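---
# Elasticsearch defaults for the Security Onion Salt pillar.
#
# Layout:
#   elasticsearch.config          – node settings that end up in elasticsearch.yml
#   elasticsearch.index_settings  – composable index templates (and one ILM
#                                   policy) keyed by template name
#
# Booleans are written as canonical lowercase `true`/`false`; all other
# scalars that look like numbers-with-units (80%, 30d, 50gb, 20000/1m) are
# plain strings and must stay unquoted-but-string as Elasticsearch expects.
elasticsearch:
  # Whether this component is enabled at all. NOTE(review): presumably a
  # deployment pillar flips this on per node role — confirm against the state.
  enabled: false
  retention:
    # NOTE(review): presumably the share of disk the retention job may use
    # before pruning — confirm against the consumer of this key.
    retention_pct: 50
  # Node settings; the key paths below are Elasticsearch setting names.
  config:
    node: {}
    cluster:
      routing:
        allocation:
          disk:
            # Disk-based shard allocation: stop allocating at `low`, relocate
            # away at `high`, mark indices read-only at `flood_stage`.
            threshold_enabled: true
            watermark:
              low: 80%
              high: 85%
              flood_stage: 90%
    network:
      # Binds on every interface. NOTE(review): presumably the host firewall
      # restricts who can reach 9200/9300 — verify, since TLS alone does not
      # limit exposure.
      host: 0.0.0.0
    path:
      logs: /var/log/elasticsearch
    action:
      # Refuses wildcard / _all deletes; a deliberate safety rail against
      # accidental or scripted mass index deletion.
      destructive_requires_name: true
    transport:
      bind_host: 0.0.0.0
      publish_port: 9300
    xpack:
      ml:
        enabled: false
      security:
        enabled: true
        authc:
          anonymous:
            # Unauthenticated requests that lack privilege get a 403 (authz
            # failure) rather than a 401 challenge.
            authz_exception: true
            # No roles: the anonymous principal carries no privileges.
            roles: []
            username: _anonymous
        transport:
          ssl:
            enabled: true
            # NOTE(review): `none` means node-to-node TLS encrypts but does
            # not validate the peer certificate, so a node is not
            # authenticated by its cert. Acceptable only on a trusted
            # internal network; `certificate` or `full` is the hardened
            # choice — confirm this is intended.
            verification_mode: none
            key: /usr/share/elasticsearch/config/elasticsearch.key
            certificate: /usr/share/elasticsearch/config/elasticsearch.crt
            certificate_authorities:
              - /usr/share/elasticsearch/config/ca.crt
        http:
          ssl:
            enabled: true
            # HTTP clients are not required to present a certificate;
            # authentication relies on credentials/API keys instead.
            client_authentication: none
            key: /usr/share/elasticsearch/config/elasticsearch.key
            certificate: /usr/share/elasticsearch/config/elasticsearch.crt
            certificate_authorities:
              - /usr/share/elasticsearch/config/ca.crt
    script:
      # Rate limit on script compilations (count per window).
      max_compilations_rate: 20000/1m
    indices:
      # Disallows aggregations/sorting on `_id`, which would otherwise load
      # the field into heap.
      id_field_data:
        enabled: false
    logger:
      org:
        elasticsearch:
          deprecation: ERROR

  # Composable index templates. When several templates match a data stream,
  # Elasticsearch applies the one with the highest `priority`; the per-
  # integration templates (501) therefore win over the generic `so-logs`
  # catch-all (225) wherever their more specific pattern matches.
  index_settings:
    global_overrides:
      index_template:
        template:
          settings:
            index:
              # Placeholder string; NOTE(review): presumably substituted by
              # the state at render time — confirm before relying on it.
              number_of_replicas: default_placeholder

    # Catch-all template for every Elastic Agent data stream (`logs-*-*`),
    # plus the ILM policy that governs their lifecycle.
    so-logs:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-*-*"
        template:
          settings:
            index:
              number_of_replicas: 0
              mapping:
                total_fields:
                  limit: 5001
              sort:
                field: "@timestamp"
                order: desc
          mappings:
            _meta:
              package:
                name: elastic_agent
              managed_by: security_onion
              managed: true
        composed_of:
          - "so-data-streams-mappings"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
          - "so-logs-mappings"
          - "so-logs-settings"
        priority: 225
        data_stream:
          hidden: false
          allow_custom_routing: false
      # ILM: roll over at 30d or 50gb, move to cold at 30d, delete at 365d.
      policy:
        phases:
          hot:
            min_age: 0ms
            actions:
              set_priority:
                priority: 100
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
          cold:
            min_age: 30d
            actions:
              set_priority:
                priority: 0
          delete:
            min_age: 365d
            actions:
              delete: {}
        _meta:
          package:
            name: elastic_agent
          managed_by: security_onion
          managed: true

    # Per-integration templates. Each follows the same shape: one index
    # pattern, zero replicas, the integration's @package and @custom
    # component templates plus the two shared fleet components, priority 501,
    # and a visible data stream with custom routing disabled. The `system.*`
    # entries additionally prepend the shared "event-mappings" component.
    so-logs-system_x_auth:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-system.auth*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "event-mappings"
          - "logs-system.auth@package"
          - "logs-system.auth@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-system_x_syslog:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-system.syslog*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "event-mappings"
          - "logs-system.syslog@package"
          - "logs-system.syslog@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-system_x_system:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-system.system*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "event-mappings"
          - "logs-system.system@package"
          - "logs-system.system@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-system_x_application:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-system.application*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "event-mappings"
          - "logs-system.application@package"
          - "logs-system.application@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-system_x_security:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-system.security*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "event-mappings"
          - "logs-system.security@package"
          - "logs-system.security@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-windows_x_forwarded:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-windows.forwarded*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-windows.forwarded@package"
          - "logs-windows.forwarded@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-windows_x_powershell:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-windows.powershell-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-windows.powershell@package"
          - "logs-windows.powershell@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-windows_x_powershell_operational:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-windows.powershell_operational-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-windows.powershell_operational@package"
          - "logs-windows.powershell_operational@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-windows_x_sysmon_operational:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-windows.sysmon_operational-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-windows.sysmon_operational@package"
          - "logs-windows.sysmon_operational@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-auditd_x_log:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-auditd.log-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-auditd.log@package"
          - "logs-auditd.log@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-aws_x_cloudtrail:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-aws.cloudtrail-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-aws.cloudtrail@package"
          - "logs-aws.cloudtrail@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-aws_x_cloudwatch_logs:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-aws.cloudwatch_logs-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-aws.cloudwatch_logs@package"
          - "logs-aws.cloudwatch_logs@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-aws_x_ec2_logs:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-aws.ec2_logs-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-aws.ec2_logs@package"
          - "logs-aws.ec2_logs@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-aws_x_elb_logs:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-aws.elb_logs-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-aws.elb_logs@package"
          - "logs-aws.elb_logs@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-aws_x_firewall_logs:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-aws.firewall_logs-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-aws.firewall_logs@package"
          - "logs-aws.firewall_logs@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-aws_x_route53_public_logs:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-aws.route53_public_logs-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-aws.route53_public_logs@package"
          - "logs-aws.route53_public_logs@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-aws_x_route53_resolver_logs:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-aws.route53_resolver_logs-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-aws.route53_resolver_logs@package"
          - "logs-aws.route53_resolver_logs@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-aws_x_s3access:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-aws.s3access-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-aws.s3access@package"
          - "logs-aws.s3access@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-aws_x_vpcflow:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-aws.vpcflow-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-aws.vpcflow@package"
          - "logs-aws.vpcflow@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-aws_x_waf:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-aws.waf-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-aws.waf@package"
          - "logs-aws.waf@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-azure_x_activitylogs:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-azure.activitylogs-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-azure.activitylogs@package"
          - "logs-azure.activitylogs@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-azure_x_application_gateway:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-azure.application_gateway-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-azure.application_gateway@package"
          - "logs-azure.application_gateway@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-azure_x_auditlogs:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-azure.auditlogs-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-azure.auditlogs@package"
          - "logs-azure.auditlogs@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-azure_x_eventhub:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-azure.eventhub-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-azure.eventhub@package"
          - "logs-azure.eventhub@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-azure_x_firewall_logs:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-azure.firewall_logs-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-azure.firewall_logs@package"
          - "logs-azure.firewall_logs@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-azure_x_identity_protection:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-azure.identity_protection-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-azure.identity_protection@package"
          - "logs-azure.identity_protection@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-azure_x_platformlogs:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-azure.platformlogs-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-azure.platformlogs@package"
          - "logs-azure.platformlogs@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-azure_x_provisioning:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-azure.provisioning-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-azure.provisioning@package"
          - "logs-azure.provisioning@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-azure_x_signinlogs:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-azure.signinlogs-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-azure.signinlogs@package"
          - "logs-azure.signinlogs@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-azure_x_springcloudlogs:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-azure.springcloudlogs-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-azure.springcloudlogs@package"
          - "logs-azure.springcloudlogs@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-barracuda_x_waf:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-barracuda.waf-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-barracuda.waf@package"
          - "logs-barracuda.waf@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-cisco_asa_x_log:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-cisco_asa.log-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-cisco_asa.log@package"
          - "logs-cisco_asa.log@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-cloudflare_x_audit:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-cloudflare.audit-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-cloudflare.audit@package"
          - "logs-cloudflare.audit@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-cloudflare_x_logpull:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-cloudflare.logpull-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-cloudflare.logpull@package"
          - "logs-cloudflare.logpull@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-crowdstrike_x_falcon:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-crowdstrike.falcon-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-crowdstrike.falcon@package"
          - "logs-crowdstrike.falcon@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-crowdstrike_x_fdr:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-crowdstrike.fdr-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-crowdstrike.fdr@package"
          - "logs-crowdstrike.fdr@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-darktrace_x_ai_analyst_alert:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-darktrace.ai_analyst_alert-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-darktrace.ai_analyst_alert@package"
          - "logs-darktrace.ai_analyst_alert@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-darktrace_x_model_breach_alert:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-darktrace.model_breach_alert-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-darktrace.model_breach_alert@package"
          - "logs-darktrace.model_breach_alert@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-darktrace_x_system_status_alert:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-darktrace.system_status_alert-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-darktrace.system_status_alert@package"
          - "logs-darktrace.system_status_alert@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-f5_bigip_x_log:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-f5_bigip.log-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-f5_bigip.log@package"
          - "logs-f5_bigip.log@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-fim_x_event:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-fim.event-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-fim.event@package"
          - "logs-fim.event@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-fortinet_x_clientendpoint:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-fortinet.clientendpoint-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-fortinet.clientendpoint@package"
          - "logs-fortinet.clientendpoint@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-fortinet_x_firewall:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-fortinet.firewall-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-fortinet.firewall@package"
          - "logs-fortinet.firewall@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-fortinet_x_fortimail:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-fortinet.fortimail-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-fortinet.fortimail@package"
          - "logs-fortinet.fortimail@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-fortinet_x_fortimanager:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-fortinet.fortimanager-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-fortinet.fortimanager@package"
          - "logs-fortinet.fortimanager@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-fortinet_x_fortigate:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-fortinet.fortigate-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-fortinet.fortigate@package"
          - "logs-fortinet.fortigate@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-gcp_x_audit:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-gcp.audit-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-gcp.audit@package"
          - "logs-gcp.audit@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-gcp_x_dns:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-gcp.dns-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-gcp.dns@package"
          - "logs-gcp.dns@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-gcp_x_firewall:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-gcp.firewall-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-gcp.firewall@package"
          - "logs-gcp.firewall@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-gcp_x_loadbalancing_logs:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-gcp.loadbalancing_logs-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-gcp.loadbalancing_logs@package"
          - "logs-gcp.loadbalancing_logs@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-gcp_x_vpcflow:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-gcp.vpcflow-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-gcp.vpcflow@package"
          - "logs-gcp.vpcflow@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-github_x_audit:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-github.audit-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-github.audit@package"
          - "logs-github.audit@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-github_x_code_scanning:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-github.code_scanning-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-github.code_scanning@package"
          - "logs-github.code_scanning@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-github_x_dependabot:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-github.dependabot-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-github.dependabot@package"
          - "logs-github.dependabot@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-github_x_issues:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-github.issues-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-github.issues@package"
          - "logs-github.issues@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-github_x_secret_scanning:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-github.secret_scanning-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-github.secret_scanning@package"
          - "logs-github.secret_scanning@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-google_workspace_x_access_transparency:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-google_workspace.access_transparency-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-google_workspace.access_transparency@package"
          - "logs-google_workspace.access_transparency@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-google_workspace_x_admin:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-google_workspace.admin-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-google_workspace.admin@package"
          - "logs-google_workspace.admin@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-google_workspace_x_alert:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-google_workspace.alert-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-google_workspace.alert@package"
          - "logs-google_workspace.alert@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-google_workspace_x_context_aware_access:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-google_workspace.context_aware_access-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-google_workspace.context_aware_access@package"
          - "logs-google_workspace.context_aware_access@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-google_workspace_x_device:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-google_workspace.device-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-google_workspace.device@package"
          - "logs-google_workspace.device@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-google_workspace_x_drive:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-google_workspace.drive-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-google_workspace.drive@package"
          - "logs-google_workspace.drive@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-google_workspace_x_gcp:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-google_workspace.gcp-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-google_workspace.gcp@package"
          - "logs-google_workspace.gcp@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-google_workspace_x_group_enterprise:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-google_workspace.group_enterprise-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-google_workspace.group_enterprise@package"
          - "logs-google_workspace.group_enterprise@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-google_workspace_x_groups:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-google_workspace.groups-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-google_workspace.groups@package"
          - "logs-google_workspace.groups@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-google_workspace_x_login:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-google_workspace.login-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-google_workspace.login@package"
          - "logs-google_workspace.login@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-google_workspace_x_rules:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-google_workspace.rules-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-google_workspace.rules@package"
          - "logs-google_workspace.rules@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-google_workspace_x_saml:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-google_workspace.saml-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-google_workspace.saml@package"
          - "logs-google_workspace.saml@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-google_workspace_x_token:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-google_workspace.token-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-google_workspace.token@package"
          - "logs-google_workspace.token@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-google_workspace_x_user_accounts:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-google_workspace.user_accounts-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-google_workspace.user_accounts@package"
          - "logs-google_workspace.user_accounts@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-http_endpoint_x_generic:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-http_endpoint.generic-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-http_endpoint.generic@package"
          - "logs-http_endpoint.generic@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-httpjson_x_generic:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-httpjson.generic-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-httpjson.generic@package"
          - "logs-httpjson.generic@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-juniper_x_junos:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-juniper.junos-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-juniper.junos@package"
          - "logs-juniper.junos@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-juniper_x_netscreen:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-juniper.netscreen-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-juniper.netscreen@package"
          - "logs-juniper.netscreen@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-juniper_x_srx:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-juniper.srx-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-juniper.srx@package"
          - "logs-juniper.srx@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-juniper_srx_x_log:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-juniper_srx.log-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-juniper_srx.log@package"
          - "logs-juniper_srx.log@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-kafka_log_x_generic:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-kafka_log.generic-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-kafka_log.generic@package"
          - "logs-kafka_log.generic@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-lastpass_x_detailed_shared_folder:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-lastpass.detailed_shared_folder-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-lastpass.detailed_shared_folder@package"
          - "logs-lastpass.detailed_shared_folder@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-lastpass_x_event_report:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-lastpass.event_report-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-lastpass.event_report@package"
          - "logs-lastpass.event_report@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-lastpass_x_user:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-lastpass.user-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-lastpass.user@package"
          - "logs-lastpass.user@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-m365_defender_x_event:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-m365_defender.event-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-m365_defender.event@package"
          - "logs-m365_defender.event@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-m365_defender_x_incident:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-m365_defender.incident-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-m365_defender.incident@package"
          - "logs-m365_defender.incident@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-m365_defender_x_log:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-m365_defender.log-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-m365_defender.log@package"
          - "logs-m365_defender.log@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-microsoft_defender_endpoint_x_log:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-microsoft_defender_endpoint.log-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-microsoft_defender_endpoint.log@package"
          - "logs-microsoft_defender_endpoint.log@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-microsoft_dhcp_x_log:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-microsoft_dhcp.log-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-microsoft_dhcp.log@package"
          - "logs-microsoft_dhcp.log@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-netflow_x_log:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-netflow.log-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-netflow.log@package"
          - "logs-netflow.log@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-o365_x_audit:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-o365.audit-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-o365.audit@package"
          - "logs-o365.audit@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-okta_x_system:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-okta.system-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-okta.system@package"
          - "logs-okta.system@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-panw_x_panos:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-panw.panos-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-panw.panos@package"
          - "logs-panw.panos@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-pfsense_x_log:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-pfsense.log-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-pfsense.log@package"
          - "logs-pfsense.log@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-sentinel_one_x_activity:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-sentinel_one.activity-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-sentinel_one.activity@package"
          - "logs-sentinel_one.activity@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-sentinel_one_x_agent:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-sentinel_one.agent-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-sentinel_one.agent@package"
          - "logs-sentinel_one.agent@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-sentinel_one_x_alert:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-sentinel_one.alert-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-sentinel_one.alert@package"
          - "logs-sentinel_one.alert@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-sentinel_one_x_group:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-sentinel_one.group-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-sentinel_one.group@package"
          - "logs-sentinel_one.group@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    so-logs-sentinel_one_x_threat:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-sentinel_one.threat-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-sentinel_one.threat@package"
          - "logs-sentinel_one.threat@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    # NOTE(review): this entry is cut off at the end of the visible chunk;
    # only the key is present here, its value continues in the next chunk.
    so-logs-sonicwall_firewall_x_log:
      index_sorting: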
False index_template: index_patterns: - "logs-sonicwall_firewall.log-*" template: settings: index: number_of_replicas: 0 composed_of: - "logs-sonicwall_firewall.log@package" - "logs-sonicwall_firewall.log@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false so-logs-symantec_endpoint_x_log: index_sorting: False index_template: index_patterns: - "logs-symantec_endpoint.log-*" template: settings: index: number_of_replicas: 0 composed_of: - "logs-symantec_endpoint.log@package" - "logs-symantec_endpoint.log@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false so-logs-ti_abusech_x_malware: index_sorting: False index_template: index_patterns: - "logs-ti_abusech.malware-*" template: settings: index: number_of_replicas: 0 composed_of: - "logs-ti_abusech.malware@package" - "logs-ti_abusech.malware@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false so-logs-ti_abusech_x_malwarebazaar: index_sorting: False index_template: index_patterns: - "logs-ti_abusech.malwarebazaar-*" template: settings: index: number_of_replicas: 0 composed_of: - "logs-ti_abusech.malwarebazaar@package" - "logs-ti_abusech.malwarebazaar@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false so-logs-ti_abusech_x_threatfox: index_sorting: False index_template: index_patterns: - "logs-ti_abusech.threatfox-*" template: settings: index: number_of_replicas: 0 composed_of: - "logs-ti_abusech.threatfox@package" - "logs-ti_abusech.threatfox@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false so-logs-ti_abusech_x_url: index_sorting: False index_template: index_patterns: - "logs-ti_abusech.url-*" 
template: settings: index: number_of_replicas: 0 composed_of: - "logs-ti_abusech.url@package" - "logs-ti_abusech.url@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false so-logs-ti_misp_x_threat: index_sorting: False index_template: index_patterns: - "logs-ti_misp.threat-*" template: settings: index: number_of_replicas: 0 composed_of: - "logs-ti_misp.threat@package" - "logs-ti_misp.threat@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false so-logs-ti_misp_x_threat_attributes: index_sorting: False index_template: index_patterns: - "logs-ti_misp.threat_attributes-*" template: settings: index: number_of_replicas: 0 composed_of: - "logs-ti_misp.threat_attributes@package" - "logs-ti_misp.threat_attributes@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false so-logs-ti_otx_x_threat: index_sorting: False index_template: index_patterns: - "logs-ti_otx.threat-*" template: settings: index: number_of_replicas: 0 composed_of: - "logs-ti_otx.threat@package" - "logs-ti_otx.threat@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false so-logs-ti_recordedfuture_x_latest_ioc-template: index_sorting: False index_template: index_patterns: - "logs-ti_recordedfuture.latest_ioc-template-*" template: settings: index: number_of_replicas: 0 composed_of: - "logs-ti_recordedfuture.latest_ioc-template@package" - "logs-ti_recordedfuture.latest_ioc-template@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false so-logs-ti_recordedfuture_x_threat: index_sorting: False index_template: index_patterns: - "logs-ti_recordedfuture.threat-*" template: settings: index: number_of_replicas: 0 
composed_of: - "logs-ti_recordedfuture.threat@package" - "logs-ti_recordedfuture.threat@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false so-logs-zscaler_zia_x_alerts: index_sorting: False index_template: index_patterns: - "logs-zscaler_zia.alerts-*" template: settings: index: number_of_replicas: 0 composed_of: - "logs-zscaler_zia.alerts@package" - "logs-zscaler_zia.alerts@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false so-logs-zscaler_zia_x_dns: index_sorting: False index_template: index_patterns: - "logs-zscaler_zia.dns-*" template: settings: index: number_of_replicas: 0 composed_of: - "logs-zscaler_zia.dns@package" - "logs-zscaler_zia.dns@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false so-logs-zscaler_zia_x_firewall: index_sorting: False index_template: index_patterns: - "logs-zscaler_zia.firewall-*" template: settings: index: number_of_replicas: 0 composed_of: - "logs-zscaler_zia.firewall@package" - "logs-zscaler_zia.firewall@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false so-logs-zscaler_zia_x_tunnel: index_sorting: False index_template: index_patterns: - "logs-zscaler_zia.tunnel-*" template: settings: index: number_of_replicas: 0 composed_of: - "logs-zscaler_zia.tunnel@package" - "logs-zscaler_zia.tunnel@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false so-logs-zscaler_zia_x_web: index_sorting: False index_template: index_patterns: - "logs-zscaler_zia.web-*" template: settings: index: number_of_replicas: 0 composed_of: - "logs-zscaler_zia.web@package" - "logs-zscaler_zia.web@custom" - "so-fleet_globals-1" - 
"so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false so-logs-zscaler_zpa_x_app_connector_status: index_sorting: False index_template: index_patterns: - "logs-zscaler_zpa.app_connector_status-*" template: settings: index: number_of_replicas: 0 composed_of: - "logs-zscaler_zpa.app_connector_status@package" - "logs-zscaler_zpa.app_connector_status@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false so-logs-zscaler_zpa_x_audit: index_sorting: False index_template: index_patterns: - "logs-zscaler_zpa.audit-*" template: settings: index: number_of_replicas: 0 composed_of: - "logs-zscaler_zpa.audit@package" - "logs-zscaler_zpa.audit@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false so-logs-zscaler_zpa_x_browser_access: index_sorting: False index_template: index_patterns: - "logs-zscaler_zpa.browser_access-*" template: settings: index: number_of_replicas: 0 composed_of: - "logs-zscaler_zpa.browser_access@package" - "logs-zscaler_zpa.browser_access@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false so-logs-zscaler_zpa_x_user_activity: index_sorting: False index_template: index_patterns: - "logs-zscaler_zpa.user_activity-*" template: settings: index: number_of_replicas: 0 composed_of: - "logs-zscaler_zpa.user_activity@package" - "logs-zscaler_zpa.user_activity@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false so-logs-zscaler_zpa_x_user_status: index_sorting: False index_template: index_patterns: - "logs-zscaler_zpa.user_status-*" template: settings: index: number_of_replicas: 0 composed_of: - "logs-zscaler_zpa.user_status@package" - "logs-zscaler_zpa.user_status@custom" - 
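- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
  hidden: false
  allow_custom_routing: false
    # 1Password integration data streams. Component templates in composed_of
    # are merged by Elasticsearch in list order (the last entry wins), so the
    # package mappings come first, the site-specific @custom template next,
    # and the fleet globals last.
    so-logs-1password_x_item_usages:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-1password.item_usages-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-1password.item_usages@package"
          - "logs-1password.item_usages@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-1password_x_signin_attempts:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-1password.signin_attempts-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-1password.signin_attempts@package"
          - "logs-1password.signin_attempts@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    # Osquery-manager indices. The patterns are dot-prefixed and carry no
    # data_stream block, so these are plain (non data-stream) index templates
    # with no ILM policy of their own; _meta marks them as managed by
    # Security Onion.
    so-logs-osquery-manager-actions:
      index_sorting: false
      index_template:
        index_patterns:
          - ".logs-osquery_manager.actions*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-osquery_manager.actions"
        priority: 501
        _meta:
          package:
            name: elastic_agent
          managed_by: security_onion
          managed: true
    so-logs-osquery-manager-action_x_responses:
      index_sorting: false
      index_template:
        index_patterns:
          - ".logs-osquery_manager.action.responses*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-osquery_manager.action.responses"
        priority: 501
        _meta:
          package:
            name: elastic_agent
          managed_by: security_onion
          managed: true
    # Elastic Agent APM server logs: capped field count, sorted by @timestamp
    # descending; the template's own _meta marks it Security Onion managed.
    so-logs-elastic_agent_x_apm_server:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-elastic_agent.apm_server-*"
        template:
          settings:
            index:
              number_of_replicas: 0
              mapping:
                total_fields:
                  limit: 5000
              sort:
                field: "@timestamp"
                order: desc
          mappings:
            _meta:
              package:
                name: elastic_agent
              managed_by: security_onion
              managed: true
        composed_of:
          - "logs-elastic_agent.apm_server@package"
          - "logs-elastic_agent.apm_server@custom"
          -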
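- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
  hidden: false
  allow_custom_routing: false
# ILM policy: rollover at 30d or 50gb per primary shard, move to cold at
# 30d, delete at 365d (min_age values as written in this file).
policy:
  phases:
    hot:
      min_age: 0ms
      actions:
        set_priority:
          priority: 100
        rollover:
          max_age: 30d
          max_primary_shard_size: 50gb
    cold:
      min_age: 30d
      actions:
        set_priority:
          priority: 0
    delete:
      min_age: 365d
      actions:
        delete: {}
  _meta:
    package:
      name: elastic_agent
    managed_by: security_onion
    managed: true
    # Elastic Agent auditbeat logs. composed_of is merged in list order by
    # Elasticsearch (last entry wins): @package, then @custom, then globals.
    so-logs-elastic_agent_x_auditbeat:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-elastic_agent.auditbeat-*"
        template:
          settings:
            index:
              number_of_replicas: 0
              mapping:
                total_fields:
                  limit: 5000
              sort:
                field: "@timestamp"
                order: desc
          mappings:
            _meta:
              package:
                name: elastic_agent
              managed_by: security_onion
              managed: true
        composed_of:
          - "logs-elastic_agent.auditbeat@package"
          - "logs-elastic_agent.auditbeat@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
      policy:
        phases:
          hot:
            min_age: 0ms
            actions:
              set_priority:
                priority: 100
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
          cold:
            min_age: 30d
            actions:
              set_priority:
                priority: 0
          delete:
            min_age: 365d
            actions:
              delete: {}
        _meta:
          package:
            name: elastic_agent
          managed_by: security_onion
          managed: true
    # Elastic Agent cloudbeat logs.
    so-logs-elastic_agent_x_cloudbeat:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-elastic_agent.cloudbeat-*"
        template:
          settings:
            index:
              number_of_replicas: 0
              mapping:
                total_fields:
                  limit: 5000
              sort:
                field: "@timestamp"
                order: desc
          mappings:
            _meta:
              package:
                name: elastic_agent
              managed_by: security_onion
              managed: true
        composed_of:
          - "logs-elastic_agent.cloudbeat@package"
          - "logs-elastic_agent.cloudbeat@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        # NOTE(review): unlike the sibling elastic_agent.* entries this
        # template has no data_stream block, so it is registered as a plain
        # index template rather than a data-stream template — confirm intended.
      policy:
        phases:
          hot:
            min_age: 0ms
            actions:
              set_priority:
                priority: 100
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
          cold:
            min_age: 30d
            actions:
              set_priority:
                priority: 0
          delete:
            min_age: 365d
            actions:
              delete: {}
        _meta: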
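package:
  name: elastic_agent
managed_by: security_onion
managed: true
    # Elastic Agent endpoint_security logs. The shared "event-mappings"
    # component comes first; @package precedes @custom so that site-specific
    # overrides win (Elasticsearch merges composed_of in list order, last
    # entry taking precedence).
    so-logs-elastic_agent_x_endpoint_security:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-elastic_agent.endpoint_security-*"
        template:
          settings:
            index:
              number_of_replicas: 0
              mapping:
                total_fields:
                  limit: 5000
              sort:
                field: "@timestamp"
                order: desc
        composed_of:
          - "event-mappings"
          - "logs-elastic_agent.endpoint_security@package"
          - "logs-elastic_agent.endpoint_security@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
      policy:
        phases:
          hot:
            min_age: 0ms
            actions:
              set_priority:
                priority: 100
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
          cold:
            min_age: 30d
            actions:
              set_priority:
                priority: 0
          delete:
            min_age: 365d
            actions:
              delete: {}
        _meta:
          package:
            name: elastic_agent
          managed_by: security_onion
          managed: true
    # Elastic Defend alerts.
    so-logs-endpoint_x_alerts:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-endpoint.alerts-*"
        template:
          settings:
            index:
              number_of_replicas: 0
              mapping:
                total_fields:
                  limit: 5000
              sort:
                field: "@timestamp"
                order: desc
        # NOTE(review): here (and in the logs-endpoint.events.* entries that
        # follow) @custom is listed BEFORE @package, the reverse of every other
        # entry in this file. Because later composed_of entries take
        # precedence, the package mappings override any site @custom
        # template for these streams — confirm this ordering is intended.
        composed_of:
          - "event-mappings"
          - "logs-endpoint.alerts@custom"
          - "logs-endpoint.alerts@package"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
      policy:
        phases:
          hot:
            min_age: 0ms
            actions:
              set_priority:
                priority: 100
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
          cold:
            min_age: 30d
            actions:
              set_priority:
                priority: 0
          delete:
            min_age: 365d
            actions:
              delete: {}
        _meta:
          package:
            name: elastic_agent
          managed_by: security_onion
          managed: true
    # Elastic Defend API events (same @custom/@package ordering caveat as
    # so-logs-endpoint_x_alerts above).
    so-logs-endpoint_x_events_x_api:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-endpoint.events.api-*"
        template:
          settings:
            index:
              number_of_replicas: 0
              mapping:
                total_fields:
                  limit: 5000
              sort:
                field: "@timestamp"
                order: desc
        composed_of:
          - "event-mappings"
          - "logs-endpoint.events.api@custom"
          - "logs-endpoint.events.api@package"
          -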
"so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false policy: phases: hot: min_age: 0ms actions: set_priority: priority: 100 rollover: max_age: 30d max_primary_shard_size: 50gb cold: min_age: 30d actions: set_priority: priority: 0 delete: min_age: 365d actions: delete: {} _meta: package: name: elastic_agent managed_by: security_onion managed: true so-logs-endpoint_x_events_x_file: index_sorting: False index_template: index_patterns: - "logs-endpoint.events.file-*" template: settings: index: number_of_replicas: 0 mapping: total_fields: limit: 5000 sort: field: "@timestamp" order: desc composed_of: - "event-mappings" - "logs-endpoint.events.file@custom" - "logs-endpoint.events.file@package" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false policy: phases: hot: min_age: 0ms actions: set_priority: priority: 100 rollover: max_age: 30d max_primary_shard_size: 50gb cold: min_age: 30d actions: set_priority: priority: 0 delete: min_age: 365d actions: delete: {} _meta: package: name: elastic_agent managed_by: security_onion managed: true so-logs-endpoint_x_events_x_library: index_sorting: False index_template: index_patterns: - "logs-endpoint.events.library-*" template: settings: index: number_of_replicas: 0 mapping: total_fields: limit: 5000 sort: field: "@timestamp" order: desc composed_of: - "event-mappings" - "logs-endpoint.events.library@custom" - "logs-endpoint.events.library@package" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false policy: phases: hot: min_age: 0ms actions: set_priority: priority: 100 rollover: max_age: 30d max_primary_shard_size: 50gb cold: min_age: 30d actions: set_priority: priority: 0 delete: min_age: 365d actions: delete: {} _meta: package: name: elastic_agent managed_by: security_onion managed: true 
so-logs-endpoint_x_events_x_network: index_sorting: False index_template: index_patterns: - "logs-endpoint.events.network-*" template: settings: index: number_of_replicas: 0 mapping: total_fields: limit: 5000 sort: field: "@timestamp" order: desc composed_of: - "event-mappings" - "logs-endpoint.events.network@custom" - "logs-endpoint.events.network@package" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false policy: phases: hot: min_age: 0ms actions: set_priority: priority: 100 rollover: max_age: 30d max_primary_shard_size: 50gb cold: min_age: 30d actions: set_priority: priority: 0 delete: min_age: 365d actions: delete: {} _meta: package: name: elastic_agent managed_by: security_onion managed: true so-logs-endpoint_x_events_x_process: index_sorting: False index_template: index_patterns: - "logs-endpoint.events.process-*" template: settings: index: number_of_replicas: 0 mapping: total_fields: limit: 5000 sort: field: "@timestamp" order: desc composed_of: - "event-mappings" - "logs-endpoint.events.process@custom" - "logs-endpoint.events.process@package" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false policy: phases: hot: min_age: 0ms actions: set_priority: priority: 100 rollover: max_age: 30d max_primary_shard_size: 50gb cold: min_age: 30d actions: set_priority: priority: 0 delete: min_age: 365d actions: delete: {} _meta: package: name: elastic_agent managed_by: security_onion managed: true so-logs-endpoint_x_events_x_registry: index_sorting: False index_template: index_patterns: - "logs-endpoint.events.registry-*" template: settings: index: number_of_replicas: 0 mapping: total_fields: limit: 5000 sort: field: "@timestamp" order: desc composed_of: - "event-mappings" - "logs-endpoint.events.registry@custom" - "logs-endpoint.events.registry@package" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" 
priority: 501 data_stream: hidden: false allow_custom_routing: false policy: phases: hot: min_age: 0ms actions: set_priority: priority: 100 rollover: max_age: 30d max_primary_shard_size: 50gb cold: min_age: 30d actions: set_priority: priority: 0 delete: min_age: 365d actions: delete: {} _meta: package: name: elastic_agent managed_by: security_onion managed: true so-logs-endpoint_x_events_x_security: index_sorting: False index_template: index_patterns: - "logs-endpoint.events.security-*" template: settings: index: number_of_replicas: 0 mapping: total_fields: limit: 5000 sort: field: "@timestamp" order: desc composed_of: - "event-mappings" - "logs-endpoint.events.security@custom" - "logs-endpoint.events.security@package" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false policy: phases: hot: min_age: 0ms actions: set_priority: priority: 100 rollover: max_age: 30d max_primary_shard_size: 50gb cold: min_age: 30d actions: set_priority: priority: 0 delete: min_age: 365d actions: delete: {} _meta: package: name: elastic_agent managed_by: security_onion managed: true so-logs-elastic_agent_x_filebeat: index_sorting: False index_template: index_patterns: - "logs-elastic_agent.filebeat-*" template: settings: index: number_of_replicas: 0 mapping: total_fields: limit: 5000 sort: field: "@timestamp" order: desc composed_of: - "event-mappings" - "logs-elastic_agent.filebeat@package" - "logs-elastic_agent.filebeat@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false policy: phases: hot: min_age: 0ms actions: set_priority: priority: 100 rollover: max_age: 30d max_primary_shard_size: 50gb cold: min_age: 30d actions: set_priority: priority: 0 delete: min_age: 365d actions: delete: {} _meta: package: name: elastic_agent managed_by: security_onion managed: true so-logs-elastic_agent_x_fleet_server: index_sorting: False 
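index_template:
  index_patterns:
    - "logs-elastic_agent.fleet_server-*"
  template:
    settings:
      index:
        number_of_replicas: 0
        # NOTE(review): no mapping.total_fields.limit here, unlike the other
        # elastic_agent.* templates in this file (5000), so the Elasticsearch
        # default field limit applies — confirm this is intended.
        sort:
          field: "@timestamp"
          order: desc
  # Merged in list order by Elasticsearch (last entry wins).
  composed_of:
    - "event-mappings"
    - "logs-elastic_agent.fleet_server@package"
    - "logs-elastic_agent.fleet_server@custom"
    - "so-fleet_globals-1"
    - "so-fleet_agent_id_verification-1"
  priority: 501
  data_stream:
    hidden: false
    allow_custom_routing: false
policy:
  phases:
    hot:
      min_age: 0ms
      actions:
        set_priority:
          priority: 100
        rollover:
          max_age: 30d
          max_primary_shard_size: 50gb
    cold:
      min_age: 30d
      actions:
        set_priority:
          priority: 0
    delete:
      min_age: 365d
      actions:
        delete: {}
  _meta:
    package:
      name: elastic_agent
    managed_by: security_onion
    managed: true
    # Elastic Agent heartbeat logs.
    so-logs-elastic_agent_x_heartbeat:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-elastic_agent.heartbeat-*"
        template:
          settings:
            index:
              number_of_replicas: 0
              mapping:
                total_fields:
                  limit: 5000
              sort:
                field: "@timestamp"
                order: desc
          mappings:
            _meta:
              package:
                name: elastic_agent
              managed_by: security_onion
              managed: true
        composed_of:
          - "logs-elastic_agent.heartbeat@package"
          - "logs-elastic_agent.heartbeat@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        # NOTE(review): no data_stream block, unlike most elastic_agent.*
        # entries in this file; this registers as a plain index template —
        # confirm intended.
      policy:
        phases:
          hot:
            min_age: 0ms
            actions:
              set_priority:
                priority: 100
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
          cold:
            min_age: 30d
            actions:
              set_priority:
                priority: 0
          delete:
            min_age: 365d
            actions:
              delete: {}
        _meta:
          package:
            name: elastic_agent
          managed_by: security_onion
          managed: true
    # Elastic Agent's own logs (logs-elastic_agent-*).
    so-logs-elastic_agent:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-elastic_agent-*"
        template:
          settings:
            index:
              number_of_replicas: 0
              mapping:
                total_fields:
                  limit: 5000
              sort:
                field: "@timestamp"
                order: desc
          mappings:
            _meta:
              package:
                name: elastic_agent
              managed_by: security_onion
              managed: true
        composed_of:
          - "event-mappings"
          - "logs-elastic_agent@package"
          - "logs-elastic_agent@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: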
false allow_custom_routing: false policy: phases: hot: min_age: 0ms actions: set_priority: priority: 100 rollover: max_age: 30d max_primary_shard_size: 50gb cold: min_age: 30d actions: set_priority: priority: 0 delete: min_age: 365d actions: delete: {} _meta: package: name: elastic_agent managed_by: security_onion managed: true so-logs-elastic_agent_x_metricbeat: index_sorting: False index_template: index_patterns: - "logs-elastic_agent.metricbeat-*" template: settings: index: number_of_replicas: 0 mapping: total_fields: limit: 5000 sort: field: "@timestamp" order: desc composed_of: - "event-mappings" - "logs-elastic_agent.metricbeat@package" - "logs-elastic_agent.metricbeat@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false policy: phases: hot: min_age: 0ms actions: set_priority: priority: 100 rollover: max_age: 30d max_primary_shard_size: 50gb cold: min_age: 30d actions: set_priority: priority: 0 delete: min_age: 365d actions: delete: {} _meta: package: name: elastic_agent managed_by: security_onion managed: true so-logs-elastic_agent_x_osquerybeat: index_sorting: False index_template: index_patterns: - "logs-elastic_agent.osquerybeat-*" template: settings: index: number_of_replicas: 0 mapping: total_fields: limit: 5000 sort: field: "@timestamp" order: desc composed_of: - "event-mappings" - "logs-elastic_agent.osquerybeat@package" - "logs-elastic_agent.osquerybeat@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false policy: phases: hot: min_age: 0ms actions: set_priority: priority: 100 rollover: max_age: 30d max_primary_shard_size: 50gb cold: min_age: 30d actions: set_priority: priority: 0 delete: min_age: 365d actions: delete: {} _meta: package: name: elastic_agent managed_by: security_onion managed: true so-logs-elastic_agent_x_packetbeat: index_sorting: False index_template: index_patterns: - 
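"logs-elastic_agent.packetbeat-*"
template:
  settings:
    index:
      number_of_replicas: 0
      mapping:
        total_fields:
          limit: 5000
      sort:
        field: "@timestamp"
        order: desc
  mappings:
    _meta:
      package:
        name: elastic_agent
      managed_by: security_onion
      managed: true
# Merged in list order by Elasticsearch (last entry wins).
composed_of:
  - "logs-elastic_agent.packetbeat@package"
  - "logs-elastic_agent.packetbeat@custom"
  - "so-fleet_globals-1"
  - "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
  hidden: false
  allow_custom_routing: false
policy:
  phases:
    hot:
      min_age: 0ms
      actions:
        set_priority:
          priority: 100
        rollover:
          max_age: 30d
          max_primary_shard_size: 50gb
    cold:
      min_age: 30d
      actions:
        set_priority:
          priority: 0
    delete:
      min_age: 365d
      actions:
        delete: {}
  _meta:
    package:
      name: elastic_agent
    managed_by: security_onion
    managed: true
    # Security Onion case indices (plain index template, no data stream).
    # Unmapped string fields are indexed as keyword; values longer than
    # ignore_above are left unindexed. Automatic date detection is off so
    # free-text values are never typed as dates by the mapper.
    so-case:
      index_sorting: false
      index_template:
        index_patterns:
          - "so-case*"
        template:
          mappings:
            dynamic_templates:
              - strings_as_keyword:
                  mapping:
                    ignore_above: 1024
                    type: keyword
                  match_mapping_type: string
            date_detection: false
          settings:
            index:
              mapping:
                total_fields:
                  limit: 1500
              sort:
                field: "@timestamp"
                order: desc
              refresh_interval: 30s
              number_of_shards: 1
              number_of_replicas: 0
        composed_of:
          - case-mappings
          - case-settings
        priority: 500
    # Catch-all data-stream template for logs-*-so* streams. warm/close/delete
    # are day counts kept alongside the template; their consumer is not in
    # this file — TODO confirm which tooling reads them.
    so-common:
      warm: 7
      close: 30
      delete: 365
      index_sorting: false
      index_template:
        data_stream: {}
        index_patterns:
          - "logs-*-so*"
        template:
          mappings:
            dynamic_templates:
              - strings_as_keyword:
                  mapping:
                    ignore_above: 1024
                    type: keyword
                  match_mapping_type: string
            date_detection: false
          settings:
            index:
              mapping:
                total_fields:
                  limit: 5000
              sort:
                field: "@timestamp"
                order: desc
              refresh_interval: 30s
              number_of_shards: 1
              number_of_replicas: 0
        # ECS field-set component templates, each followed by its dtc-*
        # (dynamic) counterpart; merged in list order, last entry wins.
        composed_of:
          - agent-mappings
          - dtc-agent-mappings
          - base-mappings
          - dtc-base-mappings
          - client-mappings
          - dtc-client-mappings
          - cloud-mappings
          - container-mappings
          - data_stream-mappings
          - destination-mappings
          - dtc-destination-mappings
          - pb-override-destination-mappings
          - dll-mappings
          - dns-mappings
          - dtc-dns-mappings
          - ecs-mappings
          - dtc-ecs-mappings
          -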
error-mappings - event-mappings - dtc-event-mappings - file-mappings - dtc-file-mappings - group-mappings - host-mappings - dtc-host-mappings - http-mappings - dtc-http-mappings - log-mappings - network-mappings - dtc-network-mappings - observer-mappings - dtc-observer-mappings - orchestrator-mappings - organization-mappings - package-mappings - process-mappings - dtc-process-mappings - registry-mappings - related-mappings - rule-mappings - dtc-rule-mappings - server-mappings - service-mappings - dtc-service-mappings - source-mappings - dtc-source-mappings - pb-override-source-mappings - syslog-mappings - dtc-syslog-mappings - threat-mappings - tls-mappings - tracing-mappings - url-mappings - user_agent-mappings - dtc-user_agent-mappings - vulnerability-mappings - common-settings - common-dynamic-mappings - winlog-mappings priority: 1 so-endgame: index_sorting: False index_template: index_patterns: - endgame* template: mappings: dynamic_templates: - strings_as_keyword: mapping: ignore_above: 1024 type: keyword match_mapping_type: string date_detection: false settings: index: mapping: total_fields: limit: 5000 sort: field: "@timestamp" order: desc refresh_interval: 30s number_of_shards: 1 number_of_replicas: 0 composed_of: - agent-mappings - dtc-agent-mappings - base-mappings - dtc-base-mappings - client-mappings - dtc-client-mappings - cloud-mappings - container-mappings - data_stream-mappings - destination-mappings - dtc-destination-mappings - pb-override-destination-mappings - dll-mappings - dns-mappings - dtc-dns-mappings - ecs-mappings - dtc-ecs-mappings - endgame-mappings - error-mappings - event-mappings - dtc-event-mappings - file-mappings - dtc-file-mappings - group-mappings - host-mappings - dtc-host-mappings - http-mappings - dtc-http-mappings - log-mappings - network-mappings - dtc-network-mappings - observer-mappings - dtc-observer-mappings - orchestrator-mappings - organization-mappings - package-mappings - process-mappings - dtc-process-mappings - 
registry-mappings - related-mappings - rule-mappings - dtc-rule-mappings - server-mappings - service-mappings - dtc-service-mappings - source-mappings - dtc-source-mappings - pb-override-source-mappings - threat-mappings - tls-mappings - tracing-mappings - url-mappings - user_agent-mappings - dtc-user_agent-mappings - vulnerability-mappings - common-settings - common-dynamic-mappings - winlog-mappings priority: 500 so-idh: warm: 7 close: 30 delete: 365 index_sorting: False index_template: index_patterns: - so-idh-* template: mappings: dynamic_templates: - strings_as_keyword: mapping: ignore_above: 1024 type: keyword match_mapping_type: string date_detection: false settings: index: mapping: total_fields: limit: 5000 sort: field: "@timestamp" order: desc refresh_interval: 30s number_of_shards: 1 number_of_replicas: 0 composed_of: - agent-mappings - dtc-agent-mappings - base-mappings - dtc-base-mappings - client-mappings - dtc-client-mappings - container-mappings - destination-mappings - dtc-destination-mappings - pb-override-destination-mappings - dll-mappings - dns-mappings - dtc-dns-mappings - ecs-mappings - dtc-ecs-mappings - error-mappings - event-mappings - dtc-event-mappings - file-mappings - dtc-file-mappings - group-mappings - host-mappings - dtc-host-mappings - http-mappings - dtc-http-mappings - log-mappings - network-mappings - dtc-network-mappings - observer-mappings - dtc-observer-mappings - organization-mappings - package-mappings - process-mappings - dtc-process-mappings - related-mappings - rule-mappings - dtc-rule-mappings - server-mappings - service-mappings - dtc-service-mappings - source-mappings - dtc-source-mappings - pb-override-source-mappings - threat-mappings - tls-mappings - url-mappings - user_agent-mappings - dtc-user_agent-mappings - common-settings - common-dynamic-mappings priority: 500 so-suricata: index_sorting: False index_template: data_stream: {} index_patterns: - logs-suricata-so* template: mappings: dynamic_templates: - 
strings_as_keyword: mapping: ignore_above: 1024 type: keyword match_mapping_type: string date_detection: false settings: index: lifecycle: name: so-suricata-logs mapping: total_fields: limit: 5000 sort: field: "@timestamp" order: desc refresh_interval: 30s number_of_shards: 1 number_of_replicas: 0 composed_of: - agent-mappings - dtc-agent-mappings - base-mappings - dtc-base-mappings - client-mappings - dtc-client-mappings - cloud-mappings - container-mappings - data_stream-mappings - destination-mappings - dtc-destination-mappings - pb-override-destination-mappings - dll-mappings - dns-mappings - dtc-dns-mappings - ecs-mappings - dtc-ecs-mappings - error-mappings - event-mappings - dtc-event-mappings - file-mappings - dtc-file-mappings - group-mappings - host-mappings - dtc-host-mappings - http-mappings - dtc-http-mappings - log-mappings - network-mappings - dtc-network-mappings - observer-mappings - dtc-observer-mappings - orchestrator-mappings - organization-mappings - package-mappings - process-mappings - dtc-process-mappings - registry-mappings - related-mappings - rule-mappings - dtc-rule-mappings - server-mappings - service-mappings - dtc-service-mappings - source-mappings - dtc-source-mappings - pb-override-source-mappings - suricata-mappings - threat-mappings - tls-mappings - tracing-mappings - url-mappings - user_agent-mappings - dtc-user_agent-mappings - vulnerability-mappings - common-settings - common-dynamic-mappings priority: 500 policy: phases: hot: min_age: 0ms actions: set_priority: priority: 100 rollover: max_age: 30d max_primary_shard_size: 50gb cold: min_age: 30d actions: set_priority: priority: 0 delete: min_age: 365d actions: delete: {} so-import: index_sorting: False index_template: data_stream: {} index_patterns: - logs-import-so* template: mappings: dynamic_templates: - strings_as_keyword: mapping: ignore_above: 1024 type: keyword match_mapping_type: string date_detection: false settings: index: lifecycle: name: so-import-logs mapping: 
total_fields: limit: 5000 sort: field: "@timestamp" order: desc refresh_interval: 30s number_of_shards: 1 number_of_replicas: 0 composed_of: - agent-mappings - dtc-agent-mappings - base-mappings - dtc-base-mappings - client-mappings - dtc-client-mappings - cloud-mappings - container-mappings - data_stream-mappings - destination-mappings - dtc-destination-mappings - pb-override-destination-mappings - dll-mappings - dns-mappings - dtc-dns-mappings - ecs-mappings - dtc-ecs-mappings - error-mappings - event-mappings - dtc-event-mappings - file-mappings - dtc-file-mappings - group-mappings - host-mappings - dtc-host-mappings - http-mappings - dtc-http-mappings - log-mappings - network-mappings - dtc-network-mappings - observer-mappings - dtc-observer-mappings - orchestrator-mappings - organization-mappings - package-mappings - process-mappings - dtc-process-mappings - registry-mappings - related-mappings - rule-mappings - dtc-rule-mappings - server-mappings - service-mappings - dtc-service-mappings - source-mappings - dtc-source-mappings - pb-override-source-mappings - threat-mappings - tls-mappings - tracing-mappings - url-mappings - user_agent-mappings - dtc-user_agent-mappings - vulnerability-mappings - common-settings - common-dynamic-mappings - winlog-mappings priority: 500 policy: phases: hot: min_age: 0ms actions: set_priority: priority: 100 rollover: max_age: 30d max_primary_shard_size: 50gb cold: min_age: 30d actions: set_priority: priority: 0 delete: min_age: 365d actions: delete: {} so-kratos: warm: 7 close: 30 delete: 365 index_sorting: False index_template: data_stream: hidden: false allow_custom_routing: false index_patterns: - logs-kratos-so* template: mappings: dynamic_templates: - strings_as_keyword: mapping: ignore_above: 1024 type: keyword match_mapping_type: string date_detection: false settings: index: mapping: total_fields: limit: 5000 sort: field: "@timestamp" order: desc refresh_interval: 30s number_of_shards: 1 number_of_replicas: 0 composed_of: 
- agent-mappings - dtc-agent-mappings - base-mappings - dtc-base-mappings - client-mappings - dtc-client-mappings - container-mappings - destination-mappings - dtc-destination-mappings - pb-override-destination-mappings - dll-mappings - dns-mappings - dtc-dns-mappings - ecs-mappings - dtc-ecs-mappings - error-mappings - event-mappings - dtc-event-mappings - file-mappings - dtc-file-mappings - group-mappings - host-mappings - dtc-host-mappings - http-mappings - dtc-http-mappings - log-mappings - network-mappings - dtc-network-mappings - observer-mappings - dtc-observer-mappings - organization-mappings - package-mappings - process-mappings - dtc-process-mappings - related-mappings - rule-mappings - dtc-rule-mappings - server-mappings - service-mappings - dtc-service-mappings - source-mappings - dtc-source-mappings - pb-override-source-mappings - threat-mappings - tls-mappings - url-mappings - user_agent-mappings - dtc-user_agent-mappings - common-settings - common-dynamic-mappings priority: 500 policy: phases: hot: min_age: 0ms actions: set_priority: priority: 100 rollover: max_age: 30d max_primary_shard_size: 50gb cold: min_age: 30d actions: set_priority: priority: 0 delete: min_age: 365d actions: delete: {} so-logstash: index_sorting: False index_template: index_patterns: - logs-logstash-default* template: mappings: dynamic_templates: - strings_as_keyword: mapping: ignore_above: 1024 type: keyword match_mapping_type: string date_detection: false settings: index: lifecycle: name: so-logstash-logs mapping: total_fields: limit: 5000 sort: field: "@timestamp" order: desc refresh_interval: 30s number_of_shards: 1 number_of_replicas: 0 composed_of: - agent-mappings - dtc-agent-mappings - base-mappings - dtc-base-mappings - client-mappings - dtc-client-mappings - cloud-mappings - container-mappings - data_stream-mappings - destination-mappings - dtc-destination-mappings - pb-override-destination-mappings - dll-mappings - dns-mappings - dtc-dns-mappings - ecs-mappings - 
dtc-ecs-mappings - error-mappings - event-mappings - dtc-event-mappings - file-mappings - dtc-file-mappings - group-mappings - host-mappings - dtc-host-mappings - http-mappings - dtc-http-mappings - log-mappings - logstash-mappings - network-mappings - dtc-network-mappings - observer-mappings - dtc-observer-mappings - orchestrator-mappings - organization-mappings - package-mappings - process-mappings - dtc-process-mappings - registry-mappings - related-mappings - rule-mappings - dtc-rule-mappings - server-mappings - service-mappings - dtc-service-mappings - source-mappings - dtc-source-mappings - pb-override-source-mappings - threat-mappings - tls-mappings - tracing-mappings - url-mappings - user_agent-mappings - dtc-user_agent-mappings - vulnerability-mappings - common-settings - common-dynamic-mappings priority: 500 policy: phases: hot: min_age: 0ms actions: set_priority: priority: 100 rollover: max_age: 30d max_primary_shard_size: 50gb cold: min_age: 30d actions: set_priority: priority: 0 delete: min_age: 365d actions: delete: {} so-redis: index_sorting: False index_template: index_patterns: - logs-redis-default* template: mappings: dynamic_templates: - strings_as_keyword: mapping: ignore_above: 1024 type: keyword match_mapping_type: string date_detection: false settings: index: lifecycle: name: so-redis-logs mapping: total_fields: limit: 5000 sort: field: "@timestamp" order: desc refresh_interval: 30s number_of_shards: 1 number_of_replicas: 0 composed_of: - agent-mappings - dtc-agent-mappings - base-mappings - dtc-base-mappings - client-mappings - dtc-client-mappings - cloud-mappings - container-mappings - data_stream-mappings - destination-mappings - dtc-destination-mappings - pb-override-destination-mappings - dll-mappings - dns-mappings - dtc-dns-mappings - ecs-mappings - dtc-ecs-mappings - error-mappings - event-mappings - dtc-event-mappings - file-mappings - dtc-file-mappings - group-mappings - host-mappings - dtc-host-mappings - http-mappings - 
dtc-http-mappings - log-mappings - network-mappings - dtc-network-mappings - observer-mappings - dtc-observer-mappings - orchestrator-mappings - organization-mappings - package-mappings - process-mappings - dtc-process-mappings - redis-mappings - registry-mappings - related-mappings - rule-mappings - dtc-rule-mappings - server-mappings - service-mappings - dtc-service-mappings - source-mappings - dtc-source-mappings - pb-override-source-mappings - threat-mappings - tls-mappings - tracing-mappings - url-mappings - user_agent-mappings - dtc-user_agent-mappings - vulnerability-mappings - common-settings - common-dynamic-mappings priority: 500 policy: phases: hot: min_age: 0ms actions: set_priority: priority: 100 rollover: max_age: 30d max_primary_shard_size: 50gb cold: min_age: 30d actions: set_priority: priority: 0 delete: min_age: 365d actions: delete: {} so-strelka: index_sorting: False index_template: data_stream: {} index_patterns: - logs-strelka-so* template: mappings: dynamic_templates: - strings_as_keyword: mapping: ignore_above: 1024 type: keyword match_mapping_type: string date_detection: false settings: index: mapping: total_fields: limit: 5000 sort: field: "@timestamp" order: desc refresh_interval: 30s number_of_shards: 1 number_of_replicas: 0 composed_of: - agent-mappings - dtc-agent-mappings - base-mappings - dtc-base-mappings - client-mappings - dtc-client-mappings - cloud-mappings - container-mappings - data_stream-mappings - destination-mappings - dtc-destination-mappings - pb-override-destination-mappings - dll-mappings - dns-mappings - dtc-dns-mappings - ecs-mappings - dtc-ecs-mappings - error-mappings - event-mappings - dtc-event-mappings - file-mappings - dtc-file-mappings - so-file-mappings - group-mappings - host-mappings - dtc-host-mappings - http-mappings - dtc-http-mappings - log-mappings - network-mappings - dtc-network-mappings - observer-mappings - dtc-observer-mappings - orchestrator-mappings - organization-mappings - package-mappings - 
process-mappings - dtc-process-mappings - registry-mappings - related-mappings - rule-mappings - dtc-rule-mappings - server-mappings - service-mappings - dtc-service-mappings - so-scan-mappings - source-mappings - dtc-source-mappings - pb-override-source-mappings - threat-mappings - tls-mappings - tracing-mappings - url-mappings - user_agent-mappings - dtc-user_agent-mappings - vulnerability-mappings - common-settings - common-dynamic-mappings priority: 500 policy: phases: hot: min_age: 0ms actions: set_priority: priority: 100 rollover: max_age: 30d max_primary_shard_size: 50gb cold: min_age: 30d actions: set_priority: priority: 0 delete: min_age: 365d actions: delete: {} so-syslog: index_sorting: False index_template: index_patterns: - logs-syslog-so* template: mappings: dynamic_templates: - strings_as_keyword: mapping: ignore_above: 1024 type: keyword match_mapping_type: string date_detection: false settings: index: mapping: total_fields: limit: 5000 sort: field: "@timestamp" order: desc refresh_interval: 30s number_of_shards: 1 number_of_replicas: 0 composed_of: - agent-mappings - dtc-agent-mappings - base-mappings - dtc-base-mappings - client-mappings - dtc-client-mappings - cloud-mappings - container-mappings - data_stream-mappings - destination-mappings - dtc-destination-mappings - pb-override-destination-mappings - dll-mappings - dns-mappings - dtc-dns-mappings - ecs-mappings - dtc-ecs-mappings - error-mappings - event-mappings - dtc-event-mappings - file-mappings - dtc-file-mappings - group-mappings - host-mappings - dtc-host-mappings - http-mappings - dtc-http-mappings - log-mappings - network-mappings - dtc-network-mappings - observer-mappings - dtc-observer-mappings - orchestrator-mappings - organization-mappings - package-mappings - process-mappings - dtc-process-mappings - registry-mappings - related-mappings - rule-mappings - dtc-rule-mappings - server-mappings - service-mappings - dtc-service-mappings - source-mappings - dtc-source-mappings - 
pb-override-source-mappings - syslog-mappings - dtc-syslog-mappings - threat-mappings - tls-mappings - tracing-mappings - url-mappings - user_agent-mappings - dtc-user_agent-mappings - vulnerability-mappings - common-settings - common-dynamic-mappings priority: 500 policy: phases: hot: min_age: 0ms actions: set_priority: priority: 100 rollover: max_age: 30d max_primary_shard_size: 50gb cold: min_age: 30d actions: set_priority: priority: 0 delete: min_age: 365d actions: delete: {} so-zeek: index_sorting: False index_template: data_stream: {} index_patterns: - logs-zeek-so* template: mappings: dynamic_templates: - strings_as_keyword: mapping: ignore_above: 1024 type: keyword match_mapping_type: string date_detection: false settings: index: lifecycle: name: so-zeek-logs mapping: total_fields: limit: 5000 sort: field: "@timestamp" order: desc refresh_interval: 30s number_of_shards: 2 number_of_replicas: 0 composed_of: - agent-mappings - dtc-agent-mappings - base-mappings - dtc-base-mappings - client-mappings - dtc-client-mappings - cloud-mappings - container-mappings - data_stream-mappings - destination-mappings - dtc-destination-mappings - pb-override-destination-mappings - dll-mappings - dns-mappings - dtc-dns-mappings - ecs-mappings - dtc-ecs-mappings - error-mappings - event-mappings - dtc-event-mappings - file-mappings - dtc-file-mappings - group-mappings - host-mappings - dtc-host-mappings - http-mappings - dtc-http-mappings - log-mappings - network-mappings - dtc-network-mappings - observer-mappings - dtc-observer-mappings - orchestrator-mappings - organization-mappings - package-mappings - process-mappings - dtc-process-mappings - registry-mappings - related-mappings - rule-mappings - dtc-rule-mappings - server-mappings - service-mappings - dtc-service-mappings - source-mappings - dtc-source-mappings - pb-override-source-mappings - syslog-mappings - dtc-syslog-mappings - threat-mappings - tls-mappings - tracing-mappings - url-mappings - user_agent-mappings - 
dtc-user_agent-mappings - vulnerability-mappings - zeek-mappings - common-settings - common-dynamic-mappings priority: 500 policy: phases: hot: min_age: 0ms actions: set_priority: priority: 100 rollover: max_age: 30d max_primary_shard_size: 50gb cold: min_age: 30d actions: set_priority: priority: 0 delete: min_age: 365d actions: delete: {}