{ "template": { "settings": { "index": { "lifecycle": { "name": "logs" }, "codec": "best_compression", "default_pipeline": "logs-system.system-1.6.4", "mapping": { "total_fields": { "limit": "10000" } }, "query": { "default_field": [ "cloud.account.id", "cloud.availability_zone", "cloud.instance.id", "cloud.instance.name", "cloud.machine.type", "cloud.provider", "cloud.region", "cloud.project.id", "cloud.image.id", "container.id", "container.image.name", "container.name", "host.architecture", "host.hostname", "host.id", "host.mac", "host.name", "host.os.family", "host.os.kernel", "host.os.name", "host.os.platform", "host.os.version", "host.os.build", "host.os.codename", "host.type", "event.action", "event.category", "event.code", "event.kind", "event.original", "event.outcome", "event.provider", "event.type", "error.message", "message", "winlog.api", "winlog.activity_id", "winlog.computer_name", "winlog.event_data.AuthenticationPackageName", "winlog.event_data.Binary", "winlog.event_data.BitlockerUserInputTime", "winlog.event_data.BootMode", "winlog.event_data.BootType", "winlog.event_data.BuildVersion", "winlog.event_data.Company", "winlog.event_data.CorruptionActionState", "winlog.event_data.CreationUtcTime", "winlog.event_data.Description", "winlog.event_data.Detail", "winlog.event_data.DeviceName", "winlog.event_data.DeviceNameLength", "winlog.event_data.DeviceTime", "winlog.event_data.DeviceVersionMajor", "winlog.event_data.DeviceVersionMinor", "winlog.event_data.DriveName", "winlog.event_data.DriverName", "winlog.event_data.DriverNameLength", "winlog.event_data.DwordVal", "winlog.event_data.EntryCount", "winlog.event_data.ExtraInfo", "winlog.event_data.FailureName", "winlog.event_data.FailureNameLength", "winlog.event_data.FileVersion", "winlog.event_data.FinalStatus", "winlog.event_data.Group", "winlog.event_data.IdleImplementation", "winlog.event_data.IdleStateCount", "winlog.event_data.ImpersonationLevel", "winlog.event_data.IntegrityLevel", "winlog.event_data.IpAddress", "winlog.event_data.IpPort", "winlog.event_data.KeyLength", "winlog.event_data.LastBootGood", "winlog.event_data.LastShutdownGood", "winlog.event_data.LmPackageName", "winlog.event_data.LogonGuid", "winlog.event_data.LogonId", "winlog.event_data.LogonProcessName", "winlog.event_data.LogonType", "winlog.event_data.MajorVersion", "winlog.event_data.MaximumPerformancePercent", "winlog.event_data.MemberName", "winlog.event_data.MemberSid", "winlog.event_data.MinimumPerformancePercent", "winlog.event_data.MinimumThrottlePercent", "winlog.event_data.MinorVersion", "winlog.event_data.NewProcessId", "winlog.event_data.NewProcessName", "winlog.event_data.NewSchemeGuid", "winlog.event_data.NewTime", "winlog.event_data.NominalFrequency", "winlog.event_data.Number", "winlog.event_data.OldSchemeGuid", "winlog.event_data.OldTime", "winlog.event_data.OriginalFileName", "winlog.event_data.Path", "winlog.event_data.PerformanceImplementation", "winlog.event_data.PreviousCreationUtcTime", "winlog.event_data.PreviousTime", "winlog.event_data.PrivilegeList", "winlog.event_data.ProcessId", "winlog.event_data.ProcessName", "winlog.event_data.ProcessPath", "winlog.event_data.ProcessPid", "winlog.event_data.Product", "winlog.event_data.PuaCount", "winlog.event_data.PuaPolicyId", "winlog.event_data.QfeVersion", "winlog.event_data.Reason", "winlog.event_data.SchemaVersion", "winlog.event_data.ScriptBlockText", "winlog.event_data.ServiceName", "winlog.event_data.ServiceVersion", "winlog.event_data.ShutdownActionType", "winlog.event_data.ShutdownEventCode", "winlog.event_data.ShutdownReason", "winlog.event_data.Signature", "winlog.event_data.SignatureStatus", "winlog.event_data.Signed", "winlog.event_data.StartTime", "winlog.event_data.State", "winlog.event_data.Status", "winlog.event_data.StopTime", "winlog.event_data.SubjectDomainName", "winlog.event_data.SubjectLogonId", "winlog.event_data.SubjectUserName", "winlog.event_data.SubjectUserSid", "winlog.event_data.TSId", "winlog.event_data.TargetDomainName", "winlog.event_data.TargetInfo", "winlog.event_data.TargetLogonGuid", "winlog.event_data.TargetLogonId", "winlog.event_data.TargetServerName", "winlog.event_data.TargetUserName", "winlog.event_data.TargetUserSid", "winlog.event_data.TerminalSessionId", "winlog.event_data.TokenElevationType", "winlog.event_data.TransmittedServices", "winlog.event_data.UserSid", "winlog.event_data.Version", "winlog.event_data.Workstation", "winlog.event_data.param1", "winlog.event_data.param2", "winlog.event_data.param3", "winlog.event_data.param4", "winlog.event_data.param5", "winlog.event_data.param6", "winlog.event_data.param7", "winlog.event_data.param8", "winlog.event_id", "winlog.keywords", "winlog.channel", "winlog.record_id", "winlog.related_activity_id", "winlog.opcode", "winlog.provider_guid", "winlog.provider_name", "winlog.task", "winlog.user.identifier", "winlog.user.name", "winlog.user.domain", "winlog.user.type" ] } } }, "mappings": { "dynamic_templates": [ { "container.labels": { "path_match": "container.labels.*", "mapping": { "type": "keyword" }, "match_mapping_type": "string" } }, { "winlog.user_data": { "path_match": "winlog.user_data.*", "mapping": { "type": "keyword" }, "match_mapping_type": "string" } } ], "properties": { "cloud": { "properties": { "availability_zone": { "ignore_above": 1024, "type": "keyword" }, "image": { "properties": { "id": { "ignore_above": 1024, "type": "keyword" } } }, "instance": { "properties": { "name": { "ignore_above": 1024, "type": "keyword" }, "id": { "ignore_above": 1024, "type": "keyword" } } }, "provider": { "ignore_above": 1024, "type": "keyword" }, "machine": { "properties": { "type": { "ignore_above": 1024, "type": "keyword" } } }, "project": { "properties": { "id": { "ignore_above": 1024, "type": "keyword" } } }, "region": { "ignore_above": 1024, "type": "keyword" }, "account": { "properties": { "id": { "ignore_above": 1024, "type": "keyword" } } } } }, "container": { "properties": { "image": { "properties": { "name": { "ignore_above": 1024, "type": "keyword" } } }, "name": { "ignore_above": 1024, "type": "keyword" }, "id": { "ignore_above": 1024, "type": "keyword" } } }, "@timestamp": { "type": "date" }, "winlog": { "properties": { "related_activity_id": { "ignore_above": 1024, "type": "keyword" }, "computer_name": { "ignore_above": 1024, "type": "keyword" }, "process": { "properties": { "pid": { "type": "long" }, "thread": { "properties": { "id": { "type": "long" } } } } }, "keywords": { "ignore_above": 1024, "type": "keyword" }, "channel": { "ignore_above": 1024, "type": "keyword" }, "event_data": { "properties": { "SignatureStatus": { "ignore_above": 1024, "type": "keyword" }, "DeviceTime": { "ignore_above": 1024, "type": "keyword" }, "ProcessName": { "ignore_above": 1024, "type": "keyword" }, "LogonGuid": { "ignore_above": 1024, "type": "keyword" }, "OriginalFileName": { "ignore_above": 1024, "type": "keyword" }, "BootMode": { "ignore_above": 1024, "type": "keyword" }, "Product": { "ignore_above": 1024, "type": "keyword" }, "TargetLogonGuid": { "ignore_above": 1024, "type": "keyword" }, "FileVersion": { "ignore_above": 1024, "type": "keyword" }, "StopTime": { "ignore_above": 1024, "type": "keyword" }, "Status": { "ignore_above": 1024, "type": "keyword" }, "CorruptionActionState": { "ignore_above": 1024, "type": "keyword" }, "KeyLength": { "ignore_above": 1024, "type": "keyword" }, "PreviousCreationUtcTime": { "ignore_above": 1024, "type": "keyword" }, "TargetInfo": { "ignore_above": 1024, "type": "keyword" }, "ServiceVersion": { "ignore_above": 1024, "type": "keyword" }, "SubjectUserSid": { "ignore_above": 1024, "type": "keyword" }, "PerformanceImplementation": { "ignore_above": 1024, "type": "keyword" }, "TargetUserSid": { "ignore_above": 1024, "type": "keyword" }, "Group": { "ignore_above": 1024, "type": "keyword" }, "Description": { "ignore_above": 1024, "type": "keyword" }, "ShutdownActionType": { "ignore_above": 1024, "type": "keyword" }, "DwordVal": { "ignore_above": 1024, "type": "keyword" }, "ProcessPid": { "ignore_above": 