elasticsearch:
  enabled:
    description: Enables or disables the Elasticsearch process. This process provides the log event storage system. WARNING - Disabling this process is unsupported.
    forcedType: bool
    advanced: True
    helpLink: elasticsearch
  version:
    description: "This specifies the version of the following containers: so-elastic-fleet-package-registry, so-elastic-agent, so-elastic-fleet, so-kibana, so-logstash and so-elasticsearch. Modifying this value in the Elasticsearch defaults.yaml will result in catastrophic grid failure."
    readonly: True
    global: True
    advanced: True
  esheap:
    description: Specify the memory heap size in (m)egabytes for Elasticsearch.
    helpLink: elasticsearch
  index_clean:
    description: Determines if indices should be considered for deletion by available disk space in the cluster. Otherwise, indices will only be deleted by the age defined in the ILM settings. This setting only applies to EVAL, STANDALONE, and HEAVY NODE installations. Other installations can only use ILM settings.
    forcedType: bool
    helpLink: elasticsearch
  vm:
    max_map_count:
      description: The maximum number of memory map areas a process may use. Elasticsearch uses a mmapfs directory by default to store its indices. The default operating system limits on mmap counts could be too low, which may result in out of memory exceptions.
      forcedType: int
      helpLink: elasticsearch
  retention:
    retention_pct:
      description: Total percentage of space used by Elasticsearch for multi-node clusters.
      helpLink: elasticsearch
      global: True
  config:
    cluster:
      name:
        description: The name of the Security Onion Elasticsearch cluster, for identification purposes.
        readonly: True
        global: True
        helpLink: elasticsearch
      logsdb:
        enabled:
          description: Enables or disables the Elasticsearch logsdb index mode. When enabled, most logs-* datastreams will convert to logsdb from standard after rolling over.
          forcedType: bool
          global: True
          advanced: True
          helpLink: elasticsearch
      routing:
        allocation:
          disk:
            threshold_enabled:
              description: Specifies whether the Elasticsearch node will monitor the available disk space for low disk space conditions and take action to protect the cluster.
              forcedType: bool
              helpLink: elasticsearch
            watermark:
              low:
                description: The lower percentage of used disk space representing a healthy node.
                helpLink: elasticsearch
              high:
                description: The higher percentage of used disk space representing an unhealthy node.
                helpLink: elasticsearch
              flood_stage:
                description: The max percentage of used disk space that will cause the node to take protective actions, such as blocking incoming events.
                helpLink: elasticsearch
    action:
      destructive_requires_name:
        description: Requires explicit index names when deleting indices. Prevents accidental deletion of indices via wildcard patterns.
        advanced: True
        forcedType: bool
        helpLink: elasticsearch
    script:
      max_compilations_rate:
        description: Max rate of script compilations permitted in the Elasticsearch cluster. Larger values will consume more resources.
        global: True
        helpLink: elasticsearch
    indices:
      id_field_data:
        enabled:
          description: Enables or disables loading of field data on the _id field.
          advanced: True
          forcedType: bool
          helpLink: elasticsearch
      query:
        bool:
          max_clause_count:
            description: Max number of boolean clauses per query.
            global: True
            helpLink: elasticsearch
    xpack:
      ml:
        enabled:
          description: Enables or disables machine learning on the node.
          forcedType: bool
          advanced: True
          helpLink: elasticsearch
      security:
        enabled:
          description: Enables or disables Elasticsearch security features.
          forcedType: bool
          advanced: True
          helpLink: elasticsearch
        authc:
          anonymous:
            authz_exception:
              description: Controls whether an authorization exception is thrown when the anonymous user does not have the required privileges.
              advanced: True
              forcedType: bool
              helpLink: elasticsearch
        http:
          ssl:
            enabled:
              description: Enables or disables TLS/SSL for the HTTP layer.
              advanced: True
              forcedType: bool
              helpLink: elasticsearch
        transport:
          ssl:
            enabled:
              description: Enables or disables TLS/SSL for the transport layer.
              advanced: True
              forcedType: bool
              helpLink: elasticsearch
  pipelines:
    custom001: &pipelines
      description:
        description: Description of the ingest node pipeline.
