upgrade # exclude this because we need to watch it for changes
 
 eaconfdir:
   file.directory:
@@ -59,6 +62,15 @@ eastatedir:
     - group: 939
     - makedirs: True
 
+eapackageupgrade:
+  file.managed:
+    - name: /usr/sbin/so-elastic-fleet-package-upgrade
+    - source: salt://elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-upgrade
+    - user: 947
+    - group: 939
+    - mode: 755
+    - template: jinja
+
 {%   if GLOBALS.role != "so-fleet" %}
 eaintegrationsdir:
   file.directory:
@@ -82,12 +94,53 @@ eaintegration:
     - user: 947
     - group: 939
 
+eaoptionalintegrationsdir:
+  file.directory:
+    - name: /opt/so/conf/elastic-fleet/integrations-optional
+    - user: 947
+    - group: 939
+    - makedirs: True
+
+{% for minion in node_data %}
+{% set role = node_data[minion]["role"] %}
+{% if role in [ "eval","fleet","heavynode","import","manager","managersearch","standalone" ] %}
+{% set optional_integrations = salt['pillar.get']('elasticfleet:optional_integrations', {}) %}
+{% set integration_keys = salt['pillar.get']('elasticfleet:optional_integrations', {}).keys() %}
+fleet_server_integrations_{{ minion }}:
+  file.directory:
+    - name: /opt/so/conf/elastic-fleet/integrations-optional/FleetServer_{{ minion }}
+    - user: 947
+    - group: 939
+    - makedirs: True
+{% for integration in integration_keys %}
+{% if 'enabled_nodes' in optional_integrations[integration]%}
+{% set enabled_nodes = optional_integrations[integration]["enabled_nodes"] %}
+{% if minion in enabled_nodes %}
+optional_integrations_dynamic_{{ minion }}_{{ integration }}:
+  file.managed:
+    - name: /opt/so/conf/elastic-fleet/integrations-optional/FleetServer_{{ minion }}/{{ integration }}.json
+    - source: salt://elasticfleet/files/integrations-optional/{{ integration }}.json
+    - user: 947
+    - group: 939
+    - template: jinja
+    - defaults:
+        NAME: {{ minion }}
+{% else %}
+optional_integrations_dynamic_{{ minion }}_{{ integration }}_delete:
+  file.absent:
+    - name: /opt/so/conf/elastic-fleet/integrations-optional/FleetServer_{{ minion }}/{{ integration }}.json
+{% endif %}
+{% endif %}
+{% endfor %}
+{% endif %}
+{% endfor %}
 ea-integrations-load:
   file.absent:
     - name: /opt/so/state/eaintegrations.txt
     - onchanges:
       - file: eaintegration
       - file: eadynamicintegration
+      - file: /opt/so/conf/elastic-fleet/integrations-optional/*
 {% endif %}
 {% else %}
 

salt/elasticfleet/defaults.yaml

@@ -13,7 +13,10 @@ elasticfleet:
         - broker
         - capture_loss
         - cluster
+        - conn-summary
+        - console
         - ecat_arp_info
+        - known_certs
         - known_hosts
         - known_services
         - loaded_scripts
@@ -25,20 +28,75 @@ elasticfleet:
         - stderr
         - stdout
   packages:
+    - apache
+    - auditd
+    - auth0
     - aws
     - azure
+    - barracuda
+    - carbonblack_edr
+    - checkpoint
+    - cisco_asa
+    - cisco_duo
+    - cisco_meraki
+    - cisco_umbrella
     - cloudflare
+    - crowdstrike
+    - darktrace
+    - elastic_agent
     - elasticsearch
     - endpoint
-    - fleet_server
+    - f5_bigip
     - fim
+    - fireeye
+    - fleet_server
+    - fortinet
+    - fortinet_fortigate
+    - gcp
     - github
     - google_workspace
+    - http_endpoint
+    - httpjson
+    - juniper
+    - juniper_srx
+    - kafka_log
+    - lastpass
     - log
+    - m365_defender
+    - microsoft_defender_endpoint
+    - microsoft_dhcp
+    - mimecast
+    - netflow
+    - o365
+    - okta
     - osquery_manager
+    - panw
+    - pfsense
+    - pulse_connect_secure
     - redis
+    - sentinel_one
+    - snyk
+    - sonicwall_firewall
+    - sophos
+    - sophos_central
+    - symantec_endpoint
     - system
     - tcp
+    - tenable_sc
+    - ti_abusech
+    - ti_misp
+    - ti_otx
+    - ti_recordedfuture
     - udp
+    - vsphere
     - windows
+    - zscaler_zia
+    - zscaler_zpa
     - 1password
+  optional_integrations:
+    sublime_platform:
+      enabled_nodes: []
+      api_key:
+      base_url: https://api.platform.sublimesecurity.com
+      poll_interval: 5m
+      limit: 100

salt/elasticfleet/enabled.sls

@@ -68,11 +68,6 @@ so-elastic-fleet:
       - /etc/pki/elasticfleet-server.crt:/etc/pki/elasticfleet-server.crt:ro
       - /etc/pki/elasticfleet-server.key:/etc/pki/elasticfleet-server.key:ro
       - /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro
-      {% if GLOBALS.os_family == 'Debian' %}
-      - /etc/ssl/elasticfleet-server.crt:/etc/ssl/elasticfleet-server.crt:ro
-      - /etc/ssl/elasticfleet-server.key:/etc/ssl/elasticfleet-server.key:ro
-      - /etc/ssl/tls/certs/intca.crt:/etc/ssl/tls/certs/intca.crt:ro
-      {% endif %}
       - /opt/so/log/elasticfleet:/usr/share/elastic-agent/logs 
      {% if DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
         {% for BIND in DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
@@ -87,13 +82,8 @@ so-elastic-fleet:
       - FLEET_SERVER_POLICY_ID=FleetServer_{{ GLOBALS.hostname }}
       - FLEET_SERVER_CERT=/etc/pki/elasticfleet-server.crt
       - FLEET_SERVER_CERT_KEY=/etc/pki/elasticfleet-server.key
-      {% if GLOBALS.os_family == 'Debian' %}
-      - FLEET_CA=/etc/ssl/certs/intca.crt     
-      - FLEET_SERVER_ELASTICSEARCH_CA=/etc/ssl/certs/intca.crt
-      {% else %}
-      - FLEET_CA=/etc/pki/tls/certs/intca.crt
+      - FLEET_CA=/etc/pki/tls/certs/intca.crt     
       - FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt
-      {% endif %}
       - LOGS_PATH=logs
       {% if DOCKER.containers['so-elastic-fleet'].extra_env %}
         {% for XTRAENV in DOCKER.containers['so-elastic-fleet'].extra_env %}
@@ -106,6 +96,17 @@ so-elastic-fleet:
 {%   endif %}
 
 {%  if GLOBALS.role != "so-fleet" %}
+so-elastic-fleet-package-statefile:
+  file.managed:
+    - name: /opt/so/state/elastic_fleet_packages.txt
+    - contents: {{ELASTICFLEETMERGED.packages}}
+
+so-elastic-fleet-package-upgrade:
+  cmd.run:
+    - name: /usr/sbin/so-elastic-fleet-package-upgrade
+    - onchanges:
+      - file: /opt/so/state/elastic_fleet_packages.txt
+
 so-elastic-fleet-integrations:
   cmd.run:
     - name: /usr/sbin/so-elastic-fleet-integration-policy-load

salt/elasticfleet/files/integrations-optional/sublime_platform.json

@@ -0,0 +1,44 @@
+{%- from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED -%}
+{%- from 'sensoroni/map.jinja' import SENSORONIMERGED -%}
+{%- from 'vars/globals.map.jinja' import GLOBALS -%}
+{%- raw -%}
+{
+  "package": {
+    "name": "httpjson",
+    "version": ""
+  },
+  "name": "sublime-platform",
+  "namespace": "default",
+  "description": "",
+  "policy_id": "FleetServer_{%- endraw -%}{{ NAME }}{%- raw -%}",
+  "vars": {},
+  "inputs": {
+    "generic-httpjson": {
+      "enabled": true,
+      "streams": {
+        "httpjson.generic": {
+          "enabled": true,
+          "vars": {
+            "request_method": "GET",
+            "processors": "- drop_event:\n    when:\n        not:\n            contains: \n                message: \"flagged_rules\"\n- decode_json_fields:\n    fields: [\"message\"]\n    document_id: id\n    target: \"\"",
+            "enable_request_tracer": false,
+            "oauth_scopes": [],
+            "request_transforms": "- set:\n    target: header.Authorization\n    value: 'Bearer {% endraw -%}{{ ELASTICFLEETMERGED.optional_integrations.sublime_platform.api_key }}{%- raw -%}'\n- set:\n    target: header.accept\n    value: application/json\n- set:\n    target: url.params.last_message_created_at[gte]\n    value: '[[formatDate (now (parseDuration \"-{%- endraw -%}{{ ELASTICFLEETMERGED.optional_integrations.sublime_platform.poll_interval }}{%- raw -%}\")) \"2006-01-02T15:04:05Z\"]]'\n- set:\n    target: url.params.reviewed\n    value: false\n- set:\n    target: url.params.flagged\n    value: true\n- set:\n    target: url.params.limit\n    value: {% endraw %}{{ ELASTICFLEETMERGED.optional_integrations.sublime_platform.limit }}{%- raw -%}",
+            "response_transforms": "",
+            "request_redirect_headers_ban_list": [],
+            "request_encode_as": "application/x-www-form-urlencoded",
+            "request_url": "{%- endraw -%}{{ ELASTICFLEETMERGED.optional_integrations.sublime_platform.base_url }}{%- raw -%}/v0/message-groups",
+            "response_split": "target: body.message_groups\ntype: array\nkeep_parent: false\ntransforms:\n    - set:\n        target: body.sublime.request_url\n        value : '[[ .last_response.url.value ]]'",
+            "tags": [
+              "forwarded"
+            ],
+            "pipeline": "sublime",
+            "data_stream.dataset": "sublime",
+            "request_interval": "1m"
+          }
+        }
+      }
+    }
+  }
+}
+{%- endraw -%}

salt/elasticfleet/files/integrations/elastic-defend/elastic-defend-endpoints.json

@@ -5,7 +5,7 @@
 	"package": {
 		"name": "endpoint",
 		"title": "Elastic Defend",
-		"version": "8.8.0"
+		"version": "8.10.2"
 	},
 	"enabled": true,
 	"policy_id": "endpoints-initial",

salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json

@@ -20,7 +20,7 @@
             ],
             "data_stream.dataset": "import",
             "custom": "",
-            "processors": "- dissect:\n    tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n    field: \"log.file.path\"\n    target_prefix: \"\"\n- decode_json_fields:\n    fields: [\"message\"]\n    target: \"\"\n- drop_fields:\n    fields: [\"host\"]\n    ignore_missing: true\n- add_fields:\n    target: data_stream\n    fields:\n      namespace: default\n      type: logs\n      dataset: system.security\n- add_fields:\n    target: event\n    fields:\n      dataset: system.security\n      module: system\n      imported: true  \n- if:\n    equals:\n      winlog.channel: 'Microsoft-Windows-Sysmon/Operational'\n  then: \n    - add_fields:\n        target: data_stream\n        fields:\n          dataset: windows.sysmon_operational\n    - add_fields:\n        target: event\n        fields:\n          dataset: windows.sysmon_operational\n          module: windows\n          imported: true\n- if:\n    equals:\n      winlog.channel: 'Application'\n  then: \n    - add_fields:\n        target: data_stream\n        fields:\n          dataset: system.application\n    - add_fields:\n        target: event\n        fields:\n          dataset: system.application\n- if:\n    equals:\n      winlog.channel: 'System'\n  then: \n    - add_fields:\n        target: data_stream\n        fields:\n          dataset: system.system\n    - add_fields:\n        target: event\n        fields:\n          dataset: system.system\n- if:\n    equals:\n      winlog.channel: 'Microsoft-Windows-PowerShell/Operational'\n  then: \n    - add_fields:\n        target: data_stream\n        fields:\n          dataset: windows.powershell_operational\n    - add_fields:\n        target: event\n        fields:\n          dataset: windows.powershell_operational\n          module: windows",
+            "processors": "- dissect:\n    tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n    field: \"log.file.path\"\n    target_prefix: \"\"\n- decode_json_fields:\n    fields: [\"message\"]\n    target: \"\"\n- drop_fields:\n    fields: [\"host\"]\n    ignore_missing: true\n- add_fields:\n    target: data_stream\n    fields:\n      type: logs\n      dataset: system.security\n- add_fields:\n    target: event\n    fields:\n      dataset: system.security\n      module: system\n      imported: true\n- add_fields:\n    target: \"@metadata\"\n    fields:\n        pipeline: logs-system.security-1.43.0\n- if:\n    equals:\n      winlog.channel: 'Microsoft-Windows-Sysmon/Operational'\n  then: \n    - add_fields:\n        target: data_stream\n        fields:\n          dataset: windows.sysmon_operational\n    - add_fields:\n        target: event\n        fields:\n          dataset: windows.sysmon_operational\n          module: windows\n          imported: true\n    - add_fields:\n        target: \"@metadata\"\n        fields:\n            pipeline: logs-windows.sysmon_operational-1.38.0\n- if:\n    equals:\n      winlog.channel: 'Application'\n  then: \n    - add_fields:\n        target: data_stream\n        fields:\n          dataset: system.application\n    - add_fields:\n        target: event\n        fields:\n          dataset: system.application\n    - add_fields:\n        target: \"@metadata\"\n        fields:\n            pipeline: logs-system.application-1.43.0\n- if:\n    equals:\n      winlog.channel: 'System'\n  then: \n    - add_fields:\n        target: data_stream\n        fields:\n          dataset: system.system\n    - add_fields:\n        target: event\n        fields:\n          dataset: system.system\n    - add_fields:\n        target: \"@metadata\"\n        fields:\n            pipeline: logs-system.system-1.43.0\n    \n- if:\n    equals:\n      winlog.channel: 'Microsoft-Windows-PowerShell/Operational'\n  then: \n    - add_fields:\n        target: data_stream\n        fields:\n          dataset: windows.powershell_operational\n    - add_fields:\n        target: event\n        fields:\n          dataset: windows.powershell_operational\n          module: windows\n    - add_fields:\n        target: \"@metadata\"\n        fields:\n            pipeline: logs-windows.powershell_operational-1.38.0\n- add_fields:\n    target: data_stream\n    fields:\n        dataset: import",
             "tags": [
               "import"
             ]

salt/elasticfleet/soc_elasticfleet.yaml

@@ -40,3 +40,36 @@ elasticfleet:
         helpLink: elastic-fleet.html
         sensitive: True
         advanced: True
+  optional_integrations:
+    sublime_platform:
+      enabled_nodes:
+        description: Fleet nodes with the Sublime Platform integration enabled. Enter one per line.
+        global: True
+        helpLink: elastic-fleet.html
+        advanced: True
+        forcedType: "[]string"
+      api_key:
+        description: API key for Sublime Platform.
+        global: True
+        helpLink: elastic-fleet.html
+        advanced: True
+        forcedType: string
+        sensitive: True
+      base_url:
+        description: Base URL for Sublime Platform.
+        global: True
+        helpLink: elastic-fleet.html
+        advanced: True
+        forcedType: string
+      poll_interval:
+        description: Poll interval for alerts from Sublime Platform.
+        global: True
+        helpLink: elastic-fleet.html
+        advanced: True
+        forcedType: string
+      limit:
+        description: The maximum number of message groups to return from Sublime Platform.
+        global: True
+        helpLink: elastic-fleet.html
+        advanced: True
+        forcedType: int

salt/elasticfleet/tools/sbin/so-elastic-fleet-common

@@ -42,6 +42,23 @@ elastic_fleet_integration_create() {
     curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
 }
 
+
+elastic_fleet_integration_remove() {
+
+    AGENT_POLICY=$1
+
+    NAME=$2
+
+    INTEGRATION_ID=$(/usr/sbin/so-elastic-fleet-agent-policy-view "$AGENT_POLICY" | jq -r '.item.package_policies[] | select(.name=="'"$NAME"'") | .id')
+
+    JSON_STRING=$( jq -n \
+                    --arg INTEGRATIONID "$INTEGRATION_ID" \
+                    '{"packagePolicyIds":[$INTEGRATIONID]}'
+                    )
+
+    curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/package_policies/delete" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
+}
+
 elastic_fleet_integration_update() {
 
     UPDATE_ID=$1
@@ -51,6 +68,19 @@ elastic_fleet_integration_update() {
     curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/package_policies/$UPDATE_ID" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
 }
 
