{ "template": { "settings": { "index": { "lifecycle": { "name": "logs" }, "codec": "best_compression", "default_pipeline": "logs-system.syslog-1.6.4", "mapping": { "total_fields": { "limit": "10000" } }, "query": { "default_field": [ "cloud.account.id", "cloud.availability_zone", "cloud.instance.id", "cloud.instance.name", "cloud.machine.type", "cloud.provider", "cloud.region", "cloud.project.id", "cloud.image.id", "container.id", "container.image.name", "container.name", "host.architecture", "host.hostname", "host.id", "host.mac", "host.name", "host.os.family", "host.os.kernel", "host.os.name", "host.os.platform", "host.os.version", "host.os.build", "host.os.codename", "host.os.full", "host.type", "event.action", "event.category", "event.code", "event.kind", "event.outcome", "event.provider", "event.type", "ecs.version", "message", "process.name" ] } } }, "mappings": { "dynamic_templates": [ { "container.labels": { "path_match": "container.labels.*", "mapping": { "type": "keyword" }, "match_mapping_type": "string" } } ], "properties": { "cloud": { "properties": { "availability_zone": { "ignore_above": 1024, "type": "keyword" }, "image": { "properties": { "id": { "ignore_above": 1024, "type": "keyword" } } }, "instance": { "properties": { "name": { "ignore_above": 1024, "type": "keyword" }, "id": { "ignore_above": 1024, "type": "keyword" } } }, "provider": { "ignore_above": 1024, "type": "keyword" }, "machine": { "properties": { "type": { "ignore_above": 1024, "type": "keyword" } } }, "project": { "properties": { "id": { "ignore_above": 1024, "type": "keyword" } } }, "region": { "ignore_above": 1024, "type": "keyword" }, "account": { "properties": { "id": { "ignore_above": 1024, "type": "keyword" } } } } }, "container": { "properties": { "image": { "properties": { "name": { "ignore_above": 1024, "type": "keyword" } } }, "name": { "ignore_above": 1024, "type": "keyword" }, "id": { "ignore_above": 1024, "type": "keyword" } } }, "process": { "properties": { "name": { "ignore_above": 1024, "type": "keyword" }, "pid": { "type": "long" } } }, "@timestamp": { "type": "date" }, "ecs": { "properties": { "version": { "ignore_above": 1024, "type": "keyword" } } }, "data_stream": { "properties": { "namespace": { "type": "constant_keyword" }, "type": { "type": "constant_keyword", "value": "logs" }, "dataset": { "type": "constant_keyword" } } }, "host": { "properties": { "hostname": { "ignore_above": 1024, "type": "keyword" }, "os": { "properties": { "build": { "ignore_above": 1024, "type": "keyword" }, "kernel": { "ignore_above": 1024, "type": "keyword" }, "codename": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "type": "keyword", "fields": { "text": { "type": "text" } } }, "family": { "ignore_above": 1024, "type": "keyword" }, "version": { "ignore_above": 1024, "type": "keyword" }, "platform": { "ignore_above": 1024, "type": "keyword" }, "full": { "ignore_above": 1024, "type": "keyword" } } }, "domain": { "ignore_above": 1024, "type": "keyword" }, "ip": { "type": "ip" }, "containerized": { "type": "boolean" }, "name": { "ignore_above": 1024, "type": "keyword" }, "id": { "ignore_above": 1024, "type": "keyword" }, "type": { "ignore_above": 1024, "type": "keyword" }, "mac": { "ignore_above": 1024, "type": "keyword" }, "architecture": { "ignore_above": 1024, "type": "keyword" } } }, "event": { "properties": { "sequence": { "type": "long" }, "ingested": { "type": "date" }, "code": { "ignore_above": 1024, "type": "keyword" }, "provider": { "ignore_above": 1024, "type": "keyword" }, "created": { "type": "date" }, "kind": { "ignore_above": 1024, "type": "keyword" }, "module": { "type": "constant_keyword", "value": "system" }, "action": { "ignore_above": 1024, "type": "keyword" }, "category": { "ignore_above": 1024, "type": "keyword" }, "type": { "ignore_above": 1024, "type": "keyword" }, "dataset": { "type": "constant_keyword", "value": "system.syslog" }, "outcome": { "ignore_above": 1024, "type": "keyword" } } }, "message": { "type": "match_only_text" } } } }, "_meta": { "package": { "name": "system" }, "managed_by": "fleet", "managed": true } }