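# Default Elasticsearch settings for Security Onion. Salt pillar values override these;
# `config:` is what gets rendered into elasticsearch.yml.
elasticsearch:
  # Off by default; the Salt state enables it on roles that run Elasticsearch.
  enabled: false
  version: 8.18.8
  index_clean: true
  config:
    action:
      # Refuse DELETE on wildcard/_all index names - limits the blast radius of a typo or
      # of a compromised credential that holds delete privileges.
      destructive_requires_name: true
    cluster:
      routing:
        allocation:
          disk:
            threshold_enabled: true
            watermark:
              flood_stage: 90%
              high: 85%
              low: 80%
    indices:
      id_field_data:
        # Disallow aggregations/sorting on _id (memory-hungry, rarely needed).
        enabled: false
    logger:
      org:
        elasticsearch:
          deprecation: ERROR
    network:
      # Listens on every interface; reachability of 9200/9300 therefore depends entirely on
      # the host firewall (presumably SO's firewall state - confirm it restricts both ports).
      host: 0.0.0.0
    node: {}
    path:
      logs: /var/log/elasticsearch
    script:
      # Far above the Elasticsearch default (150/5m); presumably sized for SO's query load -
      # confirm before raising further, as script compilation is CPU-bound.
      max_compilations_rate: 20000/1m
    transport:
      bind_host: 0.0.0.0
      publish_port: 9300
    xpack:
      ml:
        enabled: false
      security:
        authc:
          anonymous:
            # true -> unauthenticated requests get 403 instead of a 401 challenge, so clients
            # must send credentials up front.
            authz_exception: true
            # Empty = the anonymous user can do nothing. Any role added here is granted to
            # every unauthenticated request on the REST port; keep it empty.
            roles: []
            username: _anonymous
        enabled: true
        http:
          ssl:
            certificate: /usr/share/elasticsearch/config/elasticsearch.crt
            certificate_authorities:
              - /usr/share/elasticsearch/config/ca.crt
            # REST clients authenticate with credentials/API keys, not client certificates.
            client_authentication: none
            enabled: true
            key: /usr/share/elasticsearch/config/elasticsearch.key
        transport:
          ssl:
            certificate: /usr/share/elasticsearch/config/elasticsearch.crt
            certificate_authorities:
              - /usr/share/elasticsearch/config/ca.crt
            enabled: true
            key: /usr/share/elasticsearch/config/elasticsearch.key
            # Validate peer node certificates against ca.crt. `none` accepts any certificate
            # and leaves node-to-node TLS open to impersonation/MITM; `certificate` checks the
            # chain without hostname matching (move to `full` once node certs carry matching
            # SANs). Assumes every node's elasticsearch.crt is issued by ca.crt - confirm on
            # multi-node clusters before rollout.
            verification_mode: certificate
  index_settings:
    global_overrides:
      index_template:
        template:
          settings:
            index:
              lifecycle:
                name: global_overrides-logs
              # Placeholder; presumably substituted when the Salt state renders per-node
              # values - confirm.
              number_of_replicas: default_placeholder
      # Default ILM lifecycle: hot -> warm (30d) -> cold (60d) -> delete (365d).
      policy:
        phases:
          cold:
            actions:
              set_priority:
                priority: 0
            min_age: 60d
          delete:
            actions:
              delete: {}
            min_age: 365d
          hot:
            actions:
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
              set_priority:
                priority: 100
            min_age: 0ms
          warm:
            actions:
              set_priority:
                priority: 50
            min_age: 30d
    so-case:
      index_sorting: false
      index_template:
        composed_of:
          - case-mappings
          - case-settings
        ignore_missing_component_templates: []
        index_patterns:
          - so-case*
        priority: 500
        template:
          mappings:
            date_detection: false
            dynamic_templates:
              - strings_as_keyword:
                  mapping:
                    ignore_above: 1024
                    type: keyword
                  match_mapping_type: string
          settings:
            index:
              lifecycle:
                name: so-case-logs
              mapping:
                total_fields:
                  limit: 1500
              number_of_replicas: 0
              auto_expand_replicas: 0-2
              number_of_shards: 1
              refresh_interval: 30s
              sort:
                field: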
'@timestamp' order: desc policy: phases: hot: actions: {} min_age: 0ms so-common: close: 30 delete: 365 index_sorting: false index_template: composed_of: - agent-mappings - dtc-agent-mappings - base-mappings - dtc-base-mappings - client-mappings - dtc-client-mappings - cloud-mappings - container-mappings - data_stream-mappings - destination-mappings - dtc-destination-mappings - pb-override-destination-mappings - dll-mappings - dns-mappings - dtc-dns-mappings - ecs-mappings - dtc-ecs-mappings - error-mappings - event-mappings - dtc-event-mappings - file-mappings - dtc-file-mappings - group-mappings - host-mappings - dtc-host-mappings - http-mappings - dtc-http-mappings - log-mappings - metadata-mappings - network-mappings - dtc-network-mappings - observer-mappings - dtc-observer-mappings - orchestrator-mappings - organization-mappings - package-mappings - process-mappings - dtc-process-mappings - registry-mappings - related-mappings - rule-mappings - dtc-rule-mappings - server-mappings - service-mappings - dtc-service-mappings - source-mappings - dtc-source-mappings - pb-override-source-mappings - syslog-mappings - dtc-syslog-mappings - threat-mappings - tls-mappings - tracing-mappings - url-mappings - user_agent-mappings - dtc-user_agent-mappings - vulnerability-mappings - common-settings - common-dynamic-mappings - winlog-mappings data_stream: {} ignore_missing_component_templates: [] index_patterns: - logs-*-so* priority: 1 template: mappings: date_detection: false dynamic_templates: - strings_as_keyword: mapping: ignore_above: 1024 type: keyword match_mapping_type: string settings: index: lifecycle: name: so-common-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 number_of_shards: 1 refresh_interval: 30s sort: field: '@timestamp' order: desc policy: phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 
min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d warm: 7 so-detection: index_sorting: false index_template: composed_of: - detection-mappings - detection-settings ignore_missing_component_templates: [] index_patterns: - so-detection* priority: 500 template: mappings: date_detection: false dynamic_templates: - strings_as_keyword: mapping: ignore_above: 1024 type: keyword match_mapping_type: string settings: index: lifecycle: name: so-detection-logs mapping: total_fields: limit: 1500 number_of_replicas: 0 auto_expand_replicas: 0-2 number_of_shards: 1 refresh_interval: 1s sort: field: '@timestamp' order: desc policy: phases: hot: actions: {} min_age: 0ms so-assistant-chat: index_sorting: false index_template: composed_of: - assistant-chat-mappings - assistant-chat-settings data_stream: allow_custom_routing: false hidden: false ignore_missing_component_templates: [] index_patterns: - so-assistant-chat* priority: 501 template: mappings: date_detection: false dynamic_templates: - strings_as_keyword: mapping: ignore_above: 1024 type: keyword match_mapping_type: string settings: index: lifecycle: name: so-assistant-chat-logs mapping: total_fields: limit: 1500 number_of_replicas: 0 number_of_shards: 1 refresh_interval: 1s sort: field: '@timestamp' order: desc policy: phases: hot: actions: {} min_age: 0ms so-assistant-session: index_sorting: false index_template: composed_of: - assistant-session-mappings - assistant-session-settings data_stream: allow_custom_routing: false hidden: false ignore_missing_component_templates: [] index_patterns: - so-assistant-session* priority: 501 template: mappings: date_detection: false dynamic_templates: - strings_as_keyword: mapping: ignore_above: 1024 type: keyword match_mapping_type: string settings: index: lifecycle: name: so-assistant-session-logs mapping: total_fields: limit: 1500 number_of_replicas: 0 number_of_shards: 1 refresh_interval: 1s sort: field: '@timestamp' order: desc policy: phases: hot: actions: {} 
min_age: 0ms so-endgame: index_sorting: false index_template: composed_of: - agent-mappings - dtc-agent-mappings - base-mappings - dtc-base-mappings - client-mappings - dtc-client-mappings - cloud-mappings - container-mappings - data_stream-mappings - destination-mappings - dtc-destination-mappings - pb-override-destination-mappings - dll-mappings - dns-mappings - dtc-dns-mappings - ecs-mappings - dtc-ecs-mappings - endgame-mappings - error-mappings - event-mappings - dtc-event-mappings - file-mappings - dtc-file-mappings - group-mappings - host-mappings - dtc-host-mappings - http-mappings - dtc-http-mappings - log-mappings - metadata-mappings - network-mappings - dtc-network-mappings - observer-mappings - dtc-observer-mappings - orchestrator-mappings - organization-mappings - package-mappings - process-mappings - dtc-process-mappings - registry-mappings - related-mappings - rule-mappings - dtc-rule-mappings - server-mappings - service-mappings - dtc-service-mappings - source-mappings - dtc-source-mappings - pb-override-source-mappings - threat-mappings - tls-mappings - tracing-mappings - url-mappings - user_agent-mappings - dtc-user_agent-mappings - vulnerability-mappings - common-settings - common-dynamic-mappings - winlog-mappings ignore_missing_component_templates: [] index_patterns: - endgame* priority: 500 template: mappings: date_detection: false dynamic_templates: - strings_as_keyword: mapping: ignore_above: 1024 type: keyword match_mapping_type: string settings: index: lifecycle: name: so-endgame-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 number_of_shards: 1 refresh_interval: 30s sort: field: '@timestamp' order: desc policy: phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-idh: close: 30 delete: 365 index_sorting: false 
index_template: composed_of: - agent-mappings - dtc-agent-mappings - base-mappings - dtc-base-mappings - client-mappings - dtc-client-mappings - container-mappings - destination-mappings - dtc-destination-mappings - pb-override-destination-mappings - dll-mappings - dns-mappings - dtc-dns-mappings - ecs-mappings - dtc-ecs-mappings - error-mappings - event-mappings - dtc-event-mappings - file-mappings - dtc-file-mappings - group-mappings - host-mappings - dtc-host-mappings - http-mappings - dtc-http-mappings - log-mappings - metadata-mappings - network-mappings - dtc-network-mappings - observer-mappings - dtc-observer-mappings - organization-mappings - package-mappings - process-mappings - dtc-process-mappings - related-mappings - rule-mappings - dtc-rule-mappings - server-mappings - service-mappings - dtc-service-mappings - source-mappings - dtc-source-mappings - pb-override-source-mappings - threat-mappings - tls-mappings - url-mappings - user_agent-mappings - dtc-user_agent-mappings - common-settings - common-dynamic-mappings ignore_missing_component_templates: [] index_patterns: - so-idh-* priority: 500 template: mappings: date_detection: false dynamic_templates: - strings_as_keyword: mapping: ignore_above: 1024 type: keyword match_mapping_type: string settings: index: lifecycle: name: so-idh-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 number_of_shards: 1 refresh_interval: 30s sort: field: '@timestamp' order: desc policy: phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d warm: 7 so-import: index_sorting: false index_template: composed_of: - agent-mappings - dtc-agent-mappings - base-mappings - dtc-base-mappings - client-mappings - dtc-client-mappings - cloud-mappings - container-mappings - data_stream-mappings - destination-mappings 
- dtc-destination-mappings - pb-override-destination-mappings - dll-mappings - dns-mappings - dtc-dns-mappings - ecs-mappings - dtc-ecs-mappings - error-mappings - event-mappings - dtc-event-mappings - file-mappings - dtc-file-mappings - group-mappings - host-mappings - dtc-host-mappings - http-mappings - dtc-http-mappings - log-mappings - metadata-mappings - network-mappings - dtc-network-mappings - observer-mappings - dtc-observer-mappings - orchestrator-mappings - organization-mappings - package-mappings - process-mappings - dtc-process-mappings - registry-mappings - related-mappings - rule-mappings - dtc-rule-mappings - server-mappings - service-mappings - dtc-service-mappings - source-mappings - dtc-source-mappings - pb-override-source-mappings - threat-mappings - tls-mappings - tracing-mappings - url-mappings - user_agent-mappings - dtc-user_agent-mappings - vulnerability-mappings - common-settings - common-dynamic-mappings - winlog-mappings - hash-mappings data_stream: {} ignore_missing_component_templates: [] index_patterns: - logs-import-so* priority: 500 template: mappings: date_detection: false dynamic_templates: - strings_as_keyword: mapping: ignore_above: 1024 type: keyword match_mapping_type: string settings: index: final_pipeline: .fleet_final_pipeline-1 lifecycle: name: so-import-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 number_of_shards: 1 refresh_interval: 30s sort: field: '@timestamp' order: desc policy: phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-ip-mappings: index_sorting: false index_template: composed_of: - so-ip-mappings ignore_missing_component_templates: [] index_patterns: - so-ip* priority: 500 template: mappings: date_detection: false dynamic_templates: - strings_as_keyword: mapping: ignore_above: 
1024 type: keyword match_mapping_type: string settings: index: mapping: total_fields: limit: 1500 lifecycle: name: so-ip-mappings-logs number_of_replicas: 0 number_of_shards: 1 refresh_interval: 30s sort: field: '@timestamp' order: desc policy: phases: hot: actions: {} min_age: 0ms so-items: index_sorting: false index_template: composed_of: - so-items-mappings ignore_missing_component_templates: [] index_patterns: - .items-default-** priority: 500 template: mappings: date_detection: false settings: index: lifecycle: name: so-items-logs rollover_alias: .items-default mapping: total_fields: limit: 10000 number_of_replicas: 0 number_of_shards: 1 refresh_interval: 30s routing: allocation: include: _tier_preference: data_content sort: field: '@timestamp' order: desc policy: phases: hot: actions: rollover: max_size: 50gb min_age: 0ms so-kismet: index_sorting: false index_template: composed_of: - kismet-mappings - source-mappings - client-mappings - device-mappings - network-mappings - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false ignore_missing_component_templates: [] index_patterns: - logs-kismet-so* priority: 501 template: settings: index: lifecycle: name: so-kismet-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-kratos: close: 30 delete: 365 index_sorting: false index_template: composed_of: - agent-mappings - dtc-agent-mappings - base-mappings - dtc-base-mappings - client-mappings - dtc-client-mappings - container-mappings - destination-mappings - dtc-destination-mappings - pb-override-destination-mappings - dll-mappings - dns-mappings - dtc-dns-mappings - ecs-mappings - dtc-ecs-mappings - error-mappings - 
event-mappings - dtc-event-mappings - file-mappings - dtc-file-mappings - group-mappings - host-mappings - dtc-host-mappings - http-mappings - dtc-http-mappings - log-mappings - metadata-mappings - network-mappings - dtc-network-mappings - observer-mappings - dtc-observer-mappings - organization-mappings - package-mappings - process-mappings - dtc-process-mappings - related-mappings - rule-mappings - dtc-rule-mappings - server-mappings - service-mappings - dtc-service-mappings - source-mappings - dtc-source-mappings - pb-override-source-mappings - threat-mappings - tls-mappings - url-mappings - user_agent-mappings - dtc-user_agent-mappings - common-settings - common-dynamic-mappings data_stream: allow_custom_routing: false hidden: false ignore_missing_component_templates: [] index_patterns: - logs-kratos-so* priority: 500 template: mappings: date_detection: false dynamic_templates: - strings_as_keyword: mapping: ignore_above: 1024 type: keyword match_mapping_type: string settings: index: lifecycle: name: so-kratos-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 number_of_shards: 1 refresh_interval: 30s sort: field: '@timestamp' order: desc policy: phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d warm: 7 so-hydra: close: 30 delete: 365 index_sorting: false index_template: composed_of: - agent-mappings - dtc-agent-mappings - base-mappings - dtc-base-mappings - client-mappings - dtc-client-mappings - container-mappings - destination-mappings - dtc-destination-mappings - pb-override-destination-mappings - dll-mappings - dns-mappings - dtc-dns-mappings - ecs-mappings - dtc-ecs-mappings - error-mappings - event-mappings - dtc-event-mappings - file-mappings - dtc-file-mappings - group-mappings - host-mappings - dtc-host-mappings - http-mappings 
- dtc-http-mappings - log-mappings - metadata-mappings - network-mappings - dtc-network-mappings - observer-mappings - dtc-observer-mappings - organization-mappings - package-mappings - process-mappings - dtc-process-mappings - related-mappings - rule-mappings - dtc-rule-mappings - server-mappings - service-mappings - dtc-service-mappings - source-mappings - dtc-source-mappings - pb-override-source-mappings - threat-mappings - tls-mappings - url-mappings - user_agent-mappings - dtc-user_agent-mappings - common-settings - common-dynamic-mappings data_stream: allow_custom_routing: false hidden: false ignore_missing_component_templates: [] index_patterns: - logs-hydra-so* priority: 500 template: mappings: date_detection: false dynamic_templates: - strings_as_keyword: mapping: ignore_above: 1024 type: keyword match_mapping_type: string settings: index: lifecycle: name: so-hydra-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 number_of_shards: 1 refresh_interval: 30s sort: field: '@timestamp' order: desc policy: phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d warm: 7 so-lists: index_sorting: false index_template: composed_of: - so-lists-mappings ignore_missing_component_templates: [] index_patterns: - .lists-default-** priority: 500 template: mappings: date_detection: false settings: index: lifecycle: name: so-lists-logs rollover_alias: .lists-default mapping: total_fields: limit: 10000 number_of_replicas: 0 number_of_shards: 1 refresh_interval: 30s routing: allocation: include: _tier_preference: data_content sort: field: '@timestamp' order: desc policy: phases: hot: actions: rollover: max_size: 50gb min_age: 0ms so-logs: index_sorting: false index_template: composed_of: - so-data-streams-mappings - so-fleet_integrations.ip_mappings-1 - 
so-fleet_globals-1 - so-fleet_agent_id_verification-1 - so-logs-mappings - so-logs-settings data_stream: allow_custom_routing: false hidden: false ignore_missing_component_templates: [] index_patterns: - logs-*-* priority: 225 template: mappings: _meta: managed: true managed_by: security_onion package: name: elastic_agent settings: index: lifecycle: name: so-logs-logs mapping: total_fields: limit: 5001 number_of_replicas: 0 sort: field: '@timestamp' order: desc policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-detections_x_alerts: index_sorting: false index_template: composed_of: - so-data-streams-mappings - so-fleet_globals-1 - so-fleet_agent_id_verification-1 - so-logs-mappings - so-logs-settings data_stream: allow_custom_routing: false hidden: false ignore_missing_component_templates: [] index_patterns: - logs-detections.alerts-* priority: 501 template: mappings: _meta: managed: true managed_by: security_onion package: name: elastic_agent settings: index: lifecycle: name: so-logs-detections.alerts-so mapping: total_fields: limit: 5001 number_of_replicas: 0 sort: field: '@timestamp' order: desc policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 1d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-elastic_agent: index_sorting: false index_template: composed_of: - event-mappings - logs-elastic_agent@package - logs-elastic_agent@custom - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - 
so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false ignore_missing_component_templates: - logs-elastic_agent@custom index_patterns: - logs-elastic_agent-* priority: 501 template: mappings: _meta: managed: true managed_by: security_onion package: name: elastic_agent settings: index: codec: best_compression lifecycle: name: so-logs-elastic_agent-logs mapping: total_fields: limit: 5000 ignore_malformed: true number_of_replicas: 0 sort: field: '@timestamp' order: desc query: default_field: - cloud.account.id - cloud.availability_zone - cloud.instance.id - cloud.instance.name - cloud.machine.type - cloud.provider - cloud.region - cloud.project.id - cloud.image.id - container.id - container.image.name - container.name - host.architecture - host.hostname - host.id - host.mac - host.name - host.os.family - host.os.kernel - host.os.name - host.os.platform - host.os.version - host.os.build - host.os.codename - host.type - ecs.version - agent.build.original - agent.ephemeral_id - agent.id - agent.name - agent.type - agent.version - log.level - message - elastic_agent.id - elastic_agent.process - elastic_agent.version - component.id - component.type - component.binary - component.state - component.old_state - unit.id - unit.type - unit.state - unit.old_state policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-elastic-agent-monitor: index_sorting: false index_template: composed_of: - event-mappings - so-elastic-agent-monitor - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-agentmonitor-* priority: 501 template: mappings: 
_meta: managed: true managed_by: security_onion package: name: elastic_agent settings: index: lifecycle: name: so-elastic-agent-monitor-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 sort: field: '@timestamp' order: desc policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-elastic_agent_x_apm_server: index_sorting: false index_template: composed_of: - logs-elastic_agent.apm_server@package - logs-elastic_agent.apm_server@custom - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false ignore_missing_component_templates: - logs-elastic_agent.apm_server@custom index_patterns: - logs-elastic_agent.apm_server-* priority: 501 template: mappings: _meta: managed: true managed_by: security_onion package: name: elastic_agent settings: index: lifecycle: name: so-logs-elastic_agent.apm_server-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 sort: field: '@timestamp' order: desc policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-elastic_agent_x_auditbeat: index_sorting: false index_template: composed_of: - logs-elastic_agent.auditbeat@package - logs-elastic_agent.auditbeat@custom - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false 
ignore_missing_component_templates: - logs-elastic_agent.auditbeat@custom index_patterns: - logs-elastic_agent.auditbeat-* priority: 501 template: mappings: _meta: managed: true managed_by: security_onion package: name: elastic_agent settings: index: lifecycle: name: so-logs-elastic_agent.auditbeat-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 sort: field: '@timestamp' order: desc policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-elastic_agent_x_cloudbeat: index_sorting: false index_template: composed_of: - logs-elastic_agent.cloudbeat@package - logs-elastic_agent.cloudbeat@custom - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 ignore_missing_component_templates: - logs-elastic_agent.cloudbeat@custom index_patterns: - logs-elastic_agent.cloudbeat-* priority: 501 template: mappings: _meta: managed: true managed_by: security_onion package: name: elastic_agent settings: index: lifecycle: name: so-logs-elastic_agent.cloudbeat-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 sort: field: '@timestamp' order: desc policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-elastic_agent_x_endpoint_security: index_sorting: false index_template: composed_of: - event-mappings - logs-elastic_agent.endpoint_security@package - logs-elastic_agent.endpoint_security@custom - so-fleet_integrations.ip_mappings-1 
- so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false ignore_missing_component_templates: - logs-elastic_agent.endpoint_security@custom index_patterns: - logs-elastic_agent.endpoint_security-* priority: 501 template: settings: index: lifecycle: name: so-logs-elastic_agent.endpoint_security-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 sort: field: '@timestamp' order: desc policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-elastic_agent_x_filebeat: index_sorting: false index_template: composed_of: - event-mappings - logs-elastic_agent.filebeat@package - logs-elastic_agent.filebeat@custom - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false ignore_missing_component_templates: - logs-elastic_agent.filebeat@custom index_patterns: - logs-elastic_agent.filebeat-* priority: 501 template: settings: index: lifecycle: name: so-logs-elastic_agent.filebeat-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 sort: field: '@timestamp' order: desc policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-elastic_agent_x_fleet_server: index_sorting: false index_template: composed_of: - event-mappings - logs-elastic_agent.fleet_server@package - logs-elastic_agent.fleet_server@custom - 
so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false ignore_missing_component_templates: - logs-elastic_agent.fleet_server@custom index_patterns: - logs-elastic_agent.fleet_server-* priority: 501 template: settings: index: lifecycle: name: so-logs-elastic_agent.fleet_server-logs number_of_replicas: 0 sort: field: '@timestamp' order: desc policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-elastic_agent_x_heartbeat: index_sorting: false index_template: composed_of: - logs-elastic_agent.heartbeat@package - logs-elastic_agent.heartbeat@custom - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 ignore_missing_component_templates: - logs-elastic_agent.heartbeat@custom index_patterns: - logs-elastic_agent.heartbeat-* priority: 501 template: mappings: _meta: managed: true managed_by: security_onion package: name: elastic_agent settings: index: lifecycle: name: so-logs-elastic_agent.heartbeat-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 sort: field: '@timestamp' order: desc policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-elastic_agent_x_metricbeat: index_sorting: false index_template: composed_of: - event-mappings - logs-elastic_agent.metricbeat@package - logs-elastic_agent.metricbeat@custom - 
so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false ignore_missing_component_templates: - logs-elastic_agent.metricbeat@custom index_patterns: - logs-elastic_agent.metricbeat-* priority: 501 template: settings: index: lifecycle: name: so-logs-elastic_agent.metricbeat-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 sort: field: '@timestamp' order: desc policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-elastic_agent_x_osquerybeat: index_sorting: false index_template: composed_of: - event-mappings - logs-elastic_agent.osquerybeat@package - logs-elastic_agent.osquerybeat@custom - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false ignore_missing_component_templates: - logs-elastic_agent.osquerybeat@custom index_patterns: - logs-elastic_agent.osquerybeat-* priority: 501 template: settings: index: lifecycle: name: so-logs-elastic_agent.osquerybeat-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 sort: field: '@timestamp' order: desc policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-elastic_agent_x_packetbeat: index_sorting: false index_template: composed_of: - logs-elastic_agent.packetbeat@package - logs-elastic_agent.packetbeat@custom - 
so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false ignore_missing_component_templates: - logs-elastic_agent.packetbeat@custom index_patterns: - logs-elastic_agent.packetbeat-* priority: 501 template: mappings: _meta: managed: true managed_by: security_onion package: name: elastic_agent settings: index: lifecycle: name: so-logs-elastic_agent.packetbeat-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 sort: field: '@timestamp' order: desc policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-elasticsearch_x_server: index_sorting: false index_template: composed_of: - logs-elasticsearch.server@package - logs-elasticsearch.server@custom - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false ignore_missing_component_templates: - logs-elasticsearch.server@custom index_patterns: - logs-elasticsearch.server-* priority: 501 template: mappings: _meta: managed: true managed_by: security_onion package: name: elastic_agent settings: index: lifecycle: name: so-logs-elasticsearch.server-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 sort: field: '@timestamp' order: desc policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-endpoint_x_actions: index_sorting: false 
index_template: composed_of: - .logs-endpoint.actions@package - .logs-endpoint.actions@custom - event-mappings - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false ignore_missing_component_templates: - .logs-endpoint.actions@custom index_patterns: - logs-endpoint.actions-* priority: 501 template: settings: index: lifecycle: name: so-logs-endpoint.actions-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 sort: field: '@timestamp' order: desc policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-endpoint_x_action_x_responses: index_sorting: false index_template: composed_of: - .logs-endpoint.action.responses@package - .logs-endpoint.action.responses@custom - event-mappings - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false ignore_missing_component_templates: - .logs-endpoint.action.responses@custom index_patterns: - logs-endpoint.action.responses-* priority: 501 template: settings: index: lifecycle: name: so-logs-endpoint.actions-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 sort: field: '@timestamp' order: desc policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-endpoint_x_alerts: index_sorting: false index_template: composed_of: - 
logs-endpoint.alerts@package - logs-endpoint.alerts@custom - event-mappings - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false ignore_missing_component_templates: - logs-endpoint.alerts@custom index_patterns: - logs-endpoint.alerts-* priority: 501 template: settings: index: lifecycle: name: so-logs-endpoint.alerts-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 sort: field: '@timestamp' order: desc policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-endpoint_x_diagnostic_x_collection: index_sorting: false index_template: composed_of: - .logs-endpoint.diagnostic.collection@package - .logs-endpoint.diagnostic.collection@custom - event-mappings - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false ignore_missing_component_templates: - .logs-endpoint.diagnostic.collection@custom index_patterns: - .logs-endpoint.diagnostic.collection-* priority: 501 template: settings: index: codec: best_compression lifecycle: name: so-logs-endpoint.diagnostic.collection-logs mapping: total_fields: limit: 5000 ignore_malformed: true number_of_replicas: 0 sort: field: '@timestamp' order: desc query: default_field: - ecs.version - event.action - event.category - event.code - event.dataset - event.hash - event.id - event.kind - event.module - event.outcome - event.provider - event.type policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: 
rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-endpoint_x_events_x_api: index_sorting: false index_template: composed_of: - logs-endpoint.events.api@package - logs-endpoint.events.api@custom - event-mappings - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false ignore_missing_component_templates: - logs-endpoint.events.api@custom index_patterns: - logs-endpoint.events.api-* priority: 501 template: settings: index: lifecycle: name: so-logs-endpoint.events.api-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 sort: field: '@timestamp' order: desc policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-endpoint_x_events_x_file: index_sorting: false index_template: composed_of: - logs-endpoint.events.file@package - logs-endpoint.events.file@custom - event-mappings - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false ignore_missing_component_templates: - logs-endpoint.events.file@custom index_patterns: - logs-endpoint.events.file-* priority: 501 template: settings: index: lifecycle: name: so-logs-endpoint.events.file-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 sort: field: '@timestamp' order: desc policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb 
set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-endpoint_x_events_x_library: index_sorting: false index_template: composed_of: - logs-endpoint.events.library@package - logs-endpoint.events.library@custom - event-mappings - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false ignore_missing_component_templates: - logs-endpoint.events.library@custom index_patterns: - logs-endpoint.events.library-* priority: 501 template: settings: index: lifecycle: name: so-logs-endpoint.events.library-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 sort: field: '@timestamp' order: desc policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-endpoint_x_events_x_network: index_sorting: false index_template: composed_of: - logs-endpoint.events.network@package - logs-endpoint.events.network@custom - event-mappings - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false ignore_missing_component_templates: - logs-endpoint.events.network@custom index_patterns: - logs-endpoint.events.network-* priority: 501 template: settings: index: lifecycle: name: so-logs-endpoint.events.network-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 sort: field: '@timestamp' order: desc policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb 
set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-endpoint_x_events_x_process: index_sorting: false index_template: composed_of: - logs-endpoint.events.process@package - logs-endpoint.events.process@custom - event-mappings - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false ignore_missing_component_templates: - logs-endpoint.events.process@custom index_patterns: - logs-endpoint.events.process-* priority: 501 template: settings: index: lifecycle: name: so-logs-endpoint.events.process-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 sort: field: '@timestamp' order: desc policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-endpoint_x_events_x_registry: index_sorting: false index_template: composed_of: - logs-endpoint.events.registry@package - logs-endpoint.events.registry@custom - event-mappings - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false ignore_missing_component_templates: - logs-endpoint.events.registry@custom index_patterns: - logs-endpoint.events.registry-* priority: 501 template: settings: index: lifecycle: name: so-logs-endpoint.events.registry-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 sort: field: '@timestamp' order: desc policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb 
set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-endpoint_x_events_x_security: index_sorting: false index_template: composed_of: - logs-endpoint.events.security@package - logs-endpoint.events.security@custom - event-mappings - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false ignore_missing_component_templates: - logs-endpoint.events.security@custom index_patterns: - logs-endpoint.events.security-* priority: 501 template: settings: index: lifecycle: name: so-logs-endpoint.events.security-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 sort: field: '@timestamp' order: desc policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-endpoint_x_heartbeat: index_sorting: false index_template: composed_of: - .logs-endpoint.heartbeat@package - .logs-endpoint.heartbeat@custom - event-mappings - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false ignore_missing_component_templates: - .logs-endpoint.heartbeat@custom index_patterns: - .logs-endpoint.heartbeat-* priority: 501 template: settings: index: lifecycle: name: so-logs-endpoint.heartbeat-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 sort: field: '@timestamp' order: desc policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 
min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-http_endpoint_x_generic: index_sorting: false index_template: composed_of: - logs-http_endpoint.generic@package - logs-http_endpoint.generic@custom - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false ignore_missing_component_templates: - logs-http_endpoint.generic@package - logs-http_endpoint.generic@custom index_patterns: - logs-http_endpoint.generic-* priority: 501 template: settings: index: lifecycle: name: so-logs-http_endpoint.generic-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-httpjson_x_generic: index_sorting: false index_template: composed_of: - logs-httpjson.generic@package - logs-httpjson.generic@custom - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false ignore_missing_component_templates: - logs-httpjson.generic@custom index_patterns: - logs-httpjson.generic-* priority: 501 template: settings: index: lifecycle: name: so-logs-httpjson.generic-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-osquery-manager-action_x_responses: index_sorting: false index_template: _meta: managed: true managed_by: security_onion package: name: elastic_agent composed_of: - logs-osquery_manager.action.responses ignore_missing_component_templates: [] index_patterns: - 
.logs-osquery_manager.action.responses* priority: 501 template: settings: index: number_of_replicas: 0 so-logs-osquery-manager_x_action_x_responses: index_sorting: false index_template: _meta: managed: true managed_by: security_onion package: name: elastic_agent data_stream: allow_custom_routing: false hidden: false composed_of: - logs-osquery_manager.action.responses@package - logs-osquery_manager.action.responses@custom - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 ignore_missing_component_templates: - logs-osquery_manager.action.responses@custom index_patterns: - logs-osquery_manager.action.responses* priority: 501 template: settings: lifecycle: name: so-logs-osquery-manager.action.responses-logs index: number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-osquery-manager-actions: index_sorting: false index_template: _meta: managed: true managed_by: security_onion package: name: elastic_agent composed_of: - logs-osquery_manager.actions ignore_missing_component_templates: [] index_patterns: - .logs-osquery_manager.actions-* priority: 501 template: settings: index: number_of_replicas: 0 so-logs-osquery-manager_x_result: index_sorting: false index_template: _meta: managed: true managed_by: security_onion package: name: elastic_agent data_stream: allow_custom_routing: false hidden: false composed_of: - logs-osquery_manager.result@package - logs-osquery_manager.result@custom - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 ignore_missing_component_templates: - logs-osquery_manager.result@custom index_patterns: - logs-osquery_manager.result* priority: 501 template: settings: index: lifecycle: name: 
so-logs-osquery-manager.result-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-soc: close: 30 delete: 365 index_sorting: false index_template: composed_of: - agent-mappings - dtc-agent-mappings - base-mappings - dtc-base-mappings - client-mappings - dtc-client-mappings - container-mappings - destination-mappings - dtc-destination-mappings - pb-override-destination-mappings - dll-mappings - dns-mappings - dtc-dns-mappings - ecs-mappings - dtc-ecs-mappings - error-mappings - event-mappings - dtc-event-mappings - file-mappings - dtc-file-mappings - group-mappings - host-mappings - dtc-host-mappings - http-mappings - dtc-http-mappings - log-mappings - metadata-mappings - network-mappings - dtc-network-mappings - observer-mappings - dtc-observer-mappings - organization-mappings - package-mappings - process-mappings - dtc-process-mappings - related-mappings - rule-mappings - dtc-rule-mappings - server-mappings - service-mappings - dtc-service-mappings - source-mappings - dtc-source-mappings - pb-override-source-mappings - threat-mappings - tls-mappings - url-mappings - user_agent-mappings - dtc-user_agent-mappings - common-settings - common-dynamic-mappings data_stream: {} ignore_missing_component_templates: [] index_patterns: - logs-soc-so* priority: 500 template: mappings: date_detection: false dynamic_templates: - strings_as_keyword: mapping: ignore_above: 1024 type: keyword match_mapping_type: string settings: index: lifecycle: name: so-logs-soc-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 number_of_shards: 1 refresh_interval: 30s sort: field: '@timestamp' order: desc policy: phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: 
rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d warm: 7 so-logs-system_x_application: index_sorting: false index_template: composed_of: - event-mappings - logs-system.application@package - logs-system.application@custom - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 - so-system-mappings data_stream: allow_custom_routing: false hidden: false ignore_missing_component_templates: - logs-system.application@custom index_patterns: - logs-system.application* priority: 501 template: settings: index: lifecycle: name: so-logs-system.application-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-system_x_auth: index_sorting: false index_template: composed_of: - event-mappings - logs-system.auth@package - logs-system.auth@custom - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 - so-system-mappings data_stream: allow_custom_routing: false hidden: false ignore_missing_component_templates: - logs-system.auth@custom index_patterns: - logs-system.auth* priority: 501 template: settings: index: lifecycle: name: so-logs-system.auth-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-system_x_security: index_sorting: false index_template: composed_of: - event-mappings - logs-system.security@package - logs-system.security@custom - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - 
so-fleet_agent_id_verification-1 - so-system-mappings data_stream: allow_custom_routing: false hidden: false ignore_missing_component_templates: - logs-system.security@custom index_patterns: - logs-system.security* priority: 501 template: settings: index: lifecycle: name: so-logs-system.security-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-system_x_syslog: index_sorting: false index_template: composed_of: - event-mappings - logs-system.syslog@package - logs-system.syslog@custom - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 - so-system-mappings data_stream: allow_custom_routing: false hidden: false ignore_missing_component_templates: - logs-system.syslog@custom index_patterns: - logs-system.syslog* priority: 501 template: settings: index: lifecycle: name: so-logs-system.syslog-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-system_x_system: index_sorting: false index_template: composed_of: - event-mappings - logs-system.system@package - logs-system.system@custom - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 - so-system-mappings data_stream: allow_custom_routing: false hidden: false ignore_missing_component_templates: - logs-system.system@custom index_patterns: - logs-system.system* priority: 501 template: settings: index: lifecycle: name: so-logs-system.system-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 60d 
delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-windows_x_forwarded: index_sorting: false index_template: composed_of: - logs-windows.forwarded@package - logs-windows.forwarded@custom - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false ignore_missing_component_templates: - logs-windows.forwarded@custom index_patterns: - logs-windows.forwarded* priority: 501 template: settings: index: lifecycle: name: so-logs-windows.forwarded-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-windows_x_powershell: index_sorting: false index_template: composed_of: - logs-windows.powershell@package - logs-windows.powershell@custom - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false ignore_missing_component_templates: - logs-windows.powershell@custom index_patterns: - logs-windows.powershell-* priority: 501 template: settings: index: lifecycle: name: so-logs-windows.powershell-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-windows_x_powershell_operational: index_sorting: false index_template: composed_of: - logs-windows.powershell_operational@package - logs-windows.powershell_operational@custom - 
so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false ignore_missing_component_templates: - logs-windows.powershell_operational@custom index_patterns: - logs-windows.powershell_operational-* priority: 501 template: settings: index: lifecycle: name: so-logs-windows.powershell_operational-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-windows_x_sysmon_operational: index_sorting: false index_template: composed_of: - logs-windows.sysmon_operational@package - logs-windows.sysmon_operational@custom - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false ignore_missing_component_templates: - logs-windows.sysmon_operational@custom index_patterns: - logs-windows.sysmon_operational-* priority: 501 template: settings: index: lifecycle: name: so-logs-windows.sysmon_operational-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-winlog_x_winlog: index_sorting: false index_template: composed_of: - logs-winlog.winlog@package - logs-winlog.winlog@custom - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false ignore_missing_component_templates: - logs-winlog.winlog@package - logs-winlog.winlog@custom index_patterns: - logs-winlog.winlog-* priority: 501 template: settings: index: lifecycle: name: 
so-logs-winlog.winlog-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logstash: index_sorting: false index_template: composed_of: - agent-mappings - dtc-agent-mappings - base-mappings - dtc-base-mappings - client-mappings - dtc-client-mappings - cloud-mappings - container-mappings - data_stream-mappings - destination-mappings - dtc-destination-mappings - pb-override-destination-mappings - dll-mappings - dns-mappings - dtc-dns-mappings - ecs-mappings - dtc-ecs-mappings - error-mappings - event-mappings - dtc-event-mappings - file-mappings - dtc-file-mappings - group-mappings - host-mappings - dtc-host-mappings - http-mappings - dtc-http-mappings - log-mappings - logstash-mappings - metadata-mappings - network-mappings - dtc-network-mappings - observer-mappings - dtc-observer-mappings - orchestrator-mappings - organization-mappings - package-mappings - process-mappings - dtc-process-mappings - registry-mappings - related-mappings - rule-mappings - dtc-rule-mappings - server-mappings - service-mappings - dtc-service-mappings - source-mappings - dtc-source-mappings - pb-override-source-mappings - threat-mappings - tls-mappings - tracing-mappings - url-mappings - user_agent-mappings - dtc-user_agent-mappings - vulnerability-mappings - common-settings - common-dynamic-mappings ignore_missing_component_templates: [] index_patterns: - logs-logstash-default* priority: 500 template: mappings: date_detection: false dynamic_templates: - strings_as_keyword: mapping: ignore_above: 1024 type: keyword match_mapping_type: string settings: index: lifecycle: name: so-logstash-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 number_of_shards: 1 refresh_interval: 30s sort: field: '@timestamp' order: desc policy: phases: 
cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-metrics-endpoint_x_metadata: index_sorting: false index_template: composed_of: - metrics-endpoint.metadata@package - metrics-endpoint.metadata@custom - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false ignore_missing_component_templates: - metrics-endpoint.metadata@custom index_patterns: - metrics-endpoint.metadata-* priority: 501 template: settings: index: lifecycle: name: so-metrics-endpoint.metadata-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-metrics-endpoint_x_metrics: index_sorting: false index_template: composed_of: - metrics-endpoint.metrics@package - metrics-endpoint.metrics@custom - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false ignore_missing_component_templates: - metrics-endpoint.metrics@custom index_patterns: - metrics-endpoint.metrics-* priority: 501 template: settings: index: lifecycle: name: so-metrics-endpoint.metrics-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 60d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-metrics-endpoint_x_policy: index_sorting: false index_template: composed_of: - metrics-endpoint.policy@package - 
# NOTE(review): this excerpt is the middle of the elasticsearch pillar. The
# list directly below is the tail of a `composed_of` list whose enclosing
# template key sits above this excerpt (its index_patterns target
# metrics-endpoint.policy-*). Indentation is reconstructed from the collapsed
# original; every value is unchanged.
          - metrics-endpoint.policy@custom
          - so-fleet_integrations.ip_mappings-1
          - so-fleet_globals-1
          - so-fleet_agent_id_verification-1
        data_stream:
          allow_custom_routing: false
          hidden: false
        # The @custom component template is optional: the index template is
        # still installed when it does not exist.
        ignore_missing_component_templates:
          - metrics-endpoint.policy@custom
        index_patterns:
          - metrics-endpoint.policy-*
        priority: 501
        template:
          settings:
            index:
              lifecycle:
                name: so-metrics-endpoint.policy-logs
              # 0 replicas: no redundant copy of these indices on another node.
              number_of_replicas: 0
      # ILM policy: hot -> warm (30d) -> cold (60d) -> delete (365d).
      policy:
        phases:
          cold:
            actions:
              set_priority:
                priority: 0
            min_age: 60d
          delete:
            actions:
              delete: {}
            # Hard delete after one year — confirm this matches the
            # deployment's evidence-retention requirement before relying on it.
            min_age: 365d
          hot:
            actions:
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
              set_priority:
                priority: 100
            min_age: 0ms
          warm:
            actions:
              set_priority:
                priority: 50
            min_age: 30d
    # Fleet Server agent-status metrics (time-series index mode). No `policy`
    # key is declared for this stream, so its retention is not governed by the
    # ILM definitions in this file — TODO confirm where it is managed.
    so-metrics-fleet_server_x_agent_status:
      index_sorting: false
      index_template:
        composed_of:
          - metrics@tsdb-settings
          - metrics-fleet_server.agent_status@package
          - metrics-fleet_server.agent_status@custom
          - ecs@mappings
          - so-fleet_integrations.ip_mappings-1
          - so-fleet_globals-1
          - so-fleet_agent_id_verification-1
        data_stream:
          allow_custom_routing: false
          hidden: false
        ignore_missing_component_templates:
          - metrics-fleet_server.agent_status@custom
        index_patterns:
          - metrics-fleet_server.agent_status-*
        priority: 501
        template:
          settings:
            index:
              mode: time_series
              number_of_replicas: 0
    # Fleet Server agent-version metrics; same shape as agent_status above,
    # and likewise without an ILM `policy` key.
    so-metrics-fleet_server_x_agent_versions:
      index_sorting: false
      index_template:
        composed_of:
          - metrics@tsdb-settings
          - metrics-fleet_server.agent_versions@package
          - metrics-fleet_server.agent_versions@custom
          - ecs@mappings
          - so-fleet_integrations.ip_mappings-1
          - so-fleet_globals-1
          - so-fleet_agent_id_verification-1
        data_stream:
          allow_custom_routing: false
          hidden: false
        ignore_missing_component_templates:
          - metrics-fleet_server.agent_versions@custom
        index_patterns:
          - metrics-fleet_server.agent_versions-*
        priority: 501
        template:
          settings:
            index:
              mode: time_series
              number_of_replicas: 0
    # Redis logs. NOTE(review): unlike the so-* templates that follow, this
    # one declares no `data_stream` key and matches logs-redis-default* rather
    # than a logs-<source>-so* pattern — presumably the integration's default
    # namespace; verify that this is intended.
    so-redis:
      # index_sorting is false although the template settings below still
      # declare an @timestamp sort; presumably the deploying code gates the
      # sort on this flag — TODO confirm.
      index_sorting: false
      index_template:
        # ECS component templates plus the redis-specific mappings; `dtc-*`
        # and `pb-override-*` entries are layered after their base mapping.
        composed_of:
          - agent-mappings
          - dtc-agent-mappings
          - base-mappings
          - dtc-base-mappings
          - client-mappings
          - dtc-client-mappings
          - cloud-mappings
          - container-mappings
          - data_stream-mappings
          - destination-mappings
          - dtc-destination-mappings
          - pb-override-destination-mappings
          - dll-mappings
          - dns-mappings
          - dtc-dns-mappings
          - ecs-mappings
          - dtc-ecs-mappings
          - error-mappings
          - event-mappings
          - dtc-event-mappings
          - file-mappings
          - dtc-file-mappings
          - group-mappings
          - host-mappings
          - dtc-host-mappings
          - http-mappings
          - dtc-http-mappings
          - log-mappings
          - metadata-mappings
          - network-mappings
          - dtc-network-mappings
          - observer-mappings
          - dtc-observer-mappings
          - orchestrator-mappings
          - organization-mappings
          - package-mappings
          - process-mappings
          - dtc-process-mappings
          - redis-mappings
          - registry-mappings
          - related-mappings
          - rule-mappings
          - dtc-rule-mappings
          - server-mappings
          - service-mappings
          - dtc-service-mappings
          - source-mappings
          - dtc-source-mappings
          - pb-override-source-mappings
          - threat-mappings
          - tls-mappings
          - tracing-mappings
          - url-mappings
          - user_agent-mappings
          - dtc-user_agent-mappings
          - vulnerability-mappings
          - common-settings
          - common-dynamic-mappings
        ignore_missing_component_templates: []
        index_patterns:
          - logs-redis-default*
        priority: 500
        template:
          mappings:
            # Unmapped strings become keyword (capped at 1024 chars) and
            # date detection is off, so free-text values cannot be
            # mis-typed as dates at ingest.
            date_detection: false
            dynamic_templates:
              - strings_as_keyword:
                  mapping:
                    ignore_above: 1024
                    type: keyword
                  match_mapping_type: string
          settings:
            index:
              lifecycle:
                name: so-redis-logs
              # Caps dynamic field growth (mapping explosion) at 5000 fields.
              mapping:
                total_fields:
                  limit: 5000
              number_of_replicas: 0
              number_of_shards: 1
              refresh_interval: 30s
              sort:
                field: '@timestamp'
                order: desc
      policy:
        phases:
          cold:
            actions:
              set_priority:
                priority: 0
            min_age: 60d
          delete:
            actions:
              delete: {}
            min_age: 365d
          hot:
            actions:
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
              set_priority:
                priority: 100
            min_age: 0ms
          warm:
            actions:
              set_priority:
                priority: 50
            min_age: 30d
    # Strelka file-scan results. Adds so-file-mappings, so-scan-mappings and
    # hash-mappings on top of the shared ECS set.
    so-strelka:
      index_sorting: false
      index_template:
        composed_of:
          - agent-mappings
          - dtc-agent-mappings
          - base-mappings
          - dtc-base-mappings
          - client-mappings
          - dtc-client-mappings
          - cloud-mappings
          - container-mappings
          - data_stream-mappings
          - destination-mappings
          - dtc-destination-mappings
          - pb-override-destination-mappings
          - dll-mappings
          - dns-mappings
          - dtc-dns-mappings
          - ecs-mappings
          - dtc-ecs-mappings
          - error-mappings
          - event-mappings
          - dtc-event-mappings
          - file-mappings
          - dtc-file-mappings
          - so-file-mappings
          - group-mappings
          - host-mappings
          - dtc-host-mappings
          - http-mappings
          - dtc-http-mappings
          - log-mappings
          - metadata-mappings
          - network-mappings
          - dtc-network-mappings
          - observer-mappings
          - dtc-observer-mappings
          - orchestrator-mappings
          - organization-mappings
          - package-mappings
          - process-mappings
          - dtc-process-mappings
          - registry-mappings
          - related-mappings
          - rule-mappings
          - dtc-rule-mappings
          - server-mappings
          - service-mappings
          - dtc-service-mappings
          - so-scan-mappings
          - source-mappings
          - dtc-source-mappings
          - pb-override-source-mappings
          - threat-mappings
          - tls-mappings
          - tracing-mappings
          - url-mappings
          - user_agent-mappings
          - dtc-user_agent-mappings
          - vulnerability-mappings
          - common-settings
          - common-dynamic-mappings
          - hash-mappings
        data_stream: {}
        ignore_missing_component_templates: []
        index_patterns:
          - logs-strelka-so*
        # 500 outranks the logs-*-so* catch-all template (priority 1) where
        # both patterns match.
        priority: 500
        template:
          mappings:
            date_detection: false
            dynamic_templates:
              - strings_as_keyword:
                  mapping:
                    ignore_above: 1024
                    type: keyword
                  match_mapping_type: string
          settings:
            index:
              lifecycle:
                name: so-strelka-logs
              mapping:
                total_fields:
                  limit: 5000
              number_of_replicas: 0
              number_of_shards: 1
              refresh_interval: 30s
              sort:
                field: '@timestamp'
                order: desc
      policy:
        phases:
          cold:
            actions:
              set_priority:
                priority: 0
            min_age: 60d
          delete:
            actions:
              delete: {}
            min_age: 365d
          hot:
            actions:
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
              set_priority:
                priority: 100
            min_age: 0ms
          warm:
            actions:
              set_priority:
                priority: 50
            min_age: 30d
    # Suricata EVE logs (non-alert). Adds suricata-mappings and hash-mappings.
    so-suricata:
      index_sorting: false
      index_template:
        composed_of:
          - agent-mappings
          - dtc-agent-mappings
          - base-mappings
          - dtc-base-mappings
          - client-mappings
          - dtc-client-mappings
          - cloud-mappings
          - container-mappings
          - data_stream-mappings
          - destination-mappings
          - dtc-destination-mappings
          - pb-override-destination-mappings
          - dll-mappings
          - dns-mappings
          - dtc-dns-mappings
          - ecs-mappings
          - dtc-ecs-mappings
          - error-mappings
          - event-mappings
          - dtc-event-mappings
          - file-mappings
          - dtc-file-mappings
          - group-mappings
          - host-mappings
          - dtc-host-mappings
          - http-mappings
          - dtc-http-mappings
          - log-mappings
          - metadata-mappings
          - network-mappings
          - dtc-network-mappings
          - observer-mappings
          - dtc-observer-mappings
          - orchestrator-mappings
          - organization-mappings
          - package-mappings
          - process-mappings
          - dtc-process-mappings
          - registry-mappings
          - related-mappings
          - rule-mappings
          - dtc-rule-mappings
          - server-mappings
          - service-mappings
          - dtc-service-mappings
          - source-mappings
          - dtc-source-mappings
          - pb-override-source-mappings
          - suricata-mappings
          - threat-mappings
          - tls-mappings
          - tracing-mappings
          - url-mappings
          - user_agent-mappings
          - dtc-user_agent-mappings
          - vulnerability-mappings
          - common-settings
          - common-dynamic-mappings
          - hash-mappings
        data_stream: {}
        ignore_missing_component_templates: []
        index_patterns:
          - logs-suricata-so*
        priority: 500
        template:
          mappings:
            date_detection: false
            dynamic_templates:
              - strings_as_keyword:
                  mapping:
                    ignore_above: 1024
                    type: keyword
                  match_mapping_type: string
          settings:
            index:
              lifecycle:
                name: so-suricata-logs
              mapping:
                total_fields:
                  limit: 5000
              number_of_replicas: 0
              number_of_shards: 1
              refresh_interval: 30s
              sort:
                field: '@timestamp'
                order: desc
      policy:
        phases:
          cold:
            actions:
              set_priority:
                priority: 0
            min_age: 60d
          delete:
            actions:
              delete: {}
            min_age: 365d
          hot:
            actions:
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
              set_priority:
                priority: 100
            min_age: 0ms
          warm:
            actions:
              set_priority:
                priority: 50
            min_age: 30d
    # Suricata alerts. Same component set as so-suricata; only the pattern,
    # ILM name and rollover age differ.
    so-suricata_x_alerts:
      index_sorting: false
      index_template:
        composed_of:
          - agent-mappings
          - dtc-agent-mappings
          - base-mappings
          - dtc-base-mappings
          - client-mappings
          - dtc-client-mappings
          - cloud-mappings
          - container-mappings
          - data_stream-mappings
          - destination-mappings
          - dtc-destination-mappings
          - pb-override-destination-mappings
          - dll-mappings
          - dns-mappings
          - dtc-dns-mappings
          - ecs-mappings
          - dtc-ecs-mappings
          - error-mappings
          - event-mappings
          - dtc-event-mappings
          - file-mappings
          - dtc-file-mappings
          - group-mappings
          - host-mappings
          - dtc-host-mappings
          - http-mappings
          - dtc-http-mappings
          - log-mappings
          - metadata-mappings
          - network-mappings
          - dtc-network-mappings
          - observer-mappings
          - dtc-observer-mappings
          - orchestrator-mappings
          - organization-mappings
          - package-mappings
          - process-mappings
          - dtc-process-mappings
          - registry-mappings
          - related-mappings
          - rule-mappings
          - dtc-rule-mappings
          - server-mappings
          - service-mappings
          - dtc-service-mappings
          - source-mappings
          - dtc-source-mappings
          - pb-override-source-mappings
          - suricata-mappings
          - threat-mappings
          - tls-mappings
          - tracing-mappings
          - url-mappings
          - user_agent-mappings
          - dtc-user_agent-mappings
          - vulnerability-mappings
          - common-settings
          - common-dynamic-mappings
          - hash-mappings
        data_stream: {}
        ignore_missing_component_templates: []
        # Note the pattern is not namespace-scoped (-*, not -so*), unlike
        # the other so-* log templates.
        index_patterns:
          - logs-suricata.alerts-*
        priority: 500
        template:
          mappings:
            date_detection: false
            dynamic_templates:
              - strings_as_keyword:
                  mapping:
                    ignore_above: 1024
                    type: keyword
                  match_mapping_type: string
          settings:
            index:
              lifecycle:
                name: so-suricata.alerts-logs
              mapping:
                total_fields:
                  limit: 5000
              number_of_replicas: 0
              number_of_shards: 1
              refresh_interval: 30s
              sort:
                field: '@timestamp'
                order: desc
      policy:
        phases:
          cold:
            actions:
              set_priority:
                priority: 0
            min_age: 60d
          delete:
            actions:
              delete: {}
            min_age: 365d
          hot:
            actions:
              rollover:
                # Daily rollover — every other so-* policy in this file uses
                # 30d. Presumably deliberate for the alert stream; confirm.
                max_age: 1d
                max_primary_shard_size: 50gb
              set_priority:
                priority: 100
            min_age: 0ms
          warm:
            actions:
              set_priority:
                priority: 50
            min_age: 30d
    # Syslog. Adds syslog-mappings / dtc-syslog-mappings; no hash-mappings.
    so-syslog:
      index_sorting: false
      index_template:
        composed_of:
          - agent-mappings
          - dtc-agent-mappings
          - base-mappings
          - dtc-base-mappings
          - client-mappings
          - dtc-client-mappings
          - cloud-mappings
          - container-mappings
          - data_stream-mappings
          - destination-mappings
          - dtc-destination-mappings
          - pb-override-destination-mappings
          - dll-mappings
          - dns-mappings
          - dtc-dns-mappings
          - ecs-mappings
          - dtc-ecs-mappings
          - error-mappings
          - event-mappings
          - dtc-event-mappings
          - file-mappings
          - dtc-file-mappings
          - group-mappings
          - host-mappings
          - dtc-host-mappings
          - http-mappings
          - dtc-http-mappings
          - log-mappings
          - metadata-mappings
          - network-mappings
          - dtc-network-mappings
          - observer-mappings
          - dtc-observer-mappings
          - orchestrator-mappings
          - organization-mappings
          - package-mappings
          - process-mappings
          - dtc-process-mappings
          - registry-mappings
          - related-mappings
          - rule-mappings
          - dtc-rule-mappings
          - server-mappings
          - service-mappings
          - dtc-service-mappings
          - source-mappings
          - dtc-source-mappings
          - pb-override-source-mappings
          - syslog-mappings
          - dtc-syslog-mappings
          - threat-mappings
          - tls-mappings
          - tracing-mappings
          - url-mappings
          - user_agent-mappings
          - dtc-user_agent-mappings
          - vulnerability-mappings
          - common-settings
          - common-dynamic-mappings
        data_stream: {}
        ignore_missing_component_templates: []
        index_patterns:
          - logs-syslog-so*
        priority: 500
        template:
          mappings:
            date_detection: false
            dynamic_templates:
              - strings_as_keyword:
                  mapping:
                    ignore_above: 1024
                    type: keyword
                  match_mapping_type: string
          settings:
            index:
              lifecycle:
                name: so-syslog-logs
              mapping:
                total_fields:
                  limit: 5000
              number_of_replicas: 0
              number_of_shards: 1
              refresh_interval: 30s
              sort:
                field: '@timestamp'
                order: desc
      policy:
        phases:
          cold:
            actions:
              set_priority:
                priority: 0
            min_age: 60d
          delete:
            actions:
              delete: {}
            min_age: 365d
          hot:
            actions:
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
              set_priority:
                priority: 100
            min_age: 0ms
          warm:
            actions:
              set_priority:
                priority: 50
            min_age: 30d
    # Zeek. Adds syslog, zeek and hash mappings.
    so-zeek:
      index_sorting: false
      index_template:
        composed_of:
          - agent-mappings
          - dtc-agent-mappings
          - base-mappings
          - dtc-base-mappings
          - client-mappings
          - dtc-client-mappings
          - cloud-mappings
          - container-mappings
          - data_stream-mappings
          - destination-mappings
          - dtc-destination-mappings
          - pb-override-destination-mappings
          - dll-mappings
          - dns-mappings
          - dtc-dns-mappings
          - ecs-mappings
          - dtc-ecs-mappings
          - error-mappings
          - event-mappings
          - dtc-event-mappings
          - file-mappings
          - dtc-file-mappings
          - group-mappings
          - host-mappings
          - dtc-host-mappings
          - http-mappings
          - dtc-http-mappings
          - log-mappings
          - metadata-mappings
          - network-mappings
          - dtc-network-mappings
          - observer-mappings
          - dtc-observer-mappings
          - orchestrator-mappings
          - organization-mappings
          - package-mappings
          - process-mappings
          - dtc-process-mappings
          - registry-mappings
          - related-mappings
          - rule-mappings
          - dtc-rule-mappings
          - server-mappings
          - service-mappings
          - dtc-service-mappings
          - source-mappings
          - dtc-source-mappings
          - pb-override-source-mappings
          - syslog-mappings
          - dtc-syslog-mappings
          - threat-mappings
          - tls-mappings
          - tracing-mappings
          - url-mappings
          - user_agent-mappings
          - dtc-user_agent-mappings
          - vulnerability-mappings
          - zeek-mappings
          - common-settings
          - common-dynamic-mappings
          - hash-mappings
        data_stream: {}
        ignore_missing_component_templates: []
        index_patterns:
          - logs-zeek-so*
        priority: 500
        template:
          mappings:
            date_detection: false
            dynamic_templates:
              - strings_as_keyword:
                  mapping:
                    ignore_above: 1024
                    type: keyword
                  match_mapping_type: string
          settings:
            index:
              lifecycle:
                name: so-zeek-logs
              mapping:
                total_fields:
                  limit: 5000
              number_of_replicas: 0
              # Two primaries where the other so-* templates use one —
              # presumably sized for Zeek's volume.
              number_of_shards: 2
              refresh_interval: 30s
              sort:
                field: '@timestamp'
                order: desc
      policy:
        phases:
          cold:
            actions:
              set_priority:
                priority: 0
            min_age: 60d
          delete:
            actions:
              delete: {}
            min_age: 365d
          hot:
            actions:
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
              set_priority:
                priority: 100
            min_age: 0ms
          warm:
            actions:
              set_priority:
                priority: 50
            min_age: 30d
  # Ten placeholder ingest pipelines. Each one tags the event with its own
  # name and then hands off to the shared `common` pipeline.
  # NOTE(review): `set` replaces any existing `tags` value with a single
  # string; an `append` processor would keep tags added upstream — confirm
  # the overwrite is intended before customising these.
  pipelines:
    custom001:
      description: Custom Pipeline
      processors:
        - set:
            field: tags
            value: custom001
        - pipeline:
            name: common
    custom002:
      description: Custom Pipeline
      processors:
        - set:
            field: tags
            value: custom002
        - pipeline:
            name: common
    custom003:
      description: Custom Pipeline
      processors:
        - set:
            field: tags
            value: custom003
        - pipeline:
            name: common
    custom004:
      description: Custom Pipeline
      processors:
        - set:
            field: tags
            value: custom004
        - pipeline:
            name: common
    custom005:
      description: Custom Pipeline
      processors:
        - set:
            field: tags
            value: custom005
        - pipeline:
            name: common
    custom006:
      description: Custom Pipeline
      processors:
        - set:
            field: tags
            value: custom006
        - pipeline:
            name: common
    custom007:
      description: Custom Pipeline
      processors:
        - set:
            field: tags
            value: custom007
        - pipeline:
            name: common
    custom008:
      description: Custom Pipeline
      processors:
        - set:
            field: tags
            value: custom008
        - pipeline:
            name: common
    custom009:
      description: Custom Pipeline
      processors:
        - set:
            field: tags
            value: custom009
        - pipeline:
            name: common
    custom010:
      description: Custom Pipeline
      processors:
        - set:
            field: tags
            value: custom010
        - pipeline:
            name: common
  # The consumer of this percentage is not visible in this file — presumably
  # the share of disk the indices may use before pruning; TODO confirm.
  retention:
    retention_pct: 50
  # Elasticsearch node roles per Security Onion node type. Observations from
  # the lists below: so-manager and so-managerhype declare neither `ingest`
  # nor `data_hot`; so-heavynode omits `transform`; so-searchnode is the only
  # role set without `master`.
  so_roles:
    so-eval:
      config:
        node:
          roles:
            - master
            - data
            - data_hot
            - ingest
            - transform
            - remote_cluster_client
    so-heavynode:
      config:
        node:
          roles:
            - master
            - data
            - data_hot
            - remote_cluster_client
            - ingest
    so-import:
      config:
        node:
          roles:
            - master
            - data
            - data_hot
            - ingest
            - transform
            - remote_cluster_client
    so-manager:
      config:
        node:
          roles:
            - master
            - data
            - remote_cluster_client
            - transform
    so-managerhype:
      config:
        node:
          roles:
            - master
            - data
            - remote_cluster_client
            - transform
    so-managersearch:
      config:
        node:
          roles:
            - master
            - data
            - data_hot
            - ingest
            - transform
            - remote_cluster_client
    so-searchnode:
      config:
        node:
          roles:
            - data
            - data_hot
            - ingest
            - transform
    so-standalone:
      config:
        node:
          roles:
            - master
            - data
            - data_hot
            - ingest
            - transform
            - remote_cluster_client