        global: True
        advanced: True
        helpLink: elasticsearch
      processors:
        description: Processors for the ingest node pipeline.
        global: True
        advanced: True
        multiline: True
        helpLink: elasticsearch
    custom002: *pipelines
    custom003: *pipelines
    custom004: *pipelines
    custom005: *pipelines
    custom006: *pipelines
    custom007: *pipelines
    custom008: *pipelines
    custom009: *pipelines
    custom010: *pipelines
  index_settings:
    global_overrides:
      index_template:
        template:
          settings:
            index:
              number_of_replicas:
                description: Number of replicas required for all indices. Multiple replicas protect against data loss, but also increase storage costs. This setting will be applied to all indices.
                forcedType: int
                global: True
                helpLink: elasticsearch
              refresh_interval:
                description: Seconds between index refreshes. Shorter intervals can cause query performance to suffer since this is a synchronous and resource-intensive operation.
                global: True
                helpLink: elasticsearch
              number_of_shards:
                description: Number of shards required for this index. Using multiple shards increases fault tolerance, but also increases storage and network costs.
                global: True
                helpLink: elasticsearch
              sort:
                field:
                  description: The field to sort by. Must set index_sorting to True.
                  global: True
                  helpLink: elasticsearch
                order:
                  description: The order to sort by. Must set index_sorting to True.
                  global: True
                  helpLink: elasticsearch
      policy:
        phases:
          hot:
            actions:
              set_priority:
                priority:
                  description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
                  forcedType: int
                  global: True
                  helpLink: elasticsearch
              rollover:
                max_age:
                  description: Maximum age of index. Once an index reaches this limit, it will be rolled over into a new index.
                  global: True
                  helpLink: elasticsearch
                max_primary_shard_size:
                  description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index.
                  global: True
                  helpLink: elasticsearch
              shrink:
                method:
                  description: Shrink the index to a new index with fewer primary shards. Shrink operation is by count or size.
                  options:
                    - COUNT
                    - SIZE
                  global: True
                  advanced: True
                  forcedType: string
                number_of_shards:
                  title: shard count
                  description: Desired shard count. Note that this value is only used when the shrink method selected is 'COUNT'.
                  global: True
                  forcedType: int
                  advanced: True
                max_primary_shard_size:
                  title: max shard size
                  description: Desired shard size in gb/tb/pb, e.g. 100gb. Note that this value is only used when the shrink method selected is 'SIZE'.
                  regex: ^[0-9]+(?:gb|tb|pb)$
                  global: True
                  forcedType: string
                  advanced: True
                allow_write_after_shrink:
                  description: Allow writes after shrink.
                  global: True
                  forcedType: bool
                  default: False
                  advanced: True
              forcemerge:
                max_num_segments:
                  description: Reduce the number of segments in each index shard and clean up deleted documents.
                  global: True
                  forcedType: int
                  advanced: True
                index_codec:
                  title: compression
                  description: Use higher compression for stored fields at the cost of slower performance.
                  forcedType: bool
                  global: True
                  default: False
                  advanced: True
          cold:
            min_age:
              description: Minimum age of index, e.g. 60d. This determines when the index should be moved to the cold tier. While still searchable, this tier is typically optimized for lower storage costs rather than search speed. It’s important to note that this is calculated relative to the rollover date (NOT the original creation date of the index). For example, if you have an index that is set to rollover after 30 days and cold min_age set to 60 then there will be 30 days from index creation to rollover and then an additional 60 days before moving to cold tier.
              regex: ^[0-9]{1,5}d$
              forcedType: string
              global: True
              helpLink: elasticsearch
            actions:
              set_priority:
                priority:
                  description: Used for index recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
                  global: True
                  helpLink: elasticsearch
              allocate:
                number_of_replicas:
                  description: Set the number of replicas. Remains the same as the previous phase by default.
