# Elasticsearch defaults: node settings under `config`, then the custom
# ingest pipeline stubs.
# NOTE(review): the source lost its line breaks and indentation. The nesting
# below is reconstructed from the Elasticsearch setting names; confirm it
# against the original file before relying on it.
elasticsearch:
  config:
    action:
      # Destructive index operations must name their targets explicitly
      # instead of using wildcards or _all.
      destructive_requires_name: true
    cluster:
      routing:
        allocation:
          disk:
            threshold_enabled: true
            # Disk-based allocation thresholds (low < high < flood_stage).
            # At flood_stage Elasticsearch blocks writes to the affected
            # indices, so ingestion stalls; alert on disk usage before then.
            watermark:
              flood_stage: 90%
              high: 85%
              low: 80%
    indices:
      id_field_data:
        enabled: false
    logger:
      org:
        elasticsearch:
          # Deprecation messages are logged only at ERROR level.
          deprecation: ERROR
    network:
      # Binds to every interface. What can actually reach the node is decided
      # by the host firewall / port publishing, which is not shown here.
      host: 0.0.0.0
    node: {}
    path:
      logs: /var/log/elasticsearch
    script:
      max_compilations_rate: 20000/1m
    transport:
      # Transport (node-to-node) listener also binds to every interface.
      bind_host: 0.0.0.0
      publish_port: 9300
    xpack:
      ml:
        enabled: false
      security:
        authc:
          # Anonymous principal. The roles list is empty, so it is granted no
          # privileges; any role added here would apply to every
          # unauthenticated request.
          anonymous:
            authz_exception: true
            roles: []
            username: _anonymous
        enabled: true
        http:
          ssl:
            certificate: /usr/share/elasticsearch/config/elasticsearch.crt
            certificate_authorities:
              - /usr/share/elasticsearch/config/ca.crt
            # No client certificate is requested on the HTTP layer, so
            # clients must be authenticated some other way (credentials).
            client_authentication: none
            enabled: true
            key: /usr/share/elasticsearch/config/elasticsearch.key
        transport:
          ssl:
            certificate: /usr/share/elasticsearch/config/elasticsearch.crt
            certificate_authorities:
              - /usr/share/elasticsearch/config/ca.crt
            enabled: true
            key: /usr/share/elasticsearch/config/elasticsearch.key
            # `none` turns off certificate verification between nodes: the
            # traffic is still encrypted, but peers are not authenticated by
            # certificate and the CA listed above is not enforced.
            # Elasticsearch's verifying modes are `certificate` and `full`.
            # NOTE(review): confirm this is deliberate and that the transport
            # port is not reachable from untrusted networks.
            verification_mode: none
  # NOTE(review): placed at the `elasticsearch` level because every nested
  # section above already carries its own `enabled` key; confirm.
  enabled: false
  # Custom pipeline stubs: each sets `tags` to its own name and then calls
  # the `common` pipeline.
  pipelines:
    custom001:
      description: Custom Pipeline
      processors:
        - set:
            field: tags
            value: custom001
        - pipeline:
            name: common
    custom002:
      description: Custom Pipeline
      processors:
        - set:
            field: tags
            value: custom002
        - pipeline:
            name: common
    custom003:
      description: Custom Pipeline
      processors:
        - set:
            field: tags
            value: custom003
        - pipeline:
            name: common
    custom004:
      description: Custom Pipeline
      processors:
        - set:
            field: tags
            value: custom004
        - pipeline:
            name: common
    custom005:
      description: Custom Pipeline
      processors:
        - set:
            field: tags
            value: custom005
        - pipeline:
            name: common
    custom006:
      description: Custom Pipeline
      processors:
        - set:
            field: tags
            value: custom006
        - pipeline:
            name: common
    custom007:
      description: Custom Pipeline
      processors:
        - set:
            field: tags
            value: custom007
        - pipeline:
            name: common
    custom008:
      description: Custom Pipeline
      processors:
        - set:
            field: tags
            value: custom008
        - pipeline:
            name: common
    # The custom009 entry is split by a line break in the source; its
    # remaining keys follow on the next source line.
    custom009:
      description: Custom Pipeline
      processors:
        - set:
field: tags value: custom009 - pipeline: name: common custom010: description: Custom Pipeline processors: - set: field: tags value: custom010 - pipeline: name: common index_settings: global_overrides: index_template: template: settings: index: lifecycle: name: global_overrides-logs number_of_replicas: default_placeholder policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-case: index_sorting: false index_template: composed_of: - case-mappings - case-settings index_patterns: - so-case* priority: 500 template: mappings: date_detection: false dynamic_templates: - strings_as_keyword: mapping: ignore_above: 1024 type: keyword match_mapping_type: string settings: index: mapping: total_fields: limit: 1500 number_of_replicas: 0 number_of_shards: 1 refresh_interval: 30s sort: field: '@timestamp' order: desc so-detection: index_sorting: false index_template: composed_of: - detection-mappings - detection-settings index_patterns: - so-detection* priority: 500 template: mappings: date_detection: false dynamic_templates: - strings_as_keyword: mapping: ignore_above: 1024 type: keyword match_mapping_type: string settings: index: mapping: total_fields: limit: 1500 number_of_replicas: 0 number_of_shards: 1 refresh_interval: 30s sort: field: '@timestamp' order: desc so-common: close: 30 delete: 365 index_sorting: false index_template: composed_of: - agent-mappings - dtc-agent-mappings - base-mappings - dtc-base-mappings - client-mappings - dtc-client-mappings - cloud-mappings - container-mappings - data_stream-mappings - destination-mappings - dtc-destination-mappings - pb-override-destination-mappings - dll-mappings - dns-mappings - dtc-dns-mappings - ecs-mappings - dtc-ecs-mappings - error-mappings - event-mappings - dtc-event-mappings - file-mappings - 
dtc-file-mappings - group-mappings - host-mappings - dtc-host-mappings - http-mappings - dtc-http-mappings - log-mappings - network-mappings - dtc-network-mappings - observer-mappings - dtc-observer-mappings - orchestrator-mappings - organization-mappings - package-mappings - process-mappings - dtc-process-mappings - registry-mappings - related-mappings - rule-mappings - dtc-rule-mappings - server-mappings - service-mappings - dtc-service-mappings - source-mappings - dtc-source-mappings - pb-override-source-mappings - syslog-mappings - dtc-syslog-mappings - threat-mappings - tls-mappings - tracing-mappings - url-mappings - user_agent-mappings - dtc-user_agent-mappings - vulnerability-mappings - common-settings - common-dynamic-mappings - winlog-mappings data_stream: {} index_patterns: - logs-*-so* priority: 1 template: mappings: date_detection: false dynamic_templates: - strings_as_keyword: mapping: ignore_above: 1024 type: keyword match_mapping_type: string settings: index: lifecycle: name: so-common-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 number_of_shards: 1 refresh_interval: 30s sort: field: '@timestamp' order: desc policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d warm: 7 so-endgame: index_sorting: false index_template: composed_of: - agent-mappings - dtc-agent-mappings - base-mappings - dtc-base-mappings - client-mappings - dtc-client-mappings - cloud-mappings - container-mappings - data_stream-mappings - destination-mappings - dtc-destination-mappings - pb-override-destination-mappings - dll-mappings - dns-mappings - dtc-dns-mappings - ecs-mappings - dtc-ecs-mappings - endgame-mappings - error-mappings - event-mappings - dtc-event-mappings - file-mappings - dtc-file-mappings - group-mappings - host-mappings - 
dtc-host-mappings - http-mappings - dtc-http-mappings - log-mappings - network-mappings - dtc-network-mappings - observer-mappings - dtc-observer-mappings - orchestrator-mappings - organization-mappings - package-mappings - process-mappings - dtc-process-mappings - registry-mappings - related-mappings - rule-mappings - dtc-rule-mappings - server-mappings - service-mappings - dtc-service-mappings - source-mappings - dtc-source-mappings - pb-override-source-mappings - threat-mappings - tls-mappings - tracing-mappings - url-mappings - user_agent-mappings - dtc-user_agent-mappings - vulnerability-mappings - common-settings - common-dynamic-mappings - winlog-mappings index_patterns: - endgame* priority: 500 template: mappings: date_detection: false dynamic_templates: - strings_as_keyword: mapping: ignore_above: 1024 type: keyword match_mapping_type: string settings: index: lifecycle: name: so-endgame-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 number_of_shards: 1 refresh_interval: 30s sort: field: '@timestamp' order: desc policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-idh: close: 30 delete: 365 index_sorting: false index_template: composed_of: - agent-mappings - dtc-agent-mappings - base-mappings - dtc-base-mappings - client-mappings - dtc-client-mappings - container-mappings - destination-mappings - dtc-destination-mappings - pb-override-destination-mappings - dll-mappings - dns-mappings - dtc-dns-mappings - ecs-mappings - dtc-ecs-mappings - error-mappings - event-mappings - dtc-event-mappings - file-mappings - dtc-file-mappings - group-mappings - host-mappings - dtc-host-mappings - http-mappings - dtc-http-mappings - log-mappings - network-mappings - dtc-network-mappings - observer-mappings - dtc-observer-mappings - 
organization-mappings - package-mappings - process-mappings - dtc-process-mappings - related-mappings - rule-mappings - dtc-rule-mappings - server-mappings - service-mappings - dtc-service-mappings - source-mappings - dtc-source-mappings - pb-override-source-mappings - threat-mappings - tls-mappings - url-mappings - user_agent-mappings - dtc-user_agent-mappings - common-settings - common-dynamic-mappings index_patterns: - so-idh-* priority: 500 template: mappings: date_detection: false dynamic_templates: - strings_as_keyword: mapping: ignore_above: 1024 type: keyword match_mapping_type: string settings: index: lifecycle: name: so-idh-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 number_of_shards: 1 refresh_interval: 30s sort: field: '@timestamp' order: desc policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d warm: 7 so-import: index_sorting: false index_template: composed_of: - agent-mappings - dtc-agent-mappings - base-mappings - dtc-base-mappings - client-mappings - dtc-client-mappings - cloud-mappings - container-mappings - data_stream-mappings - destination-mappings - dtc-destination-mappings - pb-override-destination-mappings - dll-mappings - dns-mappings - dtc-dns-mappings - ecs-mappings - dtc-ecs-mappings - error-mappings - event-mappings - dtc-event-mappings - file-mappings - dtc-file-mappings - group-mappings - host-mappings - dtc-host-mappings - http-mappings - dtc-http-mappings - log-mappings - network-mappings - dtc-network-mappings - observer-mappings - dtc-observer-mappings - orchestrator-mappings - organization-mappings - package-mappings - process-mappings - dtc-process-mappings - registry-mappings - related-mappings - rule-mappings - dtc-rule-mappings - server-mappings - service-mappings - dtc-service-mappings - 
source-mappings - dtc-source-mappings - pb-override-source-mappings - threat-mappings - tls-mappings - tracing-mappings - url-mappings - user_agent-mappings - dtc-user_agent-mappings - vulnerability-mappings - common-settings - common-dynamic-mappings - winlog-mappings data_stream: {} index_patterns: - logs-import-so* priority: 500 template: mappings: date_detection: false dynamic_templates: - strings_as_keyword: mapping: ignore_above: 1024 type: keyword match_mapping_type: string settings: index: final_pipeline: .fleet_final_pipeline-1 lifecycle: name: so-import-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 number_of_shards: 1 refresh_interval: 30s sort: field: '@timestamp' order: desc policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-kratos: close: 30 delete: 365 index_sorting: false index_template: composed_of: - agent-mappings - dtc-agent-mappings - base-mappings - dtc-base-mappings - client-mappings - dtc-client-mappings - container-mappings - destination-mappings - dtc-destination-mappings - pb-override-destination-mappings - dll-mappings - dns-mappings - dtc-dns-mappings - ecs-mappings - dtc-ecs-mappings - error-mappings - event-mappings - dtc-event-mappings - file-mappings - dtc-file-mappings - group-mappings - host-mappings - dtc-host-mappings - http-mappings - dtc-http-mappings - log-mappings - network-mappings - dtc-network-mappings - observer-mappings - dtc-observer-mappings - organization-mappings - package-mappings - process-mappings - dtc-process-mappings - related-mappings - rule-mappings - dtc-rule-mappings - server-mappings - service-mappings - dtc-service-mappings - source-mappings - dtc-source-mappings - pb-override-source-mappings - threat-mappings - tls-mappings - url-mappings - user_agent-mappings - 
dtc-user_agent-mappings - common-settings - common-dynamic-mappings data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-kratos-so* priority: 500 template: mappings: date_detection: false dynamic_templates: - strings_as_keyword: mapping: ignore_above: 1024 type: keyword match_mapping_type: string settings: index: lifecycle: name: so-kratos-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 number_of_shards: 1 refresh_interval: 30s sort: field: '@timestamp' order: desc policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d warm: 7 so-logs: index_sorting: false index_template: composed_of: - so-data-streams-mappings - so-fleet_globals-1 - so-fleet_agent_id_verification-1 - so-logs-mappings - so-logs-settings data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-*-* priority: 225 template: mappings: _meta: managed: true managed_by: security_onion package: name: elastic_agent settings: index: lifecycle: name: so-logs-logs mapping: total_fields: limit: 5001 number_of_replicas: 0 sort: field: '@timestamp' order: desc policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-1password_x_item_usages: index_sorting: false index_template: composed_of: - logs-1password.item_usages@package - logs-1password.item_usages@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-1password.item_usages-* priority: 501 template: 
settings: index: lifecycle: name: so-logs-1password.item_usages-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-1password_x_signin_attempts: index_sorting: false index_template: composed_of: - logs-1password.signin_attempts@package - logs-1password.signin_attempts@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-1password.signin_attempts-* priority: 501 template: settings: index: lifecycle: name: so-logs-1password.signin_attempts-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-apache_x_access: index_sorting: false index_template: composed_of: - logs-apache.access@package - logs-apache.access@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-apache.access-* priority: 501 template: settings: index: lifecycle: name: so-logs-apache.access-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-apache_x_error: index_sorting: false index_template: composed_of: - logs-apache.error@package - logs-apache.error@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false 
index_patterns: - logs-apache.error-* priority: 501 template: settings: index: lifecycle: name: so-logs-apache.error-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-auditd_x_log: index_sorting: false index_template: composed_of: - logs-auditd.log@package - logs-auditd.log@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-auditd.log-* priority: 501 template: settings: index: lifecycle: name: so-logs-auditd.log-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-auth0_x_logs: index_sorting: false index_template: composed_of: - logs-auth0.logs@package - logs-auth0.logs@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-auth0.logs-* priority: 501 template: settings: index: lifecycle: name: so-logs-auth0.logs-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-aws_x_cloudfront_logs: index_sorting: False index_template: index_patterns: - "logs-aws.cloudfront_logs-*" template: settings: index: lifecycle: name: so-logs-aws.cloudfront_logs-logs number_of_replicas: 0 composed_of: - "logs-aws.cloudfront_logs@package" - 
"logs-aws.cloudfront_logs@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-aws_x_cloudtrail: index_sorting: false index_template: composed_of: - logs-aws.cloudtrail@package - logs-aws.cloudtrail@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-aws.cloudtrail-* priority: 501 template: settings: index: lifecycle: name: so-logs-aws.cloudtrail-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-aws_x_cloudwatch_logs: index_sorting: false index_template: composed_of: - logs-aws.cloudwatch_logs@package - logs-aws.cloudwatch_logs@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-aws.cloudwatch_logs-* priority: 501 template: settings: index: lifecycle: name: so-logs-aws.cloudwatch_logs-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-aws_x_ec2_logs: index_sorting: false index_template: composed_of: - logs-aws.ec2_logs@package - logs-aws.ec2_logs@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: 
allow_custom_routing: false hidden: false index_patterns: - logs-aws.ec2_logs-* priority: 501 template: settings: index: lifecycle: name: so-logs-aws.ec2_logs-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-aws_x_elb_logs: index_sorting: false index_template: composed_of: - logs-aws.elb_logs@package - logs-aws.elb_logs@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-aws.elb_logs-* priority: 501 template: settings: index: lifecycle: name: so-logs-aws.elb_logs-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-aws_x_firewall_logs: index_sorting: false index_template: composed_of: - logs-aws.firewall_logs@package - logs-aws.firewall_logs@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-aws.firewall_logs-* priority: 501 template: settings: index: lifecycle: name: so-logs-aws.firewall_logs-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-aws_x_guardduty: index_sorting: False index_template: index_patterns: - "logs-aws.guardduty-*" template: settings: index: lifecycle: name: so-logs-aws.guardduty-logs number_of_replicas: 0 
composed_of: - "logs-aws.guardduty@package" - "logs-aws.guardduty@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-aws_x_inspector: index_sorting: False index_template: index_patterns: - "logs-aws.inspector-*" template: settings: index: lifecycle: name: so-logs-aws.inspector-logs number_of_replicas: 0 composed_of: - "logs-aws.inspector@package" - "logs-aws.inspector@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-aws_x_route53_public_logs: index_sorting: false index_template: composed_of: - logs-aws.route53_public_logs@package - logs-aws.route53_public_logs@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-aws.route53_public_logs-* priority: 501 template: settings: index: lifecycle: name: so-logs-aws.route53_public_logs-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-aws_x_route53_resolver_logs: index_sorting: false index_template: composed_of: - logs-aws.route53_resolver_logs@package - 
logs-aws.route53_resolver_logs@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-aws.route53_resolver_logs-* priority: 501 template: settings: index: lifecycle: name: so-logs-aws.route53_resolver_logs-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-aws_x_s3access: index_sorting: false index_template: composed_of: - logs-aws.s3access@package - logs-aws.s3access@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-aws.s3access-* priority: 501 template: settings: index: lifecycle: name: so-logs-aws.s3access-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-aws_x_vpcflow: index_sorting: false index_template: composed_of: - logs-aws.vpcflow@package - logs-aws.vpcflow@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-aws.vpcflow-* priority: 501 template: settings: index: lifecycle: name: so-logs-aws.vpcflow-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-aws_x_waf: index_sorting: false index_template: composed_of: - logs-aws.waf@package - 
logs-aws.waf@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-aws.waf-* priority: 501 template: settings: index: lifecycle: name: so-logs-aws.waf-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-azure_x_activitylogs: index_sorting: false index_template: composed_of: - logs-azure.activitylogs@package - logs-azure.activitylogs@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-azure.activitylogs-* priority: 501 template: settings: index: lifecycle: name: so-logs-azure.activitylogs-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-azure_x_application_gateway: index_sorting: false index_template: composed_of: - logs-azure.application_gateway@package - logs-azure.application_gateway@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-azure.application_gateway-* priority: 501 template: settings: index: lifecycle: name: so-logs-azure.application_gateway-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-azure_x_auditlogs: index_sorting: false 
index_template: composed_of: - logs-azure.auditlogs@package - logs-azure.auditlogs@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-azure.auditlogs-* priority: 501 template: settings: index: lifecycle: name: so-logs-azure.auditlogs-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-azure_x_eventhub: index_sorting: false index_template: composed_of: - logs-azure.eventhub@package - logs-azure.eventhub@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-azure.eventhub-* priority: 501 template: settings: index: lifecycle: name: so-logs-azure.eventhub-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-azure_x_firewall_logs: index_sorting: false index_template: composed_of: - logs-azure.firewall_logs@package - logs-azure.firewall_logs@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-azure.firewall_logs-* priority: 501 template: settings: index: lifecycle: name: so-logs-azure.firewall_logs-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d 
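# Index template + ILM policy pairs for Fleet integration data streams
# (Azure, Barracuda, Carbon Black EDR, Check Point, Cisco, Citrix).
# These entries are siblings of the earlier so-* entries under index_settings.
#
# NOTE(review): the block structure below was restored from a whitespace-
# collapsed listing using the Elasticsearch index-template and ILM layout;
# confirm the nesting against the upstream file before applying.
#
# Settings shared by every entry in this section:
#   - number_of_replicas: 0 keeps a single copy of each shard. Losing the node
#     that holds the primary loses those logs, so on multi-node deployments
#     consider a replica for sources needed in investigations.
#   - the delete phase removes data at min_age 365d; check this against the
#     retention period your audit and incident-response requirements set.
#   - priority: 501 is the index template priority used when several templates
#     match the same index pattern.
so-logs-azure_x_identity_protection:
  index_sorting: false
  index_template:
    composed_of:
      - logs-azure.identity_protection@package
      - logs-azure.identity_protection@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-azure.identity_protection-*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-azure.identity_protection-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-azure_x_platformlogs:
  index_sorting: false
  index_template:
    composed_of:
      - logs-azure.platformlogs@package
      - logs-azure.platformlogs@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-azure.platformlogs-*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-azure.platformlogs-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-azure_x_provisioning:
  index_sorting: false
  index_template:
    composed_of:
      - logs-azure.provisioning@package
      - logs-azure.provisioning@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-azure.provisioning-*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-azure.provisioning-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-azure_x_signinlogs:
  index_sorting: false
  index_template:
    composed_of:
      - logs-azure.signinlogs@package
      - logs-azure.signinlogs@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-azure.signinlogs-*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-azure.signinlogs-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-azure_x_springcloudlogs:
  index_sorting: false
  index_template:
    composed_of:
      - logs-azure.springcloudlogs@package
      - logs-azure.springcloudlogs@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-azure.springcloudlogs-*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-azure.springcloudlogs-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-barracuda_x_waf:
  index_sorting: false
  index_template:
    composed_of:
      - logs-barracuda.waf@package
      - logs-barracuda.waf@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-barracuda.waf-*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-barracuda.waf-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-carbonblack_edr_x_log:
  index_sorting: false
  index_template:
    composed_of:
      - logs-carbonblack_edr.log@package
      - logs-carbonblack_edr.log@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-carbonblack_edr.log-*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-carbonblack_edr.log-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-checkpoint_x_firewall:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-checkpoint.firewall-*"
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-checkpoint.firewall-logs
          number_of_replicas: 0
    composed_of:
      - "logs-checkpoint.firewall@package"
      - "logs-checkpoint.firewall@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-cisco_asa_x_log:
  index_sorting: false
  index_template:
    composed_of:
      - logs-cisco_asa.log@package
      - logs-cisco_asa.log@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-cisco_asa.log-*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-cisco_asa.log-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-cisco_duo_x_admin:
  index_sorting: false
  index_template:
    composed_of:
      - logs-cisco_duo.admin@package
      - logs-cisco_duo.admin@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-cisco_duo.admin-*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-cisco_duo.admin-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-cisco_duo_x_auth:
  index_sorting: false
  index_template:
    composed_of:
      - logs-cisco_duo.auth@package
      - logs-cisco_duo.auth@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-cisco_duo.auth-*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-cisco_duo.auth-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-cisco_duo_x_offline_enrollment:
  index_sorting: false
  index_template:
    composed_of:
      - logs-cisco_duo.offline_enrollment@package
      - logs-cisco_duo.offline_enrollment@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-cisco_duo.offline_enrollment-*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-cisco_duo.offline_enrollment-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-cisco_duo_x_summary:
  index_sorting: false
  index_template:
    composed_of:
      - logs-cisco_duo.summary@package
      - logs-cisco_duo.summary@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-cisco_duo.summary-*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-cisco_duo.summary-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-cisco_duo_x_telephony:
  index_sorting: false
  index_template:
    composed_of:
      - logs-cisco_duo.telephony@package
      - logs-cisco_duo.telephony@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-cisco_duo.telephony-*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-cisco_duo.telephony-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-cisco_ftd_x_log:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-cisco_ftd.log-*"
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-cisco_ftd.log-logs
          number_of_replicas: 0
    composed_of:
      - "logs-cisco_ftd.log@package"
      - "logs-cisco_ftd.log@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-cisco_ios_x_log:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-cisco_ios.log-*"
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-cisco_ios.log-logs
          number_of_replicas: 0
    composed_of:
      - "logs-cisco_ios.log@package"
      - "logs-cisco_ios.log@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-cisco_ise_x_log:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-cisco_ise.log-*"
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-cisco_ise.log-logs
          number_of_replicas: 0
    composed_of:
      - "logs-cisco_ise.log@package"
      - "logs-cisco_ise.log@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-cisco_meraki_x_events:
  index_sorting: false
  index_template:
    composed_of:
      - logs-cisco_meraki.events@package
      - logs-cisco_meraki.events@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-cisco_meraki.events-*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-cisco_meraki.events-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-cisco_meraki_x_log:
  index_sorting: false
  index_template:
    composed_of:
      - logs-cisco_meraki.log@package
      - logs-cisco_meraki.log@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-cisco_meraki.log-*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-cisco_meraki.log-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-cisco_umbrella_x_log:
  index_sorting: false
  index_template:
    composed_of:
      - logs-cisco_umbrella.log@package
      - logs-cisco_umbrella.log@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-cisco_umbrella.log-*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-cisco_umbrella.log-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-citrix_adc_x_interface:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-citrix_adc.interface-*"
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-citrix_adc.interface-logs
          number_of_replicas: 0
    composed_of:
      - "logs-citrix_adc.interface@package"
      - "logs-citrix_adc.interface@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-citrix_adc_x_lbvserver:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-citrix_adc.lbvserver-*"
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-citrix_adc.lbvserver-logs
          number_of_replicas: 0
    composed_of:
      - "logs-citrix_adc.lbvserver@package"
      - "logs-citrix_adc.lbvserver@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-citrix_adc_x_service:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-citrix_adc.service-*"
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-citrix_adc.service-logs
          number_of_replicas: 0
    composed_of:
      - "logs-citrix_adc.service@package"
      - "logs-citrix_adc.service@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-citrix_adc_x_system:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-citrix_adc.system-*"
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-citrix_adc.system-logs
          number_of_replicas: 0
    composed_of:
      - "logs-citrix_adc.system@package"
      - "logs-citrix_adc.system@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-citrix_adc_x_vpn:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-citrix_adc.vpn-*"
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-citrix_adc.vpn-logs
          number_of_replicas: 0
    composed_of:
      - "logs-citrix_adc.vpn@package"
      - "logs-citrix_adc.vpn@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-citrix_waf_x_log:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-citrix_waf.log-*"
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-citrix_waf.log-logs
          number_of_replicas: 0
    composed_of:
      - "logs-citrix_waf.log@package"
      - "logs-citrix_waf.log@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d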
so-logs-cloudflare_x_audit: index_sorting: false index_template: composed_of: - logs-cloudflare.audit@package - logs-cloudflare.audit@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-cloudflare.audit-* priority: 501 template: settings: index: lifecycle: name: so-logs-cloudflare.audit-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-cloudflare_x_logpull: index_sorting: false index_template: composed_of: - logs-cloudflare.logpull@package - logs-cloudflare.logpull@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-cloudflare.logpull-* priority: 501 template: settings: index: lifecycle: name: so-logs-cloudflare.logpull-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-crowdstrike_x_falcon: index_sorting: false index_template: composed_of: - logs-crowdstrike.falcon@package - logs-crowdstrike.falcon@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-crowdstrike.falcon-* priority: 501 template: settings: index: lifecycle: name: so-logs-crowdstrike.falcon-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms 
warm: actions: set_priority: priority: 50 min_age: 30d so-logs-crowdstrike_x_fdr: index_sorting: false index_template: composed_of: - logs-crowdstrike.fdr@package - logs-crowdstrike.fdr@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-crowdstrike.fdr-* priority: 501 template: settings: index: lifecycle: name: so-logs-crowdstrike.fdr-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-darktrace_x_ai_analyst_alert: index_sorting: false index_template: composed_of: - logs-darktrace.ai_analyst_alert@package - logs-darktrace.ai_analyst_alert@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-darktrace.ai_analyst_alert-* priority: 501 template: settings: index: lifecycle: name: so-logs-darktrace.ai_analyst_alert-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-darktrace_x_model_breach_alert: index_sorting: false index_template: composed_of: - logs-darktrace.model_breach_alert@package - logs-darktrace.model_breach_alert@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-darktrace.model_breach_alert-* priority: 501 template: settings: index: lifecycle: name: so-logs-darktrace.model_breach_alert-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: 
actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-darktrace_x_system_status_alert: index_sorting: false index_template: composed_of: - logs-darktrace.system_status_alert@package - logs-darktrace.system_status_alert@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-darktrace.system_status_alert-* priority: 501 template: settings: index: lifecycle: name: so-logs-darktrace.system_status_alert-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-elastic_agent: index_sorting: false index_template: composed_of: - event-mappings - logs-elastic_agent@package - logs-elastic_agent@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-elastic_agent-* priority: 501 template: mappings: _meta: managed: true managed_by: security_onion package: name: elastic_agent settings: index: lifecycle: name: so-logs-elastic_agent-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 sort: field: '@timestamp' order: desc policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-elastic_agent_x_apm_server: index_sorting: false index_template: composed_of: - logs-elastic_agent.apm_server@package - 
logs-elastic_agent.apm_server@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-elastic_agent.apm_server-* priority: 501 template: mappings: _meta: managed: true managed_by: security_onion package: name: elastic_agent settings: index: lifecycle: name: so-logs-elastic_agent.apm_server-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 sort: field: '@timestamp' order: desc policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-elastic_agent_x_auditbeat: index_sorting: false index_template: composed_of: - logs-elastic_agent.auditbeat@package - logs-elastic_agent.auditbeat@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-elastic_agent.auditbeat-* priority: 501 template: mappings: _meta: managed: true managed_by: security_onion package: name: elastic_agent settings: index: lifecycle: name: so-logs-elastic_agent.auditbeat-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 sort: field: '@timestamp' order: desc policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-elastic_agent_x_cloudbeat: index_sorting: false index_template: composed_of: - logs-elastic_agent.cloudbeat@package - logs-elastic_agent.cloudbeat@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 
index_patterns: - logs-elastic_agent.cloudbeat-* priority: 501 template: mappings: _meta: managed: true managed_by: security_onion package: name: elastic_agent settings: index: lifecycle: name: so-logs-elastic_agent.cloudbeat-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 sort: field: '@timestamp' order: desc policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-elastic_agent_x_endpoint_security: index_sorting: false index_template: composed_of: - event-mappings - logs-elastic_agent.endpoint_security@package - logs-elastic_agent.endpoint_security@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-elastic_agent.endpoint_security-* priority: 501 template: settings: index: lifecycle: name: so-logs-elastic_agent.endpoint_security-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 sort: field: '@timestamp' order: desc policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-elastic_agent_x_filebeat: index_sorting: false index_template: composed_of: - event-mappings - logs-elastic_agent.filebeat@package - logs-elastic_agent.filebeat@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-elastic_agent.filebeat-* priority: 501 template: settings: index: lifecycle: name: 
so-logs-elastic_agent.filebeat-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 sort: field: '@timestamp' order: desc policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-elastic_agent_x_fleet_server: index_sorting: false index_template: composed_of: - event-mappings - logs-elastic_agent.fleet_server@package - logs-elastic_agent.fleet_server@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-elastic_agent.fleet_server-* priority: 501 template: settings: index: lifecycle: name: so-logs-elastic_agent.fleet_server-logs number_of_replicas: 0 sort: field: '@timestamp' order: desc policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-elastic_agent_x_heartbeat: index_sorting: false index_template: composed_of: - logs-elastic_agent.heartbeat@package - logs-elastic_agent.heartbeat@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 index_patterns: - logs-elastic_agent.heartbeat-* priority: 501 template: mappings: _meta: managed: true managed_by: security_onion package: name: elastic_agent settings: index: lifecycle: name: so-logs-elastic_agent.heartbeat-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 sort: field: '@timestamp' order: desc policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: 
set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-elastic_agent_x_metricbeat: index_sorting: false index_template: composed_of: - event-mappings - logs-elastic_agent.metricbeat@package - logs-elastic_agent.metricbeat@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-elastic_agent.metricbeat-* priority: 501 template: settings: index: lifecycle: name: so-logs-elastic_agent.metricbeat-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 sort: field: '@timestamp' order: desc policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-elastic_agent_x_osquerybeat: index_sorting: false index_template: composed_of: - event-mappings - logs-elastic_agent.osquerybeat@package - logs-elastic_agent.osquerybeat@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-elastic_agent.osquerybeat-* priority: 501 template: settings: index: lifecycle: name: so-logs-elastic_agent.osquerybeat-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 sort: field: '@timestamp' order: desc policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: 
priority: 50 min_age: 30d so-logs-elastic_agent_x_packetbeat: index_sorting: false index_template: composed_of: - logs-elastic_agent.packetbeat@package - logs-elastic_agent.packetbeat@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-elastic_agent.packetbeat-* priority: 501 template: mappings: _meta: managed: true managed_by: security_onion package: name: elastic_agent settings: index: lifecycle: name: so-logs-elastic_agent.packetbeat-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 sort: field: '@timestamp' order: desc policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-endpoint_x_alerts: index_sorting: false index_template: composed_of: - event-mappings - logs-endpoint.alerts@custom - logs-endpoint.alerts@package - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-endpoint.alerts-* priority: 501 template: settings: index: lifecycle: name: so-logs-endpoint.alerts-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 sort: field: '@timestamp' order: desc policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-endpoint_x_diagnostic_x_collection: index_sorting: false index_template: composed_of: - event-mappings - logs-endpoint.diagnostic.collection@custom - 
logs-endpoint.diagnostic.collection@package - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - .logs-endpoint.diagnostic.collection-* priority: 501 template: settings: index: lifecycle: name: so-logs-endpoint.diagnostic.collection-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 sort: field: '@timestamp' order: desc policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-endpoint_x_events_x_api: index_sorting: false index_template: composed_of: - event-mappings - logs-endpoint.events.api@custom - logs-endpoint.events.api@package - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-endpoint.events.api-* priority: 501 template: settings: index: lifecycle: name: so-logs-endpoint.events.api-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 sort: field: '@timestamp' order: desc policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-endpoint_x_events_x_file: index_sorting: false index_template: composed_of: - event-mappings - logs-endpoint.events.file@custom - logs-endpoint.events.file@package - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-endpoint.events.file-* priority: 501 template: settings: index: 
lifecycle: name: so-logs-endpoint.events.file-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 sort: field: '@timestamp' order: desc policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-endpoint_x_events_x_library: index_sorting: false index_template: composed_of: - event-mappings - logs-endpoint.events.library@custom - logs-endpoint.events.library@package - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-endpoint.events.library-* priority: 501 template: settings: index: lifecycle: name: so-logs-endpoint.events.library-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 sort: field: '@timestamp' order: desc policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-endpoint_x_events_x_network: index_sorting: false index_template: composed_of: - event-mappings - logs-endpoint.events.network@custom - logs-endpoint.events.network@package - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-endpoint.events.network-* priority: 501 template: settings: index: lifecycle: name: so-logs-endpoint.events.network-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 sort: field: '@timestamp' order: desc policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent 
phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-endpoint_x_events_x_process: index_sorting: false index_template: composed_of: - event-mappings - logs-endpoint.events.process@custom - logs-endpoint.events.process@package - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-endpoint.events.process-* priority: 501 template: settings: index: lifecycle: name: so-logs-endpoint.events.process-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 sort: field: '@timestamp' order: desc policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-endpoint_x_events_x_registry: index_sorting: false index_template: composed_of: - event-mappings - logs-endpoint.events.registry@custom - logs-endpoint.events.registry@package - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-endpoint.events.registry-* priority: 501 template: settings: index: lifecycle: name: so-logs-endpoint.events.registry-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 sort: field: '@timestamp' order: desc policy: _meta: managed: true managed_by: security_onion package: name: elastic_agent phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: 
# Remainder of the preceding entry; its opening keys are on the line above.
set_priority: priority: 50 min_age: 30d
    # Index template and ILM policy for the logs-endpoint.events.security
    # data stream.
    so-logs-endpoint_x_events_x_security:
      index_sorting: false
      index_template:
        # Component templates merged in list order; a later entry overrides
        # an earlier one for the same setting.
        # NOTE(review): @custom precedes @package here, the reverse of the
        # so-logs-f5_bigip_x_log entry below. Confirm the order is intended.
        composed_of:
          - event-mappings
          - logs-endpoint.events.security@custom
          - logs-endpoint.events.security@package
          - so-fleet_globals-1
          - so-fleet_agent_id_verification-1
        data_stream:
          allow_custom_routing: false
          hidden: false
        index_patterns:
          - logs-endpoint.events.security-*
        # Highest priority wins among index templates matching the same name.
        priority: 501
        template:
          settings:
            index:
              lifecycle:
                name: so-logs-endpoint.events.security-logs
              # Cap on mapped fields per index (Elasticsearch default: 1000).
              mapping:
                total_fields:
                  limit: 5000
              # Single copy of every shard; no redundancy for these events.
              number_of_replicas: 0
              sort:
                field: '@timestamp'
                order: desc
      policy:
        _meta:
          managed: true
          managed_by: security_onion
          package:
            name: elastic_agent
        phases:
          cold:
            actions:
              set_priority:
                priority: 0
            min_age: 30d
          # Indices are deleted 365d after rollover; older security events
          # are then gone from this cluster.
          delete:
            actions:
              delete: {}
            min_age: 365d
          hot:
            actions:
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
              set_priority:
                priority: 100
            min_age: 0ms
          warm:
            actions:
              set_priority:
                priority: 50
            min_age: 30d
    # Index template and ILM policy for the logs-f5_bigip.log data stream.
    # Unlike the endpoint entry above, it sets no field limit, no sort and
    # no policy _meta.
    so-logs-f5_bigip_x_log:
      index_sorting: false
      index_template:
        # @custom comes after @package, so local customisations override
        # the package's settings.
        composed_of:
          - logs-f5_bigip.log@package
          - logs-f5_bigip.log@custom
          - so-fleet_globals-1
          - so-fleet_agent_id_verification-1
        data_stream:
          allow_custom_routing: false
          hidden: false
        index_patterns:
          - logs-f5_bigip.log-*
        priority: 501
        template:
          settings:
            index:
              lifecycle:
                name: so-logs-f5_bigip.log-logs
              # Single copy of every shard; no redundancy for these logs.
              number_of_replicas: 0
      policy:
        phases:
          cold:
            actions:
              set_priority:
                priority: 0
            min_age: 30d
          # Retention ceiling: deleted 365d after rollover.
          delete:
            actions:
              delete: {}
            min_age: 365d
          # Roll over at 30d of age or a 50gb primary shard, whichever
          # happens first.
          hot:
            actions:
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
              set_priority:
                priority: 100
            min_age: 0ms
          warm:
            actions:
              set_priority:
                priority: 50
            min_age: 30d
# Opening keys of the next entry; the rest of it continues on the following line.
so-logs-fim_x_event: index_sorting: false index_template: composed_of: - logs-fim.event@package - logs-fim.event@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-fim.event-* priority: 501 template: settings: index: lifecycle: name: so-logs-fim.event-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority:
priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-fireeye_x_nx: index_sorting: false index_template: composed_of: - logs-fireeye.nx@package - logs-fireeye.nx@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-fireeye.nx-* priority: 501 template: settings: index: lifecycle: name: so-logs-fireeye.nx-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-fortinet_fortigate_x_log: index_sorting: false index_template: composed_of: - logs-fortinet_fortigate.log@package - logs-fortinet_fortigate.log@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-fortinet_fortigate.log-* priority: 501 template: settings: index: lifecycle: name: so-logs-fortinet_fortigate.log-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-fortinet_x_clientendpoint: index_sorting: false index_template: composed_of: - logs-fortinet.clientendpoint@package - logs-fortinet.clientendpoint@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-fortinet.clientendpoint-* priority: 501 template: settings: index: lifecycle: name: 
so-logs-fortinet.clientendpoint-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-fortinet_x_firewall: index_sorting: false index_template: composed_of: - logs-fortinet.firewall@package - logs-fortinet.firewall@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-fortinet.firewall-* priority: 501 template: settings: index: lifecycle: name: so-logs-fortinet.firewall-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-fortinet_x_fortimail: index_sorting: false index_template: composed_of: - logs-fortinet.fortimail@package - logs-fortinet.fortimail@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-fortinet.fortimail-* priority: 501 template: settings: index: lifecycle: name: so-logs-fortinet.fortimail-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-fortinet_x_fortimanager: index_sorting: false index_template: composed_of: - logs-fortinet.fortimanager@package - logs-fortinet.fortimanager@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - 
logs-fortinet.fortimanager-* priority: 501 template: settings: index: lifecycle: name: so-logs-fortinet.fortimanager-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-gcp_x_audit: index_sorting: false index_template: composed_of: - logs-gcp.audit@package - logs-gcp.audit@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-gcp.audit-* priority: 501 template: settings: index: lifecycle: name: so-logs-gcp.audit-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-gcp_x_dns: index_sorting: false index_template: composed_of: - logs-gcp.dns@package - logs-gcp.dns@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-gcp.dns-* priority: 501 template: settings: index: lifecycle: name: so-logs-gcp.dns-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-gcp_x_firewall: index_sorting: false index_template: composed_of: - logs-gcp.firewall@package - logs-gcp.firewall@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-gcp.firewall-* priority: 501 template: 
settings: index: lifecycle: name: so-logs-gcp.firewall-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-gcp_x_loadbalancing_logs: index_sorting: false index_template: composed_of: - logs-gcp.loadbalancing_logs@package - logs-gcp.loadbalancing_logs@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-gcp.loadbalancing_logs-* priority: 501 template: settings: index: lifecycle: name: so-logs-gcp.loadbalancing_logs-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-gcp_x_vpcflow: index_sorting: false index_template: composed_of: - logs-gcp.vpcflow@package - logs-gcp.vpcflow@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-gcp.vpcflow-* priority: 501 template: settings: index: lifecycle: name: so-logs-gcp.vpcflow-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-github_x_audit: index_sorting: false index_template: composed_of: - logs-github.audit@package - logs-github.audit@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-github.audit-* 
priority: 501 template: settings: index: lifecycle: name: so-logs-github.audit-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-github_x_code_scanning: index_sorting: false index_template: composed_of: - logs-github.code_scanning@package - logs-github.code_scanning@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-github.code_scanning-* priority: 501 template: settings: index: lifecycle: name: so-logs-github.code_scanning-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-github_x_dependabot: index_sorting: false index_template: composed_of: - logs-github.dependabot@package - logs-github.dependabot@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-github.dependabot-* priority: 501 template: settings: index: lifecycle: name: so-logs-github.dependabot-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-github_x_issues: index_sorting: false index_template: composed_of: - logs-github.issues@package - logs-github.issues@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: 
false index_patterns: - logs-github.issues-* priority: 501 template: settings: index: lifecycle: name: so-logs-github.issues-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-github_x_secret_scanning: index_sorting: false index_template: composed_of: - logs-github.secret_scanning@package - logs-github.secret_scanning@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-github.secret_scanning-* priority: 501 template: settings: index: lifecycle: name: so-logs-github.secret_scanning-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-google_workspace_x_access_transparency: index_sorting: false index_template: composed_of: - logs-google_workspace.access_transparency@package - logs-google_workspace.access_transparency@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-google_workspace.access_transparency-* priority: 501 template: settings: index: lifecycle: name: so-logs-google_workspace.access_transparency-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-google_workspace_x_admin: index_sorting: false index_template: composed_of: - 
logs-google_workspace.admin@package - logs-google_workspace.admin@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-google_workspace.admin-* priority: 501 template: settings: index: lifecycle: name: so-logs-google_workspace.admin-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-google_workspace_x_alert: index_sorting: false index_template: composed_of: - logs-google_workspace.alert@package - logs-google_workspace.alert@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-google_workspace.alert-* priority: 501 template: settings: index: lifecycle: name: so-logs-google_workspace.alert-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-google_workspace_x_context_aware_access: index_sorting: false index_template: composed_of: - logs-google_workspace.context_aware_access@package - logs-google_workspace.context_aware_access@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-google_workspace.context_aware_access-* priority: 501 template: settings: index: lifecycle: name: so-logs-google_workspace.context_aware_access-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d 
max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-google_workspace_x_device: index_sorting: false index_template: composed_of: - logs-google_workspace.device@package - logs-google_workspace.device@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-google_workspace.device-* priority: 501 template: settings: index: lifecycle: name: so-logs-google_workspace.device-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-google_workspace_x_drive: index_sorting: false index_template: composed_of: - logs-google_workspace.drive@package - logs-google_workspace.drive@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-google_workspace.drive-* priority: 501 template: settings: index: lifecycle: name: so-logs-google_workspace.drive-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-google_workspace_x_gcp: index_sorting: false index_template: composed_of: - logs-google_workspace.gcp@package - logs-google_workspace.gcp@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-google_workspace.gcp-* priority: 501 template: settings: index: lifecycle: name: so-logs-google_workspace.gcp-logs number_of_replicas: 0 policy: phases: cold: 
actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-google_workspace_x_group_enterprise: index_sorting: false index_template: composed_of: - logs-google_workspace.group_enterprise@package - logs-google_workspace.group_enterprise@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-google_workspace.group_enterprise-* priority: 501 template: settings: index: lifecycle: name: so-logs-google_workspace.group_enterprise-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-google_workspace_x_groups: index_sorting: false index_template: composed_of: - logs-google_workspace.groups@package - logs-google_workspace.groups@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-google_workspace.groups-* priority: 501 template: settings: index: lifecycle: name: so-logs-google_workspace.groups-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-google_workspace_x_login: index_sorting: false index_template: composed_of: - logs-google_workspace.login@package - logs-google_workspace.login@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false 
index_patterns: - logs-google_workspace.login-* priority: 501 template: settings: index: lifecycle: name: so-logs-google_workspace.login-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-google_workspace_x_rules: index_sorting: false index_template: composed_of: - logs-google_workspace.rules@package - logs-google_workspace.rules@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-google_workspace.rules-* priority: 501 template: settings: index: lifecycle: name: so-logs-google_workspace.rules-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-google_workspace_x_saml: index_sorting: false index_template: composed_of: - logs-google_workspace.saml@package - logs-google_workspace.saml@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-google_workspace.saml-* priority: 501 template: settings: index: lifecycle: name: so-logs-google_workspace.saml-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-google_workspace_x_token: index_sorting: false index_template: composed_of: - logs-google_workspace.token@package - 
logs-google_workspace.token@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-google_workspace.token-* priority: 501 template: settings: index: lifecycle: name: so-logs-google_workspace.token-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-google_workspace_x_user_accounts: index_sorting: false index_template: composed_of: - logs-google_workspace.user_accounts@package - logs-google_workspace.user_accounts@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-google_workspace.user_accounts-* priority: 501 template: settings: index: lifecycle: name: so-logs-google_workspace.user_accounts-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-http_endpoint_x_generic: index_sorting: false index_template: composed_of: - logs-http_endpoint.generic@package - logs-http_endpoint.generic@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-http_endpoint.generic-* priority: 501 template: settings: index: lifecycle: name: so-logs-http_endpoint.generic-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: 
# Remainder of the preceding entry; its opening keys are on the line above.
set_priority: priority: 50 min_age: 30d
    # Index template and ILM policy for the logs-httpjson.generic data stream.
    so-logs-httpjson_x_generic:
      index_sorting: false
      index_template:
        # Component templates merged in list order; @custom follows @package,
        # so local customisations override the package's settings.
        composed_of:
          - logs-httpjson.generic@package
          - logs-httpjson.generic@custom
          - so-fleet_globals-1
          - so-fleet_agent_id_verification-1
        data_stream:
          allow_custom_routing: false
          hidden: false
        index_patterns:
          - logs-httpjson.generic-*
        # Highest priority wins among index templates matching the same name.
        priority: 501
        template:
          settings:
            index:
              lifecycle:
                name: so-logs-httpjson.generic-logs
              # Single copy of every shard; no redundancy for these logs.
              number_of_replicas: 0
      policy:
        phases:
          cold:
            actions:
              set_priority:
                priority: 0
            min_age: 30d
          # Retention ceiling: deleted 365d after rollover.
          delete:
            actions:
              delete: {}
            min_age: 365d
          hot:
            actions:
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
              set_priority:
                priority: 100
            min_age: 0ms
          warm:
            actions:
              set_priority:
                priority: 50
            min_age: 30d
    # Index template and ILM policy for the logs-iis.access data stream.
    # It carries the same keys and values as the entry above, but written
    # in a different key order and with double-quoted strings.
    so-logs-iis_x_access:
      # NOTE(review): spelled `False` here and `false` in the entry above;
      # YAML 1.1 loaders read both as the same boolean. Lowercase is the
      # canonical form and keeps the file consistent.
      index_sorting: False
      index_template:
        index_patterns:
          - "logs-iis.access-*"
        template:
          settings:
            index:
              lifecycle:
                name: so-logs-iis.access-logs
              # Single copy of every shard; no redundancy for these web
              # server access logs.
              number_of_replicas: 0
        composed_of:
          - "logs-iis.access@package"
          - "logs-iis.access@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
      policy:
        phases:
          cold:
            actions:
              set_priority:
                priority: 0
            min_age: 30d
          # Retention ceiling: deleted 365d after rollover.
          delete:
            actions:
              delete: {}
            min_age: 365d
          hot:
            actions:
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
              set_priority:
                priority: 100
            min_age: 0ms
          warm:
            actions:
              set_priority:
                priority: 50
            min_age: 30d
# Opening keys of the next entry; the rest of it continues on the following line.
so-logs-iis_x_error: index_sorting: False index_template: index_patterns: - "logs-iis.error-*" template: settings: index: lifecycle: name: so-logs-iis.error-logs number_of_replicas: 0 composed_of: - "logs-iis.error@package" - "logs-iis.error@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions:
set_priority: priority: 50 min_age: 30d so-logs-juniper_srx_x_log: index_sorting: false index_template: composed_of: - logs-juniper_srx.log@package - logs-juniper_srx.log@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-juniper_srx.log-* priority: 501 template: settings: index: lifecycle: name: so-logs-juniper_srx.log-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-juniper_x_junos: index_sorting: false index_template: composed_of: - logs-juniper.junos@package - logs-juniper.junos@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-juniper.junos-* priority: 501 template: settings: index: lifecycle: name: so-logs-juniper.junos-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-juniper_x_netscreen: index_sorting: false index_template: composed_of: - logs-juniper.netscreen@package - logs-juniper.netscreen@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-juniper.netscreen-* priority: 501 template: settings: index: lifecycle: name: so-logs-juniper.netscreen-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 
0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-juniper_x_srx: index_sorting: false index_template: composed_of: - logs-juniper.srx@package - logs-juniper.srx@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-juniper.srx-* priority: 501 template: settings: index: lifecycle: name: so-logs-juniper.srx-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-kafka_log_x_generic: index_sorting: false index_template: composed_of: - logs-kafka_log.generic@package - logs-kafka_log.generic@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-kafka_log.generic-* priority: 501 template: settings: index: lifecycle: name: so-logs-kafka_log.generic-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-lastpass_x_detailed_shared_folder: index_sorting: false index_template: composed_of: - logs-lastpass.detailed_shared_folder@package - logs-lastpass.detailed_shared_folder@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-lastpass.detailed_shared_folder-* priority: 501 template: settings: index: lifecycle: name: so-logs-lastpass.detailed_shared_folder-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: 
rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-lastpass_x_event_report: index_sorting: false index_template: composed_of: - logs-lastpass.event_report@package - logs-lastpass.event_report@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-lastpass.event_report-* priority: 501 template: settings: index: lifecycle: name: so-logs-lastpass.event_report-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-lastpass_x_user: index_sorting: false index_template: composed_of: - logs-lastpass.user@package - logs-lastpass.user@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-lastpass.user-* priority: 501 template: settings: index: lifecycle: name: so-logs-lastpass.user-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-m365_defender_x_event: index_sorting: false index_template: composed_of: - logs-m365_defender.event@package - logs-m365_defender.event@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-m365_defender.event-* priority: 501 template: settings: index: lifecycle: name: so-logs-m365_defender.event-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 
30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-m365_defender_x_incident: index_sorting: false index_template: composed_of: - logs-m365_defender.incident@package - logs-m365_defender.incident@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-m365_defender.incident-* priority: 501 template: settings: index: lifecycle: name: so-logs-m365_defender.incident-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-m365_defender_x_log: index_sorting: false index_template: composed_of: - logs-m365_defender.log@package - logs-m365_defender.log@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-m365_defender.log-* priority: 501 template: settings: index: lifecycle: name: so-logs-m365_defender.log-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-microsoft_defender_endpoint_x_log: index_sorting: false index_template: composed_of: - logs-microsoft_defender_endpoint.log@package - logs-microsoft_defender_endpoint.log@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-microsoft_defender_endpoint.log-* priority: 501 template: settings: index: 
lifecycle: name: so-logs-microsoft_defender_endpoint.log-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-microsoft_dhcp_x_log: index_sorting: false index_template: composed_of: - logs-microsoft_dhcp.log@package - logs-microsoft_dhcp.log@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-microsoft_dhcp.log-* priority: 501 template: settings: index: lifecycle: name: so-logs-microsoft_dhcp.log-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-microsoft_sqlserver_x_audit: index_sorting: False index_template: index_patterns: - "logs-microsoft_sqlserver.audit-*" template: settings: index: lifecycle: name: so-logs-microsoft_sqlserver.audit-logs number_of_replicas: 0 composed_of: - "logs-microsoft_sqlserver.audit@package" - "logs-microsoft_sqlserver.audit@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-microsoft_sqlserver_x_log: index_sorting: False index_template: index_patterns: - "logs-microsoft_sqlserver.log-*" template: settings: index: lifecycle: name: so-logs-microsoft_sqlserver.log-logs 
number_of_replicas: 0 composed_of: - "logs-microsoft_sqlserver.log@package" - "logs-microsoft_sqlserver.log@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-mysql_x_error: index_sorting: False index_template: index_patterns: - "logs-mysql.error-*" template: settings: index: lifecycle: name: so-logs-mysql.error-logs number_of_replicas: 0 composed_of: - "logs-mysql.error@package" - "logs-mysql.error@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-mysql_x_slowlog: index_sorting: False index_template: index_patterns: - "logs-mysql.slowlog-*" template: settings: index: lifecycle: name: so-logs-mysql.slowlog-logs number_of_replicas: 0 composed_of: - "logs-mysql.slowlog@package" - "logs-mysql.slowlog@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-mimecast_x_audit_events: index_sorting: false index_template: composed_of: - logs-mimecast.audit_events@package - 
logs-mimecast.audit_events@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-mimecast.audit_events-* priority: 501 template: settings: index: lifecycle: name: so-logs-mimecast.audit_events-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-mimecast_x_dlp_logs: index_sorting: false index_template: composed_of: - logs-mimecast.dlp_logs@package - logs-mimecast.dlp_logs@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-mimecast.dlp_logs-* priority: 501 template: settings: index: lifecycle: name: so-logs-mimecast.dlp_logs-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-mimecast_x_siem_logs: index_sorting: false index_template: composed_of: - logs-mimecast.siem_logs@package - logs-mimecast.siem_logs@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-mimecast.siem_logs-* priority: 501 template: settings: index: lifecycle: name: so-logs-mimecast.siem_logs-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d 
# NOTE(review): this listing lost its line breaks and indentation. The nesting
# below is reconstructed and should be confirmed against the original file:
# `policy` is assumed to sit beside `index_template`, and these entries
# presumably belong under `elasticsearch.index_settings`.

# Index template and lifecycle policy for the
# logs-mimecast.threat_intel_malware_customer-* data streams.
so-logs-mimecast_x_threat_intel_malware_customer:
  index_sorting: false
  index_template:
    # Component templates are merged in list order; a later entry overrides
    # settings from an earlier one.
    composed_of:
      - logs-mimecast.threat_intel_malware_customer@package
      - logs-mimecast.threat_intel_malware_customer@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-mimecast.threat_intel_malware_customer-*
    # When several templates match the same name, the highest priority wins.
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            # Name of the lifecycle policy attached to the backing indices.
            name: so-logs-mimecast.threat_intel_malware_customer-logs
          # No replica shards: each shard exists on one node only, so losing
          # that node or its disk loses these events unless a snapshot exists.
          # NOTE(review): confirm this default suits multi-node deployments.
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      # Retention limit: backing indices are deleted at 365d. Check this
      # against the look-back period needed for investigations and audits.
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          # Roll over to a new backing index at 30d or 50gb per primary shard.
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      # warm and cold both start at 30d; the only action in either phase is a
      # change of recovery priority.
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

# Same layout and values as the entry above, for the
# logs-mimecast.threat_intel_malware_grid-* data streams.
so-logs-mimecast_x_threat_intel_malware_grid:
  index_sorting: false
  index_template:
    composed_of:
      - logs-mimecast.threat_intel_malware_grid@package
      - logs-mimecast.threat_intel_malware_grid@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-mimecast.threat_intel_malware_grid-*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-mimecast.threat_intel_malware_grid-logs
          # No replica shards; see the note on the first entry.
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      # Retention limit: deleted at 365d.
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

# Index template for the logs-mimecast.ttp_ap_logs-* data streams.
so-logs-mimecast_x_ttp_ap_logs:
  index_sorting: false
  index_template:
    composed_of:
      - logs-mimecast.ttp_ap_logs@package
      - logs-mimecast.ttp_ap_logs@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-mimecast.ttp_ap_logs-*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-mimecast.ttp_ap_logs-logs
          # No replica shards; see the note on the first entry.
          number_of_replicas: 0
  # The phases of this policy (cold, delete, hot, warm) follow in the
  # unformatted text after this point.
  policy:
    phases:
cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-mimecast_x_ttp_ip_logs: index_sorting: false index_template: composed_of: - logs-mimecast.ttp_ip_logs@package - logs-mimecast.ttp_ip_logs@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-mimecast.ttp_ip_logs-* priority: 501 template: settings: index: lifecycle: name: so-logs-mimecast.ttp_ip_logs-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-mimecast_x_ttp_url_logs: index_sorting: false index_template: composed_of: - logs-mimecast.ttp_url_logs@package - logs-mimecast.ttp_url_logs@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-mimecast.ttp_url_logs-* priority: 501 template: settings: index: lifecycle: name: so-logs-mimecast.ttp_url_logs-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-netflow_x_log: index_sorting: false index_template: composed_of: - logs-netflow.log@package - logs-netflow.log@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-netflow.log-* priority: 501 template: settings: index: lifecycle: name: 
so-logs-netflow.log-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-nginx_x_access: index_sorting: False index_template: index_patterns: - "logs-nginx.access-*" template: settings: index: lifecycle: name: so-logs-nginx.access-logs number_of_replicas: 0 composed_of: - "logs-nginx.access@package" - "logs-nginx.access@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-nginx_x_error: index_sorting: False index_template: index_patterns: - "logs-nginx.error-*" template: settings: index: lifecycle: name: so-logs-nginx.error-logs number_of_replicas: 0 composed_of: - "logs-nginx.error@package" - "logs-nginx.error@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-metrics-nginx_x_stubstatus: index_sorting: False index_template: index_patterns: - "metrics-nginx.stubstatus-*" template: settings: index: lifecycle: name: so-metrics-nginx.stubstatus-logs number_of_replicas: 0 composed_of: - "metrics-nginx.stubstatus@package" - "metrics-nginx.stubstatus@custom" - "so-fleet_globals-1" - 
"so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-o365_x_audit: index_sorting: false index_template: composed_of: - logs-o365.audit@package - logs-o365.audit@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-o365.audit-* priority: 501 template: settings: index: lifecycle: name: so-logs-o365.audit-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-okta_x_system: index_sorting: false index_template: composed_of: - logs-okta.system@package - logs-okta.system@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-okta.system-* priority: 501 template: settings: index: lifecycle: name: so-logs-okta.system-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-osquery-manager-action_x_responses: index_sorting: false index_template: _meta: managed: true managed_by: security_onion package: name: elastic_agent composed_of: - logs-osquery_manager.action.responses index_patterns: - .logs-osquery_manager.action.responses* priority: 501 template: settings: index: 
number_of_replicas: 0 so-logs-osquery-manager-actions: index_sorting: false index_template: _meta: managed: true managed_by: security_onion package: name: elastic_agent composed_of: - logs-osquery_manager.actions index_patterns: - .logs-osquery_manager.actions* priority: 501 template: settings: index: number_of_replicas: 0 so-logs-panw_x_panos: index_sorting: false index_template: composed_of: - logs-panw.panos@package - logs-panw.panos@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-panw.panos-* priority: 501 template: settings: index: lifecycle: name: so-logs-panw.panos-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-pfsense_x_log: index_sorting: false index_template: composed_of: - logs-pfsense.log@package - logs-pfsense.log@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-pfsense.log-* priority: 501 template: settings: index: lifecycle: name: so-logs-pfsense.log-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-proofpoint_tap_x_clicks_blocked: index_sorting: False index_template: index_patterns: - "logs-proofpoint_tap.clicks_blocked-*" template: settings: index: lifecycle: name: so-logs-proofpoint_tap.clicks_blocked-logs number_of_replicas: 0 composed_of: - "logs-proofpoint_tap.clicks_blocked@package" - "logs-proofpoint_tap.clicks_blocked@custom" - "so-fleet_globals-1" 
- "so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-proofpoint_tap_x_clicks_permitted: index_sorting: False index_template: index_patterns: - "logs-proofpoint_tap.clicks_permitted-*" template: settings: index: lifecycle: name: so-logs-proofpoint_tap.clicks_permitted-logs number_of_replicas: 0 composed_of: - "logs-proofpoint_tap.clicks_permitted@package" - "logs-proofpoint_tap.clicks_permitted@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-proofpoint_tap_x_message_blocked: index_sorting: False index_template: index_patterns: - "logs-proofpoint_tap.message_blocked-*" template: settings: index: lifecycle: name: so-logs-proofpoint_tap.message_blocked-logs number_of_replicas: 0 composed_of: - "logs-proofpoint_tap.message_blocked@package" - "logs-proofpoint_tap.message_blocked@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-proofpoint_tap_x_message_delivered: index_sorting: False index_template: index_patterns: - 
"logs-proofpoint_tap.message_delivered-*" template: settings: index: lifecycle: name: so-logs-proofpoint_tap.message_delivered-logs number_of_replicas: 0 composed_of: - "logs-proofpoint_tap.message_delivered@package" - "logs-proofpoint_tap.message_delivered@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-pulse_connect_secure_x_log: index_sorting: false index_template: composed_of: - logs-pulse_connect_secure.log@package - logs-pulse_connect_secure.log@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-pulse_connect_secure.log-* priority: 501 template: settings: index: lifecycle: name: so-logs-pulse_connect_secure.log-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-sentinel_one_x_activity: index_sorting: false index_template: composed_of: - logs-sentinel_one.activity@package - logs-sentinel_one.activity@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-sentinel_one.activity-* priority: 501 template: settings: index: lifecycle: name: so-logs-sentinel_one.activity-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb 
set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-sentinel_one_x_agent: index_sorting: false index_template: composed_of: - logs-sentinel_one.agent@package - logs-sentinel_one.agent@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-sentinel_one.agent-* priority: 501 template: settings: index: lifecycle: name: so-logs-sentinel_one.agent-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-sentinel_one_x_alert: index_sorting: false index_template: composed_of: - logs-sentinel_one.alert@package - logs-sentinel_one.alert@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-sentinel_one.alert-* priority: 501 template: settings: index: lifecycle: name: so-logs-sentinel_one.alert-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-sentinel_one_x_group: index_sorting: false index_template: composed_of: - logs-sentinel_one.group@package - logs-sentinel_one.group@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-sentinel_one.group-* priority: 501 template: settings: index: lifecycle: name: so-logs-sentinel_one.group-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d 
hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-sentinel_one_x_threat: index_sorting: false index_template: composed_of: - logs-sentinel_one.threat@package - logs-sentinel_one.threat@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-sentinel_one.threat-* priority: 501 template: settings: index: lifecycle: name: so-logs-sentinel_one.threat-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-snort_x_log: index_sorting: False index_template: index_patterns: - "logs-snort.log-*" template: settings: index: lifecycle: name: so-logs-snort.log-logs number_of_replicas: 0 composed_of: - "logs-snort.log@package" - "logs-snort.log@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-snyk_x_audit: index_sorting: false index_template: composed_of: - logs-snyk.audit@package - logs-snyk.audit@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-snyk.audit-* priority: 501 template: settings: index: lifecycle: name: so-logs-snyk.audit-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: 
actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-snyk_x_vulnerabilities: index_sorting: false index_template: composed_of: - logs-snyk.vulnerabilities@package - logs-snyk.vulnerabilities@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-snyk.vulnerabilities-* priority: 501 template: settings: index: lifecycle: name: so-logs-snyk.vulnerabilities-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-sonicwall_firewall_x_log: index_sorting: false index_template: composed_of: - logs-sonicwall_firewall.log@package - logs-sonicwall_firewall.log@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-sonicwall_firewall.log-* priority: 501 template: settings: index: lifecycle: name: so-logs-sonicwall_firewall.log-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-sophos_central_x_alert: index_sorting: false index_template: composed_of: - logs-sophos_central.alert@package - logs-sophos_central.alert@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-sophos_central.alert-* priority: 501 template: settings: index: lifecycle: name: so-logs-sophos_central.alert-logs number_of_replicas: 0 policy: 
phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-sophos_central_x_event: index_sorting: false index_template: composed_of: - logs-sophos_central.event@package - logs-sophos_central.event@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-sophos_central.event-* priority: 501 template: settings: index: lifecycle: name: so-logs-sophos_central.event-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-sophos_x_utm: index_sorting: false index_template: composed_of: - logs-sophos.utm@package - logs-sophos.utm@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-sophos.utm-* priority: 501 template: settings: index: lifecycle: name: so-logs-sophos.utm-logs number_of_replicas: 0 policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d so-logs-sophos_x_xg: index_sorting: false index_template: composed_of: - logs-sophos.xg@package - logs-sophos.xg@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false index_patterns: - logs-sophos.xg-* priority: 501 template: settings: index: lifecycle: name: so-logs-sophos.xg-logs number_of_replicas: 0 policy: phases: 
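cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d
# The line above is the tail of an entry that starts before this excerpt; it is
# left exactly as found.
#
# Index templates and ILM policies for integration data streams. These entries
# appear to be children of elasticsearch.index_settings (opened earlier in the
# file); indentation below is relative to that parent, so re-indent on merge.
#
# Review notes:
# - number_of_replicas: 0 gives every backing index a primary shard only. On a
#   multi-node cluster a lost node takes that telemetry with it; raise the
#   value where the logs must survive as evidence.
# - Each policy deletes an index at min_age 365d. Check that against the
#   retention period incident response and compliance require.
# - warm and cold both start at min_age 30d, so both priority changes become
#   due at the same age.

so-logs-symantec_endpoint_x_log:
  index_sorting: false
  index_template:
    composed_of:
      - logs-symantec_endpoint.log@package
      - logs-symantec_endpoint.log@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-symantec_endpoint.log-*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-symantec_endpoint.log-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

# The logs-system.* patterns below end in "*" with no "-" before it, unlike
# most entries here. They therefore also match any data stream whose name
# merely starts with the same prefix; confirm that breadth is intended.
so-logs-system_x_application:
  index_sorting: false
  index_template:
    composed_of:
      - event-mappings
      - logs-system.application@package
      - logs-system.application@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-system.application*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-system.application-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-system_x_auth:
  index_sorting: false
  index_template:
    composed_of:
      - event-mappings
      - logs-system.auth@package
      - logs-system.auth@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-system.auth*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-system.auth-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-system_x_security:
  index_sorting: false
  index_template:
    composed_of:
      - event-mappings
      - logs-system.security@package
      - logs-system.security@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-system.security*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-system.security-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-system_x_syslog:
  index_sorting: false
  index_template:
    composed_of:
      - event-mappings
      - logs-system.syslog@package
      - logs-system.syslog@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-system.syslog*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-system.syslog-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-system_x_system:
  index_sorting: false
  index_template:
    composed_of:
      - event-mappings
      - logs-system.system@package
      - logs-system.system@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-system.system*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-system.system-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-tenable_sc_x_asset:
  index_sorting: false
  index_template:
    composed_of:
      - logs-tenable_sc.asset@package
      - logs-tenable_sc.asset@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-tenable_sc.asset-*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-tenable_sc.asset-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-tenable_sc_x_plugin:
  index_sorting: false
  index_template:
    composed_of:
      - logs-tenable_sc.plugin@package
      - logs-tenable_sc.plugin@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-tenable_sc.plugin-*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-tenable_sc.plugin-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-tenable_sc_x_vulnerability:
  index_sorting: false
  index_template:
    composed_of:
      - logs-tenable_sc.vulnerability@package
      - logs-tenable_sc.vulnerability@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-tenable_sc.vulnerability-*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-tenable_sc.vulnerability-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-ti_abusech_x_malware:
  index_sorting: false
  index_template:
    composed_of:
      - logs-ti_abusech.malware@package
      - logs-ti_abusech.malware@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-ti_abusech.malware-*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-ti_abusech.malware-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-ti_abusech_x_malwarebazaar:
  index_sorting: false
  index_template:
    composed_of:
      - logs-ti_abusech.malwarebazaar@package
      - logs-ti_abusech.malwarebazaar@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-ti_abusech.malwarebazaar-*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-ti_abusech.malwarebazaar-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-ti_abusech_x_threatfox:
  index_sorting: false
  index_template:
    composed_of:
      - logs-ti_abusech.threatfox@package
      - logs-ti_abusech.threatfox@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-ti_abusech.threatfox-*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-ti_abusech.threatfox-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-ti_abusech_x_url:
  index_sorting: false
  index_template:
    composed_of:
      - logs-ti_abusech.url@package
      - logs-ti_abusech.url@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-ti_abusech.url-*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-ti_abusech.url-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-ti_anomali_x_threatstream:
  index_sorting: false
  index_template:
    index_patterns:
      - logs-ti_anomali.threatstream-*
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-ti_anomali.threatstream-logs
          number_of_replicas: 0
    composed_of:
      - logs-ti_anomali.threatstream@package
      - logs-ti_anomali.threatstream@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-ti_cybersixgill_x_threat:
  index_sorting: false
  index_template:
    index_patterns:
      - logs-ti_cybersixgill.threat-*
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-ti_cybersixgill.threat-logs
          number_of_replicas: 0
    composed_of:
      - logs-ti_cybersixgill.threat@package
      - logs-ti_cybersixgill.threat@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-ti_misp_x_threat:
  index_sorting: false
  index_template:
    composed_of:
      - logs-ti_misp.threat@package
      - logs-ti_misp.threat@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-ti_misp.threat-*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-ti_misp.threat-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-ti_misp_x_threat_attributes:
  index_sorting: false
  index_template:
    composed_of:
      - logs-ti_misp.threat_attributes@package
      - logs-ti_misp.threat_attributes@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-ti_misp.threat_attributes-*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-ti_misp.threat_attributes-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-ti_otx_x_pulses_subscribed:
  index_sorting: false
  index_template:
    composed_of:
      - logs-ti_otx.pulses_subscribed@package
      - logs-ti_otx.pulses_subscribed@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-ti_otx.pulses_subscribed-*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-ti_otx.pulses_subscribed-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-ti_otx_x_threat:
  index_sorting: false
  index_template:
    composed_of:
      - logs-ti_otx.threat@package
      - logs-ti_otx.threat@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-ti_otx.threat-*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-ti_otx.threat-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-ti_recordedfuture_x_latest_ioc-template:
  index_sorting: false
  index_template:
    composed_of:
      - logs-ti_recordedfuture.latest_ioc-template@package
      - logs-ti_recordedfuture.latest_ioc-template@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-ti_recordedfuture.latest_ioc-template-*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-ti_recordedfuture.latest_ioc-template-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-ti_recordedfuture_x_threat:
  index_sorting: false
  index_template:
    composed_of:
      - logs-ti_recordedfuture.threat@package
      - logs-ti_recordedfuture.threat@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-ti_recordedfuture.threat-*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-ti_recordedfuture.threat-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-ti_threatq_x_threat:
  index_sorting: false
  index_template:
    index_patterns:
      - logs-ti_threatq.threat-*
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-ti_threatq.threat-logs
          number_of_replicas: 0
    composed_of:
      - logs-ti_threatq.threat@package
      - logs-ti_threatq.threat@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-vsphere_x_log:
  index_sorting: false
  index_template:
    index_patterns:
      - logs-vsphere.log-*
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-vsphere.log-logs
          number_of_replicas: 0
    composed_of:
      - logs-vsphere.log@package
      - logs-vsphere.log@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

# Same open-ended pattern as the logs-system.* entries: "forwarded*" has no
# "-" before the wildcard.
so-logs-windows_x_forwarded:
  index_sorting: false
  index_template:
    composed_of:
      - logs-windows.forwarded@package
      - logs-windows.forwarded@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-windows.forwarded*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-windows.forwarded-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-windows_x_powershell:
  index_sorting: false
  index_template:
    composed_of:
      - logs-windows.powershell@package
      - logs-windows.powershell@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-windows.powershell-*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-windows.powershell-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-windows_x_powershell_operational:
  index_sorting: false
  index_template:
    composed_of:
      - logs-windows.powershell_operational@package
      - logs-windows.powershell_operational@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-windows.powershell_operational-*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-windows.powershell_operational-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-windows_x_sysmon_operational:
  index_sorting: false
  index_template:
    composed_of:
      - logs-windows.sysmon_operational@package
      - logs-windows.sysmon_operational@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-windows.sysmon_operational-*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-windows.sysmon_operational-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-winlog_x_winlog:
  index_sorting: false
  index_template:
    index_patterns:
      - logs-winlog.winlog-*
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-winlog.winlog-logs
          number_of_replicas: 0
    composed_of:
      - logs-winlog.winlog@package
      - logs-winlog.winlog@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-zscaler_zia_x_alerts:
  index_sorting: false
  index_template:
    composed_of:
      - logs-zscaler_zia.alerts@package
      - logs-zscaler_zia.alerts@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-zscaler_zia.alerts-*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-zscaler_zia.alerts-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-zscaler_zia_x_dns:
  index_sorting: false
  index_template:
    composed_of:
      - logs-zscaler_zia.dns@package
      - logs-zscaler_zia.dns@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-zscaler_zia.dns-*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-zscaler_zia.dns-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-zscaler_zia_x_firewall:
  index_sorting: false
  index_template:
    composed_of:
      - logs-zscaler_zia.firewall@package
      - logs-zscaler_zia.firewall@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-zscaler_zia.firewall-*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-zscaler_zia.firewall-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d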
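# Index templates and ILM policies for integration data streams, followed by
# the larger so-* templates that compose the shared *-mappings components.
# These entries appear to be children of elasticsearch.index_settings (opened
# earlier in the file); indentation below is relative to that parent, so
# re-indent on merge.
#
# Review notes:
# - number_of_replicas: 0 gives every backing index a primary shard only. On a
#   multi-node cluster a lost node takes that telemetry with it; raise the
#   value where the logs must survive as evidence.
# - Each policy deletes an index at min_age 365d. Check that against the
#   retention period incident response and compliance require.
# - warm and cold both start at min_age 30d, so both priority changes become
#   due at the same age.

so-logs-zscaler_zia_x_tunnel:
  index_sorting: false
  index_template:
    composed_of:
      - logs-zscaler_zia.tunnel@package
      - logs-zscaler_zia.tunnel@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-zscaler_zia.tunnel-*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-zscaler_zia.tunnel-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-zscaler_zia_x_web:
  index_sorting: false
  index_template:
    composed_of:
      - logs-zscaler_zia.web@package
      - logs-zscaler_zia.web@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-zscaler_zia.web-*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-zscaler_zia.web-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-zscaler_zpa_x_app_connector_status:
  index_sorting: false
  index_template:
    composed_of:
      - logs-zscaler_zpa.app_connector_status@package
      - logs-zscaler_zpa.app_connector_status@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-zscaler_zpa.app_connector_status-*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-zscaler_zpa.app_connector_status-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-zscaler_zpa_x_audit:
  index_sorting: false
  index_template:
    composed_of:
      - logs-zscaler_zpa.audit@package
      - logs-zscaler_zpa.audit@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-zscaler_zpa.audit-*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-zscaler_zpa.audit-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-zscaler_zpa_x_browser_access:
  index_sorting: false
  index_template:
    composed_of:
      - logs-zscaler_zpa.browser_access@package
      - logs-zscaler_zpa.browser_access@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-zscaler_zpa.browser_access-*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-zscaler_zpa.browser_access-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-zscaler_zpa_x_user_activity:
  index_sorting: false
  index_template:
    composed_of:
      - logs-zscaler_zpa.user_activity@package
      - logs-zscaler_zpa.user_activity@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-zscaler_zpa.user_activity-*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-zscaler_zpa.user_activity-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-logs-zscaler_zpa_x_user_status:
  index_sorting: false
  index_template:
    composed_of:
      - logs-zscaler_zpa.user_status@package
      - logs-zscaler_zpa.user_status@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    data_stream:
      allow_custom_routing: false
      hidden: false
    index_patterns:
      - logs-zscaler_zpa.user_status-*
    priority: 501
    template:
      settings:
        index:
          lifecycle:
            name: so-logs-zscaler_zpa.user_status-logs
          number_of_replicas: 0
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-metrics-endpoint_x_metadata:
  index_sorting: false
  index_template:
    index_patterns:
      - metrics-endpoint.metadata-*
    template:
      settings:
        index:
          lifecycle:
            name: so-metrics-endpoint.metadata-logs
          number_of_replicas: 0
    composed_of:
      - metrics-endpoint.metadata@package
      - metrics-endpoint.metadata@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-metrics-endpoint_x_metrics:
  index_sorting: false
  index_template:
    index_patterns:
      - metrics-endpoint.metrics-*
    template:
      settings:
        index:
          lifecycle:
            name: so-metrics-endpoint.metrics-logs
          number_of_replicas: 0
    composed_of:
      - metrics-endpoint.metrics@package
      - metrics-endpoint.metrics@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-metrics-endpoint_x_policy:
  index_sorting: false
  index_template:
    index_patterns:
      - metrics-endpoint.policy-*
    template:
      settings:
        index:
          lifecycle:
            name: so-metrics-endpoint.policy-logs
          number_of_replicas: 0
    composed_of:
      - metrics-endpoint.policy@package
      - metrics-endpoint.policy@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-metrics-vsphere_x_datastore:
  index_sorting: false
  index_template:
    index_patterns:
      - metrics-vsphere.datastore-*
    template:
      settings:
        index:
          lifecycle:
            name: so-metrics-vsphere.datastore-logs
          number_of_replicas: 0
    composed_of:
      - metrics-vsphere.datastore@package
      - metrics-vsphere.datastore@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-metrics-vsphere_x_host:
  index_sorting: false
  index_template:
    index_patterns:
      - metrics-vsphere.host-*
    template:
      settings:
        index:
          lifecycle:
            name: so-metrics-vsphere.host-logs
          number_of_replicas: 0
    composed_of:
      - metrics-vsphere.host@package
      - metrics-vsphere.host@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-metrics-vsphere_x_virtualmachine:
  index_sorting: false
  index_template:
    index_patterns:
      - metrics-vsphere.virtualmachine-*
    template:
      settings:
        index:
          lifecycle:
            name: so-metrics-vsphere.virtualmachine-logs
          number_of_replicas: 0
    composed_of:
      - metrics-vsphere.virtualmachine@package
      - metrics-vsphere.virtualmachine@custom
      - so-fleet_globals-1
      - so-fleet_agent_id_verification-1
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

# The templates from here on use priority 500 (the integration templates above
# use 501) and raise the per-index field limit to 5000.
so-logstash:
  index_sorting: false
  index_template:
    composed_of:
      - agent-mappings
      - dtc-agent-mappings
      - base-mappings
      - dtc-base-mappings
      - client-mappings
      - dtc-client-mappings
      - cloud-mappings
      - container-mappings
      - data_stream-mappings
      - destination-mappings
      - dtc-destination-mappings
      - pb-override-destination-mappings
      - dll-mappings
      - dns-mappings
      - dtc-dns-mappings
      - ecs-mappings
      - dtc-ecs-mappings
      - error-mappings
      - event-mappings
      - dtc-event-mappings
      - file-mappings
      - dtc-file-mappings
      - group-mappings
      - host-mappings
      - dtc-host-mappings
      - http-mappings
      - dtc-http-mappings
      - log-mappings
      - logstash-mappings
      - network-mappings
      - dtc-network-mappings
      - observer-mappings
      - dtc-observer-mappings
      - orchestrator-mappings
      - organization-mappings
      - package-mappings
      - process-mappings
      - dtc-process-mappings
      - registry-mappings
      - related-mappings
      - rule-mappings
      - dtc-rule-mappings
      - server-mappings
      - service-mappings
      - dtc-service-mappings
      - source-mappings
      - dtc-source-mappings
      - pb-override-source-mappings
      - threat-mappings
      - tls-mappings
      - tracing-mappings
      - url-mappings
      - user_agent-mappings
      - dtc-user_agent-mappings
      - vulnerability-mappings
      - common-settings
      - common-dynamic-mappings
    index_patterns:
      - logs-logstash-default*
    priority: 500
    template:
      mappings:
        date_detection: false
        dynamic_templates:
          - strings_as_keyword:
              mapping:
                ignore_above: 1024
                type: keyword
              match_mapping_type: string
      settings:
        index:
          lifecycle:
            name: so-logstash-logs
          mapping:
            total_fields:
              limit: 5000
          number_of_replicas: 0
          number_of_shards: 1
          refresh_interval: 30s
          sort:
            field: '@timestamp'
            order: desc
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-redis:
  index_sorting: false
  index_template:
    composed_of:
      - agent-mappings
      - dtc-agent-mappings
      - base-mappings
      - dtc-base-mappings
      - client-mappings
      - dtc-client-mappings
      - cloud-mappings
      - container-mappings
      - data_stream-mappings
      - destination-mappings
      - dtc-destination-mappings
      - pb-override-destination-mappings
      - dll-mappings
      - dns-mappings
      - dtc-dns-mappings
      - ecs-mappings
      - dtc-ecs-mappings
      - error-mappings
      - event-mappings
      - dtc-event-mappings
      - file-mappings
      - dtc-file-mappings
      - group-mappings
      - host-mappings
      - dtc-host-mappings
      - http-mappings
      - dtc-http-mappings
      - log-mappings
      - network-mappings
      - dtc-network-mappings
      - observer-mappings
      - dtc-observer-mappings
      - orchestrator-mappings
      - organization-mappings
      - package-mappings
      - process-mappings
      - dtc-process-mappings
      - redis-mappings
      - registry-mappings
      - related-mappings
      - rule-mappings
      - dtc-rule-mappings
      - server-mappings
      - service-mappings
      - dtc-service-mappings
      - source-mappings
      - dtc-source-mappings
      - pb-override-source-mappings
      - threat-mappings
      - tls-mappings
      - tracing-mappings
      - url-mappings
      - user_agent-mappings
      - dtc-user_agent-mappings
      - vulnerability-mappings
      - common-settings
      - common-dynamic-mappings
    index_patterns:
      - logs-redis-default*
    priority: 500
    template:
      mappings:
        date_detection: false
        dynamic_templates:
          - strings_as_keyword:
              mapping:
                ignore_above: 1024
                type: keyword
              match_mapping_type: string
      settings:
        index:
          lifecycle:
            name: so-redis-logs
          mapping:
            total_fields:
              limit: 5000
          number_of_replicas: 0
          number_of_shards: 1
          refresh_interval: 30s
          sort:
            field: '@timestamp'
            order: desc
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-strelka:
  index_sorting: false
  index_template:
    composed_of:
      - agent-mappings
      - dtc-agent-mappings
      - base-mappings
      - dtc-base-mappings
      - client-mappings
      - dtc-client-mappings
      - cloud-mappings
      - container-mappings
      - data_stream-mappings
      - destination-mappings
      - dtc-destination-mappings
      - pb-override-destination-mappings
      - dll-mappings
      - dns-mappings
      - dtc-dns-mappings
      - ecs-mappings
      - dtc-ecs-mappings
      - error-mappings
      - event-mappings
      - dtc-event-mappings
      - file-mappings
      - dtc-file-mappings
      - so-file-mappings
      - group-mappings
      - host-mappings
      - dtc-host-mappings
      - http-mappings
      - dtc-http-mappings
      - log-mappings
      - network-mappings
      - dtc-network-mappings
      - observer-mappings
      - dtc-observer-mappings
      - orchestrator-mappings
      - organization-mappings
      - package-mappings
      - process-mappings
      - dtc-process-mappings
      - registry-mappings
      - related-mappings
      - rule-mappings
      - dtc-rule-mappings
      - server-mappings
      - service-mappings
      - dtc-service-mappings
      - so-scan-mappings
      - source-mappings
      - dtc-source-mappings
      - pb-override-source-mappings
      - threat-mappings
      - tls-mappings
      - tracing-mappings
      - url-mappings
      - user_agent-mappings
      - dtc-user_agent-mappings
      - vulnerability-mappings
      - common-settings
      - common-dynamic-mappings
    data_stream: {}
    index_patterns:
      - logs-strelka-so*
    priority: 500
    template:
      mappings:
        date_detection: false
        dynamic_templates:
          - strings_as_keyword:
              mapping:
                ignore_above: 1024
                type: keyword
              match_mapping_type: string
      settings:
        index:
          lifecycle:
            name: so-strelka-logs
          mapping:
            total_fields:
              limit: 5000
          number_of_replicas: 0
          number_of_shards: 1
          refresh_interval: 30s
          sort:
            field: '@timestamp'
            order: desc
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-suricata:
  index_sorting: false
  index_template:
    composed_of:
      - agent-mappings
      - dtc-agent-mappings
      - base-mappings
      - dtc-base-mappings
      - client-mappings
      - dtc-client-mappings
      - cloud-mappings
      - container-mappings
      - data_stream-mappings
      - destination-mappings
      - dtc-destination-mappings
      - pb-override-destination-mappings
      - dll-mappings
      - dns-mappings
      - dtc-dns-mappings
      - ecs-mappings
      - dtc-ecs-mappings
      - error-mappings
      - event-mappings
      - dtc-event-mappings
      - file-mappings
      - dtc-file-mappings
      - group-mappings
      - host-mappings
      - dtc-host-mappings
      - http-mappings
      - dtc-http-mappings
      - log-mappings
      - network-mappings
      - dtc-network-mappings
      - observer-mappings
      - dtc-observer-mappings
      - orchestrator-mappings
      - organization-mappings
      - package-mappings
      - process-mappings
      - dtc-process-mappings
      - registry-mappings
      - related-mappings
      - rule-mappings
      - dtc-rule-mappings
      - server-mappings
      - service-mappings
      - dtc-service-mappings
      - source-mappings
      - dtc-source-mappings
      - pb-override-source-mappings
      - suricata-mappings
      - threat-mappings
      - tls-mappings
      - tracing-mappings
      - url-mappings
      - user_agent-mappings
      - dtc-user_agent-mappings
      - vulnerability-mappings
      - common-settings
      - common-dynamic-mappings
    data_stream: {}
    index_patterns:
      - logs-suricata-so*
    priority: 500
    template:
      mappings:
        date_detection: false
        dynamic_templates:
          - strings_as_keyword:
              mapping:
                ignore_above: 1024
                type: keyword
              match_mapping_type: string
      settings:
        index:
          lifecycle:
            name: so-suricata-logs
          mapping:
            total_fields:
              limit: 5000
          number_of_replicas: 0
          number_of_shards: 1
          refresh_interval: 30s
          sort:
            field: '@timestamp'
            order: desc
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            # Rolls over daily; every other policy in this part of the file
            # uses max_age 30d.
            max_age: 1d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

so-syslog:
  index_sorting: false
  index_template:
    composed_of:
      - agent-mappings
      - dtc-agent-mappings
      - base-mappings
      - dtc-base-mappings
      - client-mappings
      - dtc-client-mappings
      - cloud-mappings
      - container-mappings
      - data_stream-mappings
      - destination-mappings
      - dtc-destination-mappings
      - pb-override-destination-mappings
      - dll-mappings
      - dns-mappings
      - dtc-dns-mappings
      - ecs-mappings
      - dtc-ecs-mappings
      - error-mappings
      - event-mappings
      - dtc-event-mappings
      - file-mappings
      - dtc-file-mappings
      - group-mappings
      - host-mappings
      - dtc-host-mappings
      - http-mappings
      - dtc-http-mappings
      - log-mappings
      - network-mappings
      - dtc-network-mappings
      - observer-mappings
      - dtc-observer-mappings
      - orchestrator-mappings
      - organization-mappings
      - package-mappings
      - process-mappings
      - dtc-process-mappings
      - registry-mappings
      - related-mappings
      - rule-mappings
      - dtc-rule-mappings
      - server-mappings
      - service-mappings
      - dtc-service-mappings
      - source-mappings
      - dtc-source-mappings
      - pb-override-source-mappings
      - syslog-mappings
      - dtc-syslog-mappings
      - threat-mappings
      - tls-mappings
      - tracing-mappings
      - url-mappings
      - user_agent-mappings
      - dtc-user_agent-mappings
      - vulnerability-mappings
      - common-settings
      - common-dynamic-mappings
    data_stream: {}
    index_patterns:
      - logs-syslog-so*
    priority: 500
    template:
      mappings:
        date_detection: false
        dynamic_templates:
          - strings_as_keyword:
              mapping:
                ignore_above: 1024
                type: keyword
              match_mapping_type: string
      settings:
        index:
          lifecycle:
            name: so-syslog-logs
          mapping:
            total_fields:
              limit: 5000
          number_of_replicas: 0
          number_of_shards: 1
          refresh_interval: 30s
          sort:
            field: '@timestamp'
            order: desc
  policy:
    phases:
      cold:
        actions:
          set_priority:
            priority: 0
        min_age: 30d
      delete:
        actions:
          delete: {}
        min_age: 365d
      hot:
        actions:
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
          set_priority:
            priority: 100
        min_age: 0ms
      warm:
        actions:
          set_priority:
            priority: 50
        min_age: 30d

# so-zeek continues past the end of this excerpt; the visible part is left
# exactly as found.
so-zeek: index_sorting: false index_template: composed_of: - agent-mappings - dtc-agent-mappings - base-mappings - dtc-base-mappings - client-mappings - dtc-client-mappings - cloud-mappings - container-mappings - data_stream-mappings - destination-mappings - dtc-destination-mappings - pb-override-destination-mappings - dll-mappings - dns-mappings - dtc-dns-mappings - ecs-mappings - dtc-ecs-mappings - error-mappings - event-mappings - dtc-event-mappings - file-mappings - dtc-file-mappings - group-mappings - host-mappings - dtc-host-mappings - http-mappings - dtc-http-mappings - log-mappings - network-mappings - dtc-network-mappings - observer-mappings - dtc-observer-mappings - orchestrator-mappings - organization-mappings - package-mappings - process-mappings - dtc-process-mappings - registry-mappings - related-mappings - rule-mappings - dtc-rule-mappings - server-mappings - service-mappings - dtc-service-mappings - source-mappings - dtc-source-mappings - pb-override-source-mappings - syslog-mappings - dtc-syslog-mappings - threat-mappings - tls-mappings - tracing-mappings - url-mappings - user_agent-mappings - dtc-user_agent-mappings - vulnerability-mappings - zeek-mappings - common-settings - common-dynamic-mappings data_stream: {} index_patterns: - logs-zeek-so* priority: 500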
template: mappings: date_detection: false dynamic_templates: - strings_as_keyword: mapping: ignore_above: 1024 type: keyword match_mapping_type: string settings: index: lifecycle: name: so-zeek-logs mapping: total_fields: limit: 5000 number_of_replicas: 0 number_of_shards: 2 refresh_interval: 30s sort: field: '@timestamp' order: desc policy: phases: cold: actions: set_priority: priority: 0 min_age: 30d delete: actions: delete: {} min_age: 365d hot: actions: rollover: max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 min_age: 0ms warm: actions: set_priority: priority: 50 min_age: 30d retention: retention_pct: 50 so_roles: so-eval: config: node: roles: - master - data - data_hot - ingest - transform - remote_cluster_client so-heavynode: config: node: roles: - master - data - data_hot - remote_cluster_client - ingest so-import: config: node: roles: - master - data - data_hot - ingest - transform - remote_cluster_client so-manager: config: node: roles: - master - data - remote_cluster_client - transform so-managersearch: config: node: roles: - master - data - data_hot - ingest - transform - remote_cluster_client so-searchnode: config: node: roles: - data - data_hot - ingest - transform so-standalone: config: node: roles: - master - data - data_hot - ingest - transform - remote_cluster_client