{ "template": { "settings": { "analysis": { "analyzer": { "es_security_analyzer": { "type": "custom", "char_filter": [ "whitespace_no_way" ], "filter": [ "lowercase", "trim" ], "tokenizer": "keyword" } }, "char_filter": { "whitespace_no_way": { "type": "pattern_replace", "pattern": "(\\s)+", "replacement": "$1" } }, "filter": { "path_hierarchy_pattern_filter": { "type": "pattern_capture", "preserve_original": true, "patterns": [ "((?:[^\\\\]*\\\\)*)(.*)", "((?:[^/]*/)*)(.*)" ] } }, "tokenizer": { "path_tokenizer": { "type": "path_hierarchy", "delimiter": "\\" } } }, "index": { "lifecycle": { "name": "logs" }, "codec": "best_compression", "mapping": { "total_fields": { "limit": "10000" } }, "query": { "default_field": [ "cloud.account.id", "cloud.availability_zone", "cloud.instance.id", "cloud.instance.name", "cloud.machine.type", "cloud.provider", "cloud.region", "cloud.project.id", "cloud.image.id", "container.id", "container.image.name", "container.name", "host.architecture", "host.domain", "host.hostname", "host.id", "host.mac", "host.name", "host.os.family", "host.os.kernel", "host.os.name", "host.os.platform", "host.os.version", "host.os.build", "host.os.codename", "host.type", "log.level", "message", "elastic_agent.id", "elastic_agent.process", "elastic_agent.version" ] } } }, "mappings": { "dynamic": false, "properties": { "cloud": { "properties": { "availability_zone": { "ignore_above": 1024, "type": "keyword" , "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer"} } }, "image": { "properties": { "id": { "ignore_above": 1024, "type": "keyword" , "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer"} } } } }, "instance": { "properties": { "name": { "ignore_above": 1024, "type": "keyword" , "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer"} } }, "id": { "ignore_above": 1024, "type": "keyword" , "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer"} } } } }, "provider": { "ignore_above": 1024, "type": "keyword" , "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer"} } }, "machine": { "properties": { "type": { "ignore_above": 1024, "type": "keyword" , "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer"} } } } }, "project": { "properties": { "id": { "ignore_above": 1024, "type": "keyword" , "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer"} } } } }, "region": { "ignore_above": 1024, "type": "keyword" , "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer"} } }, "account": { "properties": { "id": { "ignore_above": 1024, "type": "keyword" , "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer"} } } } } } }, "container": { "properties": { "image": { "properties": { "name": { "ignore_above": 1024, "type": "keyword" , "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer"} } } } }, "name": { "ignore_above": 1024, "type": "keyword" , "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer"} } }, "id": { "ignore_above": 1024, "type": "keyword" , "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer"} } }, "labels": { "type": "object" } } }, "@timestamp": { "type": "date" }, "ecs": { "properties": { "version": { "ignore_above": 1024, "type": "keyword" , "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer"} } } } }, "log": { "properties": { "level": { "ignore_above": 1024, "type": "keyword" , "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer"} } } } }, "data_stream": { "properties": { "namespace": { "type": "constant_keyword" }, "type": { "type": "constant_keyword" }, "dataset": { "type": "constant_keyword" } } }, "host": { "properties": { "hostname": { "ignore_above": 1024, "type": "keyword" , "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer"} } }, "os": { "properties": { "build": { "ignore_above": 1024, "type": "keyword" , "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer"} } }, "kernel": { "ignore_above": 1024, "type": "keyword" , "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer"} } }, "codename": { "ignore_above": 1024, "type": "keyword" , "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer"} } }, "name": { "ignore_above": 1024, "type": "keyword", "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer"}, "text": { "type": "text" } } }, "family": { "ignore_above": 1024, "type": "keyword" , "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer"} } }, "version": { "ignore_above": 1024, "type": "keyword" , "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer"} } }, "platform": { "ignore_above": 1024, "type": "keyword" , "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer"} } } } }, "domain": { "ignore_above": 1024, "type": "keyword" , "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer"} } }, "ip": { "type": "ip" }, "containerized": { "type": "boolean" }, "name": { "ignore_above": 1024, "type": "keyword" , "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer"} } }, "id": { "ignore_above": 1024, "type": "keyword" , "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer"} } }, "type": { "ignore_above": 1024, "type": "keyword" , "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer"} } }, "mac": { "ignore_above": 1024, "type": "keyword" , "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer"} } }, "architecture": { "ignore_above": 1024, "type": "keyword" , "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer"} } } } }, "elastic_agent": { "properties": { "process": { "ignore_above": 1024, "type": "keyword" , "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer"} } }, "id": { "ignore_above": 1024, "type": "keyword" , "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer"} } }, "version": { "ignore_above": 1024, "type": "keyword" , "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer"} } }, "snapshot": { "type": "boolean" } } }, "event": { "properties": { "dataset": { "type": "constant_keyword" } } }, "message": { "type": "text" } } } }, "_meta": { "package": { "name": "elastic_agent" }, "managed_by": "fleet", "managed": true } }