# Elasticsearch defaults: port, heap and cluster name, per-index curator
# retention (index_settings), and a full cluster_settings tree that is rendered
# into the node's elasticsearch.yml. The {{ grains.host }} expressions are Jinja
# substituted before YAML parsing, so this appears to be a Salt-managed file.
# Lines ending in "# ERROR ..." / "#DEPRECATION" are the author's notes on keys
# Elasticsearch rejected or deprecated; they are kept verbatim.
#
# NOTE(review): values below are unchanged. The points that matter for a
# security review are keyed by dotted setting path so they can be located
# regardless of how the file is wrapped. The network/firewall controls that
# would bound any of this sit outside the file -- confirm them separately.
#
#  - xpack.security.authc.anonymous.roles: [superuser], username: anonymous_user,
#    authz_exception: true. Per the documented meaning of these settings,
#    a request that carries no credentials runs as anonymous_user with the
#    superuser role. Combined with network.host / network.bind_host: 0.0.0.0
#    (http.bind_host: [] appears to inherit it) and
#    xpack.security.http.ssl.client_authentication: none, any client that can
#    reach the HTTP port has full cluster admin unless something outside
#    Elasticsearch restricts access. Remove superuser from the anonymous
#    roles (or the anonymous block) unless that exposure is deliberate.
#  - xpack.security.transport.ssl.verification_mode: none while a CA
#    (certificate_authorities: /usr/share/elasticsearch/config/ca.crt), key and
#    certificate are configured: node-to-node traffic is encrypted but the
#    peer certificate is not validated, so any host on the transport network
#    that can present a certificate is accepted. `certificate` (or `full` if
#    the certs carry matching SANs) would make use of the ca.crt already shipped.
#  - xpack.security.audit.enabled: false. The include list of events below
#    (ACCESS_DENIED, AUTHENTICATION_FAILED, SECURITY_CONFIG_CHANGE, ...) is
#    inert until this is true; for a SOC-facing cluster it is cheap IR evidence.
#  - xpack.security.http.filter / transport.filter allow: [] deny: []:
#    Elasticsearch-level IP filtering is unused; filtering happens elsewhere
#    if at all.
#  - xpack.http.whitelist: ["*"] lets the X-Pack HTTP client (Watcher webhooks
#    and similar) reach any host, and xpack.watcher.encrypt_sensitive_data:
#    false leaves credentials embedded in watches unencrypted at rest (per the
#    setting's documented meaning -- only relevant if Watcher is actually used).
#  - script.allowed_contexts: none and script.allowed_types: none are
#    annotated "ERROR have to set to none - should be list". Per the ES docs
#    the literal `none` disables that script type/context entirely; the
#    permissive default is obtained by leaving the key unset, not by a list.
#    Confirm this is an intended lockdown rather than a workaround.
#  - http.detailed_errors.enabled: true returns stack-trace detail to HTTP
#    clients; acceptable on a non-public port, worth knowing about.
#  - Settings already in a good place: action.destructive_requires_name: true,
#    http.cors.enabled: false, reindex.remote.whitelist: [],
#    repositories.url.allowed_urls: [] with path.repo: [] (URL snapshot
#    repositories have no allow-list to match -- confirm none are expected),
#    ingest.geoip.downloader.enabled: false (no outbound fetch to
#    geoip.elastic.co), xpack.security.authc.api_key.enabled: false and
#    token.enabled: false, xpack.security.http.ssl.enabled: true.