1024, "type": "keyword" }, "DeviceVersionMajor": { "ignore_above": 1024, "type": "keyword" }, "ScriptBlockText": { "ignore_above": 1024, "type": "keyword" }, "TransmittedServices": { "ignore_above": 1024, "type": "keyword" }, "MaximumPerformancePercent": { "ignore_above": 1024, "type": "keyword" }, "NewTime": { "ignore_above": 1024, "type": "keyword" }, "FinalStatus": { "ignore_above": 1024, "type": "keyword" }, "IdleStateCount": { "ignore_above": 1024, "type": "keyword" }, "MajorVersion": { "ignore_above": 1024, "type": "keyword" }, "Path": { "ignore_above": 1024, "type": "keyword" }, "SchemaVersion": { "ignore_above": 1024, "type": "keyword" }, "TokenElevationType": { "ignore_above": 1024, "type": "keyword" }, "MinorVersion": { "ignore_above": 1024, "type": "keyword" }, "SubjectLogonId": { "ignore_above": 1024, "type": "keyword" }, "IdleImplementation": { "ignore_above": 1024, "type": "keyword" }, "ProcessPath": { "ignore_above": 1024, "type": "keyword" }, "QfeVersion": { "ignore_above": 1024, "type": "keyword" }, "DeviceVersionMinor": { "ignore_above": 1024, "type": "keyword" }, "OldTime": { "ignore_above": 1024, "type": "keyword" }, "IpAddress": { "ignore_above": 1024, "type": "keyword" }, "DeviceName": { "ignore_above": 1024, "type": "keyword" }, "Company": { "ignore_above": 1024, "type": "keyword" }, "PuaPolicyId": { "ignore_above": 1024, "type": "keyword" }, "IntegrityLevel": { "ignore_above": 1024, "type": "keyword" }, "LastShutdownGood": { "ignore_above": 1024, "type": "keyword" }, "IpPort": { "ignore_above": 1024, "type": "keyword" }, "DriverNameLength": { "ignore_above": 1024, "type": "keyword" }, "LmPackageName": { "ignore_above": 1024, "type": "keyword" }, "UserSid": { "ignore_above": 1024, "type": "keyword" }, "LastBootGood": { "ignore_above": 1024, "type": "keyword" }, "PuaCount": { "ignore_above": 1024, "type": "keyword" }, "Version": { "ignore_above": 1024, "type": "keyword" }, "Signed": { "ignore_above": 1024, "type": "keyword" }, "StartTime": { "ignore_above": 1024, "type": "keyword" }, "ShutdownEventCode": { "ignore_above": 1024, "type": "keyword" }, "NewProcessName": { "ignore_above": 1024, "type": "keyword" }, "FailureNameLength": { "ignore_above": 1024, "type": "keyword" }, "ServiceName": { "ignore_above": 1024, "type": "keyword" }, "PreviousTime": { "ignore_above": 1024, "type": "keyword" }, "State": { "ignore_above": 1024, "type": "keyword" }, "BootType": { "ignore_above": 1024, "type": "keyword" }, "Binary": { "ignore_above": 1024, "type": "keyword" }, "ImpersonationLevel": { "ignore_above": 1024, "type": "keyword" }, "MemberName": { "ignore_above": 1024, "type": "keyword" }, "TargetUserName": { "ignore_above": 1024, "type": "keyword" }, "Detail": { "ignore_above": 1024, "type": "keyword" }, "TerminalSessionId": { "ignore_above": 1024, "type": "keyword" }, "MemberSid": { "ignore_above": 1024, "type": "keyword" }, "DriverName": { "ignore_above": 1024, "type": "keyword" }, "DeviceNameLength": { "ignore_above": 1024, "type": "keyword" }, "OldSchemeGuid": { "ignore_above": 1024, "type": "keyword" }, "CreationUtcTime": { "ignore_above": 1024, "type": "keyword" }, "Reason": { "ignore_above": 1024, "type": "keyword" }, "ShutdownReason": { "ignore_above": 1024, "type": "keyword" }, "TargetServerName": { "ignore_above": 1024, "type": "keyword" }, "Number": { "ignore_above": 1024, "type": "keyword" }, "BuildVersion": { "ignore_above": 1024, "type": "keyword" }, "SubjectDomainName": { "ignore_above": 1024, "type": "keyword" }, "MinimumPerformancePercent": { "ignore_above": 1024, "type": "keyword" }, "LogonId": { "ignore_above": 1024, "type": "keyword" }, "LogonProcessName": { "ignore_above": 1024, "type": "keyword" }, "TSId": { "ignore_above": 1024, "type": "keyword" }, "TargetDomainName": { "ignore_above": 1024, "type": "keyword" }, "PrivilegeList": { "ignore_above": 1024, "type": "keyword" }, "param7": { "ignore_above": 1024, "type": "keyword" }, "param8": { "ignore_above": 1024, "type": "keyword" }, "param5": { "ignore_above": 