                  forcedType: int
                  global: True
                  advanced: True
          warm:
            min_age:
              description: Minimum age of index, e.g. 30d. This determines when the index should be moved to the warm tier. Nodes in the warm tier generally don’t need to be as fast as those in the hot tier. It’s important to note that this is calculated relative to the rollover date (NOT the original creation date of the index). For example, if you have an index that is set to rollover after 30 days and warm min_age set to 30 then there will be 30 days from index creation to rollover and then an additional 30 days before moving to warm tier.
              regex: ^[0-9]{1,5}d$
              forcedType: string
              global: True
              helpLink: elasticsearch
            actions:
              set_priority:
                priority:
                  description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
                  forcedType: int
                  global: True
                  helpLink: elasticsearch
              shrink:
                method:
                  description: Shrink the index to a new index with fewer primary shards. Shrink operation is by count or size.
                  options:
                    - COUNT
                    - SIZE
                  global: True
                  advanced: True
                number_of_shards:
                  title: shard count
                  description: Desired shard count. Note that this value is only used when the shrink method selected is 'COUNT'.
                  global: True
                  forcedType: int
                  advanced: True
                max_primary_shard_size:
                  title: max shard size
                  description: Desired shard size in gb/tb/pb, e.g. 100gb. Note that this value is only used when the shrink method selected is 'SIZE'.
                  regex: ^[0-9]+(?:gb|tb|pb)$
                  global: True
                  forcedType: string
                  advanced: True
                allow_write_after_shrink:
                  description: Allow writes after shrink.
                  global: True
                  forcedType: bool
                  default: False
                  advanced: True
              forcemerge:
                max_num_segments:
                  description: Reduce the number of segments in each index shard and clean up deleted documents.
                  global: True
                  forcedType: int
                  advanced: True
                index_codec:
                  title: compression
                  description: Use higher compression for stored fields at the cost of slower performance.
                  forcedType: bool
                  global: True
                  default: False
                  advanced: True
              allocate:
                number_of_replicas:
                  description: Set the number of replicas. Remains the same as the previous phase by default.
                  forcedType: int
                  global: True
                  advanced: True
          delete:
            min_age:
              description: Minimum age of index, e.g. 90d. This determines when the index should be deleted. It’s important to note that this is calculated relative to the rollover date (NOT the original creation date of the index). For example, if you have an index that is set to rollover after 30 days and delete min_age set to 90 then there will be 30 days from index creation to rollover and then an additional 90 days before deletion.
              regex: ^[0-9]{1,5}d$
              forcedType: string
              global: True
              helpLink: elasticsearch
    so-logs: &indexSettings
      index_sorting:
        description: Sorts the index by event time, at the cost of additional processing resource consumption.
        forcedType: bool
        global: True
        advanced: True
        helpLink: elasticsearch
      index_template:
        index_patterns:
          description: Patterns for matching multiple indices or tables.
          forcedType: "[]string"
          multiline: True
          global: True
          advanced: True
          helpLink: elasticsearch
        template:
          settings:
            index:
              number_of_replicas:
                description: Number of replicas required for this index. Multiple replicas protect against data loss, but also increase storage costs.
                forcedType: int
                global: True
                advanced: True
                helpLink: elasticsearch
              mapping:
                total_fields:
                  limit:
                    description: Max number of fields that can exist on a single index. Larger values will consume more resources.
                    global: True
                    advanced: True
                    helpLink: elasticsearch
              refresh_interval:
                description: Seconds between index refreshes. Shorter intervals can cause query performance to suffer since this is a synchronous and resource-intensive operation.
                global: True
                advanced: True
                helpLink: elasticsearch
              number_of_shards:
                description: Number of shards required for this index. Using multiple shards increases fault tolerance, but also increases storage and network costs.
                global: True
                advanced: True
                helpLink: elasticsearch
              sort:
                field:
                  description: The field to sort by. Must set index_sorting to True.
                  global: True
                  advanced: True
                  helpLink: elasticsearch
                order:
                  description: The order to sort by. Must set index_sorting to True.
                  global: True
                  advanced: True
                  helpLink: elasticsearch
          mappings:
            _meta:
              package:
                name:
                  description: Meta settings for the mapping.
                  global: True
                  advanced: True
                  helpLink: elasticsearch
              managed_by:
                description: Meta settings for the mapping.