#
# Templating caveat: name: {{ grains.host }} (cluster.name, node.name) and
# transport.publish_host: {{ grains.host }} are unquoted. If a host name ever
# renders as something YAML type-coerces (all digits, yes/no, ...), the value
# silently changes type; "{{ grains.host }}" is the defensive form.
#
# Operational notes: cluster.routing.allocation.disk.watermark.high (98%) equals
# flood_stage (98%), so the read-only index block lands at the same point
# relocation would start; so-import close: 73000 / delete: 73001 effectively
# never ages out; log_size_limit: 95 is consumed by curator (inline comment).
elasticsearch: es_port: 9200 esheap: 4049m esclustername: default-cluster-name log_size_limit: 95 #used for curator index_settings: so-beats: shards: 1 warm: 7 close: 30 delete: 365 so-firewall: shards: 1 warm: 7 close: 30 delete: 365 so-flow: shards: 1 warm: 7 close: 30 delete: 365 so-ids: shards: 1 warm: 7 close: 30 delete: 365 so-import: shards: 1 warm: 7 close: 73000 delete: 73001 so-osquery: shards: 1 warm: 7 close: 30 delete: 365 so-ossec: shards: 1 warm: 7 close: 30 delete: 365 so-strelka: shards: 1 warm: 7 close: 30 delete: 365 so-syslog: shards: 1 warm: 7 close: 30 delete: 365 so-zeek: shards: 5 warm: 7 close: 45 delete: 365 cluster_settings: cluster: max_voting_config_exclusions: 10 auto_shrink_voting_configuration: true election: duration: 500ms initial_timeout: 100ms max_timeout: 10s back_off_time: 100ms strategy: supports_voting_only no_master_block: write persistent_tasks: allocation: enable: all recheck_interval: 30s blocks: read_only_allow_delete: false read_only: false remote: node: attr: "" initial_connect_timeout: 30s #connect: true #DEPRECATION connections_per_cluster: 3 follower_lag: timeout: 90000ms routing: use_adaptive_replica_selection: true rebalance: enable: all allocation: node_concurrent_incoming_recoveries: 2 include: _tier: "" node_initial_primaries_recoveries: 4 same_shard: host: false total_shards_per_node: "-1" require: _tier: "" #shard_state: #DEPRECATION #reroute: #DEPRECATION #priority: NORMAL #DEPRECATION type: balanced disk: threshold_enabled: true watermark: flood_stage.frozen.max_headroom: 20GB flood_stage: 98% high: 98% low: 95% enable_for_single_data_node: false flood_stage.frozen: 95% #include_relocations: true #DEPRECATION reroute_interval: 60s awareness: attributes: [] balance: index: 0.55 threshold: 1.0 shard: 0.45 enable: all node_concurrent_outgoing_recoveries: 2 allow_rebalance: indices_all_active cluster_concurrent_rebalance: 2 node_concurrent_recoveries: 2 exclude: _tier: "" indices: tombstones: size: 500 close: 
# NOTE(review): network.host / bind_host / publish_host below are 0.0.0.0 --
# the node listens on every interface; reachability must be limited elsewhere.
enable: true max_shards_per_node.frozen: 3000 nodes: reconnect_interval: 10s service: slow_master_task_logging_threshold: 10s slow_task_logging_threshold: 30s publish: timeout: 30000ms info_timeout: 10000ms name: {{ grains.host }} # Will change if true cluster fault_detection: leader_check: interval: 1000ms timeout: 10000ms retry_count: 3 follower_check: interval: 1000ms timeout: 10000ms retry_count: 3 #join: #DEPRECATION #timeout: 60000ms #DEPRECATION max_shards_per_node: 1000 #initial_master_nodes: [] # ERROR setting [cluster.initial_master_nodes] is