1024, "type": "keyword" }, "param6": { "ignore_above": 1024, "type": "keyword" }, "DriveName": { "ignore_above": 1024, "type": "keyword" }, "NewProcessId": { "ignore_above": 1024, "type": "keyword" }, "LogonType": { "ignore_above": 1024, "type": "keyword" }, "ExtraInfo": { "ignore_above": 1024, "type": "keyword" }, "param3": { "ignore_above": 1024, "type": "keyword" }, "param4": { "ignore_above": 1024, "type": "keyword" }, "param1": { "ignore_above": 1024, "type": "keyword" }, "param2": { "ignore_above": 1024, "type": "keyword" }, "TargetLogonId": { "ignore_above": 1024, "type": "keyword" }, "Workstation": { "ignore_above": 1024, "type": "keyword" }, "SubjectUserName": { "ignore_above": 1024, "type": "keyword" }, "FailureName": { "ignore_above": 1024, "type": "keyword" }, "NewSchemeGuid": { "ignore_above": 1024, "type": "keyword" }, "Signature": { "ignore_above": 1024, "type": "keyword" }, "MinimumThrottlePercent": { "ignore_above": 1024, "type": "keyword" }, "ProcessId": { "ignore_above": 1024, "type": "keyword" }, "EntryCount": { "ignore_above": 1024, "type": "keyword" }, "BitlockerUserInputTime": { "ignore_above": 1024, "type": "keyword" }, "AuthenticationPackageName": { "ignore_above": 1024, "type": "keyword" }, "NominalFrequency": { "ignore_above": 1024, "type": "keyword" } } }, "opcode": { "ignore_above": 1024, "type": "keyword" }, "version": { "type": "long" }, "record_id": { "ignore_above": 1024, "type": "keyword" }, "event_id": { "ignore_above": 1024, "type": "keyword" }, "task": { "ignore_above": 1024, "type": "keyword" }, "provider_guid": { "ignore_above": 1024, "type": "keyword" }, "activity_id": { "ignore_above": 1024, "type": "keyword" }, "api": { "ignore_above": 1024, "type": "keyword" }, "provider_name": { "ignore_above": 1024, "type": "keyword" }, "user": { "properties": { "identifier": { "ignore_above": 1024, "type": "keyword" }, "domain": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "type": "keyword" }, "type": { "ignore_above": 1024, "type": "keyword" } } } } }, "data_stream": { "properties": { "namespace": { "type": "constant_keyword" }, "type": { "type": "constant_keyword" }, "dataset": { "type": "constant_keyword" } } }, "host": { "properties": { "hostname": { "ignore_above": 1024, "type": "keyword" }, "os": { "properties": { "build": { "ignore_above": 1024, "type": "keyword" }, "kernel": { "ignore_above": 1024, "type": "keyword" }, "codename": { "ignore_above": 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "type": "keyword", "fields": { "text": { "type": "text" } } }, "family": { "ignore_above": 1024, "type": "keyword" }, "version": { "ignore_above": 1024, "type": "keyword" }, "platform": { "ignore_above": 1024, "type": "keyword" } } }, "domain": { "ignore_above": 1024, "type": "keyword" }, "ip": { "type": "ip" }, "containerized": { "type": "boolean" }, "name": { "ignore_above": 1024, "type": "keyword" }, "id": { "ignore_above": 1024, "type": "keyword" }, "type": { "ignore_above": 1024, "type": "keyword" }, "mac": { "ignore_above": 1024, "type": "keyword" }, "architecture": { "ignore_above": 1024, "type": "keyword" } } }, "event": { "properties": { "code": { "ignore_above": 1024, "type": "keyword" }, "original": { "ignore_above": 1024, "type": "keyword" }, "created": { "type": "date" }, "kind": { "ignore_above": 1024, "type": "keyword" }, "module": { "type": "constant_keyword", "value": "system" }, "type": { "ignore_above": 1024, "type": "keyword" }, "sequence": { "type": "long" }, "ingested": { "type": "date" }, "provider": { "ignore_above": 1024, "type": "keyword" }, "action": { "ignore_above": 1024, "type": "keyword" }, "category": { "ignore_above": 1024, "type": "keyword" }, "dataset": { "type": "constant_keyword", "value": "system.system" }, "outcome": { "ignore_above": 1024, "type": "keyword" } } }, "error": { "properties": { "message": { "type": "match_only_text" } } }, "message": { "type": "match_only_text" } } } }, "_meta": { "package": { "name": "system" }, "managed_by": "fleet", "managed": true } }