                global: True
                advanced: True
                helpLink: elasticsearch
              managed:
                description: Meta settings for the mapping.
                forcedType: bool
                global: True
                advanced: True
                helpLink: elasticsearch
        composed_of:
          description: The index template is composed of these component templates.
          forcedType: "[]string"
          global: True
          advanced: True
          helpLink: elasticsearch
        priority:
          description: The priority of the index template.
          forcedType: int
          global: True
          advanced: True
          helpLink: elasticsearch
        data_stream:
          hidden:
            description: Hide the data stream.
            forcedType: bool
            global: True
            advanced: True
            helpLink: elasticsearch
          allow_custom_routing:
            description: Allow custom routing for the data stream.
            forcedType: bool
            global: True
            advanced: True
            helpLink: elasticsearch
      policy:
        phases:
          hot:
            min_age:
              description: Minimum age of index. This determines when the index should be moved to the hot tier.
              global: True
              advanced: True
              helpLink: elasticsearch
            actions:
              set_priority:
                priority:
                  description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
                  forcedType: int
                  global: True
                  advanced: True
                  helpLink: elasticsearch
              rollover:
                max_age:
                  description: Maximum age of index. Once an index reaches this limit, it will be rolled over into a new index.
                  global: True
                  advanced: True
                  helpLink: elasticsearch
                max_primary_shard_size:
                  description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index.
                  global: True
                  advanced: True
                  helpLink: elasticsearch
              shrink:
                method:
                  description: Shrink the index to a new index with fewer primary shards. Shrink operation is by count or size.
                  options:
                    - COUNT
                    - SIZE
                  global: True
                  advanced: True
                  forcedType: string
                number_of_shards:
                  title: shard count
                  description: Desired shard count. Note that this value is only used when the shrink method selected is 'COUNT'.
                  global: True
                  forcedType: int
                  advanced: True
                max_primary_shard_size:
                  title: max shard size
                  description: Desired shard size in gb/tb/pb, e.g. 100gb. Note that this value is only used when the shrink method selected is 'SIZE'.
                  regex: ^[0-9]+(?:gb|tb|pb)$
                  global: True
                  forcedType: string
                  advanced: True
                allow_write_after_shrink:
                  description: Allow writes after shrink.
                  global: True
                  forcedType: bool
                  default: False
                  advanced: True
              forcemerge:
                max_num_segments:
                  description: Reduce the number of segments in each index shard and clean up deleted documents.
                  global: True
                  forcedType: int
                  advanced: True
                index_codec:
                  title: compression
                  description: Use higher compression for stored fields at the cost of slower performance.
                  forcedType: bool
                  global: True
                  default: False
                  advanced: True
          warm:
            min_age:
              description: Minimum age of index, e.g. 30d. This determines when the index should be moved to the warm tier. Nodes in the warm tier generally don’t need to be as fast as those in the hot tier. It’s important to note that this is calculated relative to the rollover date (NOT the original creation date of the index). For example, if you have an index that is set to rollover after 30 days and warm min_age set to 30 then there will be 30 days from index creation to rollover and then an additional 30 days before moving to warm tier.
              regex: ^[0-9]{1,5}d$
              forcedType: string
              global: True
              advanced: True
              helpLink: elasticsearch
            actions:
              set_priority:
                priority:
                  description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
                  forcedType: int
                  global: True
                  advanced: True
                  helpLink: elasticsearch
              rollover:
                max_age:
                  description: Maximum age of index. Once an index reaches this limit, it will be rolled over into a new index.
                  global: True
                  advanced: True
                  helpLink: elasticsearch
                max_primary_shard_size:
                  description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index.
                  global: True
                  advanced: True
                  helpLink: elasticsearch
              shrink:
                method:
                  description: Shrink the index to a new index with fewer primary shards. Shrink operation is by count or size.
                  options:
                    - COUNT
                    - SIZE
                  global: True
                  advanced: True
                number_of_shards:
                  title: shard count
                  description: Desired shard count. Note that this value is only used when the shrink method selected is 'COUNT'.