+elastic_fleet_integration_policy_upgrade() {
+
+    INTEGRATION_ID=$1
+
+    JSON_STRING=$( jq -n \
+                    --arg INTEGRATIONID "$INTEGRATION_ID" \
+                    '{"packagePolicyIds":[$INTEGRATIONID]}'
+                    )
+
+    curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/package_policies/upgrade" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
+}
+
+
 elastic_fleet_package_version_check() {
     PACKAGE=$1
     curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/epm/packages/$PACKAGE" | jq -r '.item.version'
@@ -62,8 +92,9 @@ elastic_fleet_package_latest_version_check() {
 }
 
 elastic_fleet_package_install() {
-    PKGKEY=$1
-    curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST -H 'kbn-xsrf: true' "localhost:5601/api/fleet/epm/packages/$PKGKEY"
+    PKG=$1
+    VERSION=$2
+    curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST -H 'kbn-xsrf: true' -H 'Content-Type: application/json'  -d '{"force":true}' "localhost:5601/api/fleet/epm/packages/$PKG/$VERSION"
 }
 
 elastic_fleet_package_is_installed() {
@@ -97,3 +128,4 @@ elastic_fleet_policy_update() {
 
     curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/agent_policies/$POLICYID" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
 }
+

salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-elastic-defend

@@ -0,0 +1,23 @@
+#!/bin/bash
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+# Usage: Run with --force to update the Elastic Defend integration policy
+
+. /usr/sbin/so-elastic-fleet-common
+
+# Manage Elastic Defend Integration for Initial Endpoints Policy
+for INTEGRATION in /opt/so/conf/elastic-fleet/integrations/elastic-defend/*.json
+do
+  printf "\n\nInitial Endpoints Policy - Loading $INTEGRATION\n"
+  elastic_fleet_integration_check "endpoints-initial" "$INTEGRATION"
+  if [ -n "$INTEGRATION_ID" ]; then
+      printf "\n\nIntegration $NAME exists - Upgrading integration policy\n"
+      elastic_fleet_integration_policy_upgrade "$INTEGRATION_ID"
+  else
+    printf "\n\nIntegration does not exist - Creating integration\n"
+    elastic_fleet_integration_create "@$INTEGRATION"
+  fi
+done

salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load

@@ -12,6 +12,9 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then
   # First, check for any package upgrades
   /usr/sbin/so-elastic-fleet-package-upgrade
 
+  # Second, configure Elastic Defend Integration seperately
+  /usr/sbin/so-elastic-fleet-integration-policy-elastic-defend
+
   # Initial Endpoints
   for INTEGRATION in /opt/so/conf/elastic-fleet/integrations/endpoints-initial/*.json
   do
@@ -61,7 +64,28 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then
   if [[ "$RETURN_CODE" != "1" ]]; then
     touch /opt/so/state/eaintegrations.txt
   fi
+
+  # Fleet Server - Optional integrations
+  for INTEGRATION in /opt/so/conf/elastic-fleet/integrations-optional/FleetServer*/*.json
+  do
+    if ! [ "$INTEGRATION" == "/opt/so/conf/elastic-fleet/integrations-optional/FleetServer*/*.json" ]; then
+      FLEET_POLICY=`echo "$INTEGRATION"| cut -d'/' -f7`
+      printf "\n\nFleet Server Policy - Loading $INTEGRATION\n"
+      elastic_fleet_integration_check "$FLEET_POLICY" "$INTEGRATION"
+      if [ -n "$INTEGRATION_ID" ]; then
+        printf "\n\nIntegration $NAME exists - Updating integration\n"
+        elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION"
+      else
+        printf "\n\nIntegration does not exist - Creating integration\n"
+        if [ "$NAME" != "elasticsearch-logs" ]; then
+          elastic_fleet_integration_create "@$INTEGRATION"
+        fi
+      fi
+    fi
+  done
+  if [[ "$RETURN_CODE" != "1" ]]; then
+    touch /opt/so/state/eaintegrations.txt
+  fi
 else
   exit $RETURN_CODE
 fi
-

salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers

@@ -46,7 +46,7 @@ do
 done 
 
 printf "\n### Stripping out unused components"
-find /nsm/elastic-agent-workspace/elastic-agent-*/data/elastic-agent-*/components -regex '.*fleet.*\|.*packet.*\|.*apm*.*\|.*audit.*\|.*heart.*\|.*cloud.*' -delete 
+find /nsm/elastic-agent-workspace/elastic-agent-*/data/elastic-agent-*/components -maxdepth 1 -regex '.*fleet.*\|.*packet.*\|.*apm.*\|.*audit.*\|.*heart.*\|.*cloud.*' -delete 
 
 printf "\n### Tarring everything up again"
 for OS in "${OSARCH[@]}"
@@ -65,7 +65,7 @@ do
     if [[ $GOOS == 'darwin/arm64' ]]; then GOOS="darwin" && GOARCH="arm64"; fi
     printf "\n\n### Generating $GOOS/$GOARCH Installer...\n"
     docker run -e CGO_ENABLED=0 -e GOOS=$GOOS -e GOARCH=$GOARCH \
-    --mount type=bind,source=/etc/ssl/certs/,target=/workspace/files/cert/ \
+    --mount type=bind,source=/etc/pki/tls/certs/,target=/workspace/files/cert/ \
     --mount type=bind,source=/nsm/elastic-agent-workspace/,target=/workspace/files/elastic-agent/ \
     --mount type=bind,source=/opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/,target=/output/ \
     {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent-builder:{{ GLOBALS.so_version }} go build -ldflags "-X main.fleetHostURLsList=$FLEETHOST -X main.enrollmentToken=$ENROLLMENTOKEN"  -o /output/so-elastic-agent_${GOOS}_${GOARCH}

salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-load

@@ -11,7 +11,7 @@
 {%- for PACKAGE in SUPPORTED_PACKAGES %}
 echo "Setting up {{ PACKAGE }} package..."
 VERSION=$(elastic_fleet_package_version_check "{{ PACKAGE }}")
-elastic_fleet_package_install "{{ PACKAGE }}-$VERSION"
+elastic_fleet_package_install "{{ PACKAGE }}" "$VERSION"
 echo
 {%- endfor %}
 echo

salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-upgrade

@@ -11,7 +11,8 @@
 {%- for PACKAGE in SUPPORTED_PACKAGES %}
 echo "Upgrading {{ PACKAGE }} package..."
 VERSION=$(elastic_fleet_package_latest_version_check "{{ PACKAGE }}")
-elastic_fleet_package_install "{{ PACKAGE }}-$VERSION"
+elastic_fleet_package_install "{{ PACKAGE }}" "$VERSION"
 echo
 {%- endfor %}
 echo
+/usr/sbin/so-elasticsearch-templates-load

salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup

@@ -6,14 +6,21 @@
 # this file except in compliance with the Elastic License 2.0.
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 
-{% if GLOBALS.os_family == 'Debian' %}
-INTCA=/etc/ssl/certs/intca.crt
-{% else %}
 INTCA=/etc/pki/tls/certs/intca.crt
-{% endif %}
 
+. /usr/sbin/so-common
 . /usr/sbin/so-elastic-fleet-common
 
+# Check to make sure that Kibana API is up & ready
+RETURN_CODE=0
+wait_for_web_response "http://localhost:5601/api/fleet/settings" "fleet" 300 "curl -K /opt/so/conf/elasticsearch/curl.config"
+RETURN_CODE=$?
+
+if [[ "$RETURN_CODE" != "0" ]]; then
+    printf "Kibana API not accessible, exiting Elastic Fleet setup..."
+    exit 1
+fi
+
 printf "\n### Create ES Token ###\n"
 ESTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/service_tokens" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' |  jq -r .value)
 
@@ -124,3 +131,4 @@ salt-call state.apply elasticfleet queue=True
 # Generate installers & install Elastic Agent on the node
 so-elastic-agent-gen-installers
 salt-call state.apply elasticfleet.install_agent_grid queue=True
+exit 0

salt/elasticsearch/config.map.jinja

@@ -20,20 +20,12 @@
       {% for NODE in ES_LOGSTASH_NODES %}
         {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.discovery.seed_hosts.append(NODE.keys()|first) %}
       {% endfor %}
-      {% if grains.id.split('_') | last == 'manager' %}
-        {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.update({'roles': ['master','data','remote_cluster_client']}) %}
-      {% else %}
-        {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.update({'roles': ['master', 'data_hot', 'remote_cluster_client']}) %}
-      {% endif %}
     {% endif %}
 {% elif grains.id.split('_') | last == 'searchnode' %}
-  {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.update({'roles': ['data_hot', 'ingest']}) %}
   {% if HIGHLANDER %}
         {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.roles.extend(['ml', 'master', 'transform']) %}
   {% endif %}
   {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.update({'discovery': {'seed_hosts': [GLOBALS.manager]}}) %}
-{% elif grains.id.split('_') | last == 'heavynode' %}
-  {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.update({'roles': ['master', 'data', 'remote_cluster_client', 'ingest']}) %}
 {% endif %}
 {% if HIGHLANDER %}
       {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.xpack.ml.update({'enabled': true}) %}
@@ -53,3 +45,5 @@
     {% endif %}
   {% endfor %}
 {% endif %}
+
+{% do ELASTICSEARCHMERGED.config.node.update({'roles': ELASTICSEARCHMERGED.so_roles[GLOBALS.role].config.node.roles}) %}

salt/elasticsearch/enabled.sls

@@ -59,7 +59,7 @@ so-elasticsearch:
       {% if GLOBALS.is_manager %}
       - /etc/pki/ca.crt:/usr/share/elasticsearch/config/ca.crt:ro
       {% else %}
-      - /etc/ssl/certs/intca.crt:/usr/share/elasticsearch/config/ca.crt:ro
+      - /etc/pki/tls/certs/intca.crt:/usr/share/elasticsearch/config/ca.crt:ro
       {% endif %}
       - /etc/pki/elasticsearch.crt:/usr/share/elasticsearch/config/elasticsearch.crt:ro
       - /etc/pki/elasticsearch.key:/usr/share/elasticsearch/config/elasticsearch.key:ro
@@ -108,8 +108,9 @@ escomponenttemplates:
     - source: salt://elasticsearch/templates/component
     - user: 930
     - group: 939
+    - clean: True
     - onchanges_in:
-      - cmd: so-elasticsearch-templates
+      - file: so-elasticsearch-templates-reload
       
 # Auto-generate templates from defaults file
 {%     for index, settings in ES_INDEX_SETTINGS.items() %}
@@ -122,7 +123,7 @@ es_index_template_{{index}}:
       TEMPLATE_CONFIG: {{ settings.index_template }}
     - template: jinja
     - onchanges_in:
-      - cmd: so-elasticsearch-templates
+      - file: so-elasticsearch-templates-reload
 {%       endif %}
 {%     endfor %}
 
@@ -141,7 +142,7 @@ es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}:
     - user: 930
     - group: 939
     - onchanges_in:
-      - cmd: so-elasticsearch-templates
+      - file: so-elasticsearch-templates-reload
 {%       endfor %}
 {%     endif %}
 
@@ -166,6 +167,10 @@ so-elasticsearch-ilm-policy-load:
     - onchanges:
       - file: so-elasticsearch-ilm-policy-load-script
 
+so-elasticsearch-templates-reload:
+  file.absent:
+    - name: /opt/so/state/estemplates.txt
+
 so-elasticsearch-templates:
   cmd.run:
     - name: /usr/sbin/so-elasticsearch-templates-load

salt/elasticsearch/files/ingest/.fleet_final_pipeline-1

@@ -78,7 +78,10 @@
     { "set":        { "if": "ctx.network?.direction == 'ingress'", "override": true, "field": "network.initiated", "value": "false" } },
     { "set":        { "if": "ctx.network?.type == 'ipv4'", "override": true, "field": "destination.ipv6", "value": "false" } },
     { "set":        { "if": "ctx.network?.type == 'ipv6'", "override": true, "field": "destination.ipv6", "value": "true" } },
-    {"community_id":{ "if": "ctx.event?.dataset == 'endpoint.events.network'", "ignore_failure":true }  },
+    { "set":        { "if": "ctx.tags.0 == 'import'", "override": true, "field": "data_stream.dataset", "value": "import" } },
+    { "set":        { "if": "ctx.tags.0 == 'import'", "override": true, "field": "data_stream.namespace", "value": "so" } },
+    { "date":       { "if": "ctx.event?.module == 'system'", "field": "event.created", "target_field": "@timestamp", "formats": ["yyyy-MM-dd'T'HH:mm:ss.SSSSSS'Z'"] } },
+    { "community_id":{ "if": "ctx.event?.dataset == 'endpoint.events.network'", "ignore_failure":true }  },
     { "remove":     { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp", "dataset_tag_temp", "module_temp" ], "ignore_missing": true, "ignore_failure": true } } 
   ],
   "on_failure": [

salt/elasticsearch/files/ingest/strelka.file

@@ -63,8 +63,8 @@
     { "set":         { "if": "ctx.rule?.score != null && ctx.rule?.score >= 50 && ctx.rule?.score <=69",   "field": "event.severity", "value": 2, "override": true }  },
     { "set":         { "if": "ctx.rule?.score != null && ctx.rule?.score >= 70 && ctx.rule?.score <=89",   "field": "event.severity", "value": 3, "override": true }  },
     { "set":         { "if": "ctx.rule?.score != null && ctx.rule?.score >= 90",   "field": "event.severity", "value": 4, "override": true }  },
-    { "set":         { "if": "ctx.scan?.entropy?.entropy == 0",   "field": "scan.entropy.entropy", "value": "0.0", "override": true }  },
-    { "set":         { "if": "ctx.scan?.pe?.image_version == 0",   "field": "scan.pe.image_version", "value": "0.0", "override": true }  },
+    { "set":         { "if": "ctx.scan?.entropy?.entropy == '0'",   "field": "scan.entropy.entropy", "value": "0.0", "override": true }  },
+    { "set":         { "if": "ctx.scan?.pe?.image_version == '0'",   "field": "scan.pe.image_version", "value": "0.0", "override": true }  },
     { "set":         { "field": "observer.name",        "value": "{{agent.name}}" }},
     { "convert" :    { "field" : "scan.exiftool","type": "string", "ignore_missing":true }},
     { "remove":         { "field": ["host", "path", "message", "exiftool", "scan.yara.meta"],                                         "ignore_missing": true  } },

salt/elasticsearch/files/ingest/sublime

@@ -0,0 +1,34 @@
+{
+  "description" : " Email alerts from Sublime",
+  "processors" : [
+    { "set":         { "field": "event.module", "value": "sublime"  } },
+    { "set":         { "field": "event.dataset", "value": "alert"  } },
+    { "set":         { "field": "event.severity", "value": 3, "override": true }  },
+    { "set":         { "field": "rule.name", "value": "Sublime Platform: {{ flagged_rules.0.name }}", "override": true }  },
+    { "set":         { "field": "sublime.message_group_id", "value": "{{ _id }}", "override": true }  },
+    { "set":         { "field": "email.address", "value": "{{ messages.0.recipients.0.email }}", "override": true }  },
+    { "set":         { "field": "email.forwarded_recipents", "value": "{{ messages.0.forwarded_receipients }}", "override": true }  },
+    { "set":         { "field": "email.sender.address", "value": "{{ messages.0.sender.email }}", "override": true }  },
+    { "set":         { "field": "email.subject", "value": "{{ messages.0.subject }}", "override": true }  },
+    { "set":         { "field": "email.forwarded_at", "value": "{{ messages.0.forwarded_at }}", "override": true }  },
+    { "set":         { "field": "email.created_at", "value": "{{ messages.0.created_at }}", "override": true }  },
+    { "set":         { "field": "email.read_at", "value": "{{ messages.0.read_at }}", "override": true }  },
+    { "set":         { "field": "email.replied_at", "value": "{{ messages.0.replied_at }}", "override": true }  },
+    {
+        "grok": {
+          "field": "sublime.request_url",
+          "patterns": ["^https://api.%{DATA:sublime_host}/v0%{GREEDYDATA}$"],
+          "ignore_failure": true
+        }
+    },
+
+    { "rename":      { "field": "sublime_host", "target_field": "sublime.url", "ignore_missing": true } },
+    { "rename":      { "field": "data", "target_field": "sublime", "ignore_missing": true } },
+    { "rename":      { "field": "flagged_rules", "target_field": "sublime.flagged_rules", "ignore_missing": true } },
+    { "rename":      { "field": "organization_id", "target_field": "sublime.organization_id", "ignore_missing": true } },
+    { "rename":      { "field": "review_status", "target_field": "sublime.review_status", "ignore_missing": true } },
+    { "rename":      { "field": "state", "target_field": "sublime.state", "ignore_missing": true } },
+    { "rename":      { "field": "user_reports", "target_field": "sublime.user_reports", "ignore_missing": true } },
+    { "pipeline":    { "name": "common" } }
+  ]
+}