not allowed when [discovery.type] is set to [single-node] snapshot: info: max_concurrent_fetches: 5 info: update: interval: 30s timeout: 15s stack: templates: enabled: true logger: level: INFO bootstrap: memory_lock: false #system_call_filter: true #DEPRECATION ctrlhandler: true #processors: 8 #DEPRECATION ingest: user_agent: cache_size: 1000 geoip: cache_size: 1000 downloader: enabled: false endpoint: https://geoip.elastic.co/v1/database poll: interval: 3d grok: watchdog: max_execution_time: 1s interval: 1s network: host: - 0.0.0.0 tcp: reuse_address: true keep_count: "-1" #connect_timeout: 30s #DEPRECATION keep_interval: "-1" no_delay: true keep_alive: true receive_buffer_size: "-1b" keep_idle: "-1" send_buffer_size: "-1b" bind_host: - 0.0.0.0 server: true breaker: inflight_requests: limit: 100% overhead: 2.0 publish_host: - 0.0.0.0 pidfile: "" path: data: [] logs: /var/log/elasticsearch shared_data: "" home: /usr/share/elasticsearch repo: [] search: default_search_timeout: "-1" highlight: term_vector_multi_value: true default_allow_partial_results: true max_open_scroll_context: 500 max_buckets: 65536 low_level_cancellation: true allow_expensive_queries: true keep_alive_interval: 1m remote: node: attr: "" #initial_connect_timeout: 30s #DEPRECATION #connect: true #DEPRECATION #connections_per_cluster: 3 #DEPRECATION default_keep_alive: 5m max_keep_alive: 24h aggs: rewrite_to_filter_by_filter: true security: manager: 
filter_bad_defaults: true transform: task_thread_pool: queue_size: 4 size: 4 ccr: wait_for_metadata_timeout: 60s indices: recovery: recovery_activity_timeout: 60s chunk_size: 1mb internal_action_timeout: 60s max_bytes_per_sec: 40mb max_concurrent_file_chunks: 5 auto_follow: wait_for_metadata_timeout: 60s repositories: fs: #compress: false #DEPRECATION chunk_size: 9223372036854775807b location: "" url: supported_protocols: - http - https - ftp - file - jar allowed_urls: [] url: "http:" action: auto_create_index: true search: shard_count: limit: 9223372036854775807 destructive_requires_name: true client: type: node transport: ignore_cluster_name: false nodes_sampler_interval: 5s sniff: false ping_timeout: 5s enrich: max_force_merge_attempts: 3 cleanup_period: 15m fetch_size: 10000 coordinator_proxy: max_concurrent_requests: 8 max_lookups_per_request: 128 queue_capacity: 1024 max_concurrent_policy_executions: 50 xpack: #flattened: #DEPRECATION #enabled: true #DEPRECATION watcher: execution: scroll: size: 0 timeout: "" default_throttle_period: 5s internal: ops: bulk: default_timeout: "" index: default_timeout: "" search: default_timeout: "" thread_pool: queue_size: 1000 size: 40 index: rest: direct_access: "" use_ilm_index_management: true #history: #DEPRECATION #cleaner_service: #DEPRECATION #enabled: true #DEPRECATION trigger: schedule: ticker: tick_interval: 500ms enabled: true input: search: default_timeout: "" encrypt_sensitive_data: false transform: search: default_timeout: "" stop: timeout: 30s watch: scroll: size: 0 bulk: concurrent_requests: 0 flush_interval: 1s size: 1mb actions: 1 actions: bulk: default_timeout: "" index: default_timeout: "" #eql: #DEPRECATION #enabled: true #DEPRECATION #data_frame: #DEPRECATION #enabled: true #DEPRECATION #ilm: #DEPRECATION #enabled: true #DEPRECATION monitoring: migration: decommission_alerts: false collection: cluster: stats: timeout: 10s node: stats: timeout: 10s indices: [] ccr: stats: timeout: 10s enrich: stats: 