                  global: True
                  forcedType: int
                  advanced: True
                max_primary_shard_size:
                  title: max shard size
                  description: Desired shard size in gb/tb/pb, e.g. 100gb. Note that this value is only used when the shrink method selected is 'SIZE'.
                  regex: ^[0-9]+(?:gb|tb|pb)$
                  global: True
                  forcedType: string
                  advanced: True
                allow_write_after_shrink:
                  description: Allow writes after shrink.
                  global: True
                  forcedType: bool
                  default: False
                  advanced: True
              forcemerge:
                max_num_segments:
                  description: Reduce the number of segments in each index shard and clean up deleted documents.
                  global: True
                  forcedType: int
                  advanced: True
                index_codec:
                  title: compression
                  description: Use higher compression for stored fields at the cost of slower performance.
                  forcedType: bool
                  global: True
                  default: False
                  advanced: True
              allocate:
                number_of_replicas:
                  description: Set the number of replicas. Remains the same as the previous phase by default.
                  forcedType: int
                  global: True
                  advanced: True
          cold:
            min_age:
              description: Minimum age of index, e.g. 60d. This determines when the index should be moved to the cold tier. While still searchable, this tier is typically optimized for lower storage costs rather than search speed. It’s important to note that this is calculated relative to the rollover date (NOT the original creation date of the index). For example, if you have an index that is set to rollover after 30 days and cold min_age set to 60 then there will be 30 days from index creation to rollover and then an additional 60 days before moving to cold tier.
              regex: ^[0-9]{1,5}d$
              forcedType: string
              global: True
              advanced: True
              helpLink: elasticsearch
            actions:
              set_priority:
                priority:
                  description: Used for index recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
                  forcedType: int
                  global: True
                  advanced: True
                  helpLink: elasticsearch
              allocate:
                number_of_replicas:
                  description: Set the number of replicas. Remains the same as the previous phase by default.
                  forcedType: int
                  global: True
                  advanced: True
          delete:
            min_age:
              description: Minimum age of index, e.g. 90d. This determines when the index should be deleted. It’s important to note that this is calculated relative to the rollover date (NOT the original creation date of the index). For example, if you have an index that is set to rollover after 30 days and delete min_age set to 90 then there will be 30 days from index creation to rollover and then an additional 90 days before deletion.
              regex: ^[0-9]{1,5}d$
              forcedType: string
              global: True
              advanced: True
              helpLink: elasticsearch
        _meta:
          package:
            name:
              description: Meta settings for the mapping.
              global: True
              advanced: True
              helpLink: elasticsearch
          managed_by:
            description: Meta settings for the mapping.
            global: True
            advanced: True
            helpLink: elasticsearch
          managed:
            description: Meta settings for the mapping.
            forcedType: bool
            global: True
            advanced: True
            helpLink: elasticsearch
    so-logs-system_x_auth: *indexSettings
    so-logs-system_x_syslog: *indexSettings
    so-logs-system_x_system: *indexSettings
    so-logs-system_x_application: *indexSettings
    so-logs-system_x_security: *indexSettings
    so-logs-windows_x_forwarded: *indexSettings
    so-logs-windows_x_powershell: *indexSettings
    so-logs-windows_x_powershell_operational: *indexSettings
    so-logs-windows_x_sysmon_operational: *indexSettings
    so-logs-winlog_x_winlog: *indexSettings
    so-logs-detections_x_alerts: *indexSettings
    so-logs-http_endpoint_x_generic: *indexSettings
    so-logs-httpjson_x_generic: *indexSettings
    so-logs-osquery-manager-actions: *indexSettings
