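---
# Elasticsearch defaults: node configuration (config:) plus, under index_settings:,
# one composable index template per data stream and, where present, the ILM
# policy (policy:) that rolls it over and deletes it.
# Booleans are written as lowercase true/false, which YAML 1.1 and 1.2 parsers
# agree on; quoted values are strings that must not be re-typed by a parser.
elasticsearch:
  # Component toggle.
  enabled: false
  retention:
    # NOTE(review): presumably the share of disk the retention job may use — confirm against the consumer.
    retention_pct: 50
  config:
    # No node-level overrides by default.
    node: {}
    cluster:
      routing:
        allocation:
          disk:
            # Disk-based shard allocation thresholds (percent of disk used).
            threshold_enabled: true
            watermark:
              low: 80%
              high: 85%
              flood_stage: 90%
    network:
      # Bind to every interface; which peers can actually reach the HTTP and
      # transport ports is decided by the host firewall, not by this file.
      host: "0.0.0.0"
    path:
      logs: /var/log/elasticsearch
    action:
      # Refuse wildcard / _all index deletions.
      destructive_requires_name: true
    transport:
      bind_host: "0.0.0.0"
      publish_port: 9300
    xpack:
      ml:
        enabled: false
      security:
        enabled: true
        authc:
          anonymous:
            # Requests without credentials map to _anonymous, which holds no
            # roles; authz_exception: true answers them with 403 rather than a
            # 401 challenge.
            authz_exception: true
            roles: []
            username: _anonymous
        transport:
          ssl:
            enabled: true
            # Node-to-node TLS is on, but peer certificates are not validated
            # (no chain or hostname check) even though a CA is configured
            # below. 'certificate' (chain only) or 'full' would enforce it —
            # NOTE(review): confirm every node cert chains to ca.crt before
            # tightening.
            verification_mode: none
            key: /usr/share/elasticsearch/config/elasticsearch.key
            certificate: /usr/share/elasticsearch/config/elasticsearch.crt
            certificate_authorities:
              - /usr/share/elasticsearch/config/ca.crt
        http:
          ssl:
            enabled: true
            # REST clients are not asked for a client certificate (no mutual
            # TLS on the HTTP port).
            client_authentication: none
            key: /usr/share/elasticsearch/config/elasticsearch.key
            certificate: /usr/share/elasticsearch/config/elasticsearch.crt
            certificate_authorities:
              - /usr/share/elasticsearch/config/ca.crt
    script:
      # Script compilation rate limit: 20000 compilations per one-minute window.
      max_compilations_rate: 20000/1m
    indices:
      id_field_data:
        # No fielddata on _id (blocks aggregations/sorting on _id).
        enabled: false
    logger:
      org:
        elasticsearch:
          deprecation: ERROR

  # One entry per index template. index_template is sent as a composable
  # template (index_patterns + template + composed_of + priority); policy, where
  # present, is the matching ILM policy. On overlapping patterns the template
  # with the higher priority wins, so the per-integration templates (501) take
  # precedence over the catch-all so-logs (225) and so-common (1).
  # NOTE(review): index_sorting appears to gate whether the index.sort settings
  # are applied — confirm against the state that renders this file.
  index_settings:
    # Catch-all for Elastic Agent log data streams.
    so-logs:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-*-*"
        template:
          settings:
            index:
              number_of_replicas: 0
              mapping:
                total_fields:
                  # One above the 5000 used elsewhere in this file —
                  # NOTE(review): confirm intentional.
                  limit: 5001
              sort:
                field: "@timestamp"
                order: desc
          mappings:
            _meta:
              package:
                name: elastic_agent
              managed_by: security_onion
              managed: true
        composed_of:
          - "so-data-streams-mappings"
          - "so-logs-mappings"
          - "so-logs-settings"
        priority: 225
        data_stream:
          hidden: false
          allow_custom_routing: false
      # ILM: rollover at 30d or 50gb per primary shard, cold at 30d, delete at 365d.
      policy:
        phases:
          hot:
            min_age: 0ms
            actions:
              set_priority:
                priority: 100
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
          cold:
            min_age: 30d
            actions:
              set_priority:
                priority: 0
          delete:
            min_age: 365d
            actions:
              delete: {}
        _meta:
          package:
            name: elastic_agent
          managed_by: security_onion
          managed: true

    # Per-integration templates. Each layers the integration's @package and
    # @custom component templates with the fleet globals / agent-id
    # verification components; the system.* ones also pull in event-mappings.
    so-logs-system.auth:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-system.auth*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "event-mappings"
          - "logs-system.auth@package"
          - "logs-system.auth@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-system.syslog:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-system.syslog*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "event-mappings"
          - "logs-system.syslog@package"
          - "logs-system.syslog@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-system.system:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-system.system*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "event-mappings"
          - "logs-system.system@package"
          - "logs-system.system@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-system.application:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-system.application*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "event-mappings"
          - "logs-system.application@package"
          - "logs-system.application@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-system.security:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-system.security*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "event-mappings"
          - "logs-system.security@package"
          - "logs-system.security@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-windows.forwarded:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-windows.forwarded*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-windows.forwarded@package"
          - "logs-windows.forwarded@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-windows.powershell:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-windows.powershell-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-windows.powershell@package"
          - "logs-windows.powershell@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-windows.powershell_operational:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-windows.powershell_operational-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-windows.powershell_operational@package"
          - "logs-windows.powershell_operational@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-windows.sysmon_operational:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-windows.sysmon_operational-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-windows.sysmon_operational@package"
          - "logs-windows.sysmon_operational@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-aws.cloudtrail:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-aws.cloudtrail-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-aws.cloudtrail@package"
          - "logs-aws.cloudtrail@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-aws.cloudwatch_logs:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-aws.cloudwatch_logs-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-aws.cloudwatch_logs@package"
          - "logs-aws.cloudwatch_logs@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-aws.ec2_logs:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-aws.ec2_logs-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-aws.ec2_logs@package"
          - "logs-aws.ec2_logs@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-aws.elb_logs:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-aws.elb_logs-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-aws.elb_logs@package"
          - "logs-aws.elb_logs@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-aws.firewall_logs:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-aws.firewall_logs-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-aws.firewall_logs@package"
          - "logs-aws.firewall_logs@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-aws.route53_public_logs:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-aws.route53_public_logs-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-aws.route53_public_logs@package"
          - "logs-aws.route53_public_logs@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-aws.route53_resolver_logs:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-aws.route53_resolver_logs-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-aws.route53_resolver_logs@package"
          - "logs-aws.route53_resolver_logs@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-aws.s3access:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-aws.s3access-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-aws.s3access@package"
          - "logs-aws.s3access@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-aws.vpcflow:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-aws.vpcflow-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-aws.vpcflow@package"
          - "logs-aws.vpcflow@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-aws.waf:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-aws.waf-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-aws.waf@package"
          - "logs-aws.waf@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-azure.activitylogs:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-azure.activitylogs-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-azure.activitylogs@package"
          - "logs-azure.activitylogs@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-azure.application_gateway:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-azure.application_gateway-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-azure.application_gateway@package"
          - "logs-azure.application_gateway@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-azure.auditlogs:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-azure.auditlogs-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-azure.auditlogs@package"
          - "logs-azure.auditlogs@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-azure.eventhub:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-azure.eventhub-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-azure.eventhub@package"
          - "logs-azure.eventhub@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-azure.firewall_logs:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-azure.firewall_logs-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-azure.firewall_logs@package"
          - "logs-azure.firewall_logs@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-azure.identity_protection:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-azure.identity_protection-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-azure.identity_protection@package"
          - "logs-azure.identity_protection@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-azure.platformlogs:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-azure.platformlogs-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-azure.platformlogs@package"
          - "logs-azure.platformlogs@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-azure.provisioning:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-azure.provisioning-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-azure.provisioning@package"
          - "logs-azure.provisioning@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-azure.signinlogs:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-azure.signinlogs-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-azure.signinlogs@package"
          - "logs-azure.signinlogs@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-azure.springcloudlogs:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-azure.springcloudlogs-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-azure.springcloudlogs@package"
          - "logs-azure.springcloudlogs@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-cloudflare.audit:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-cloudflare.audit-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-cloudflare.audit@package"
          - "logs-cloudflare.audit@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-cloudflare.logpull:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-cloudflare.logpull-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-cloudflare.logpull@package"
          - "logs-cloudflare.logpull@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-fim.event:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-fim.event-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-fim.event@package"
          - "logs-fim.event@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-github.audit:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-github.audit-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-github.audit@package"
          - "logs-github.audit@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-github.code_scanning:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-github.code_scanning-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-github.code_scanning@package"
          - "logs-github.code_scanning@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-github.dependabot:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-github.dependabot-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-github.dependabot@package"
          - "logs-github.dependabot@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-github.issues:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-github.issues-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-github.issues@package"
          - "logs-github.issues@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-github.secret_scanning:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-github.secret_scanning-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-github.secret_scanning@package"
          - "logs-github.secret_scanning@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-google_workspace.access_transparency:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-google_workspace.access_transparency-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-google_workspace.access_transparency@package"
          - "logs-google_workspace.access_transparency@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-google_workspace.admin:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-google_workspace.admin-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-google_workspace.admin@package"
          - "logs-google_workspace.admin@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-google_workspace.alert:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-google_workspace.alert-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-google_workspace.alert@package"
          - "logs-google_workspace.alert@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-google_workspace.context_aware_access:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-google_workspace.context_aware_access-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-google_workspace.context_aware_access@package"
          - "logs-google_workspace.context_aware_access@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-google_workspace.device:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-google_workspace.device-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-google_workspace.device@package"
          - "logs-google_workspace.device@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-google_workspace.drive:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-google_workspace.drive-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-google_workspace.drive@package"
          - "logs-google_workspace.drive@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-google_workspace.gcp:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-google_workspace.gcp-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-google_workspace.gcp@package"
          - "logs-google_workspace.gcp@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-google_workspace.group_enterprise:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-google_workspace.group_enterprise-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-google_workspace.group_enterprise@package"
          - "logs-google_workspace.group_enterprise@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-google_workspace.groups:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-google_workspace.groups-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-google_workspace.groups@package"
          - "logs-google_workspace.groups@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-google_workspace.login:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-google_workspace.login-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-google_workspace.login@package"
          - "logs-google_workspace.login@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-google_workspace.rules:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-google_workspace.rules-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-google_workspace.rules@package"
          - "logs-google_workspace.rules@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-google_workspace.saml:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-google_workspace.saml-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-google_workspace.saml@package"
          - "logs-google_workspace.saml@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-google_workspace.token:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-google_workspace.token-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-google_workspace.token@package"
          - "logs-google_workspace.token@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-google_workspace.user_accounts:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-google_workspace.user_accounts-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-google_workspace.user_accounts@package"
          - "logs-google_workspace.user_accounts@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-1password.item_usages:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-1password.item_usages-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-1password.item_usages@package"
          - "logs-1password.item_usages@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-1password.signin_attempts:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-1password.signin_attempts-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-1password.signin_attempts@package"
          - "logs-1password.signin_attempts@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false

    # Osquery manager templates: dot-prefixed (hidden) patterns, a single
    # component template, no data_stream block, and _meta on the index
    # template itself.
    so-logs-osquery-manager-actions:
      index_sorting: false
      index_template:
        index_patterns:
          - ".logs-osquery_manager.actions*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-osquery_manager.actions"
        priority: 501
        _meta:
          package:
            name: elastic_agent
          managed_by: security_onion
          managed: true
    so-logs-osquery-manager-action.responses:
      index_sorting: false
      index_template:
        index_patterns:
          - ".logs-osquery_manager.action.responses*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-osquery_manager.action.responses"
        priority: 501
        _meta:
          package:
            name: elastic_agent
          managed_by: security_onion
          managed: true

    # Elastic Agent self-monitoring streams: each carries its own ILM policy
    # (same 30d/50gb rollover, 30d cold, 365d delete as so-logs).
    so-logs-elastic_agent.apm_server:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-elastic_agent.apm_server-*"
        template:
          settings:
            index:
              number_of_replicas: 0
              mapping:
                total_fields:
                  limit: 5000
              sort:
                field: "@timestamp"
                order: desc
          mappings:
            _meta:
              package:
                name: elastic_agent
              managed_by: security_onion
              managed: true
        composed_of:
          - "logs-elastic_agent.apm_server@package"
          - "logs-elastic_agent.apm_server@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
      policy:
        phases:
          hot:
            min_age: 0ms
            actions:
              set_priority:
                priority: 100
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
          cold:
            min_age: 30d
            actions:
              set_priority:
                priority: 0
          delete:
            min_age: 365d
            actions:
              delete: {}
        _meta:
          package:
            name: elastic_agent
          managed_by: security_onion
          managed: true
    so-logs-elastic_agent.auditbeat:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-elastic_agent.auditbeat-*"
        template:
          settings:
            index:
              number_of_replicas: 0
              mapping:
                total_fields:
                  limit: 5000
              sort:
                field: "@timestamp"
                order: desc
          mappings:
            _meta:
              package:
                name: elastic_agent
              managed_by: security_onion
              managed: true
        composed_of:
          - "logs-elastic_agent.auditbeat@package"
          - "logs-elastic_agent.auditbeat@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
      policy:
        phases:
          hot:
            min_age: 0ms
            actions:
              set_priority:
                priority: 100
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
          cold:
            min_age: 30d
            actions:
              set_priority:
                priority: 0
          delete:
            min_age: 365d
            actions:
              delete: {}
        _meta:
          package:
            name: elastic_agent
          managed_by: security_onion
          managed: true
    so-logs-elastic_agent.cloudbeat:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-elastic_agent.cloudbeat-*"
        template:
          settings:
            index:
              number_of_replicas: 0
              mapping:
                total_fields:
                  limit: 5000
              sort:
                field: "@timestamp"
                order: desc
          mappings:
            _meta:
              package:
                name: elastic_agent
              managed_by: security_onion
              managed: true
        composed_of:
          - "logs-elastic_agent.cloudbeat@package"
          - "logs-elastic_agent.cloudbeat@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        # No data_stream block here, unlike the sibling elastic_agent
        # templates — NOTE(review): confirm intentional.
      policy:
        phases:
          hot:
            min_age: 0ms
            actions:
              set_priority:
                priority: 100
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
          cold:
            min_age: 30d
            actions:
              set_priority:
                priority: 0
          delete:
            min_age: 365d
            actions:
              delete: {}
        _meta:
          package:
            name: elastic_agent
          managed_by: security_onion
          managed: true
    so-logs-elastic_agent.endpoint_security:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-elastic_agent.endpoint_security-*"
        template:
          settings:
            index:
              number_of_replicas: 0
              mapping:
                total_fields:
                  limit: 5000
              sort:
                field: "@timestamp"
                order: desc
        composed_of:
          - "event-mappings"
          - "logs-elastic_agent.endpoint_security@package"
          - "logs-elastic_agent.endpoint_security@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
      policy:
        phases:
          hot:
            min_age: 0ms
            actions:
              set_priority:
                priority: 100
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
          cold:
            min_age: 30d
            actions:
              set_priority:
                priority: 0
          delete:
            min_age: 365d
            actions:
              delete: {}
        _meta:
          package:
            name: elastic_agent
          managed_by: security_onion
          managed: true
    so-logs-elastic_agent.filebeat:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-elastic_agent.filebeat-*"
        template:
          settings:
            index:
              number_of_replicas: 0
              mapping:
                total_fields:
                  limit: 5000
              sort:
                field: "@timestamp"
                order: desc
        composed_of:
          - "event-mappings"
          - "logs-elastic_agent.filebeat@package"
          - "logs-elastic_agent.filebeat@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
      policy:
        phases:
          hot:
            min_age: 0ms
            actions:
              set_priority:
                priority: 100
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
          cold:
            min_age: 30d
            actions:
              set_priority:
                priority: 0
          delete:
            min_age: 365d
            actions:
              delete: {}
        _meta:
          package:
            name: elastic_agent
          managed_by: security_onion
          managed: true
    so-logs-elastic_agent.fleet_server:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-elastic_agent.fleet_server-*"
        template:
          settings:
            index:
              number_of_replicas: 0
              # No mapping.total_fields.limit here, unlike the sibling
              # elastic_agent templates — NOTE(review): confirm intentional.
              sort:
                field: "@timestamp"
                order: desc
        composed_of:
          - "event-mappings"
          - "logs-elastic_agent.fleet_server@package"
          - "logs-elastic_agent.fleet_server@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
      policy:
        phases:
          hot:
            min_age: 0ms
            actions:
              set_priority:
                priority: 100
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
          cold:
            min_age: 30d
            actions:
              set_priority:
                priority: 0
          delete:
            min_age: 365d
            actions:
              delete: {}
        _meta:
          package:
            name: elastic_agent
          managed_by: security_onion
          managed: true
    so-logs-elastic_agent.heartbeat:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-elastic_agent.heartbeat-*"
        template:
          settings:
            index:
              number_of_replicas: 0
              mapping:
                total_fields:
                  limit: 5000
              sort:
                field: "@timestamp"
                order: desc
          mappings:
            _meta:
              package:
                name: elastic_agent
              managed_by: security_onion
              managed: true
        composed_of:
          - "logs-elastic_agent.heartbeat@package"
          - "logs-elastic_agent.heartbeat@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        # No data_stream block here, unlike the sibling elastic_agent
        # templates — NOTE(review): confirm intentional.
      policy:
        phases:
          hot:
            min_age: 0ms
            actions:
              set_priority:
                priority: 100
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
          cold:
            min_age: 30d
            actions:
              set_priority:
                priority: 0
          delete:
            min_age: 365d
            actions:
              delete: {}
        _meta:
          package:
            name: elastic_agent
          managed_by: security_onion
          managed: true
    so-logs-elastic_agent:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-elastic_agent-*"
        template:
          settings:
            index:
              number_of_replicas: 0
              mapping:
                total_fields:
                  limit: 5000
              sort:
                field: "@timestamp"
                order: desc
          mappings:
            _meta:
              package:
                name: elastic_agent
              managed_by: security_onion
              managed: true
        composed_of:
          - "event-mappings"
          - "logs-elastic_agent@package"
          - "logs-elastic_agent@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
      policy:
        phases:
          hot:
            min_age: 0ms
            actions:
              set_priority:
                priority: 100
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
          cold:
            min_age: 30d
            actions:
              set_priority:
                priority: 0
          delete:
            min_age: 365d
            actions:
              delete: {}
        _meta:
          package:
            name: elastic_agent
          managed_by: security_onion
          managed: true
    so-logs-elastic_agent.metricbeat:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-elastic_agent.metricbeat-*"
        template:
          settings:
            index:
              number_of_replicas: 0
              mapping:
                total_fields:
                  limit: 5000
              sort:
                field: "@timestamp"
                order: desc
        composed_of:
          - "event-mappings"
          - "logs-elastic_agent.metricbeat@package"
          - "logs-elastic_agent.metricbeat@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
      policy:
        phases:
          hot:
            min_age: 0ms
            actions:
              set_priority:
                priority: 100
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
          cold:
            min_age: 30d
            actions:
              set_priority:
                priority: 0
          delete:
            min_age: 365d
            actions:
              delete: {}
        _meta:
          package:
            name: elastic_agent
          managed_by: security_onion
          managed: true
    so-logs-elastic_agent.osquerybeat:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-elastic_agent.osquerybeat-*"
        template:
          settings:
            index:
              number_of_replicas: 0
              mapping:
                total_fields:
                  limit: 5000
              sort:
                field: "@timestamp"
                order: desc
        composed_of:
          - "event-mappings"
          - "logs-elastic_agent.osquerybeat@package"
          - "logs-elastic_agent.osquerybeat@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
      policy:
        phases:
          hot:
            min_age: 0ms
            actions:
              set_priority:
                priority: 100
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
          cold:
            min_age: 30d
            actions:
              set_priority:
                priority: 0
          delete:
            min_age: 365d
            actions:
              delete: {}
        _meta:
          package:
            name: elastic_agent
          managed_by: security_onion
          managed: true
    so-logs-elastic_agent.packetbeat:
      index_sorting: false
      index_template:
        index_patterns:
          - "logs-elastic_agent.packetbeat-*"
        template:
          settings:
            index:
              number_of_replicas: 0
              mapping:
                total_fields:
                  limit: 5000
              sort:
                field: "@timestamp"
                order: desc
          mappings:
            _meta:
              package:
                name: elastic_agent
              managed_by: security_onion
              managed: true
        composed_of:
          - "logs-elastic_agent.packetbeat@package"
          - "logs-elastic_agent.packetbeat@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
      policy:
        phases:
          hot:
            min_age: 0ms
            actions:
              set_priority:
                priority: 100
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
          cold:
            min_age: 30d
            actions:
              set_priority:
                priority: 0
          delete:
            min_age: 365d
            actions:
              delete: {}
        _meta:
          package:
            name: elastic_agent
          managed_by: security_onion
          managed: true

    # Security Onion native indices: unmapped strings become keyword
    # (capped at 1024 chars), automatic date detection is off.
    so-case:
      index_sorting: false
      index_template:
        index_patterns:
          - "so-case*"
        template:
          mappings:
            dynamic_templates:
              - strings_as_keyword:
                  mapping:
                    ignore_above: 1024
                    type: keyword
                  match_mapping_type: string
            date_detection: false
          settings:
            index:
              mapping:
                total_fields:
                  limit: 1500
              sort:
                field: "@timestamp"
                order: desc
              refresh_interval: 30s
              number_of_shards: 1
              number_of_replicas: 0
        composed_of:
          - case-mappings
          - case-settings
        priority: 500
    so-common:
      # Age thresholds in days — NOTE(review): presumably consumed by the
      # non-ILM retention job; confirm against the consumer.
      warm: 7
      close: 30
      delete: 365
      index_sorting: false
      # Lowest priority: any more specific logs-* template overrides this one.
      index_template:
        data_stream: {}
        index_patterns:
          - "logs-*-so*"
        template:
          mappings:
            dynamic_templates:
              - strings_as_keyword:
                  mapping:
                    ignore_above: 1024
                    type: keyword
                  match_mapping_type: string
            date_detection: false
          settings:
            index:
              mapping:
                total_fields:
                  limit: 5000
              sort:
                field: "@timestamp"
                order: desc
              refresh_interval: 30s
              number_of_shards: 1
              number_of_replicas: 0
        composed_of:
          - agent-mappings
          - dtc-agent-mappings
          - base-mappings
          - dtc-base-mappings
          - client-mappings
          - dtc-client-mappings
          - cloud-mappings
          - container-mappings
          - data_stream-mappings
          - destination-mappings
          - dtc-destination-mappings
          - pb-override-destination-mappings
          - dll-mappings
          - dns-mappings
          - dtc-dns-mappings
          - ecs-mappings
          - dtc-ecs-mappings
          - error-mappings
          - event-mappings
          - dtc-event-mappings
          - file-mappings
          - dtc-file-mappings
          - group-mappings
          - host-mappings
          - dtc-host-mappings
          - http-mappings
          - dtc-http-mappings
          - log-mappings
          - network-mappings
          - dtc-network-mappings
          - observer-mappings
          - dtc-observer-mappings
          - orchestrator-mappings
          - organization-mappings
          - package-mappings
          - process-mappings
          - dtc-process-mappings
          - registry-mappings
          - related-mappings
          - rule-mappings
          - dtc-rule-mappings
          - server-mappings
          - service-mappings
          - dtc-service-mappings
          - source-mappings
          - dtc-source-mappings
          - pb-override-source-mappings
          - syslog-mappings
          - dtc-syslog-mappings
          - threat-mappings
          - tls-mappings
          - tracing-mappings
          - url-mappings
          - user_agent-mappings
          - dtc-user_agent-mappings
          - vulnerability-mappings
          - common-settings
          - common-dynamic-mappings
          - winlog-mappings
        priority: 1
    so-endgame:
      index_sorting: false
      index_template:
        index_patterns:
          - "endgame*"
        template:
          mappings:
            dynamic_templates:
              - strings_as_keyword:
                  mapping:
                    ignore_above: 1024
                    type: keyword
                  match_mapping_type: string
            date_detection: false
          settings:
            index:
              mapping:
                total_fields:
                  limit: 5000
              sort:
                field: "@timestamp"
                order: desc
              refresh_interval: 30s
              number_of_shards: 1
              number_of_replicas: 0
        composed_of:
          - agent-mappings
          - dtc-agent-mappings
          - base-mappings
          - dtc-base-mappings
          - client-mappings
          - dtc-client-mappings
          - cloud-mappings
          - container-mappings
          - data_stream-mappings
          - destination-mappings
          - dtc-destination-mappings
          - pb-override-destination-mappings
          - dll-mappings
          - dns-mappings
          - dtc-dns-mappings
          - ecs-mappings
          - dtc-ecs-mappings
          - endgame-mappings
          - error-mappings
          - event-mappings
          - dtc-event-mappings
          - file-mappings
          - dtc-file-mappings
          - group-mappings
          - host-mappings
          - dtc-host-mappings
          - http-mappings
          - dtc-http-mappings
          - log-mappings
          - network-mappings
          - dtc-network-mappings
          - observer-mappings
          - dtc-observer-mappings
          - orchestrator-mappings
          - organization-mappings
          - package-mappings
          - process-mappings
          - dtc-process-mappings
          - registry-mappings
          - related-mappings
          - rule-mappings
          - dtc-rule-mappings
          - server-mappings
          - service-mappings
          - dtc-service-mappings
          - source-mappings
          - dtc-source-mappings
          - pb-override-source-mappings
          - threat-mappings
          - tls-mappings
          - tracing-mappings
          - url-mappings
          - user_agent-mappings
          - dtc-user_agent-mappings
          - vulnerability-mappings
          - common-settings
          - common-dynamic-mappings
          - winlog-mappings
        priority: 500
    so-idh:
      # Age thresholds in days — NOTE(review): presumably consumed by the
      # non-ILM retention job; confirm against the consumer.
      warm: 7
      close: 30
      delete: 365
      index_sorting: false
      index_template:
        index_patterns:
          - "so-idh-*"
        template:
          mappings:
            dynamic_templates:
              - strings_as_keyword:
                  mapping:
                    ignore_above: 1024
                    type: keyword
                  match_mapping_type: string
            date_detection: false
          settings:
            index:
              mapping:
                total_fields:
                  limit: 5000
              sort:
                field: "@timestamp"
                order: desc
              refresh_interval: 30s
              number_of_shards: 1
              number_of_replicas: 0
        composed_of:
          - agent-mappings
          - dtc-agent-mappings
          - base-mappings
          - dtc-base-mappings
          - client-mappings
          - dtc-client-mappings
          - container-mappings
          - destination-mappings
          - dtc-destination-mappings
          - pb-override-destination-mappings
          - dll-mappings
          - dns-mappings
          - dtc-dns-mappings
          - ecs-mappings
          - dtc-ecs-mappings
          - error-mappings
          - event-mappings
          - dtc-event-mappings
          - file-mappings
          - dtc-file-mappings
          - group-mappings
          - host-mappings
          - dtc-host-mappings
          - http-mappings
          - dtc-http-mappings
          - log-mappings
          - network-mappings
          - dtc-network-mappings
          - observer-mappings
          - dtc-observer-mappings
          - organization-mappings
          - package-mappings
          - process-mappings
          - dtc-process-mappings
          - related-mappings
          - rule-mappings
          - dtc-rule-mappings
          - server-mappings
          - service-mappings
          - dtc-service-mappings
          - source-mappings
          - dtc-source-mappings
          - pb-override-source-mappings
          - threat-mappings
          - tls-mappings
          - url-mappings
          - user_agent-mappings
          - dtc-user_agent-mappings
          - common-settings
          - common-dynamic-mappings
        priority: 500
    so-suricata:
      index_sorting: false
      index_template:
        data_stream: {}
        index_patterns:
          - "logs-suricata-so*"
        template:
          mappings:
            dynamic_templates:
              - strings_as_keyword:
                  mapping:
                    ignore_above: 1024
                    type: keyword
                  match_mapping_type: string
            date_detection: false
          settings:
            index:
              lifecycle:
                # Binds new backing indices to this ILM policy by name.
                name: so-suricata-logs
              mapping:
                total_fields:
                  limit: 5000
              sort:
                field: "@timestamp"
                order: desc
              refresh_interval: 30s
              number_of_shards: 1
              number_of_replicas: 0
        composed_of:
          - agent-mappings
          - dtc-agent-mappings
          - base-mappings
          - dtc-base-mappings
          - client-mappings
          - dtc-client-mappings
          - cloud-mappings
          - container-mappings
          - data_stream-mappings
          - destination-mappings
          - dtc-destination-mappings
          - pb-override-destination-mappings
          - dll-mappings
          - dns-mappings
          - dtc-dns-mappings
          - ecs-mappings
          - dtc-ecs-mappings
          - error-mappings
          - event-mappings
          - dtc-event-mappings
          - file-mappings
          - dtc-file-mappings
          - group-mappings
          - host-mappings
          - dtc-host-mappings
          - http-mappings
          - dtc-http-mappings
          - log-mappings
          - network-mappings
          - dtc-network-mappings
          - observer-mappings
          - dtc-observer-mappings
          - orchestrator-mappings
          - organization-mappings
          - package-mappings
          - process-mappings
          - dtc-process-mappings
          - registry-mappings
          - related-mappings
          - rule-mappings
          - dtc-rule-mappings
          - server-mappings
          - service-mappings
          # … composed_of continues beyond this excerpt (so-suricata is cut off here).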
dtc-service-mappings - source-mappings - dtc-source-mappings - pb-override-source-mappings - suricata-mappings - threat-mappings - tls-mappings - tracing-mappings - url-mappings - user_agent-mappings - dtc-user_agent-mappings - vulnerability-mappings - common-settings - common-dynamic-mappings priority: 500 policy: phases: hot: min_age: 0ms actions: set_priority: priority: 100 rollover: max_age: 30d max_primary_shard_size: 50gb cold: min_age: 30d actions: set_priority: priority: 0 delete: min_age: 365d actions: delete: {} so-import: index_sorting: False index_template: data_stream: {} index_patterns: - logs-import-so* template: mappings: dynamic_templates: - strings_as_keyword: mapping: ignore_above: 1024 type: keyword match_mapping_type: string date_detection: false settings: index: lifecycle: name: so-import-logs mapping: total_fields: limit: 5000 sort: field: "@timestamp" order: desc refresh_interval: 30s number_of_shards: 1 number_of_replicas: 0 composed_of: - agent-mappings - dtc-agent-mappings - base-mappings - dtc-base-mappings - client-mappings - dtc-client-mappings - cloud-mappings - container-mappings - data_stream-mappings - destination-mappings - dtc-destination-mappings - pb-override-destination-mappings - dll-mappings - dns-mappings - dtc-dns-mappings - ecs-mappings - dtc-ecs-mappings - error-mappings - event-mappings - dtc-event-mappings - file-mappings - dtc-file-mappings - group-mappings - host-mappings - dtc-host-mappings - http-mappings - dtc-http-mappings - log-mappings - network-mappings - dtc-network-mappings - observer-mappings - dtc-observer-mappings - orchestrator-mappings - organization-mappings - package-mappings - process-mappings - dtc-process-mappings - registry-mappings - related-mappings - rule-mappings - dtc-rule-mappings - server-mappings - service-mappings - dtc-service-mappings - source-mappings - dtc-source-mappings - pb-override-source-mappings - threat-mappings - tls-mappings - tracing-mappings - url-mappings - 
user_agent-mappings - dtc-user_agent-mappings - vulnerability-mappings - common-settings - common-dynamic-mappings - winlog-mappings priority: 500 policy: phases: hot: min_age: 0ms actions: set_priority: priority: 100 rollover: max_age: 30d max_primary_shard_size: 50gb cold: min_age: 30d actions: set_priority: priority: 0 delete: min_age: 365d actions: delete: {} so-kratos: warm: 7 close: 30 delete: 365 index_sorting: False index_template: data_stream: hidden: false allow_custom_routing: false index_patterns: - logs-kratos-so* template: mappings: dynamic_templates: - strings_as_keyword: mapping: ignore_above: 1024 type: keyword match_mapping_type: string date_detection: false settings: index: mapping: total_fields: limit: 5000 sort: field: "@timestamp" order: desc refresh_interval: 30s number_of_shards: 1 number_of_replicas: 0 composed_of: - agent-mappings - dtc-agent-mappings - base-mappings - dtc-base-mappings - client-mappings - dtc-client-mappings - container-mappings - destination-mappings - dtc-destination-mappings - pb-override-destination-mappings - dll-mappings - dns-mappings - dtc-dns-mappings - ecs-mappings - dtc-ecs-mappings - error-mappings - event-mappings - dtc-event-mappings - file-mappings - dtc-file-mappings - group-mappings - host-mappings - dtc-host-mappings - http-mappings - dtc-http-mappings - log-mappings - network-mappings - dtc-network-mappings - observer-mappings - dtc-observer-mappings - organization-mappings - package-mappings - process-mappings - dtc-process-mappings - related-mappings - rule-mappings - dtc-rule-mappings - server-mappings - service-mappings - dtc-service-mappings - source-mappings - dtc-source-mappings - pb-override-source-mappings - threat-mappings - tls-mappings - url-mappings - user_agent-mappings - dtc-user_agent-mappings - common-settings - common-dynamic-mappings priority: 500 policy: phases: hot: min_age: 0ms actions: set_priority: priority: 100 rollover: max_age: 30d max_primary_shard_size: 50gb cold: min_age: 
30d actions: set_priority: priority: 0 delete: min_age: 365d actions: delete: {} so-logstash: index_sorting: False index_template: index_patterns: - logs-logstash-default* template: mappings: dynamic_templates: - strings_as_keyword: mapping: ignore_above: 1024 type: keyword match_mapping_type: string date_detection: false settings: index: lifecycle: name: so-logstash-logs mapping: total_fields: limit: 5000 sort: field: "@timestamp" order: desc refresh_interval: 30s number_of_shards: 1 number_of_replicas: 0 composed_of: - agent-mappings - dtc-agent-mappings - base-mappings - dtc-base-mappings - client-mappings - dtc-client-mappings - cloud-mappings - container-mappings - data_stream-mappings - destination-mappings - dtc-destination-mappings - pb-override-destination-mappings - dll-mappings - dns-mappings - dtc-dns-mappings - ecs-mappings - dtc-ecs-mappings - error-mappings - event-mappings - dtc-event-mappings - file-mappings - dtc-file-mappings - group-mappings - host-mappings - dtc-host-mappings - http-mappings - dtc-http-mappings - log-mappings - logstash-mappings - network-mappings - dtc-network-mappings - observer-mappings - dtc-observer-mappings - orchestrator-mappings - organization-mappings - package-mappings - process-mappings - dtc-process-mappings - registry-mappings - related-mappings - rule-mappings - dtc-rule-mappings - server-mappings - service-mappings - dtc-service-mappings - source-mappings - dtc-source-mappings - pb-override-source-mappings - threat-mappings - tls-mappings - tracing-mappings - url-mappings - user_agent-mappings - dtc-user_agent-mappings - vulnerability-mappings - common-settings - common-dynamic-mappings priority: 500 policy: phases: hot: min_age: 0ms actions: set_priority: priority: 100 rollover: max_age: 30d max_primary_shard_size: 50gb cold: min_age: 30d actions: set_priority: priority: 0 delete: min_age: 365d actions: delete: {} so-redis: index_sorting: False index_template: index_patterns: - logs-redis-default* template: 
mappings: dynamic_templates: - strings_as_keyword: mapping: ignore_above: 1024 type: keyword match_mapping_type: string date_detection: false settings: index: lifecycle: name: so-redis-logs mapping: total_fields: limit: 5000 sort: field: "@timestamp" order: desc refresh_interval: 30s number_of_shards: 1 number_of_replicas: 0 composed_of: - agent-mappings - dtc-agent-mappings - base-mappings - dtc-base-mappings - client-mappings - dtc-client-mappings - cloud-mappings - container-mappings - data_stream-mappings - destination-mappings - dtc-destination-mappings - pb-override-destination-mappings - dll-mappings - dns-mappings - dtc-dns-mappings - ecs-mappings - dtc-ecs-mappings - error-mappings - event-mappings - dtc-event-mappings - file-mappings - dtc-file-mappings - group-mappings - host-mappings - dtc-host-mappings - http-mappings - dtc-http-mappings - log-mappings - network-mappings - dtc-network-mappings - observer-mappings - dtc-observer-mappings - orchestrator-mappings - organization-mappings - package-mappings - process-mappings - dtc-process-mappings - redis-mappings - registry-mappings - related-mappings - rule-mappings - dtc-rule-mappings - server-mappings - service-mappings - dtc-service-mappings - source-mappings - dtc-source-mappings - pb-override-source-mappings - threat-mappings - tls-mappings - tracing-mappings - url-mappings - user_agent-mappings - dtc-user_agent-mappings - vulnerability-mappings - common-settings - common-dynamic-mappings priority: 500 policy: phases: hot: min_age: 0ms actions: set_priority: priority: 100 rollover: max_age: 30d max_primary_shard_size: 50gb cold: min_age: 30d actions: set_priority: priority: 0 delete: min_age: 365d actions: delete: {} so-strelka: index_sorting: False index_template: data_stream: {} index_patterns: - logs-strelka-so* template: mappings: dynamic_templates: - strings_as_keyword: mapping: ignore_above: 1024 type: keyword match_mapping_type: string date_detection: false settings: index: mapping: 
total_fields: limit: 5000 sort: field: "@timestamp" order: desc refresh_interval: 30s number_of_shards: 1 number_of_replicas: 0 composed_of: - agent-mappings - dtc-agent-mappings - base-mappings - dtc-base-mappings - client-mappings - dtc-client-mappings - cloud-mappings - container-mappings - data_stream-mappings - destination-mappings - dtc-destination-mappings - pb-override-destination-mappings - dll-mappings - dns-mappings - dtc-dns-mappings - ecs-mappings - dtc-ecs-mappings - error-mappings - event-mappings - dtc-event-mappings - file-mappings - dtc-file-mappings - so-file-mappings - group-mappings - host-mappings - dtc-host-mappings - http-mappings - dtc-http-mappings - log-mappings - network-mappings - dtc-network-mappings - observer-mappings - dtc-observer-mappings - orchestrator-mappings - organization-mappings - package-mappings - process-mappings - dtc-process-mappings - registry-mappings - related-mappings - rule-mappings - dtc-rule-mappings - server-mappings - service-mappings - dtc-service-mappings - so-scan-mappings - source-mappings - dtc-source-mappings - pb-override-source-mappings - threat-mappings - tls-mappings - tracing-mappings - url-mappings - user_agent-mappings - dtc-user_agent-mappings - vulnerability-mappings - common-settings - common-dynamic-mappings priority: 500 policy: phases: hot: min_age: 0ms actions: set_priority: priority: 100 rollover: max_age: 30d max_primary_shard_size: 50gb cold: min_age: 30d actions: set_priority: priority: 0 delete: min_age: 365d actions: delete: {} so-syslog: index_sorting: False index_template: index_patterns: - logs-syslog-so* template: mappings: dynamic_templates: - strings_as_keyword: mapping: ignore_above: 1024 type: keyword match_mapping_type: string date_detection: false settings: index: mapping: total_fields: limit: 5000 sort: field: "@timestamp" order: desc refresh_interval: 30s number_of_shards: 1 number_of_replicas: 0 composed_of: - agent-mappings - dtc-agent-mappings - base-mappings - 
dtc-base-mappings - client-mappings - dtc-client-mappings - cloud-mappings - container-mappings - data_stream-mappings - destination-mappings - dtc-destination-mappings - pb-override-destination-mappings - dll-mappings - dns-mappings - dtc-dns-mappings - ecs-mappings - dtc-ecs-mappings - error-mappings - event-mappings - dtc-event-mappings - file-mappings - dtc-file-mappings - group-mappings - host-mappings - dtc-host-mappings - http-mappings - dtc-http-mappings - log-mappings - network-mappings - dtc-network-mappings - observer-mappings - dtc-observer-mappings - orchestrator-mappings - organization-mappings - package-mappings - process-mappings - dtc-process-mappings - registry-mappings - related-mappings - rule-mappings - dtc-rule-mappings - server-mappings - service-mappings - dtc-service-mappings - source-mappings - dtc-source-mappings - pb-override-source-mappings - syslog-mappings - dtc-syslog-mappings - threat-mappings - tls-mappings - tracing-mappings - url-mappings - user_agent-mappings - dtc-user_agent-mappings - vulnerability-mappings - common-settings - common-dynamic-mappings priority: 500 policy: phases: hot: min_age: 0ms actions: set_priority: priority: 100 rollover: max_age: 30d max_primary_shard_size: 50gb cold: min_age: 30d actions: set_priority: priority: 0 delete: min_age: 365d actions: delete: {} so-zeek: index_sorting: False index_template: data_stream: {} index_patterns: - logs-zeek-so* template: mappings: dynamic_templates: - strings_as_keyword: mapping: ignore_above: 1024 type: keyword match_mapping_type: string date_detection: false settings: index: lifecycle: name: so-zeek-logs mapping: total_fields: limit: 5000 sort: field: "@timestamp" order: desc refresh_interval: 30s number_of_shards: 2 number_of_replicas: 0 composed_of: - agent-mappings - dtc-agent-mappings - base-mappings - dtc-base-mappings - client-mappings - dtc-client-mappings - cloud-mappings - container-mappings - data_stream-mappings - destination-mappings - 
dtc-destination-mappings - pb-override-destination-mappings - dll-mappings - dns-mappings - dtc-dns-mappings - ecs-mappings - dtc-ecs-mappings - error-mappings - event-mappings - dtc-event-mappings - file-mappings - dtc-file-mappings - group-mappings - host-mappings - dtc-host-mappings - http-mappings - dtc-http-mappings - log-mappings - network-mappings - dtc-network-mappings - observer-mappings - dtc-observer-mappings - orchestrator-mappings - organization-mappings - package-mappings - process-mappings - dtc-process-mappings - registry-mappings - related-mappings - rule-mappings - dtc-rule-mappings - server-mappings - service-mappings - dtc-service-mappings - source-mappings - dtc-source-mappings - pb-override-source-mappings - syslog-mappings - dtc-syslog-mappings - threat-mappings - tls-mappings - tracing-mappings - url-mappings - user_agent-mappings - dtc-user_agent-mappings - vulnerability-mappings - zeek-mappings - common-settings - common-dynamic-mappings priority: 500 policy: phases: hot: min_age: 0ms actions: set_priority: priority: 100 rollover: max_age: 30d max_primary_shard_size: 50gb cold: min_age: 30d actions: set_priority: priority: 0 delete: min_age: 365d actions: delete: {}