salt/elasticsearch/files/ingest/suricata.common

@@ -2,6 +2,7 @@
   "description" : "suricata.common",
   "processors" : [
     { "json":   { "field": "message",                   "target_field": "message2",             "ignore_failure": true  } },
+    { "rename": { "field": "message2.pkt_src",          "target_field": "network.packet_source","ignore_failure": true  } },
     { "rename": { "field": "message2.proto",            "target_field": "network.transport",    "ignore_failure": true  } },
     { "rename": { "field": "message2.flow_id",          "target_field": "log.id.uid",           "ignore_failure": true  } },
     { "rename": { "field": "message2.src_ip",           "target_field": "source.ip",            "ignore_failure": true  } },

salt/elasticsearch/soc_elasticsearch.yaml

@@ -33,7 +33,6 @@ elasticsearch:
               flood_stage: 
                 description: The max percentage of used disk space that will cause the node to take protective actions, such as blocking incoming events.
                 helpLink: elasticsearch.html
-
     script:
       max_compilations_rate: 
         description: Max rate of script compilations permitted in the Elasticsearch cluster. Larger values will consume more resources.
@@ -47,31 +46,16 @@ elasticsearch:
             global: True
             helpLink: elasticsearch.html
   index_settings:
-    so-logs: &indexSettings
-      index_sorting: 
-        description: Sorts the index by event time, at the cost of additional processing resource consumption.
-        global: True
-        helpLink: elasticsearch.html
+    global_overrides:
       index_template:
-        index_patterns:
-          description: Patterns for matching multiple indices or tables.
-          forceType: "[]string"
-          multiline: True
-          global: True
-          helpLink: elasticsearch.html
         template:
           settings:
             index:
-              number_of_replicas: 
-                description: Number of replicas required for this index. Multiple replicas protects against data loss, but also increases storage costs.
+              number_of_replicas:
+                description: Number of replicas required for all indices. Multiple replicas protects against data loss, but also increases storage costs. This setting will be applied to all indices.
+                forcedType: int
                 global: True
                 helpLink: elasticsearch.html
-              mapping:
-                total_fields:
-                  limit:
-                    description: Max number of fields that can exist on a single index. Larger values will consume more resources.
-                    global: True
-                    helpLink: elasticsearch.html
               refresh_interval: 
                 description: Seconds between index refreshes. Shorter intervals can cause query performance to suffer since this is a synchronous and resource-intensive operation.
                 global: True
@@ -89,48 +73,10 @@ elasticsearch:
                   description: The order to sort by. Must set index_sorting to True.
                   global: True
                   helpLink: elasticsearch.html
-          mappings:
-            _meta:
-              package:
-                name:
-                  description: Meta settings for the mapping.
-                  global: True
-                  helpLink: elasticsearch.html
-              managed_by:
-                  description: Meta settings for the mapping.
-                  global: True
-                  helpLink: elasticsearch.html
-              managed:
-                  description: Meta settings for the mapping.
-                  forcedType: bool
-                  global: True
-                  helpLink: elasticsearch.html
-        composed_of:
-          description: The index template is composed of these component templates.
-          forcedType: "[]string"
-          global: True
-          helpLink: elasticsearch.html
-        priority:
-          description: The priority of the index template.
-          forcedType: int
-          global: True
-          helpLink: elasticsearch.html
-        data_stream:
-          hidden:
-            description: Hide the data stream.
-            forcedType: bool
-            global: True
-            helpLink: elasticsearch.html
-          allow_custom_routing:
-            description: Allow custom routing for the data stream.
-            forcedType: bool
-            global: True
-            helpLink: elasticsearch.html
-      policy:
         phases:
           hot:
-            min_age:
-              description: Minimum age of index. This determines when the index should be moved to the hot tier.
+            max_age:
+              description: Maximum age of index. ex. 7d - This determines when the index should be moved out of the hot tier.
               global: True
               helpLink: elasticsearch.html
             actions:
@@ -149,10 +95,187 @@ elasticsearch:
                   description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index.
                   global: True
                   helpLink: elasticsearch.html
+          cold:
+            min_age:
+              description: Minimum age of index. ex. 30d - This determines when the index should be moved to the cold tier.  While still searchable, this tier is typically optimized for lower storage costs rather than search speed.
+              global: True
+              helpLink: elasticsearch.html
+            actions:
+              set_priority:
+                priority:
+                  description: Used for index recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
+                  global: True
+                  helpLink: elasticsearch.html
+          warm:
+            min_age: 
+              description: Minimum age of index. ex. 30d - This determines when the index should be moved to the cold tier.  While still searchable, this tier is typically optimized for lower storage costs rather than search speed.
+              regex: ^\[0-9\]{1,5}d$
+              forcedType: string
+              global: True
+            actions:
+              set_priority:
+                priority:
+                  description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
+                  forcedType: int
+                  global: True
+                  helpLink: elasticsearch.html
+          delete:
+            min_age:
+              description: Minimum age of index. ex. 90d - This determines when the index should be deleted.
+              global: True
+              helpLink: elasticsearch.html
+    so-logs: &indexSettings
+      index_sorting: 
+        description: Sorts the index by event time, at the cost of additional processing resource consumption.
+        global: True
+        advanced: True
+        helpLink: elasticsearch.html
+      index_template:
+        index_patterns:
+          description: Patterns for matching multiple indices or tables.
+          forceType: "[]string"
+          multiline: True
+          global: True
+          advanced: True
+          helpLink: elasticsearch.html
+        template:
+          settings:
+            index:
+              number_of_replicas: 
+                description: Number of replicas required for this index. Multiple replicas protects against data loss, but also increases storage costs.
+                forcedType: int
+                global: True
+                advanced: True
+                helpLink: elasticsearch.html
+              mapping:
+                total_fields:
+                  limit:
+                    description: Max number of fields that can exist on a single index. Larger values will consume more resources.
+                    global: True
+                    advanced: True
+                    helpLink: elasticsearch.html
+              refresh_interval: 
+                description: Seconds between index refreshes. Shorter intervals can cause query performance to suffer since this is a synchronous and resource-intensive operation.
+                global: True
+                advanced: True
+                helpLink: elasticsearch.html
+              number_of_shards: 
+                description: Number of shards required for this index. Using multiple shards increases fault tolerance, but also increases storage and network costs.
+                global: True
+                advanced: True
+                helpLink: elasticsearch.html
+              sort:
+                field:
+                  description: The field to sort by. Must set index_sorting to True.
+                  global: True
+                  advanced: True
+                  helpLink: elasticsearch.html
+                order:
+                  description: The order to sort by. Must set index_sorting to True.
+                  global: True
+                  advanced: True
+                  helpLink: elasticsearch.html
+          mappings:
+            _meta:
+              package:
+                name:
+                  description: Meta settings for the mapping.
+                  global: True
+                  advanced: True
+                  helpLink: elasticsearch.html
+              managed_by:
+                  description: Meta settings for the mapping.
+                  global: True
+                  advanced: True
+                  helpLink: elasticsearch.html
+              managed:
+                  description: Meta settings for the mapping.
+                  forcedType: bool
+                  global: True
+                  advanced: True
+                  helpLink: elasticsearch.html
+        composed_of:
+          description: The index template is composed of these component templates.
+          forcedType: "[]string"
+          global: True
+          advanced: True
+          helpLink: elasticsearch.html
+        priority:
+          description: The priority of the index template.
+          forcedType: int
+          global: True
+          advanced: True
+          helpLink: elasticsearch.html
+        data_stream:
+          hidden:
+            description: Hide the data stream.
+            forcedType: bool
+            global: True
+            advanced: True
+            helpLink: elasticsearch.html
+          allow_custom_routing:
+            description: Allow custom routing for the data stream.
+            forcedType: bool
+            global: True
+            advanced: True
+            helpLink: elasticsearch.html
+      policy:
+        phases:
+          hot:
+            min_age:
+              description: Minimum age of index. This determines when the index should be moved to the hot tier.
+              global: True
+              advanced: True
+              helpLink: elasticsearch.html
+            actions:
+              set_priority:
+                priority:
+                  description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
+                  forcedType: int
+                  global: True
+                  advanced: True
+                  helpLink: elasticsearch.html
+              rollover:
+                max_age:
+                  description: Maximum age of index.  Once an index reaches this limit, it will be rolled over into a new index.
+                  global: True
+                  advanced: True
+                  helpLink: elasticsearch.html
+                max_primary_shard_size:
+                  description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index.
+                  global: True
+                  advanced: True
+                  helpLink: elasticsearch.html
+          warm:
+            min_age:
+              description: Minimum age of index. This determines when the index should be moved to the hot tier.
+              global: True
+              advanced: True
+              helpLink: elasticsearch.html
+            actions:
+              set_priority:
+                priority:
+                  description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
+                  forcedType: int
+                  global: True
+                  advanced: True
+                  helpLink: elasticsearch.html
+              rollover:
+                max_age:
+                  description: Maximum age of index.  Once an index reaches this limit, it will be rolled over into a new index.
+                  global: True
+                  advanced: True
+                  helpLink: elasticsearch.html
+                max_primary_shard_size:
+                  description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index.
+                  global: True
+                  advanced: True
+                  helpLink: elasticsearch.html
           cold:
             min_age:
               description: Minimum age of index.  This determines when the index should be moved to the cold tier.  While still searchable, this tier is typically optimized for lower storage costs rather than search speed.
               global: True
+              advanced: True
               helpLink: elasticsearch.html
             actions:
               set_priority:
@@ -160,26 +283,31 @@ elasticsearch:
                   description: Used for index recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
                   forcedType: int
                   global: True
+                  advanced: True
                   helpLink: elasticsearch.html
           delete:
             min_age:
               description: Minimum age of index. This determines when the index should be deleted.
               global: True
+              advanced: True
               helpLink: elasticsearch.html
         _meta:
           package:
             name:
               description: Meta settings for the mapping.
               global: True
+              advanced: True
               helpLink: elasticsearch.html
           managed_by:
             description: Meta settings for the mapping.
             global: True
+            advanced: True
             helpLink: elasticsearch.html
           managed:
             description: Meta settings for the mapping.
             forcedType: bool
             global: True
+            advanced: True
             helpLink: elasticsearch.html
     so-logs-system_x_auth: *indexSettings
     so-logs-system_x_syslog: *indexSettings
@@ -190,6 +318,9 @@ elasticsearch:
     so-logs-windows_x_powershell: *indexSettings
     so-logs-windows_x_powershell_operational: *indexSettings
     so-logs-windows_x_sysmon_operational: *indexSettings
+    so-logs-apache_x_access: *indexSettings
+    so-logs-apache_x_error: *indexSettings
+    so-logs-auditd_x_log: *indexSettings
     so-logs-aws_x_cloudtrail: *indexSettings
     so-logs-aws_x_cloudwatch_logs: *indexSettings
     so-logs-aws_x_ec2_logs: *indexSettings
@@ -210,9 +341,27 @@ elasticsearch:
     so-logs-azure_x_provisioning: *indexSettings
     so-logs-azure_x_signinlogs: *indexSettings
     so-logs-azure_x_springcloudlogs: *indexSettings
+    so-logs-barracuda_x_waf: *indexSettings
+    so-logs-cisco_asa_x_log: *indexSettings
     so-logs-cloudflare_x_audit: *indexSettings
     so-logs-cloudflare_x_logpull: *indexSettings
+    so-logs-crowdstrike_x_falcon: *indexSettings
+    so-logs-crowdstrike_x_fdr: *indexSettings
+    so-logs-darktrace_x_ai_analyst_alert: *indexSettings
+    so-logs-darktrace_x_model_breach_alert: *indexSettings
+    so-logs-darktrace_x_system_status_alert: *indexSettings
+    so-logs-f5_bigip_x_log: *indexSettings
     so-logs-fim_x_event: *indexSettings
+    so-logs-fortinet_x_clientendpoint: *indexSettings
+    so-logs-fortinet_x_firewall: *indexSettings
+    so-logs-fortinet_x_fortimail: *indexSettings
+    so-logs-fortinet_x_fortimanager: *indexSettings
+    so-logs-fortinet_x_fortigate: *indexSettings
+    so-logs-gcp_x_audit: *indexSettings
+    so-logs-gcp_x_dns: *indexSettings
+    so-logs-gcp_x_firewall: *indexSettings
+    so-logs-gcp_x_loadbalancing_logs: *indexSettings
+    so-logs-gcp_x_vpcflow: *indexSettings
     so-logs-github_x_audit: *indexSettings
     so-logs-github_x_code_scanning: *indexSettings
     so-logs-github_x_dependabot: *indexSettings
@@ -232,6 +381,52 @@ elasticsearch:
     so-logs-google_workspace_x_saml: *indexSettings
     so-logs-google_workspace_x_token: *indexSettings
     so-logs-google_workspace_x_user_accounts: *indexSettings
+    so-logs-http_endpoint_x_generic: *indexSettings
+    so-logs-httpjson_x_generic: *indexSettings
+    so-logs-juniper_x_junos: *indexSettings
+    so-logs-juniper_x_netscreen: *indexSettings
+    so-logs-juniper_x_srx: *indexSettings
+    so-logs-juniper_srx_x_log: *indexSettings
+    so-logs-kafka_log_x_generic: *indexSettings
+    so-logs-lastpass_x_detailed_shared_folder: *indexSettings
+    so-logs-lastpass_x_event_report: *indexSettings
+    so-logs-lastpass_x_user: *indexSettings
+    so-logs-m365_defender_x_event: *indexSettings
+    so-logs-m365_defender_x_incident: *indexSettings
+    so-logs-m365_defender_x_log: *indexSettings
+    so-logs-microsoft_defender_endpoint_x_log: *indexSettings
+    so-logs-microsoft_dhcp_x_log: *indexSettings
+    so-logs-netflow_x_log: *indexSettings
+    so-logs-o365_x_audit: *indexSettings
+    so-logs-okta_x_system: *indexSettings
+    so-logs-panw_x_panos: *indexSettings
+    so-logs-pfsense_x_log: *indexSettings
+    so-logs-sentinel_one_x_activity: *indexSettings
+    so-logs-sentinel_one_x_agent: *indexSettings
+    so-logs-sentinel_one_x_alert: *indexSettings
+    so-logs-sentinel_one_x_group: *indexSettings
+    so-logs-sentinel_one_x_threat: *indexSettings
+    so-logs-sonicwall_firewall_x_log: *indexSettings
+    so-logs-symantec_endpoint_x_log: *indexSettings
+    so-logs-ti_abusech_x_malware: *indexSettings
+    so-logs-ti_abusech_x_malwarebazaar: *indexSettings
+    so-logs-ti_abusech_x_threatfox: *indexSettings
+    so-logs-ti_abusech_x_url: *indexSettings
+    so-logs-ti_misp_x_threat: *indexSettings
+    so-logs-ti_misp_x_threat_attributes: *indexSettings
+    so-logs-ti_otx_x_threat: *indexSettings
+    so-logs-ti_recordedfuture_x_latest_ioc-template: *indexSettings
+    so-logs-ti_recordedfuture_x_threat: *indexSettings
+    so-logs-zscaler_zia_x_alerts: *indexSettings
+    so-logs-zscaler_zia_x_dns: *indexSettings
+    so-logs-zscaler_zia_x_firewall: *indexSettings
+    so-logs-zscaler_zia_x_tunnel: *indexSettings
+    so-logs-zscaler_zia_x_web: *indexSettings
+    so-logs-zscaler_zpa_x_app_connector_status: *indexSettings
+    so-logs-zscaler_zpa_x_audit: *indexSettings
+    so-logs-zscaler_zpa_x_browser_access: *indexSettings
+    so-logs-zscaler_zpa_x_user_activity: *indexSettings
+    so-logs-zscaler_zpa_x_user_status: *indexSettings
     so-logs-1password_x_item_usages: *indexSettings
     so-logs-1password_x_signin_attempts: *indexSettings
     so-logs-osquery-manager-actions: *indexSettings
@@ -267,3 +462,19 @@ elasticsearch:
     so-strelka: *indexSettings
     so-syslog: *indexSettings
     so-zeek: *indexSettings
+  so_roles:
+    so-manager: &soroleSettings
+      config:
+        node:
+          roles:
+            description: List of Elasticsearch roles that the node should have. Blank assumes all roles
+            forcedType: "[]string"
+            global: False
+            advanced: True
+            helpLink: elasticsearch.html
+    so-managersearch: *soroleSettings
+    so-standalone: *soroleSettings
+    so-searchnode: *soroleSettings
+    so-heavynode: *soroleSettings
+    so-eval: *soroleSettings
+    so-import: *soroleSettings