    so-logs-osquery-manager-action_x_responses: *indexSettings
    so-logs-osquery-manager_x_action_x_responses: *indexSettings
    so-logs-osquery-manager_x_result: *indexSettings
    so-logs-elastic_agent_x_apm_server: *indexSettings
    so-logs-elastic_agent_x_auditbeat: *indexSettings
    so-logs-elastic_agent_x_cloudbeat: *indexSettings
    so-logs-elastic_agent_x_endpoint_security: *indexSettings
    so-logs-endpoint_x_alerts: *indexSettings
    so-logs-endpoint_x_events_x_api: *indexSettings
    so-logs-endpoint_x_events_x_file: *indexSettings
    so-logs-endpoint_x_events_x_library: *indexSettings
    so-logs-endpoint_x_events_x_network: *indexSettings
    so-logs-endpoint_x_events_x_process: *indexSettings
    so-logs-endpoint_x_events_x_registry: *indexSettings
    so-logs-endpoint_x_events_x_security: *indexSettings
    so-logs-elastic_agent_x_filebeat: *indexSettings
    so-logs-elastic_agent_x_fleet_server: *indexSettings
    so-logs-elastic_agent_x_heartbeat: *indexSettings
    so-logs-elastic_agent: *indexSettings
    so-logs-elastic_agent_x_metricbeat: *indexSettings
    so-logs-elastic_agent_x_osquerybeat: *indexSettings
    so-logs-elastic_agent_x_packetbeat: *indexSettings
    so-logs-elasticsearch_x_server: *indexSettings
    so-metrics-endpoint_x_metadata: *indexSettings
    so-metrics-endpoint_x_metrics: *indexSettings
    so-metrics-endpoint_x_policy: *indexSettings
    so-metrics-nginx_x_stubstatus: *indexSettings
    so-metrics-vsphere_x_datastore: *indexSettings
    so-metrics-vsphere_x_host: *indexSettings
    so-metrics-vsphere_x_virtualmachine: *indexSettings
    so-case: *indexSettings
    so-common: *indexSettings
    so-endgame: *indexSettings
    so-idh: *indexSettings
    so-suricata: *indexSettings
    so-suricata_x_alerts: *indexSettings
    so-import: *indexSettings
    so-kratos: *indexSettings
    so-hydra: *indexSettings
    so-kismet: *indexSettings
    so-logstash: *indexSettings
    so-redis: *indexSettings
    so-strelka: *indexSettings
    so-syslog: *indexSettings
    so-zeek: *indexSettings
    so-metrics-fleet_server_x_agent_status: &fleetMetricsSettings
      index_sorting:
        description: Sorts the index by event time, at the cost of additional processing resource consumption.
        forcedType: bool
        advanced: True
        readonly: True
        helpLink: elasticsearch
      index_template:
        ignore_missing_component_templates:
          description: Ignore component templates if they aren't in Elasticsearch.
          advanced: True
          readonly: True
          helpLink: elasticsearch
        index_patterns:
          description: Patterns for matching multiple indices or tables.
          advanced: True
          readonly: True
          helpLink: elasticsearch
        template:
          settings:
            index:
              mode:
                description: Type of mode used for this index. Time series indices can be used for metrics to reduce necessary storage.
                advanced: True
                readonly: True
                helpLink: elasticsearch
              number_of_replicas:
                description: Number of replicas required for this index. Multiple replicas protect against data loss, but also increase storage costs.
                advanced: True
                readonly: True
                helpLink: elasticsearch
        composed_of:
          description: The index template is composed of these component templates.
          advanced: True
          readonly: True
          helpLink: elasticsearch
        priority:
          description: The priority of the index template.
          advanced: True
          readonly: True
          helpLink: elasticsearch
        data_stream:
          hidden:
            description: Hide the data stream.
            forcedType: bool
            advanced: True
            readonly: True
            helpLink: elasticsearch
          allow_custom_routing:
            description: Allow custom routing for the data stream.
            forcedType: bool
            advanced: True
            readonly: True
            helpLink: elasticsearch
    so-metrics-fleet_server_x_agent_versions: *fleetMetricsSettings
  so_roles:
    so-manager: &soroleSettings
      config:
        node:
          roles:
            description: List of Elasticsearch roles that the node should have. Blank assumes all roles.
            forcedType: "[]string"
            global: False
            advanced: True
            helpLink: elasticsearch
    so-managersearch: *soroleSettings
    so-standalone: *soroleSettings
    so-searchnode: *soroleSettings
    so-heavynode: *soroleSettings
    so-eval: *soroleSettings
    so-import: *soroleSettings