# NOTE(review): xpack.security.transport.ssl.verification_mode: none below --
# transport TLS is on but peer certificates are not checked against ca.crt.
# xpack.security.audit.enabled: false means the event list that follows is inert.
timeout: 10s index: stats: timeout: 10s recovery: active_only: false timeout: 10s interval: 10s enabled: false ml: job: stats: timeout: 10s history: duration: 168h elasticsearch: collection: enabled: true #enabled: true #DEPRECATION graph: enabled: true searchable: snapshot: allocate_on_rolling_restart: false cache: range_size: 32mb sync: max_files: 10000 interval: 60s shutdown_timeout: 10s recovery_range_size: 128kb shared_cache: recovery_range_size: 128kb region_size: 16mb size: 0 min_time_delta: 60s decay: interval: 60s size.max_headroom: "-1" range_size: 16mb max_freq: 100 rollup: #enabled: true #DEPRECATION task_thread_pool: queue_size: "-1" size: 1 #sql: #DEPRECATION #enabled: true #DEPRECATION searchable_snapshots: cache_fetch_async_thread_pool: core: 0 max: 24 keep_alive: 30s cache_prewarming_thread_pool: core: 0 max: 16 keep_alive: 30s license: upload: types: - standard - gold - platinum - enterprise - trial self_generated: type: basic #logstash: #DEPRECATION #enabled: true #DEPRECATION notification: pagerduty: default_account: "" email: default_account: "" html: sanitization: allow: - body - head - _tables - _links - _blocks - _formatting - img:embedded disallow: [] enabled: true reporting: retries: 40 warning: enabled: true interval: 15s jira: default_account: "" slack: default_account: "" security: operator_privileges: enabled: false dls_fls: enabled: true dls: bitset: cache: size: 10% ttl: 2h transport: filter: allow: [] deny: [] enabled: true ssl: enabled: true verification_mode: none certificate_authorities: /usr/share/elasticsearch/config/ca.crt key: /usr/share/elasticsearch/config/elasticsearch.key certificate: /usr/share/elasticsearch/config/elasticsearch.crt ssl: diagnose: trust: true enabled: true crypto: thread_pool: queue_size: 1000 size: 4 filter: always_allow_bound_address: true encryption: algorithm: AES/CTR/NoPadding audit: enabled: false logfile: emit_node_id: true emit_node_host_name: false emit_node_name: false events: 
# NOTE(review): xpack.security.authc.anonymous below assigns the superuser
# role to unauthenticated requests (username anonymous_user); HTTP TLS has
# client_authentication: none, so nothing in this file gates who can call it.
emit_request_body: false include: - ACCESS_DENIED - ACCESS_GRANTED - ANONYMOUS_ACCESS_DENIED - AUTHENTICATION_FAILED - CONNECTION_DENIED - TAMPERED_REQUEST - RUN_AS_DENIED - RUN_AS_GRANTED - SECURITY_CONFIG_CHANGE exclude: [] emit_node_host_address: false authc: password_hashing: algorithm: bcrypt success_cache: size: 10000 enabled: true expire_after_access: 1h api_key: doc_cache: ttl: 5m cache: hash_algo: ssha256 max_keys: 10000 ttl: 24h delete: interval: 24h timeout: "-1" enabled: false hashing: algorithm: pbkdf2 anonymous: authz_exception: true roles: - superuser username: anonymous_user run_as: enabled: true reserved_realm: enabled: true service_token: cache: hash_algo: ssha256 max_tokens: 100000 ttl: 20m token: delete: interval: 30m timeout: "-1" enabled: false thread_pool: queue_size: 1000 size: 1 timeout: 20m fips_mode: enabled: false encryption_key: length: 128 algorithm: AES http: filter: allow: [] deny: [] enabled: true ssl: enabled: true client_authentication: none key: /usr/share/elasticsearch/config/elasticsearch.key certificate: /usr/share/elasticsearch/config/elasticsearch.crt certificate_authorities: /usr/share/elasticsearch/config/ca.crt automata: max_determinized_states: 100000 cache: size: 10000 ttl: 48h enabled: true user: "" authz: store: privileges: cache: ttl: 24h max_size: 10000 roles: #index: #DEPRECATION #cache: #DEPRECATION #ttl: 20m #DEPRECATION #max_size: 10000 #DEPRECATION cache: max_size: 10000 negative_lookup_cache: max_size: 10000 field_permissions: cache: max_size_in_bytes: 104857600 transform: num_transform_failure_retries: 10 #enabled: true #DEPRECATION #vectors: #DEPRECATION #enabled: true #DEPRECATION ccr: enabled: true ccr_thread_pool: queue_size: 100 size: 32 idp: privileges: application: "" cache: size: 100 ttl: 90m metadata: signing: keystore: alias: "" slo_endpoint: post: "https:" redirect: "https:" defaults: nameid_format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient authn_expiry: 5m allowed_nameid_formats: - 