salt/elasticsearch/template.map.jinja

@@ -1,11 +1,28 @@
-{% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS with context %}
-{%- set ES_INDEX_SETTINGS_ORIG = salt['pillar.get']('elasticsearch:index_settings', default=ELASTICSEARCHDEFAULTS.elasticsearch.index_settings, merge=True) %}
-{% set ES_INDEX_SETTINGS = {} %}
-{% for index, settings in ES_INDEX_SETTINGS_ORIG.items() %}
-  {% if settings.index_template is defined %}
-    {% if not settings.get('index_sorting', False) | to_bool and settings.index_template.template.settings.index.sort is defined %}
-      {% do settings.index_template.template.settings.index.pop('sort') %}
-    {% endif %}
-  {% endif %}
-  {% do ES_INDEX_SETTINGS.update({index | replace("_x_", "."): ES_INDEX_SETTINGS_ORIG[index]}) %}
+{% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS %}
+{% set DEFAULT_GLOBAL_OVERRIDES = ELASTICSEARCHDEFAULTS.elasticsearch.index_settings.pop('global_overrides') %}
+
+{% set PILLAR_GLOBAL_OVERRIDES = {} %}
+{% if salt['pillar.get']('elasticsearch:index_settings') is defined %}
+{%   set ES_INDEX_PILLAR = salt['pillar.get']('elasticsearch:index_settings') %}
+{%   if ES_INDEX_PILLAR.global_overrides is defined %}
+{%     set PILLAR_GLOBAL_OVERRIDES = ES_INDEX_PILLAR.pop('global_overrides') %}
+{%   endif %}
+{% endif %}
+
+{% set ES_INDEX_SETTINGS_ORIG = ELASTICSEARCHDEFAULTS.elasticsearch.index_settings %}
+
+{% set ES_INDEX_SETTINGS_GLOBAL_OVERRIDES = {} %}
+{% for index in ES_INDEX_SETTINGS_ORIG.keys() %}
+{%   do ES_INDEX_SETTINGS_GLOBAL_OVERRIDES.update({index: salt['defaults.merge'](ELASTICSEARCHDEFAULTS.elasticsearch.index_settings[index], PILLAR_GLOBAL_OVERRIDES, in_place=False)}) %}
+{% endfor %}
+
+{% set ES_INDEX_SETTINGS = {} %}
+{% do ES_INDEX_SETTINGS_GLOBAL_OVERRIDES.update(salt['defaults.merge'](ES_INDEX_SETTINGS_GLOBAL_OVERRIDES, ES_INDEX_PILLAR, in_place=False)) %}
+{% for index, settings in ES_INDEX_SETTINGS_GLOBAL_OVERRIDES.items() %}
+{%   if settings.index_template is defined %}
+{%     if not settings.get('index_sorting', False) | to_bool and settings.index_template.template.settings.index.sort is defined %}
+{%       do settings.index_template.template.settings.index.pop('sort') %}
+{%     endif %}
+{%   endif %}
+{%   do ES_INDEX_SETTINGS.update({index | replace("_x_", "."): ES_INDEX_SETTINGS_GLOBAL_OVERRIDES[index]}) %}
 {% endfor %}

salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@custom.json

@@ -1,12 +0,0 @@
-{
-  "template": {
-    "settings": {}
-  },
-  "_meta": {
-    "package": {
-      "name": "elastic_agent"
-    },
-    "managed_by": "fleet",
-    "managed": true
-  }
-}

salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json

@@ -1,329 +0,0 @@
-        {"template": {
-          "settings": {
-            "index": {
-              "lifecycle": {
-                "name": "logs"
-              },
-              "codec": "best_compression",
-              "default_pipeline": "logs-elastic_agent.apm_server-1.7.0",
-              "mapping": {
-                "total_fields": {
-                  "limit": "10000"
-                }
-              },
-              "query": {
-                "default_field": [
-                  "cloud.account.id",
-                  "cloud.availability_zone",
-                  "cloud.instance.id",
-                  "cloud.instance.name",
-                  "cloud.machine.type",
-                  "cloud.provider",
-                  "cloud.region",
-                  "cloud.project.id",
-                  "cloud.image.id",
-                  "container.id",
-                  "container.image.name",
-                  "container.name",
-                  "host.architecture",
-                  "host.hostname",
-                  "host.id",
-                  "host.mac",
-                  "host.name",
-                  "host.os.family",
-                  "host.os.kernel",
-                  "host.os.name",
-                  "host.os.platform",
-                  "host.os.version",
-                  "host.os.build",
-                  "host.os.codename",
-                  "host.type",
-                  "ecs.version",
-                  "agent.build.original",
-                  "agent.ephemeral_id",
-                  "agent.id",
-                  "agent.name",
-                  "agent.type",
-                  "agent.version",
-                  "log.level",
-                  "message",
-                  "elastic_agent.id",
-                  "elastic_agent.process",
-                  "elastic_agent.version"
-                ]
-              }
-            }
-          },
-          "mappings": {
-            "dynamic": false,
-            "dynamic_templates": [
-              {
-                "container.labels": {
-                  "path_match": "container.labels.*",
-                  "mapping": {
-                    "type": "keyword"
-                  },
-                  "match_mapping_type": "string"
-                }
-              }
-            ],
-            "properties": {
-              "cloud": {
-                "properties": {
-                  "availability_zone": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "image": {
-                    "properties": {
-                      "id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "instance": {
-                    "properties": {
-                      "name": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "provider": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "machine": {
-                    "properties": {
-                      "type": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "project": {
-                    "properties": {
-                      "id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "region": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "account": {
-                    "properties": {
-                      "id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  }
-                }
-              },
-              "container": {
-                "properties": {
-                  "image": {
-                    "properties": {
-                      "name": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "name": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "agent": {
-                "properties": {
-                  "build": {
-                    "properties": {
-                      "original": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "name": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "ephemeral_id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "type": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "version": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "@timestamp": {
-                "type": "date"
-              },
-              "ecs": {
-                "properties": {
-                  "version": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "log": {
-                "properties": {
-                  "level": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "data_stream": {
-                "properties": {
-                  "namespace": {
-                    "type": "constant_keyword"
-                  },
-                  "type": {
-                    "type": "constant_keyword"
-                  },
-                  "dataset": {
-                    "type": "constant_keyword"
-                  }
-                }
-              },
-              "host": {
-                "properties": {
-                  "hostname": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "os": {
-                    "properties": {
-                      "build": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "kernel": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "codename": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "name": {
-                        "ignore_above": 1024,
-                        "type": "keyword",
-                        "fields": {
-                          "text": {
-                            "type": "text"
-                          }
-                        }
-                      },
-                      "family": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "version": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "platform": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "domain": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "ip": {
-                    "type": "ip"
-                  },
-                  "containerized": {
-                    "type": "boolean"
-                  },
-                  "name": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "type": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "mac": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "architecture": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "elastic_agent": {
-                "properties": {
-                  "process": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "version": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "snapshot": {
-                    "type": "boolean"
-                  }
-                }
-              },
-              "event": {
-                "properties": {
-                  "dataset": {
-                    "type": "constant_keyword"
-                  }
-                }
-              },
-              "message": {
-                "type": "text"
-              }
-            }
-          }
-        },
-        "_meta": {
-          "package": {
-            "name": "elastic_agent"
-          },
-          "managed_by": "fleet",
-          "managed": true
-        }
-      }

salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@custom.json

@@ -1,12 +0,0 @@
-{
-  "template": {
-    "settings": {}
-  },
-  "_meta": {
-    "package": {
-      "name": "elastic_agent"
-    },
-    "managed_by": "fleet",
-    "managed": true
-  }
-}

salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json

@@ -1,329 +0,0 @@
-        {"template": {
-          "settings": {
-            "index": {
-              "lifecycle": {
-                "name": "logs"
-              },
-              "codec": "best_compression",
-              "default_pipeline": "logs-elastic_agent.auditbeat-1.7.0",
-              "mapping": {
-                "total_fields": {
-                  "limit": "10000"
-                }
-              },
-              "query": {
-                "default_field": [
-                  "cloud.account.id",
-                  "cloud.availability_zone",
-                  "cloud.instance.id",
-                  "cloud.instance.name",
-                  "cloud.machine.type",
-                  "cloud.provider",
-                  "cloud.region",
-                  "cloud.project.id",
-                  "cloud.image.id",
-                  "container.id",
-                  "container.image.name",
-                  "container.name",
-                  "host.architecture",
-                  "host.hostname",
-                  "host.id",
-                  "host.mac",
-                  "host.name",
-                  "host.os.family",
-                  "host.os.kernel",
-                  "host.os.name",
-                  "host.os.platform",
-                  "host.os.version",
-                  "host.os.build",
-                  "host.os.codename",
-                  "host.type",
-                  "ecs.version",
-                  "agent.build.original",
-                  "agent.ephemeral_id",
-                  "agent.id",
-                  "agent.name",
-                  "agent.type",
-                  "agent.version",
-                  "log.level",
-                  "message",
-                  "elastic_agent.id",
-                  "elastic_agent.process",
-                  "elastic_agent.version"
-                ]
-              }
-            }
-          },
-          "mappings": {
-            "dynamic": false,
-            "dynamic_templates": [
-              {
-                "container.labels": {
-                  "path_match": "container.labels.*",
-                  "mapping": {
-                    "type": "keyword"
-                  },
-                  "match_mapping_type": "string"
-                }
-              }
-            ],
-            "properties": {
-              "cloud": {
-                "properties": {
-                  "availability_zone": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "image": {
-                    "properties": {
-                      "id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "instance": {
-                    "properties": {
-                      "name": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "provider": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "machine": {
-                    "properties": {
-                      "type": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "project": {
-                    "properties": {
-                      "id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "region": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "account": {
-                    "properties": {
-                      "id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  }
-                }
-              },
-              "container": {
-                "properties": {
-                  "image": {
-                    "properties": {
-                      "name": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "name": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "agent": {
-                "properties": {
-                  "build": {
-                    "properties": {
-                      "original": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "name": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "ephemeral_id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "type": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "version": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "@timestamp": {
-                "type": "date"
-              },
-              "ecs": {
-                "properties": {
-                  "version": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "log": {
-                "properties": {
-                  "level": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "data_stream": {
-                "properties": {
-                  "namespace": {
-                    "type": "constant_keyword"
-                  },
-                  "type": {
-                    "type": "constant_keyword"
-                  },
-                  "dataset": {
-                    "type": "constant_keyword"
-                  }
-                }
-              },
-              "host": {
-                "properties": {
-                  "hostname": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "os": {
-                    "properties": {
-                      "build": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "kernel": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "codename": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "name": {
-                        "ignore_above": 1024,
-                        "type": "keyword",
-                        "fields": {
-                          "text": {
-                            "type": "text"
-                          }
-                        }
-                      },
-                      "family": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "version": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "platform": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "domain": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "ip": {
-                    "type": "ip"
-                  },
-                  "containerized": {
-                    "type": "boolean"
-                  },
-                  "name": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "type": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "mac": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "architecture": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "elastic_agent": {
-                "properties": {
-                  "process": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "version": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "snapshot": {
-                    "type": "boolean"
-                  }
-                }
-              },
-              "event": {
-                "properties": {
-                  "dataset": {
-                    "type": "constant_keyword"
-                  }
-                }
-              },
-              "message": {
-                "type": "text"
-              }
-            }
-          }
-        },
-        "_meta": {
-          "package": {
-            "name": "elastic_agent"
-          },
-          "managed_by": "fleet",
-          "managed": true
-        }
-      }

salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@custom.json

@@ -1,12 +0,0 @@
-{
-  "template": {
-    "settings": {}
-  },
-  "_meta": {
-    "package": {
-      "name": "elastic_agent"
-    },
-    "managed_by": "fleet",
-    "managed": true
-  }
-}

salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json

@@ -1,339 +0,0 @@
-        {"template": {
-          "settings": {
-            "index": {
-              "lifecycle": {
-                "name": "logs"
-              },
-              "codec": "best_compression",
-              "default_pipeline": "logs-elastic_agent.cloudbeat-1.7.0",
-              "mapping": {
-                "total_fields": {
-                  "limit": "10000"
-                }
-              },
-              "query": {
-                "default_field": [
-                  "cloud.account.id",
-                  "cloud.availability_zone",
-                  "cloud.instance.id",
-                  "cloud.instance.name",
-                  "cloud.machine.type",
-                  "cloud.provider",
-                  "cloud.region",
-                  "cloud.project.id",
-                  "cloud.image.id",
-                  "container.id",
-                  "container.image.name",
-                  "container.name",
-                  "host.architecture",
-                  "host.hostname",
-                  "host.id",
-                  "host.mac",
-                  "host.name",
-                  "host.os.family",
-                  "host.os.kernel",
-                  "host.os.name",
-                  "host.os.platform",
-                  "host.os.version",
-                  "host.os.build",
-                  "host.os.codename",
-                  "host.type",
-                  "ecs.version",
-                  "agent.build.original",
-                  "agent.ephemeral_id",
-                  "agent.id",
-                  "agent.name",
-                  "agent.type",
-                  "agent.version",
-                  "log.level",
-                  "message",
-                  "decision_id",
-                  "elastic_agent.id",
-                  "elastic_agent.process",
-                  "elastic_agent.version"
-                ]
-              }
-            }
-          },
-          "mappings": {
-            "dynamic": false,
-            "dynamic_templates": [
-              {
-                "container.labels": {
-                  "path_match": "container.labels.*",
-                  "mapping": {
-                    "type": "keyword"
-                  },
-                  "match_mapping_type": "string"
-                }
-              }
-            ],
-            "properties": {
-              "container": {
-                "properties": {
-                  "image": {
-                    "properties": {
-                      "name": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "name": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "agent": {
-                "properties": {
-                  "build": {
-                    "properties": {
-                      "original": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "name": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "ephemeral_id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "type": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "version": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "log": {
-                "properties": {
-                  "level": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "elastic_agent": {
-                "properties": {
-                  "process": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "version": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "snapshot": {
-                    "type": "boolean"
-                  }
-                }
-              },
-              "message": {
-                "type": "match_only_text"
-              },
-              "cloud": {
-                "properties": {
-                  "availability_zone": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "image": {
-                    "properties": {
-                      "id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "instance": {
-                    "properties": {
-                      "name": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "provider": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "machine": {
-                    "properties": {
-                      "type": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "project": {
-                    "properties": {
-                      "id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "region": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "account": {
-                    "properties": {
-                      "id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  }
-                }
-              },
-              "result": {
-                "type": "object"
-              },
-              "input": {
-                "type": "object"
-              },
-              "@timestamp": {
-                "type": "date"
-              },
-              "ecs": {
-                "properties": {
-                  "version": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "decision_id": {
-                "type": "text"
-              },
-              "data_stream": {
-                "properties": {
-                  "namespace": {
-                    "type": "constant_keyword"
-                  },
-                  "type": {
-                    "type": "constant_keyword"
-                  },
-                  "dataset": {
-                    "type": "constant_keyword"
-                  }
-                }
-              },
-              "host": {
-                "properties": {
-                  "hostname": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "os": {
-                    "properties": {
-                      "build": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "kernel": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "codename": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "name": {
-                        "ignore_above": 1024,
-                        "type": "keyword",
-                        "fields": {
-                          "text": {
-                            "type": "text"
-                          }
-                        }
-                      },
-                      "family": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "version": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "platform": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "domain": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "ip": {
-                    "type": "ip"
-                  },
-                  "containerized": {
-                    "type": "boolean"
-                  },
-                  "name": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "type": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "mac": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "architecture": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "event": {
-                "properties": {
-                  "dataset": {
-                    "type": "constant_keyword"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "_meta": {
-          "package": {
-            "name": "elastic_agent"
-          },
-          "managed_by": "fleet",
-          "managed": true
-        }
-      }

salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@custom.json

@@ -1,12 +0,0 @@
-{
-  "template": {
-    "settings": {}
-  },
-  "_meta": {
-    "package": {
-      "name": "elastic_agent"
-    },
-    "managed_by": "fleet",
-    "managed": true
-  }
-}

salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json

@@ -1,329 +0,0 @@
-        {"template": {
-          "settings": {
-            "index": {
-              "lifecycle": {
-                "name": "logs"
-              },
-              "codec": "best_compression",
-              "default_pipeline": "logs-elastic_agent.endpoint_security-1.7.0",
-              "mapping": {
-                "total_fields": {
-                  "limit": "10000"
-                }
-              },
-              "query": {
-                "default_field": [
-                  "cloud.account.id",
-                  "cloud.availability_zone",
-                  "cloud.instance.id",
-                  "cloud.instance.name",
-                  "cloud.machine.type",
-                  "cloud.provider",
-                  "cloud.region",
-                  "cloud.project.id",
-                  "cloud.image.id",
-                  "container.id",
-                  "container.image.name",
-                  "container.name",
-                  "host.architecture",
-                  "host.hostname",
-                  "host.id",
-                  "host.mac",
-                  "host.name",
-                  "host.os.family",
-                  "host.os.kernel",
-                  "host.os.name",
-                  "host.os.platform",
-                  "host.os.version",
-                  "host.os.build",
-                  "host.os.codename",
-                  "host.type",
-                  "ecs.version",
-                  "agent.build.original",
-                  "agent.ephemeral_id",
-                  "agent.id",
-                  "agent.name",
-                  "agent.type",
-                  "agent.version",
-                  "log.level",
-                  "message",
-                  "elastic_agent.id",
-                  "elastic_agent.process",
-                  "elastic_agent.version"
-                ]
-              }
-            }
-          },
-          "mappings": {
-            "dynamic": false,
-            "dynamic_templates": [
-              {
-                "container.labels": {
-                  "path_match": "container.labels.*",
-                  "mapping": {
-                    "type": "keyword"
-                  },
-                  "match_mapping_type": "string"
-                }
-              }
-            ],
-            "properties": {
-              "cloud": {
-                "properties": {
-                  "availability_zone": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "image": {
-                    "properties": {
-                      "id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "instance": {
-                    "properties": {
-                      "name": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "provider": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "machine": {
-                    "properties": {
-                      "type": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "project": {
-                    "properties": {
-                      "id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "region": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "account": {
-                    "properties": {
-                      "id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  }
-                }
-              },
-              "container": {
-                "properties": {
-                  "image": {
-                    "properties": {
-                      "name": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "name": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "agent": {
-                "properties": {
-                  "build": {
-                    "properties": {
-                      "original": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "name": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "ephemeral_id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "type": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "version": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "@timestamp": {
-                "type": "date"
-              },
-              "ecs": {
-                "properties": {
-                  "version": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "log": {
-                "properties": {
-                  "level": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "data_stream": {
-                "properties": {
-                  "namespace": {
-                    "type": "constant_keyword"
-                  },
-                  "type": {
-                    "type": "constant_keyword"
-                  },
-                  "dataset": {
-                    "type": "constant_keyword"
-                  }
-                }
-              },
-              "host": {
-                "properties": {
-                  "hostname": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "os": {
-                    "properties": {
-                      "build": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "kernel": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "codename": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "name": {
-                        "ignore_above": 1024,
-                        "type": "keyword",
-                        "fields": {
-                          "text": {
-                            "type": "text"
-                          }
-                        }
-                      },
-                      "family": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "version": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "platform": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "domain": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "ip": {
-                    "type": "ip"
-                  },
-                  "containerized": {
-                    "type": "boolean"
-                  },
-                  "name": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "type": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "mac": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "architecture": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "elastic_agent": {
-                "properties": {
-                  "process": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "version": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "snapshot": {
-                    "type": "boolean"
-                  }
-                }
-              },
-              "event": {
-                "properties": {
-                  "dataset": {
-                    "type": "constant_keyword"
-                  }
-                }
-              },
-              "message": {
-                "type": "text"
-              }
-            }
-          }
-        },
-        "_meta": {
-          "package": {
-            "name": "elastic_agent"
-          },
-          "managed_by": "fleet",
-          "managed": true
-        }
-      }

salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@custom.json

@@ -1,12 +0,0 @@
-{
-  "template": {
-    "settings": {}
-  },
-  "_meta": {
-    "package": {
-      "name": "elastic_agent"
-    },
-    "managed_by": "fleet",
-    "managed": true
-  }
-}

salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json

@@ -1,329 +0,0 @@
-        {"template": {
-          "settings": {
-            "index": {
-              "lifecycle": {
-                "name": "logs"
-              },
-              "codec": "best_compression",
-              "default_pipeline": "logs-elastic_agent.filebeat-1.7.0",
-              "mapping": {
-                "total_fields": {
-                  "limit": "10000"
-                }
-              },
-              "query": {
-                "default_field": [
-                  "cloud.account.id",
-                  "cloud.availability_zone",
-                  "cloud.instance.id",
-                  "cloud.instance.name",
-                  "cloud.machine.type",
-                  "cloud.provider",
-                  "cloud.region",
-                  "cloud.project.id",
-                  "cloud.image.id",
-                  "container.id",
-                  "container.image.name",
-                  "container.name",
-                  "host.architecture",
-                  "host.hostname",
-                  "host.id",
-                  "host.mac",
-                  "host.name",
-                  "host.os.family",
-                  "host.os.kernel",
-                  "host.os.name",
-                  "host.os.platform",
-                  "host.os.version",
-                  "host.os.build",
-                  "host.os.codename",
-                  "host.type",
-                  "ecs.version",
-                  "agent.build.original",
-                  "agent.ephemeral_id",
-                  "agent.id",
-                  "agent.name",
-                  "agent.type",
-                  "agent.version",
-                  "log.level",
-                  "message",
-                  "elastic_agent.id",
-                  "elastic_agent.process",
-                  "elastic_agent.version"
-                ]
-              }
-            }
-          },
-          "mappings": {
-            "dynamic": false,
-            "dynamic_templates": [
-              {
-                "container.labels": {
-                  "path_match": "container.labels.*",
-                  "mapping": {
-                    "type": "keyword"
-                  },
-                  "match_mapping_type": "string"
-                }
-              }
-            ],
-            "properties": {
-              "cloud": {
-                "properties": {
-                  "availability_zone": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "image": {
-                    "properties": {
-                      "id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "instance": {
-                    "properties": {
-                      "name": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "provider": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "machine": {
-                    "properties": {
-                      "type": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "project": {
-                    "properties": {
-                      "id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "region": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "account": {
-                    "properties": {
-                      "id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  }
-                }
-              },
-              "container": {
-                "properties": {
-                  "image": {
-                    "properties": {
-                      "name": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "name": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "agent": {
-                "properties": {
-                  "build": {
-                    "properties": {
-                      "original": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "name": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "ephemeral_id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "type": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "version": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "@timestamp": {
-                "type": "date"
-              },
-              "ecs": {
-                "properties": {
-                  "version": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "log": {
-                "properties": {
-                  "level": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "data_stream": {
-                "properties": {
-                  "namespace": {
-                    "type": "constant_keyword"
-                  },
-                  "type": {
-                    "type": "constant_keyword"
-                  },
-                  "dataset": {
-                    "type": "constant_keyword"
-                  }
-                }
-              },
-              "host": {
-                "properties": {
-                  "hostname": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "os": {
-                    "properties": {
-                      "build": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "kernel": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "codename": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "name": {
-                        "ignore_above": 1024,
-                        "type": "keyword",
-                        "fields": {
-                          "text": {
-                            "type": "text"
-                          }
-                        }
-                      },
-                      "family": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "version": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "platform": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "domain": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "ip": {
-                    "type": "ip"
-                  },
-                  "containerized": {
-                    "type": "boolean"
-                  },
-                  "name": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "type": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "mac": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "architecture": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "elastic_agent": {
-                "properties": {
-                  "process": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "version": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "snapshot": {
-                    "type": "boolean"
-                  }
-                }
-              },
-              "event": {
-                "properties": {
-                  "dataset": {
-                    "type": "constant_keyword"
-                  }
-                }
-              },
-              "message": {
-                "type": "text"
-              }
-            }
-          }
-        },
-        "_meta": {
-          "package": {
-            "name": "elastic_agent"
-          },
-          "managed_by": "fleet",
-          "managed": true
-        }
-      }

salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@custom.json

@@ -1,12 +0,0 @@
-{
-  "template": {
-    "settings": {}
-  },
-  "_meta": {
-    "package": {
-      "name": "elastic_agent"
-    },
-    "managed_by": "fleet",
-    "managed": true
-  }
-}

salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json

@@ -1,329 +0,0 @@
-        {"template": {
-          "settings": {
-            "index": {
-              "lifecycle": {
-                "name": "logs"
-              },
-              "codec": "best_compression",
-              "default_pipeline": "logs-elastic_agent.fleet_server-1.7.0",
-              "mapping": {
-                "total_fields": {
-                  "limit": "10000"
-                }
-              },
-              "query": {
-                "default_field": [
-                  "cloud.account.id",
-                  "cloud.availability_zone",
-                  "cloud.instance.id",
-                  "cloud.instance.name",
-                  "cloud.machine.type",
-                  "cloud.provider",
-                  "cloud.region",
-                  "cloud.project.id",
-                  "cloud.image.id",
-                  "container.id",
-                  "container.image.name",
-                  "container.name",
-                  "host.architecture",
-                  "host.hostname",
-                  "host.id",
-                  "host.mac",
-                  "host.name",
-                  "host.os.family",
-                  "host.os.kernel",
-                  "host.os.name",
-                  "host.os.platform",
-                  "host.os.version",
-                  "host.os.build",
-                  "host.os.codename",
-                  "host.type",
-                  "ecs.version",
-                  "agent.build.original",
-                  "agent.ephemeral_id",
-                  "agent.id",
-                  "agent.name",
-                  "agent.type",
-                  "agent.version",
-                  "log.level",
-                  "message",
-                  "elastic_agent.id",
-                  "elastic_agent.process",
-                  "elastic_agent.version"
-                ]
-              }
-            }
-          },
-          "mappings": {
-            "dynamic": false,
-            "dynamic_templates": [
-              {
-                "container.labels": {
-                  "path_match": "container.labels.*",
-                  "mapping": {
-                    "type": "keyword"
-                  },
-                  "match_mapping_type": "string"
-                }
-              }
-            ],
-            "properties": {
-              "cloud": {
-                "properties": {
-                  "availability_zone": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "image": {
-                    "properties": {
-                      "id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "instance": {
-                    "properties": {
-                      "name": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "provider": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "machine": {
-                    "properties": {
-                      "type": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "project": {
-                    "properties": {
-                      "id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "region": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "account": {
-                    "properties": {
-                      "id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  }
-                }
-              },
-              "container": {
-                "properties": {
-                  "image": {
-                    "properties": {
-                      "name": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "name": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "agent": {
-                "properties": {
-                  "build": {
-                    "properties": {
-                      "original": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "name": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "ephemeral_id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "type": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "version": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "@timestamp": {
-                "type": "date"
-              },
-              "ecs": {
-                "properties": {
-                  "version": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "log": {
-                "properties": {
-                  "level": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "data_stream": {
-                "properties": {
-                  "namespace": {
-                    "type": "constant_keyword"
-                  },
-                  "type": {
-                    "type": "constant_keyword"
-                  },
-                  "dataset": {
-                    "type": "constant_keyword"
-                  }
-                }
-              },
-              "host": {
-                "properties": {
-                  "hostname": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "os": {
-                    "properties": {
-                      "build": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "kernel": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "codename": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "name": {
-                        "ignore_above": 1024,
-                        "type": "keyword",
-                        "fields": {
-                          "text": {
-                            "type": "text"
-                          }
-                        }
-                      },
-                      "family": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "version": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "platform": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "domain": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "ip": {
-                    "type": "ip"
-                  },
-                  "containerized": {
-                    "type": "boolean"
-                  },
-                  "name": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "type": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "mac": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "architecture": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "elastic_agent": {
-                "properties": {
-                  "process": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "version": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "snapshot": {
-                    "type": "boolean"
-                  }
-                }
-              },
-              "event": {
-                "properties": {
-                  "dataset": {
-                    "type": "constant_keyword"
-                  }
-                }
-              },
-              "message": {
-                "type": "text"
-              }
-            }
-          }
-        },
-        "_meta": {
-          "package": {
-            "name": "elastic_agent"
-          },
-          "managed_by": "fleet",
-          "managed": true
-        }
-      }

salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@custom.json

@@ -1,12 +0,0 @@
-{
-  "template": {
-    "settings": {}
-  },
-  "_meta": {
-    "package": {
-      "name": "elastic_agent"
-    },
-    "managed_by": "fleet",
-    "managed": true
-  }
-}

salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json

@@ -1,329 +0,0 @@
-        {"template": {
-          "settings": {
-            "index": {
-              "lifecycle": {
-                "name": "logs"
-              },
-              "codec": "best_compression",
-              "default_pipeline": "logs-elastic_agent.heartbeat-1.7.0",
-              "mapping": {
-                "total_fields": {
-                  "limit": "10000"
-                }
-              },
-              "query": {
-                "default_field": [
-                  "cloud.account.id",
-                  "cloud.availability_zone",
-                  "cloud.instance.id",
-                  "cloud.instance.name",
-                  "cloud.machine.type",
-                  "cloud.provider",
-                  "cloud.region",
-                  "cloud.project.id",
-                  "cloud.image.id",
-                  "container.id",
-                  "container.image.name",
-                  "container.name",
-                  "host.architecture",
-                  "host.hostname",
-                  "host.id",
-                  "host.mac",
-                  "host.name",
-                  "host.os.family",
-                  "host.os.kernel",
-                  "host.os.name",
-                  "host.os.platform",
-                  "host.os.version",
-                  "host.os.build",
-                  "host.os.codename",
-                  "host.type",
-                  "ecs.version",
-                  "agent.build.original",
-                  "agent.ephemeral_id",
-                  "agent.id",
-                  "agent.name",
-                  "agent.type",
-                  "agent.version",
-                  "log.level",
-                  "message",
-                  "elastic_agent.id",
-                  "elastic_agent.process",
-                  "elastic_agent.version"
-                ]
-              }
-            }
-          },
-          "mappings": {
-            "dynamic": false,
-            "dynamic_templates": [
-              {
-                "container.labels": {
-                  "path_match": "container.labels.*",
-                  "mapping": {
-                    "type": "keyword"
-                  },
-                  "match_mapping_type": "string"
-                }
-              }
-            ],
-            "properties": {
-              "cloud": {
-                "properties": {
-                  "availability_zone": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "image": {
-                    "properties": {
-                      "id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "instance": {
-                    "properties": {
-                      "name": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "provider": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "machine": {
-                    "properties": {
-                      "type": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "project": {
-                    "properties": {
-                      "id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "region": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "account": {
-                    "properties": {
-                      "id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  }
-                }
-              },
-              "container": {
-                "properties": {
-                  "image": {
-                    "properties": {
-                      "name": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "name": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "agent": {
-                "properties": {
-                  "build": {
-                    "properties": {
-                      "original": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "name": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "ephemeral_id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "type": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "version": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "@timestamp": {
-                "type": "date"
-              },
-              "ecs": {
-                "properties": {
-                  "version": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "log": {
-                "properties": {
-                  "level": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "data_stream": {
-                "properties": {
-                  "namespace": {
-                    "type": "constant_keyword"
-                  },
-                  "type": {
-                    "type": "constant_keyword"
-                  },
-                  "dataset": {
-                    "type": "constant_keyword"
-                  }
-                }
-              },
-              "host": {
-                "properties": {
-                  "hostname": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "os": {
-                    "properties": {
-                      "build": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "kernel": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "codename": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "name": {
-                        "ignore_above": 1024,
-                        "type": "keyword",
-                        "fields": {
-                          "text": {
-                            "type": "text"
-                          }
-                        }
-                      },
-                      "family": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "version": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "platform": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "domain": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "ip": {
-                    "type": "ip"
-                  },
-                  "containerized": {
-                    "type": "boolean"
-                  },
-                  "name": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "type": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "mac": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "architecture": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "elastic_agent": {
-                "properties": {
-                  "process": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "version": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "snapshot": {
-                    "type": "boolean"
-                  }
-                }
-              },
-              "message": {
-                "type": "text"
-              },
-              "event": {
-                "properties": {
-                  "dataset": {
-                    "type": "constant_keyword"
-                  }
-                }
-              }
-            }
-          }
-        },
-        "_meta": {
-          "package": {
-            "name": "elastic_agent"
-          },
-          "managed_by": "fleet",
-          "managed": true
-        }
-      }

salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@custom.json

@@ -1,12 +0,0 @@
-{
-  "template": {
-    "settings": {}
-  },
-  "_meta": {
-    "package": {
-      "name": "elastic_agent"
-    },
-    "managed_by": "fleet",
-    "managed": true
-  }
-}

salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json

@@ -1,329 +0,0 @@
-        {"template": {
-          "settings": {
-            "index": {
-              "lifecycle": {
-                "name": "logs"
-              },
-              "codec": "best_compression",
-              "default_pipeline": "logs-elastic_agent.metricbeat-1.7.0",
-              "mapping": {
-                "total_fields": {
-                  "limit": "10000"
-                }
-              },
-              "query": {
-                "default_field": [
-                  "cloud.account.id",
-                  "cloud.availability_zone",
-                  "cloud.instance.id",
-                  "cloud.instance.name",
-                  "cloud.machine.type",
-                  "cloud.provider",
-                  "cloud.region",
-                  "cloud.project.id",
-                  "cloud.image.id",
-                  "container.id",
-                  "container.image.name",
-                  "container.name",
-                  "host.architecture",
-                  "host.hostname",
-                  "host.id",
-                  "host.mac",
-                  "host.name",
-                  "host.os.family",
-                  "host.os.kernel",
-                  "host.os.name",
-                  "host.os.platform",
-                  "host.os.version",
-                  "host.os.build",
-                  "host.os.codename",
-                  "host.type",
-                  "ecs.version",
-                  "agent.build.original",
-                  "agent.ephemeral_id",
-                  "agent.id",
-                  "agent.name",
-                  "agent.type",
-                  "agent.version",
-                  "log.level",
-                  "message",
-                  "elastic_agent.id",
-                  "elastic_agent.process",
-                  "elastic_agent.version"
-                ]
-              }
-            }
-          },
-          "mappings": {
-            "dynamic": false,
-            "dynamic_templates": [
-              {
-                "container.labels": {
-                  "path_match": "container.labels.*",
-                  "mapping": {
-                    "type": "keyword"
-                  },
-                  "match_mapping_type": "string"
-                }
-              }
-            ],
-            "properties": {
-              "cloud": {
-                "properties": {
-                  "availability_zone": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "image": {
-                    "properties": {
-                      "id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "instance": {
-                    "properties": {
-                      "name": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "provider": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "machine": {
-                    "properties": {
-                      "type": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "project": {
-                    "properties": {
-                      "id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "region": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "account": {
-                    "properties": {
-                      "id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  }
-                }
-              },
-              "container": {
-                "properties": {
-                  "image": {
-                    "properties": {
-                      "name": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "name": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "agent": {
-                "properties": {
-                  "build": {
-                    "properties": {
-                      "original": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "name": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "ephemeral_id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "type": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "version": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "@timestamp": {
-                "type": "date"
-              },
-              "ecs": {
-                "properties": {
-                  "version": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "log": {
-                "properties": {
-                  "level": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "data_stream": {
-                "properties": {
-                  "namespace": {
-                    "type": "constant_keyword"
-                  },
-                  "type": {
-                    "type": "constant_keyword"
-                  },
-                  "dataset": {
-                    "type": "constant_keyword"
-                  }
-                }
-              },
-              "host": {
-                "properties": {
-                  "hostname": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "os": {
-                    "properties": {
-                      "build": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "kernel": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "codename": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "name": {
-                        "ignore_above": 1024,
-                        "type": "keyword",
-                        "fields": {
-                          "text": {
-                            "type": "text"
-                          }
-                        }
-                      },
-                      "family": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "version": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "platform": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "domain": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "ip": {
-                    "type": "ip"
-                  },
-                  "containerized": {
-                    "type": "boolean"
-                  },
-                  "name": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "type": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "mac": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "architecture": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "elastic_agent": {
-                "properties": {
-                  "process": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "version": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "snapshot": {
-                    "type": "boolean"
-                  }
-                }
-              },
-              "event": {
-                "properties": {
-                  "dataset": {
-                    "type": "constant_keyword"
-                  }
-                }
-              },
-              "message": {
-                "type": "text"
-              }
-            }
-          }
-        },
-        "_meta": {
-          "package": {
-            "name": "elastic_agent"
-          },
-          "managed_by": "fleet",
-          "managed": true
-        }
-      }

salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@custom.json

@@ -1,12 +0,0 @@
-{
-  "template": {
-    "settings": {}
-  },
-  "_meta": {
-    "package": {
-      "name": "elastic_agent"
-    },
-    "managed_by": "fleet",
-    "managed": true
-  }
-}

salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json

@@ -1,329 +0,0 @@
-        {"template": {
-          "settings": {
-            "index": {
-              "lifecycle": {
-                "name": "logs"
-              },
-              "codec": "best_compression",
-              "default_pipeline": "logs-elastic_agent.osquerybeat-1.7.0",
-              "mapping": {
-                "total_fields": {
-                  "limit": "10000"
-                }
-              },
-              "query": {
-                "default_field": [
-                  "cloud.account.id",
-                  "cloud.availability_zone",
-                  "cloud.instance.id",
-                  "cloud.instance.name",
-                  "cloud.machine.type",
-                  "cloud.provider",
-                  "cloud.region",
-                  "cloud.project.id",
-                  "cloud.image.id",
-                  "container.id",
-                  "container.image.name",
-                  "container.name",
-                  "host.architecture",
-                  "host.hostname",
-                  "host.id",
-                  "host.mac",
-                  "host.name",
-                  "host.os.family",
-                  "host.os.kernel",
-                  "host.os.name",
-                  "host.os.platform",
-                  "host.os.version",
-                  "host.os.build",
-                  "host.os.codename",
-                  "host.type",
-                  "ecs.version",
-                  "agent.build.original",
-                  "agent.ephemeral_id",
-                  "agent.id",
-                  "agent.name",
-                  "agent.type",
-                  "agent.version",
-                  "log.level",
-                  "message",
-                  "elastic_agent.id",
-                  "elastic_agent.process",
-                  "elastic_agent.version"
-                ]
-              }
-            }
-          },
-          "mappings": {
-            "dynamic": false,
-            "dynamic_templates": [
-              {
-                "container.labels": {
-                  "path_match": "container.labels.*",
-                  "mapping": {
-                    "type": "keyword"
-                  },
-                  "match_mapping_type": "string"
-                }
-              }
-            ],
-            "properties": {
-              "cloud": {
-                "properties": {
-                  "availability_zone": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "image": {
-                    "properties": {
-                      "id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "instance": {
-                    "properties": {
-                      "name": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "provider": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "machine": {
-                    "properties": {
-                      "type": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "project": {
-                    "properties": {
-                      "id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "region": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "account": {
-                    "properties": {
-                      "id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  }
-                }
-              },
-              "container": {
-                "properties": {
-                  "image": {
-                    "properties": {
-                      "name": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "name": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "agent": {
-                "properties": {
-                  "build": {
-                    "properties": {
-                      "original": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "name": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "ephemeral_id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "type": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "version": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "@timestamp": {
-                "type": "date"
-              },
-              "ecs": {
-                "properties": {
-                  "version": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "log": {
-                "properties": {
-                  "level": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "data_stream": {
-                "properties": {
-                  "namespace": {
-                    "type": "constant_keyword"
-                  },
-                  "type": {
-                    "type": "constant_keyword"
-                  },
-                  "dataset": {
-                    "type": "constant_keyword"
-                  }
-                }
-              },
-              "host": {
-                "properties": {
-                  "hostname": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "os": {
-                    "properties": {
-                      "build": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "kernel": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "codename": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "name": {
-                        "ignore_above": 1024,
-                        "type": "keyword",
-                        "fields": {
-                          "text": {
-                            "type": "text"
-                          }
-                        }
-                      },
-                      "family": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "version": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "platform": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "domain": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "ip": {
-                    "type": "ip"
-                  },
-                  "containerized": {
-                    "type": "boolean"
-                  },
-                  "name": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "type": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "mac": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "architecture": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "elastic_agent": {
-                "properties": {
-                  "process": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "version": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "snapshot": {
-                    "type": "boolean"
-                  }
-                }
-              },
-              "event": {
-                "properties": {
-                  "dataset": {
-                    "type": "constant_keyword"
-                  }
-                }
-              },
-              "message": {
-                "type": "text"
-              }
-            }
-          }
-        },
-        "_meta": {
-          "package": {
-            "name": "elastic_agent"
-          },
-          "managed_by": "fleet",
-          "managed": true
-        }
-      }

salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@custom.json

@@ -1,12 +0,0 @@
-{
-  "template": {
-    "settings": {}
-  },
-  "_meta": {
-    "package": {
-      "name": "elastic_agent"
-    },
-    "managed_by": "fleet",
-    "managed": true
-  }
-}

salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json

@@ -1,322 +0,0 @@
-        {"template": {
-          "settings": {
-            "index": {
-              "lifecycle": {
-                "name": "logs"
-              },
-              "codec": "best_compression",
-              "default_pipeline": "logs-elastic_agent.packetbeat-1.7.0",
-              "mapping": {
-                "total_fields": {
-                  "limit": "10000"
-                }
-              },
-              "query": {
-                "default_field": [
-                  "cloud.account.id",
-                  "cloud.availability_zone",
-                  "cloud.instance.id",
-                  "cloud.instance.name",
-                  "cloud.machine.type",
-                  "cloud.provider",
-                  "cloud.region",
-                  "cloud.project.id",
-                  "cloud.image.id",
-                  "container.id",
-                  "container.image.name",
-                  "container.name",
-                  "host.architecture",
-                  "host.hostname",
-                  "host.id",
-                  "host.mac",
-                  "host.name",
-                  "host.os.family",
-                  "host.os.kernel",
-                  "host.os.name",
-                  "host.os.platform",
-                  "host.os.version",
-                  "host.os.build",
-                  "host.os.codename",
-                  "host.type",
-                  "ecs.version",
-                  "agent.build.original",
-                  "agent.ephemeral_id",
-                  "agent.id",
-                  "agent.name",
-                  "agent.type",
-                  "agent.version",
-                  "log.level",
-                  "message",
-                  "elastic_agent.id",
-                  "elastic_agent.process",
-                  "elastic_agent.version"
-                ]
-              }
-            }
-          },
-          "mappings": {
-            "dynamic": false,
-            "dynamic_templates": [
-              {
-                "container.labels": {
-                  "path_match": "container.labels.*",
-                  "mapping": {
-                    "type": "keyword"
-                  },
-                  "match_mapping_type": "string"
-                }
-              }
-            ],
-            "properties": {
-              "cloud": {
-                "properties": {
-                  "availability_zone": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "image": {
-                    "properties": {
-                      "id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "instance": {
-                    "properties": {
-                      "name": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "provider": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "machine": {
-                    "properties": {
-                      "type": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "project": {
-                    "properties": {
-                      "id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "region": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "account": {
-                    "properties": {
-                      "id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  }
-                }
-              },
-              "container": {
-                "properties": {
-                  "image": {
-                    "properties": {
-                      "name": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "name": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "agent": {
-                "properties": {
-                  "build": {
-                    "properties": {
-                      "original": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "name": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "ephemeral_id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "type": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "version": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "@timestamp": {
-                "type": "date"
-              },
-              "ecs": {
-                "properties": {
-                  "version": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "log": {
-                "properties": {
-                  "level": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "data_stream": {
-                "properties": {
-                  "namespace": {
-                    "type": "constant_keyword"
-                  },
-                  "type": {
-                    "type": "constant_keyword"
-                  },
-                  "dataset": {
-                    "type": "constant_keyword"
-                  }
-                }
-              },
-              "host": {
-                "properties": {
-                  "hostname": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "os": {
-                    "properties": {
-                      "build": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "kernel": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "codename": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "name": {
-                        "ignore_above": 1024,
-                        "type": "keyword",
-                        "fields": {
-                          "text": {
-                            "type": "text"
-                          }
-                        }
-                      },
-                      "family": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "version": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "platform": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "domain": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "ip": {
-                    "type": "ip"
-                  },
-                  "containerized": {
-                    "type": "boolean"
-                  },
-                  "name": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "type": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "mac": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "architecture": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "elastic_agent": {
-                "properties": {
-                  "process": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "version": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "snapshot": {
-                    "type": "boolean"
-                  }
-                }
-              },
-              "message": {
-                "type": "text"
-              }
-            }
-          }
-        },
-        "_meta": {
-          "package": {
-            "name": "elastic_agent"
-          },
-          "managed_by": "fleet",
-          "managed": true
-        }
-      }

salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json

@@ -5,7 +5,7 @@
                 "name": "logs"
               },
               "codec": "best_compression",
-              "default_pipeline": "logs-elastic_agent-1.7.0",
+              "default_pipeline": "logs-elastic_agent-1.13.1",
               "mapping": {
                 "total_fields": {
                   "limit": "10000"

salt/elasticsearch/templates/component/elastic-agent/logs-system.application@custom.json

@@ -1,12 +0,0 @@
-{
-  "template": {
-    "settings": {}
-  },
-  "_meta": {
-    "package": {
-      "name": "elastic_agent"
-    },
-    "managed_by": "fleet",
-    "managed": true
-  }
-}

salt/elasticsearch/templates/component/elastic-agent/logs-system.application@package.json