# NOTE(review): xpack.http.whitelist: ["*"] below places no restriction on
# outbound hosts for the X-Pack HTTP client; reindex.remote.whitelist: [] is fine.
urn:oasis:names:tc:SAML:2.0:nameid-format:transient contact: given_name: "" email: "" surname: "" organization: display_name: "" name: "" url: "http:" sso_endpoint: post: "https:" redirect: "https:" entity_id: "" signing: keystore: alias: "" sp: cache: size: 1000 ttl: 60m wildcard: path: wildcard_services.json enabled: false #slm: #enabled: true #DEPRECATION #enrich: #DEPRECATION #enabled: true #DEPRECATION http: default_connection_timeout: 10s proxy: host: "" scheme: "" port: 0 whitelist: - "*" default_read_timeout: 10s max_response_size: 10mb autoscaling: memory: monitor: timeout: 15s ml: max_anomaly_records: 500 enable_config_migration: true max_open_jobs: 512 min_disk_space_off_heap: 5gb use_auto_machine_memory_percent: false inference_model: cache_size: 40% time_to_live: 5m nightly_maintenance_requests_per_second: "-1.0" node_concurrent_job_allocations: 2 max_model_memory_limit: 0b enabled: false max_lazy_ml_nodes: 0 max_ml_node_size: 0b max_machine_memory_percent: 30 persist_results_max_retries: 20 autodetect_process: true max_inference_processors: 50 process_connect_timeout: 10s rest: action: multi: allow_explicit_index: true cache: recycler: page: limit: heap: 10% type: CONCURRENT weight: longs: 1.0 ints: 1.0 bytes: 1.0 objects: 0.1 async_search: index_cleanup_interval: 1h reindex: remote: whitelist: [] resource: reload: enabled: true interval: low: 60s high: 5s medium: 30s thread_pool: force_merge: queue_size: "-1" size: 1 fetch_shard_started: core: 1 max: 16 keep_alive: 5m #listener: #DEPRECATION #queue_size: "-1" #DEPRECATION #size: 4 #DEPRECATION refresh: core: 1 max: 4 keep_alive: 5m system_write: queue_size: 1000 size: 4 generic: core: 4 max: 128 keep_alive: 30s warmer: core: 1 max: 4 keep_alive: 5m search: #max_queue_size: 1000 #DEPRECATION queue_size: 1000 size: 13 #auto_queue_frame_size: 2000 #DEPRECATION #target_response_time: 1s #DEPRECATION #min_queue_size: 1000 #DEPRECATION fetch_shard_store: core: 1 max: 16 keep_alive: 5m flush: core: 1 max: 4 
keep_alive: 5m management: core: 1 max: 5 keep_alive: 5m analyze: queue_size: 16 size: 1 get: queue_size: 1000 size: 8 system_read: queue_size: 2000 size: 4 estimated_time_interval: 200ms write: queue_size: 10000 size: 8 snapshot: core: 1 max: 4 keep_alive: 5m search_throttled: #max_queue_size: 100 #DEPRECATION queue_size: 100 size: 1 #auto_queue_frame_size: 200 #DEPRECATION #target_response_time: 1s #DEPRECATION #min_queue_size: 100 #DEPRECATION index: codec: default recovery: type: "" store: type: "" fs: fs_lock: native preload: [] snapshot: uncached_chunk_size: "-1b" cache: excluded_file_types: [] monitor: jvm: gc: enabled: true overhead: warn: 50 debug: 10 info: 25 refresh_interval: 1s refresh_interval: 1s process: refresh_interval: 1s os: refresh_interval: 1s fs: health: enabled: true refresh_interval: 120s slow_path_logging_threshold: 5s refresh_interval: 1s runtime_fields: grok: watchdog: max_execution_time: 1s interval: 1s transport: tcp: reuse_address: true keep_count: "-1" #connect_timeout: 30s #DEPRECATION keep_interval: "-1" #compress: false #DEPRECATION #port: 9300-9400 #DEPRECATION no_delay: true keep_alive: true receive_buffer_size: "-1b" keep_idle: "-1" send_buffer_size: "-1b" bind_host: - 0.0.0.0 connect_timeout: 30s compress: false ping_schedule: "-1" connections_per_node: recovery: 2 state: 1 bulk: 3 reg: 6 ping: 1 tracer: include: [] exclude: - internal:discovery/zen/fd* - internal:coordination/fault_detection/* - cluster:monitor/nodes/liveness type: security4 slow_operation_logging_threshold: 5s type.default: netty4 features: x-pack: true port: 9300-9400 host: [] publish_port: 9300 #tcp_no_delay: true #DEPRECATION publish_host: {{ grains.host }} netty: receive_predictor_size: 64kb receive_predictor_max: 64kb worker_count: 8 receive_predictor_min: 64kb boss_count: 1 script: allowed_contexts: none # ERROR have to set to none - should be list #max_compilations_rate: 20000/1m #DEPRECATION #cache: #DEPRECATION #max_size: 100 #DEPRECATION #expire: 