@@ -1,952 +0,0 @@
-        {"template": {
-          "settings": {
-            "index": {
-              "lifecycle": {
-                "name": "logs"
-              },
-              "codec": "best_compression",
-              "default_pipeline": "logs-system.application-1.6.4",
-              "mapping": {
-                "total_fields": {
-                  "limit": "10000"
-                }
-              },
-              "query": {
-                "default_field": [
-                  "cloud.account.id",
-                  "cloud.availability_zone",
-                  "cloud.instance.id",
-                  "cloud.instance.name",
-                  "cloud.machine.type",
-                  "cloud.provider",
-                  "cloud.region",
-                  "cloud.project.id",
-                  "cloud.image.id",
-                  "container.id",
-                  "container.image.name",
-                  "container.name",
-                  "host.architecture",
-                  "host.hostname",
-                  "host.id",
-                  "host.mac",
-                  "host.name",
-                  "host.os.family",
-                  "host.os.kernel",
-                  "host.os.name",
-                  "host.os.platform",
-                  "host.os.version",
-                  "host.os.build",
-                  "host.os.codename",
-                  "host.type",
-                  "event.code",
-                  "event.original",
-                  "error.message",
-                  "message",
-                  "winlog.api",
-                  "winlog.activity_id",
-                  "winlog.computer_name",
-                  "winlog.event_data.AuthenticationPackageName",
-                  "winlog.event_data.Binary",
-                  "winlog.event_data.BitlockerUserInputTime",
-                  "winlog.event_data.BootMode",
-                  "winlog.event_data.BootType",
-                  "winlog.event_data.BuildVersion",
-                  "winlog.event_data.Company",
-                  "winlog.event_data.CorruptionActionState",
-                  "winlog.event_data.CreationUtcTime",
-                  "winlog.event_data.Description",
-                  "winlog.event_data.Detail",
-                  "winlog.event_data.DeviceName",
-                  "winlog.event_data.DeviceNameLength",
-                  "winlog.event_data.DeviceTime",
-                  "winlog.event_data.DeviceVersionMajor",
-                  "winlog.event_data.DeviceVersionMinor",
-                  "winlog.event_data.DriveName",
-                  "winlog.event_data.DriverName",
-                  "winlog.event_data.DriverNameLength",
-                  "winlog.event_data.DwordVal",
-                  "winlog.event_data.EntryCount",
-                  "winlog.event_data.ExtraInfo",
-                  "winlog.event_data.FailureName",
-                  "winlog.event_data.FailureNameLength",
-                  "winlog.event_data.FileVersion",
-                  "winlog.event_data.FinalStatus",
-                  "winlog.event_data.Group",
-                  "winlog.event_data.IdleImplementation",
-                  "winlog.event_data.IdleStateCount",
-                  "winlog.event_data.ImpersonationLevel",
-                  "winlog.event_data.IntegrityLevel",
-                  "winlog.event_data.IpAddress",
-                  "winlog.event_data.IpPort",
-                  "winlog.event_data.KeyLength",
-                  "winlog.event_data.LastBootGood",
-                  "winlog.event_data.LastShutdownGood",
-                  "winlog.event_data.LmPackageName",
-                  "winlog.event_data.LogonGuid",
-                  "winlog.event_data.LogonId",
-                  "winlog.event_data.LogonProcessName",
-                  "winlog.event_data.LogonType",
-                  "winlog.event_data.MajorVersion",
-                  "winlog.event_data.MaximumPerformancePercent",
-                  "winlog.event_data.MemberName",
-                  "winlog.event_data.MemberSid",
-                  "winlog.event_data.MinimumPerformancePercent",
-                  "winlog.event_data.MinimumThrottlePercent",
-                  "winlog.event_data.MinorVersion",
-                  "winlog.event_data.NewProcessId",
-                  "winlog.event_data.NewProcessName",
-                  "winlog.event_data.NewSchemeGuid",
-                  "winlog.event_data.NewTime",
-                  "winlog.event_data.NominalFrequency",
-                  "winlog.event_data.Number",
-                  "winlog.event_data.OldSchemeGuid",
-                  "winlog.event_data.OldTime",
-                  "winlog.event_data.OriginalFileName",
-                  "winlog.event_data.Path",
-                  "winlog.event_data.PerformanceImplementation",
-                  "winlog.event_data.PreviousCreationUtcTime",
-                  "winlog.event_data.PreviousTime",
-                  "winlog.event_data.PrivilegeList",
-                  "winlog.event_data.ProcessId",
-                  "winlog.event_data.ProcessName",
-                  "winlog.event_data.ProcessPath",
-                  "winlog.event_data.ProcessPid",
-                  "winlog.event_data.Product",
-                  "winlog.event_data.PuaCount",
-                  "winlog.event_data.PuaPolicyId",
-                  "winlog.event_data.QfeVersion",
-                  "winlog.event_data.Reason",
-                  "winlog.event_data.SchemaVersion",
-                  "winlog.event_data.ScriptBlockText",
-                  "winlog.event_data.ServiceName",
-                  "winlog.event_data.ServiceVersion",
-                  "winlog.event_data.ShutdownActionType",
-                  "winlog.event_data.ShutdownEventCode",
-                  "winlog.event_data.ShutdownReason",
-                  "winlog.event_data.Signature",
-                  "winlog.event_data.SignatureStatus",
-                  "winlog.event_data.Signed",
-                  "winlog.event_data.StartTime",
-                  "winlog.event_data.State",
-                  "winlog.event_data.Status",
-                  "winlog.event_data.StopTime",
-                  "winlog.event_data.SubjectDomainName",
-                  "winlog.event_data.SubjectLogonId",
-                  "winlog.event_data.SubjectUserName",
-                  "winlog.event_data.SubjectUserSid",
-                  "winlog.event_data.TSId",
-                  "winlog.event_data.TargetDomainName",
-                  "winlog.event_data.TargetInfo",
-                  "winlog.event_data.TargetLogonGuid",
-                  "winlog.event_data.TargetLogonId",
-                  "winlog.event_data.TargetServerName",
-                  "winlog.event_data.TargetUserName",
-                  "winlog.event_data.TargetUserSid",
-                  "winlog.event_data.TerminalSessionId",
-                  "winlog.event_data.TokenElevationType",
-                  "winlog.event_data.TransmittedServices",
-                  "winlog.event_data.UserSid",
-                  "winlog.event_data.Version",
-                  "winlog.event_data.Workstation",
-                  "winlog.event_data.param1",
-                  "winlog.event_data.param2",
-                  "winlog.event_data.param3",
-                  "winlog.event_data.param4",
-                  "winlog.event_data.param5",
-                  "winlog.event_data.param6",
-                  "winlog.event_data.param7",
-                  "winlog.event_data.param8",
-                  "winlog.event_id",
-                  "winlog.keywords",
-                  "winlog.channel",
-                  "winlog.record_id",
-                  "winlog.related_activity_id",
-                  "winlog.opcode",
-                  "winlog.provider_guid",
-                  "winlog.provider_name",
-                  "winlog.task",
-                  "winlog.user.identifier",
-                  "winlog.user.name",
-                  "winlog.user.domain",
-                  "winlog.user.type"
-                ]
-              }
-            }
-          },
-          "mappings": {
-            "dynamic_templates": [
-              {
-                "container.labels": {
-                  "path_match": "container.labels.*",
-                  "mapping": {
-                    "type": "keyword"
-                  },
-                  "match_mapping_type": "string"
-                }
-              },
-              {
-                "winlog.user_data": {
-                  "path_match": "winlog.user_data.*",
-                  "mapping": {
-                    "type": "keyword"
-                  },
-                  "match_mapping_type": "string"
-                }
-              }
-            ],
-            "properties": {
-              "cloud": {
-                "properties": {
-                  "availability_zone": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "image": {
-                    "properties": {
-                      "id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "instance": {
-                    "properties": {
-                      "name": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "provider": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "machine": {
-                    "properties": {
-                      "type": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "project": {
-                    "properties": {
-                      "id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "region": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "account": {
-                    "properties": {
-                      "id": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  }
-                }
-              },
-              "container": {
-                "properties": {
-                  "image": {
-                    "properties": {
-                      "name": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "name": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "@timestamp": {
-                "type": "date"
-              },
-              "winlog": {
-                "properties": {
-                  "related_activity_id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "computer_name": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "process": {
-                    "properties": {
-                      "pid": {
-                        "type": "long"
-                      },
-                      "thread": {
-                        "properties": {
-                          "id": {
-                            "type": "long"
-                          }
-                        }
-                      }
-                    }
-                  },
-                  "keywords": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "channel": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "event_data": {
-                    "properties": {
-                      "SignatureStatus": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "DeviceTime": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "ProcessName": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "LogonGuid": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "OriginalFileName": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "BootMode": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "Product": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "TargetLogonGuid": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "FileVersion": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "StopTime": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "Status": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "CorruptionActionState": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "KeyLength": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "PreviousCreationUtcTime": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "TargetInfo": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "ServiceVersion": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "SubjectUserSid": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "PerformanceImplementation": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "TargetUserSid": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "Group": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "Description": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "ShutdownActionType": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "DwordVal": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "ProcessPid": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "DeviceVersionMajor": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "ScriptBlockText": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "TransmittedServices": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "MaximumPerformancePercent": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "NewTime": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "FinalStatus": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "IdleStateCount": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "MajorVersion": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "Path": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "SchemaVersion": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "TokenElevationType": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "MinorVersion": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "SubjectLogonId": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "IdleImplementation": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "ProcessPath": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "QfeVersion": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "DeviceVersionMinor": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "OldTime": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "IpAddress": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "DeviceName": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "Company": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "PuaPolicyId": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "IntegrityLevel": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "LastShutdownGood": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "IpPort": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "DriverNameLength": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "LmPackageName": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "UserSid": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "LastBootGood": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "PuaCount": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "Version": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "Signed": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "StartTime": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "ShutdownEventCode": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "NewProcessName": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "FailureNameLength": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "ServiceName": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "PreviousTime": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "State": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "BootType": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "Binary": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "ImpersonationLevel": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "MemberName": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "TargetUserName": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "Detail": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "TerminalSessionId": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "MemberSid": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "DriverName": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "DeviceNameLength": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "OldSchemeGuid": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "CreationUtcTime": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "Reason": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "ShutdownReason": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "TargetServerName": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "Number": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "BuildVersion": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "SubjectDomainName": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "MinimumPerformancePercent": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "LogonId": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "LogonProcessName": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "TSId": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "TargetDomainName": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "PrivilegeList": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "param7": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "param8": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "param5": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "param6": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "DriveName": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "NewProcessId": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "LogonType": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "ExtraInfo": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "param3": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "param4": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "param1": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "param2": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "TargetLogonId": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "Workstation": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "SubjectUserName": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "FailureName": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "NewSchemeGuid": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "Signature": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "MinimumThrottlePercent": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "ProcessId": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "EntryCount": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "BitlockerUserInputTime": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "AuthenticationPackageName": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "NominalFrequency": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "opcode": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "version": {
-                    "type": "long"
-                  },
-                  "record_id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "event_id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "task": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "provider_guid": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "activity_id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "api": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "provider_name": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "user": {
-                    "properties": {
-                      "identifier": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "domain": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "name": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "type": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  }
-                }
-              },
-              "data_stream": {
-                "properties": {
-                  "namespace": {
-                    "type": "constant_keyword"
-                  },
-                  "type": {
-                    "type": "constant_keyword"
-                  },
-                  "dataset": {
-                    "type": "constant_keyword"
-                  }
-                }
-              },
-              "host": {
-                "properties": {
-                  "hostname": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "os": {
-                    "properties": {
-                      "build": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "kernel": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "codename": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "name": {
-                        "ignore_above": 1024,
-                        "type": "keyword",
-                        "fields": {
-                          "text": {
-                            "type": "text"
-                          }
-                        }
-                      },
-                      "family": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "version": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      },
-                      "platform": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
-                      }
-                    }
-                  },
-                  "domain": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "ip": {
-                    "type": "ip"
-                  },
-                  "containerized": {
-                    "type": "boolean"
-                  },
-                  "name": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "id": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "type": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "mac": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "architecture": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  }
-                }
-              },
-              "event": {
-                "properties": {
-                  "ingested": {
-                    "type": "date"
-                  },
-                  "code": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "original": {
-                    "ignore_above": 1024,
-                    "type": "keyword"
-                  },
-                  "created": {
-                    "type": "date"
-                  },
-                  "module": {
-                    "type": "constant_keyword",
-                    "value": "system"
-                  },
-                  "dataset": {
-                    "type": "constant_keyword",
-                    "value": "system.application"
-                  }
-                }
-              },
-              "error": {
-                "properties": {
-                  "message": {
-                    "type": "match_only_text"
-                  }
-                }
-              },
-              "message": {
-                "type": "match_only_text"
-              }
-            }
-          }
-        },
-        "_meta": {
-          "package": {
-            "name": "system"
-          },
-          "managed_by": "fleet",
-          "managed": true
-        }
-      }

salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@custom.json

@@ -1,12 +0,0 @@
-{
-  "template": {
-    "settings": {}
-  },
-  "_meta": {
-    "package": {
-      "name": "elastic_agent"
-    },
-    "managed_by": "fleet",
-    "managed": true
-  }
-}

salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@package.json

@@ -1,530 +0,0 @@
-{
-  "template": {
-    "settings": {
-      "index": {
-        "lifecycle": {
-          "name": "logs"
-        },
-        "codec": "best_compression",
-        "default_pipeline": "logs-system.auth-1.6.4",
-        "mapping": {
-          "total_fields": {
-            "limit": "10000"
-          }
-        },
-        "query": {
-          "default_field": [
-            "cloud.account.id",
-            "cloud.availability_zone",
-            "cloud.instance.id",
-            "cloud.instance.name",
-            "cloud.machine.type",
-            "cloud.provider",
-            "cloud.region",
-            "cloud.project.id",
-            "cloud.image.id",
-            "container.id",
-            "container.image.name",
-            "container.name",
-            "host.architecture",
-            "host.hostname",
-            "host.id",
-            "host.mac",
-            "host.name",
-            "host.os.family",
-            "host.os.kernel",
-            "host.os.name",
-            "host.os.platform",
-            "host.os.version",
-            "host.os.build",
-            "host.os.codename",
-            "host.os.full",
-            "host.type",
-            "event.action",
-            "event.category",
-            "event.code",
-            "event.kind",
-            "event.outcome",
-            "event.provider",
-            "event.type",
-            "ecs.version",
-            "error.message",
-            "group.id",
-            "group.name",
-            "message",
-            "process.name",
-            "related.hosts",
-            "related.user",
-            "source.as.organization.name",
-            "source.geo.city_name",
-            "source.geo.continent_name",
-            "source.geo.country_iso_code",
-            "source.geo.country_name",
-            "source.geo.region_iso_code",
-            "source.geo.region_name",
-            "user.effective.name",
-            "user.id",
-            "user.name",
-            "system.auth.ssh.method",
-            "system.auth.ssh.signature",
-            "system.auth.ssh.event",
-            "system.auth.sudo.error",
-            "system.auth.sudo.tty",
-            "system.auth.sudo.pwd",
-            "system.auth.sudo.user",
-            "system.auth.sudo.command",
-            "system.auth.useradd.home",
-            "system.auth.useradd.shell",
-            "version"
-          ]
-        }
-      }
-    },
-    "mappings": {
-      "dynamic_templates": [
-        {
-          "container.labels": {
-            "path_match": "container.labels.*",
-            "mapping": {
-              "type": "keyword"
-            },
-            "match_mapping_type": "string"
-          }
-        }
-      ],
-      "properties": {
-        "container": {
-          "properties": {
-            "image": {
-              "properties": {
-                "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                }
-              }
-            },
-            "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            }
-          }
-        },
-        "process": {
-          "properties": {
-            "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "pid": {
-              "type": "long"
-            }
-          }
-        },
-        "source": {
-          "properties": {
-            "geo": {
-              "properties": {
-                "continent_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "region_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "city_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "country_iso_code": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "country_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "location": {
-                  "type": "geo_point"
-                },
-                "region_name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                }
-              }
-            },
-            "as": {
-              "properties": {
-                "number": {
-                  "type": "long"
-                },
-                "organization": {
-                  "properties": {
-                    "name": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    }
-                  }
-                }
-              }
-            },
-            "port": {
-              "type": "long"
-            },
-            "ip": {
-              "type": "ip"
-            }
-          }
-        },
-        "error": {
-          "properties": {
-            "message": {
-              "type": "match_only_text"
-            }
-          }
-        },
-        "message": {
-          "type": "match_only_text"
-        },
-        "version": {
-          "ignore_above": 1024,
-          "type": "keyword"
-        },
-        "cloud": {
-          "properties": {
-            "availability_zone": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "image": {
-              "properties": {
-                "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                }
-              }
-            },
-            "instance": {
-              "properties": {
-                "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                }
-              }
-            },
-            "provider": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "machine": {
-              "properties": {
-                "type": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                }
-              }
-            },
-            "project": {
-              "properties": {
-                "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                }
-              }
-            },
-            "region": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "account": {
-              "properties": {
-                "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                }
-              }
-            }
-          }
-        },
-        "@timestamp": {
-          "type": "date"
-        },
-        "system": {
-          "properties": {
-            "auth": {
-              "properties": {
-                "ssh": {
-                  "properties": {
-                    "method": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "dropped_ip": {
-                      "type": "ip"
-                    },
-                    "signature": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "event": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    }
-                  }
-                },
-                "sudo": {
-                  "properties": {
-                    "tty": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "error": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "pwd": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "user": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "command": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    }
-                  }
-                },
-                "useradd": {
-                  "properties": {
-                    "shell": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    },
-                    "home": {
-                      "ignore_above": 1024,
-                      "type": "keyword"
-                    }
-                  }
-                }
-              }
-            }
-          }
-        },
-        "ecs": {
-          "properties": {
-            "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            }
-          }
-        },
-        "related": {
-          "properties": {
-            "hosts": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "ip": {
-              "type": "ip"
-            },
-            "user": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            }
-          }
-        },
-        "data_stream": {
-          "properties": {
-            "namespace": {
-              "type": "constant_keyword"
-            },
-            "type": {
-              "type": "constant_keyword",
-              "value": "logs"
-            },
-            "dataset": {
-              "type": "constant_keyword"
-            }
-          }
-        },
-        "host": {
-          "properties": {
-            "hostname": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "os": {
-              "properties": {
-                "build": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "kernel": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "codename": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "text": {
-                      "type": "text"
-                    }
-                  }
-                },
-                "family": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "version": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "platform": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "full": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                }
-              }
-            },
-            "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "ip": {
-              "type": "ip"
-            },
-            "containerized": {
-              "type": "boolean"
-            },
-            "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "mac": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "architecture": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            }
-          }
-        },
-        "event": {
-          "properties": {
-            "sequence": {
-              "type": "long"
-            },
-            "ingested": {
-              "type": "date"
-            },
-            "code": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "provider": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "created": {
-              "type": "date"
-            },
-            "kind": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "module": {
-              "type": "constant_keyword",
-              "value": "system"
-            },
-            "action": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "category": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "dataset": {
-              "type": "constant_keyword",
-              "value": "system.auth"
-            },
-            "outcome": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            }
-          }
-        },
-        "user": {
-          "properties": {
-            "effective": {
-              "properties": {
-                "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                }
-              }
-            },
-            "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            }
-          }
-        },
-        "group": {
-          "properties": {
-            "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            }
-          }
-        }
-      }
-    }
-  },
-  "_meta": {
-    "package": {
-      "name": "system"
-    },
-    "managed_by": "fleet",
-    "managed": true
-  }
-}

salt/elasticsearch/templates/component/elastic-agent/logs-system.security@custom.json