# NOTE(review): script.allowed_types: none (and allowed_contexts: none above)
# is the documented way to disable scripting entirely, not an "allow all" list --
# confirm that is intended before relying on painless/runtime-field features.
0ms #DEPRECATION painless: regex: enabled: limited limit-factor: 6 max_size_in_bytes: 65535 allowed_types: none # ERROR have to set to none - should be list disable_max_compilations_rate: false indexing_pressure: memory: limit: 10% node: #data: true #DEPRECATION # roles: # - data_frozen # - data_warm # - transform ERROR # - data # - remote_cluster_client # - data_cold # - data_content # - data_hot # - ingest # - master #max_local_storage_nodes: 1 #DEPRECATION processors: 8 store: allow_mmap: true #ingest: true #DEPRECATION #master: true #DEPRECATION pidfile: "" #transform: true #DEPRECATION #remote_cluster_client: true #DEPRECATION enable_lucene_segment_infos_trace: false #local_storage: true #DEPRECATION name: {{ grains.host }} id: seed: 0 #voting_only: false #DEPRECATION attr: #transform: ERROR # node: true ERROR xpack: installed: "" box_type: hot portsfile: false #ml: true #DEPRECATION indices: replication: retry_timeout: 60s initial_retry_backoff_bound: 50ms cache: cleanup_interval: 1m mapping: dynamic_timeout: 30s max_in_flight_updates: 10 memory: interval: 5s max_index_buffer_size: "-1" shard_inactive_time: 5m index_buffer_size: 10% min_index_buffer_size: 48mb breaker: request: limit: 60% type: memory overhead: 1.0 total: limit: 95% use_real_memory: true accounting: limit: 100% overhead: 1.0 fielddata: limit: 40% type: memory overhead: 1.03 type: hierarchy query: bool: max_nested_depth: 20 max_clause_count: 1500 query_string: analyze_wildcard: false allowLeadingWildcard: true id_field_data: enabled: true recovery: recovery_activity_timeout: 1800000ms retry_delay_network: 5s internal_action_timeout: 15m retry_delay_state_sync: 500ms internal_action_long_timeout: 1800000ms max_concurrent_operations: 1 max_bytes_per_sec: 40mb max_concurrent_file_chunks: 2 requests: cache: size: 1% expire: 1ms #0ms - ERROR when set to 0ms, set to 1ms and ERROR gone store: delete: shard: timeout: 30s analysis: hunspell: dictionary: ignore_case: false lazy: false queries: cache: 
count: 10000 size: 10% all_segments: false lifecycle: history_index_enabled: true poll_interval: 10m step: master_timeout: 30s fielddata: cache: size: "-1b" plugin: mandatory: [] slm: minimum_interval: 15m retention_schedule: 0 30 1 * * ? retention_duration: 1h history_index_enabled: true discovery: #seed_hosts: [] # ERROR - it is forbidden to set both [discovery.seed_hosts] and [discovery.zen.ping.unicast.hosts] unconfigured_bootstrap_timeout: 3s request_peers_timeout: 3000ms zen: #commit_timeout: 30s #DEPRECATION #no_master_block: write #DEPRECATION #join_retry_delay: 100ms #DEPRECATION #join_retry_attempts: 3 #DEPRECATION #ping: #unicast: #concurrent_connects: 10 # ERROR forbidden to set both [discovery.seed_resolver.max_concurrent_resolvers] and [discovery.zen.ping.unicast.concurrent_connects] #hosts: [] # ERROR - it is forbidden to set both [discovery.seed_hosts] and [discovery.zen.ping.unicast.hosts] #hosts.resolve_timeout: 5s # ERROR forbidden to set both [discovery.seed_resolver.timeout] and [discovery.zen.ping.unicast.hosts.resolve_timeout] #master_election: #DEPRECATION #ignore_non_master_pings: false #DEPRECATION #wait_for_joins_timeout: 30000ms #DEPRECATION #send_leave_request: true #DEPRECATION ping_timeout: 3s #bwc_ping_timeout: 3s #DEPRECATION #join_timeout: 60000ms #DEPRECATION #publish_diff: #enable: true #DEPRECATION #publish: #DEPRECATION #max_pending_cluster_states: 25 #DEPRECATION #minimum_master_nodes: "-1" #DEPRECATION #unsafe_rolling_upgrades_enabled: true #DEPRECATION #hosts_provider: # ERROR forbidden to set both [discovery.seed_providers] and [discovery.zen.hosts_provider] has to be commented out #publish_timeout: 30s #DEPRECATION #fd: #DEPRECATION #connect_on_network_disconnect: false #DEPRECATION #ping_interval: 1s #DEPRECATION #ping_retries: 3 #DEPRECATION #register_connection_listener: true #DEPRECATION #ping_timeout: 30s #DEPRECATION #max_pings_from_another_master: 3 #DEPRECATION initial_state_timeout: 30s 
# NOTE(review): http.cors.enabled: false and http.host / bind_host / publish_host: []
# (falling back to network.host) are the HTTP listener facts below;
# http.detailed_errors.enabled: true exposes stack traces to callers.
cluster_formation_warning_timeout: 10000ms #seed_providers: # ERROR forbidden to set both [discovery.seed_providers] and [discovery.zen.hosts_provider] has to be commented out type: zen # ERROR java.lang.IllegalArgumentException: node with [discovery.type] set to [single-node] must be master-eligible # test turning off #seed_resolver: #max_concurrent_resolvers: 10 # ERROR forbidden to set both [discovery.seed_resolver.max_concurrent_resolvers] and [discovery.zen.ping.unicast.concurrent_connects] #timeout: 5s # forbidden to set both [discovery.seed_resolver.timeout] and [discovery.zen.ping.unicast.hosts.resolve_timeout] find_peers_interval: 1000ms probe: connect_timeout: 30s handshake_timeout: 30s http: cors: max-age: 1728000 allow-origin: "" allow-headers: X-Requested-With,Content-Type,Content-Length allow-credentials: false allow-methods: OPTIONS,HEAD,GET,POST,PUT,DELETE enabled: false max_chunk_size: 8kb compression_level: 3 max_initial_line_length: 4kb type: security4 pipelining: max_events: 10000 type.default: netty4 #content_type: #DEPRECATION #required: true #DEPRECATION host: [] publish_port: "-1" read_timeout: 0ms max_content_length: 100mb netty: receive_predictor_size: 64kb max_composite_buffer_components: 69905 worker_count: 0 tcp: reuse_address: true keep_count: "-1" keep_interval: "-1" no_delay: true keep_alive: true receive_buffer_size: "-1b" keep_idle: "-1" send_buffer_size: "-1b" bind_host: [] client_stats: enabled: true reset_cookies: false max_warning_header_count: "-1" tracer: include: [] exclude: [] max_warning_header_size: "-1b" detailed_errors: enabled: true port: 9200-9300 max_header_size: 8kb #tcp_no_delay: true #DEPRECATION compression: false publish_host: [] gateway: #recover_after_master_nodes: 0 #DEPRECATION #expected_nodes: "-1" #DEPRECATION recover_after_data_nodes: "-1" expected_data_nodes: "-1" write_dangling_indices_info: true slow_write_logging_threshold: 10s recover_after_time: 0ms #expected_master_nodes: "-1" #DEPRECATION 
#recover_after_nodes: "-1" #DEPRECATION #auto_import_dangling_indices: false #DEPRECATION snapshot: refresh_repo_uuid_on_restore: true max_concurrent_operations: 1000