@@ -1,12 +0,0 @@
-{
-  "template": {
-    "settings": {}
-  },
-  "_meta": {
-    "package": {
-      "name": "elastic_agent"
-    },
-    "managed_by": "fleet",
-    "managed": true
-  }
-}

salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@custom.json

@@ -1,12 +0,0 @@
-{
-  "template": {
-    "settings": {}
-  },
-  "_meta": {
-    "package": {
-      "name": "elastic_agent"
-    },
-    "managed_by": "fleet",
-    "managed": true
-  }
-}

salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@package.json

@@ -1,327 +0,0 @@
-{
-  "template": {
-    "settings": {
-      "index": {
-        "lifecycle": {
-          "name": "logs"
-        },
-        "codec": "best_compression",
-        "default_pipeline": "logs-system.syslog-1.6.4",
-        "mapping": {
-          "total_fields": {
-            "limit": "10000"
-          }
-        },
-        "query": {
-          "default_field": [
-            "cloud.account.id",
-            "cloud.availability_zone",
-            "cloud.instance.id",
-            "cloud.instance.name",
-            "cloud.machine.type",
-            "cloud.provider",
-            "cloud.region",
-            "cloud.project.id",
-            "cloud.image.id",
-            "container.id",
-            "container.image.name",
-            "container.name",
-            "host.architecture",
-            "host.hostname",
-            "host.id",
-            "host.mac",
-            "host.name",
-            "host.os.family",
-            "host.os.kernel",
-            "host.os.name",
-            "host.os.platform",
-            "host.os.version",
-            "host.os.build",
-            "host.os.codename",
-            "host.os.full",
-            "host.type",
-            "event.action",
-            "event.category",
-            "event.code",
-            "event.kind",
-            "event.outcome",
-            "event.provider",
-            "event.type",
-            "ecs.version",
-            "message",
-            "process.name"
-          ]
-        }
-      }
-    },
-    "mappings": {
-      "dynamic_templates": [
-        {
-          "container.labels": {
-            "path_match": "container.labels.*",
-            "mapping": {
-              "type": "keyword"
-            },
-            "match_mapping_type": "string"
-          }
-        }
-      ],
-      "properties": {
-        "cloud": {
-          "properties": {
-            "availability_zone": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "image": {
-              "properties": {
-                "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                }
-              }
-            },
-            "instance": {
-              "properties": {
-                "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                }
-              }
-            },
-            "provider": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "machine": {
-              "properties": {
-                "type": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                }
-              }
-            },
-            "project": {
-              "properties": {
-                "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                }
-              }
-            },
-            "region": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "account": {
-              "properties": {
-                "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                }
-              }
-            }
-          }
-        },
-        "container": {
-          "properties": {
-            "image": {
-              "properties": {
-                "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                }
-              }
-            },
-            "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            }
-          }
-        },
-        "process": {
-          "properties": {
-            "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "pid": {
-              "type": "long"
-            }
-          }
-        },
-        "@timestamp": {
-          "type": "date"
-        },
-        "ecs": {
-          "properties": {
-            "version": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            }
-          }
-        },
-        "data_stream": {
-          "properties": {
-            "namespace": {
-              "type": "constant_keyword"
-            },
-            "type": {
-              "type": "constant_keyword",
-              "value": "logs"
-            },
-            "dataset": {
-              "type": "constant_keyword"
-            }
-          }
-        },
-        "host": {
-          "properties": {
-            "hostname": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "os": {
-              "properties": {
-                "build": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "kernel": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "codename": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "text": {
-                      "type": "text"
-                    }
-                  }
-                },
-                "family": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "version": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "platform": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "full": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                }
-              }
-            },
-            "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "ip": {
-              "type": "ip"
-            },
-            "containerized": {
-              "type": "boolean"
-            },
-            "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "mac": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "architecture": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            }
-          }
-        },
-        "event": {
-          "properties": {
-            "sequence": {
-              "type": "long"
-            },
-            "ingested": {
-              "type": "date"
-            },
-            "code": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "provider": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "created": {
-              "type": "date"
-            },
-            "kind": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "module": {
-              "type": "constant_keyword",
-              "value": "system"
-            },
-            "action": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "category": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "dataset": {
-              "type": "constant_keyword",
-              "value": "system.syslog"
-            },
-            "outcome": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            }
-          }
-        },
-        "message": {
-          "type": "match_only_text"
-        }
-      }
-    }
-  },
-  "_meta": {
-    "package": {
-      "name": "system"
-    },
-    "managed_by": "fleet",
-    "managed": true
-  }
-}

salt/elasticsearch/templates/component/elastic-agent/logs-system.system@custom.json

@@ -1,12 +0,0 @@
-{
-  "template": {
-    "settings": {}
-  },
-  "_meta": {
-    "package": {
-      "name": "elastic_agent"
-    },
-    "managed_by": "fleet",
-    "managed": true
-  }
-}

salt/elasticsearch/templates/component/elastic-agent/logs-system.system@package.json

@@ -1,986 +0,0 @@
-{
-  "template": {
-    "settings": {
-      "index": {
-        "lifecycle": {
-          "name": "logs"
-        },
-        "codec": "best_compression",
-        "default_pipeline": "logs-system.system-1.6.4",
-        "mapping": {
-          "total_fields": {
-            "limit": "10000"
-          }
-        },
-        "query": {
-          "default_field": [
-            "cloud.account.id",
-            "cloud.availability_zone",
-            "cloud.instance.id",
-            "cloud.instance.name",
-            "cloud.machine.type",
-            "cloud.provider",
-            "cloud.region",
-            "cloud.project.id",
-            "cloud.image.id",
-            "container.id",
-            "container.image.name",
-            "container.name",
-            "host.architecture",
-            "host.hostname",
-            "host.id",
-            "host.mac",
-            "host.name",
-            "host.os.family",
-            "host.os.kernel",
-            "host.os.name",
-            "host.os.platform",
-            "host.os.version",
-            "host.os.build",
-            "host.os.codename",
-            "host.type",
-            "event.action",
-            "event.category",
-            "event.code",
-            "event.kind",
-            "event.original",
-            "event.outcome",
-            "event.provider",
-            "event.type",
-            "error.message",
-            "message",
-            "winlog.api",
-            "winlog.activity_id",
-            "winlog.computer_name",
-            "winlog.event_data.AuthenticationPackageName",
-            "winlog.event_data.Binary",
-            "winlog.event_data.BitlockerUserInputTime",
-            "winlog.event_data.BootMode",
-            "winlog.event_data.BootType",
-            "winlog.event_data.BuildVersion",
-            "winlog.event_data.Company",
-            "winlog.event_data.CorruptionActionState",
-            "winlog.event_data.CreationUtcTime",
-            "winlog.event_data.Description",
-            "winlog.event_data.Detail",
-            "winlog.event_data.DeviceName",
-            "winlog.event_data.DeviceNameLength",
-            "winlog.event_data.DeviceTime",
-            "winlog.event_data.DeviceVersionMajor",
-            "winlog.event_data.DeviceVersionMinor",
-            "winlog.event_data.DriveName",
-            "winlog.event_data.DriverName",
-            "winlog.event_data.DriverNameLength",
-            "winlog.event_data.DwordVal",
-            "winlog.event_data.EntryCount",
-            "winlog.event_data.ExtraInfo",
-            "winlog.event_data.FailureName",
-            "winlog.event_data.FailureNameLength",
-            "winlog.event_data.FileVersion",
-            "winlog.event_data.FinalStatus",
-            "winlog.event_data.Group",
-            "winlog.event_data.IdleImplementation",
-            "winlog.event_data.IdleStateCount",
-            "winlog.event_data.ImpersonationLevel",
-            "winlog.event_data.IntegrityLevel",
-            "winlog.event_data.IpAddress",
-            "winlog.event_data.IpPort",
-            "winlog.event_data.KeyLength",
-            "winlog.event_data.LastBootGood",
-            "winlog.event_data.LastShutdownGood",
-            "winlog.event_data.LmPackageName",
-            "winlog.event_data.LogonGuid",
-            "winlog.event_data.LogonId",
-            "winlog.event_data.LogonProcessName",
-            "winlog.event_data.LogonType",
-            "winlog.event_data.MajorVersion",
-            "winlog.event_data.MaximumPerformancePercent",
-            "winlog.event_data.MemberName",
-            "winlog.event_data.MemberSid",
-            "winlog.event_data.MinimumPerformancePercent",
-            "winlog.event_data.MinimumThrottlePercent",
-            "winlog.event_data.MinorVersion",
-            "winlog.event_data.NewProcessId",
-            "winlog.event_data.NewProcessName",
-            "winlog.event_data.NewSchemeGuid",
-            "winlog.event_data.NewTime",
-            "winlog.event_data.NominalFrequency",
-            "winlog.event_data.Number",
-            "winlog.event_data.OldSchemeGuid",
-            "winlog.event_data.OldTime",
-            "winlog.event_data.OriginalFileName",
-            "winlog.event_data.Path",
-            "winlog.event_data.PerformanceImplementation",
-            "winlog.event_data.PreviousCreationUtcTime",
-            "winlog.event_data.PreviousTime",
-            "winlog.event_data.PrivilegeList",
-            "winlog.event_data.ProcessId",
-            "winlog.event_data.ProcessName",
-            "winlog.event_data.ProcessPath",
-            "winlog.event_data.ProcessPid",
-            "winlog.event_data.Product",
-            "winlog.event_data.PuaCount",
-            "winlog.event_data.PuaPolicyId",
-            "winlog.event_data.QfeVersion",
-            "winlog.event_data.Reason",
-            "winlog.event_data.SchemaVersion",
-            "winlog.event_data.ScriptBlockText",
-            "winlog.event_data.ServiceName",
-            "winlog.event_data.ServiceVersion",
-            "winlog.event_data.ShutdownActionType",
-            "winlog.event_data.ShutdownEventCode",
-            "winlog.event_data.ShutdownReason",
-            "winlog.event_data.Signature",
-            "winlog.event_data.SignatureStatus",
-            "winlog.event_data.Signed",
-            "winlog.event_data.StartTime",
-            "winlog.event_data.State",
-            "winlog.event_data.Status",
-            "winlog.event_data.StopTime",
-            "winlog.event_data.SubjectDomainName",
-            "winlog.event_data.SubjectLogonId",
-            "winlog.event_data.SubjectUserName",
-            "winlog.event_data.SubjectUserSid",
-            "winlog.event_data.TSId",
-            "winlog.event_data.TargetDomainName",
-            "winlog.event_data.TargetInfo",
-            "winlog.event_data.TargetLogonGuid",
-            "winlog.event_data.TargetLogonId",
-            "winlog.event_data.TargetServerName",
-            "winlog.event_data.TargetUserName",
-            "winlog.event_data.TargetUserSid",
-            "winlog.event_data.TerminalSessionId",
-            "winlog.event_data.TokenElevationType",
-            "winlog.event_data.TransmittedServices",
-            "winlog.event_data.UserSid",
-            "winlog.event_data.Version",
-            "winlog.event_data.Workstation",
-            "winlog.event_data.param1",
-            "winlog.event_data.param2",
-            "winlog.event_data.param3",
-            "winlog.event_data.param4",
-            "winlog.event_data.param5",
-            "winlog.event_data.param6",
-            "winlog.event_data.param7",
-            "winlog.event_data.param8",
-            "winlog.event_id",
-            "winlog.keywords",
-            "winlog.channel",
-            "winlog.record_id",
-            "winlog.related_activity_id",
-            "winlog.opcode",
-            "winlog.provider_guid",
-            "winlog.provider_name",
-            "winlog.task",
-            "winlog.user.identifier",
-            "winlog.user.name",
-            "winlog.user.domain",
-            "winlog.user.type"
-          ]
-        }
-      }
-    },
-    "mappings": {
-      "dynamic_templates": [
-        {
-          "container.labels": {
-            "path_match": "container.labels.*",
-            "mapping": {
-              "type": "keyword"
-            },
-            "match_mapping_type": "string"
-          }
-        },
-        {
-          "winlog.user_data": {
-            "path_match": "winlog.user_data.*",
-            "mapping": {
-              "type": "keyword"
-            },
-            "match_mapping_type": "string"
-          }
-        }
-      ],
-      "properties": {
-        "cloud": {
-          "properties": {
-            "availability_zone": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "image": {
-              "properties": {
-                "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                }
-              }
-            },
-            "instance": {
-              "properties": {
-                "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                }
-              }
-            },
-            "provider": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "machine": {
-              "properties": {
-                "type": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                }
-              }
-            },
-            "project": {
-              "properties": {
-                "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                }
-              }
-            },
-            "region": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "account": {
-              "properties": {
-                "id": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                }
-              }
-            }
-          }
-        },
-        "container": {
-          "properties": {
-            "image": {
-              "properties": {
-                "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                }
-              }
-            },
-            "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            }
-          }
-        },
-        "@timestamp": {
-          "type": "date"
-        },
-        "winlog": {
-          "properties": {
-            "related_activity_id": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "computer_name": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "process": {
-              "properties": {
-                "pid": {
-                  "type": "long"
-                },
-                "thread": {
-                  "properties": {
-                    "id": {
-                      "type": "long"
-                    }
-                  }
-                }
-              }
-            },
-            "keywords": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "channel": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "event_data": {
-              "properties": {
-                "SignatureStatus": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "DeviceTime": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "ProcessName": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "LogonGuid": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "OriginalFileName": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "BootMode": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "Product": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "TargetLogonGuid": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "FileVersion": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "StopTime": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "Status": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "CorruptionActionState": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "KeyLength": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "PreviousCreationUtcTime": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "TargetInfo": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "ServiceVersion": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "SubjectUserSid": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "PerformanceImplementation": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "TargetUserSid": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "Group": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "Description": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "ShutdownActionType": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "DwordVal": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "ProcessPid": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "DeviceVersionMajor": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "ScriptBlockText": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "TransmittedServices": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "MaximumPerformancePercent": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "NewTime": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "FinalStatus": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "IdleStateCount": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "MajorVersion": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "Path": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "SchemaVersion": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "TokenElevationType": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "MinorVersion": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "SubjectLogonId": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "IdleImplementation": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "ProcessPath": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "QfeVersion": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "DeviceVersionMinor": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "OldTime": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "IpAddress": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "DeviceName": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "Company": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "PuaPolicyId": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "IntegrityLevel": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "LastShutdownGood": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "IpPort": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "DriverNameLength": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "LmPackageName": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "UserSid": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "LastBootGood": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "PuaCount": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "Version": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "Signed": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "StartTime": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "ShutdownEventCode": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "NewProcessName": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "FailureNameLength": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "ServiceName": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "PreviousTime": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "State": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "BootType": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "Binary": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "ImpersonationLevel": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "MemberName": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "TargetUserName": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "Detail": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "TerminalSessionId": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "MemberSid": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "DriverName": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "DeviceNameLength": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "OldSchemeGuid": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "CreationUtcTime": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "Reason": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "ShutdownReason": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "TargetServerName": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "Number": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "BuildVersion": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "SubjectDomainName": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "MinimumPerformancePercent": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "LogonId": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "LogonProcessName": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "TSId": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "TargetDomainName": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "PrivilegeList": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "param7": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "param8": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "param5": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "param6": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "DriveName": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "NewProcessId": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "LogonType": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "ExtraInfo": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "param3": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "param4": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "param1": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "param2": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "TargetLogonId": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "Workstation": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "SubjectUserName": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "FailureName": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "NewSchemeGuid": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "Signature": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "MinimumThrottlePercent": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "ProcessId": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "EntryCount": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "BitlockerUserInputTime": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "AuthenticationPackageName": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "NominalFrequency": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                }
-              }
-            },
-            "opcode": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "version": {
-              "type": "long"
-            },
-            "record_id": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "event_id": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "task": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "provider_guid": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "activity_id": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "api": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "provider_name": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "user": {
-              "properties": {
-                "identifier": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "domain": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "type": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                }
-              }
-            }
-          }
-        },
-        "data_stream": {
-          "properties": {
-            "namespace": {
-              "type": "constant_keyword"
-            },
-            "type": {
-              "type": "constant_keyword"
-            },
-            "dataset": {
-              "type": "constant_keyword"
-            }
-          }
-        },
-        "host": {
-          "properties": {
-            "hostname": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "os": {
-              "properties": {
-                "build": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "kernel": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "codename": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "text": {
-                      "type": "text"
-                    }
-                  }
-                },
-                "family": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "version": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "platform": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                }
-              }
-            },
-            "domain": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "ip": {
-              "type": "ip"
-            },
-            "containerized": {
-              "type": "boolean"
-            },
-            "name": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "mac": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "architecture": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            }
-          }
-        },
-        "event": {
-          "properties": {
-            "code": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "original": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "created": {
-              "type": "date"
-            },
-            "kind": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "module": {
-              "type": "constant_keyword",
-              "value": "system"
-            },
-            "type": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "sequence": {
-              "type": "long"
-            },
-            "ingested": {
-              "type": "date"
-            },
-            "provider": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "action": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "category": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "dataset": {
-              "type": "constant_keyword",
-              "value": "system.system"
-            },
-            "outcome": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            }
-          }
-        },
-        "error": {
-          "properties": {
-            "message": {
-              "type": "match_only_text"
-            }
-          }
-        },
-        "message": {
-          "type": "match_only_text"
-        }
-      }
-    }
-  },
-  "_meta": {
-    "package": {
-      "name": "system"
-    },
-    "managed_by": "fleet",
-    "managed": true
-  }
-}

salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@custom.json

@@ -1,12 +0,0 @@
-{
-  "template": {
-    "settings": {}
-  },
-  "_meta": {
-    "package": {
-      "name": "elastic_agent"
-    },
-    "managed_by": "fleet",
-    "managed": true
-  }
-}

salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@custom.json

@@ -1,12 +0,0 @@
-{
-  "template": {
-    "settings": {}
-  },
-  "_meta": {
-    "package": {
-      "name": "elastic_agent"
-    },
-    "managed_by": "fleet",
-    "managed": true
-  }
-}

salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@custom.json

@@ -1,12 +0,0 @@
-{
-  "template": {
-    "settings": {}
-  },
-  "_meta": {
-    "package": {
-      "name": "elastic_agent"
-    },
-    "managed_by": "fleet",
-    "managed": true
-  }
-}

salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@custom.json

@@ -1,12 +0,0 @@
-{
-  "template": {
-    "settings": {}
-  },
-  "_meta": {
-    "package": {
-      "name": "elastic_agent"
-    },
-    "managed_by": "fleet",
-    "managed": true
-  }
-}