CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
039d5c22ac8212c01bdd68a5e5afbcccb4b532a9
securityonion/salt/elasticsearch/defaults.yaml
reyesj2 039d5c22ac fix: crowdstrike integration 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
2024-11-06 14:35:41 -06:00

12630 lines
337 KiB
YAML
Raw Blame History

elasticsearch:
enabled: false
version: 8.14.3
index_clean: true
config:
action:
destructive_requires_name: true
cluster:
routing:
allocation:
disk:
threshold_enabled: true
watermark:
flood_stage: 90%
high: 85%
low: 80%
indices:
id_field_data:
enabled: false
logger:
org:
elasticsearch:
deprecation: ERROR
network:
host: 0.0.0.0
node: {}
path:
logs: /var/log/elasticsearch
script:
max_compilations_rate: 20000/1m
transport:
bind_host: 0.0.0.0
publish_port: 9300
xpack:
ml:
enabled: false
security:
authc:
anonymous:
authz_exception: true
roles: []
username: _anonymous
enabled: true
http:
ssl:
certificate: /usr/share/elasticsearch/config/elasticsearch.crt
certificate_authorities:
- /usr/share/elasticsearch/config/ca.crt
client_authentication: none
enabled: true
key: /usr/share/elasticsearch/config/elasticsearch.key
transport:
ssl:
certificate: /usr/share/elasticsearch/config/elasticsearch.crt
certificate_authorities:
- /usr/share/elasticsearch/config/ca.crt
enabled: true
key: /usr/share/elasticsearch/config/elasticsearch.key
verification_mode: none
index_settings:
global_overrides:
index_template:
template:
settings:
index:
lifecycle:
name: global_overrides-logs
number_of_replicas: default_placeholder
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-case:
index_sorting: false
index_template:
composed_of:
- case-mappings
- case-settings
ignore_missing_component_templates: []
index_patterns:
- so-case*
priority: 500
template:
mappings:
date_detection: false
dynamic_templates:
- strings_as_keyword:
mapping:
ignore_above: 1024
type: keyword
match_mapping_type: string
settings:
index:
mapping:
total_fields:
limit: 1500
number_of_replicas: 0
number_of_shards: 1
refresh_interval: 30s
sort:
field: '@timestamp'
order: desc
so-common:
close: 30
delete: 365
index_sorting: false
index_template:
composed_of:
- agent-mappings
- dtc-agent-mappings
- base-mappings
- dtc-base-mappings
- client-mappings
- dtc-client-mappings
- cloud-mappings
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
- ecs-mappings
- dtc-ecs-mappings
- error-mappings
- event-mappings
- dtc-event-mappings
- file-mappings
- dtc-file-mappings
- group-mappings
- host-mappings
- dtc-host-mappings
- http-mappings
- dtc-http-mappings
- log-mappings
- network-mappings
- dtc-network-mappings
- observer-mappings
- dtc-observer-mappings
- orchestrator-mappings
- organization-mappings
- package-mappings
- process-mappings
- dtc-process-mappings
- registry-mappings
- related-mappings
- rule-mappings
- dtc-rule-mappings
- server-mappings
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- syslog-mappings
- dtc-syslog-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
- url-mappings
- user_agent-mappings
- dtc-user_agent-mappings
- vulnerability-mappings
- common-settings
- common-dynamic-mappings
- winlog-mappings
data_stream: {}
ignore_missing_component_templates: []
index_patterns:
- logs-*-so*
priority: 1
template:
mappings:
date_detection: false
dynamic_templates:
- strings_as_keyword:
mapping:
ignore_above: 1024
type: keyword
match_mapping_type: string
settings:
index:
lifecycle:
name: so-common-logs
mapping:
total_fields:
limit: 5000
number_of_replicas: 0
number_of_shards: 1
refresh_interval: 30s
sort:
field: '@timestamp'
order: desc
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
warm: 7
so-detection:
index_sorting: false
index_template:
composed_of:
- detection-mappings
- detection-settings
ignore_missing_component_templates: []
index_patterns:
- so-detection*
priority: 500
template:
mappings:
date_detection: false
dynamic_templates:
- strings_as_keyword:
mapping:
ignore_above: 1024
type: keyword
match_mapping_type: string
settings:
index:
mapping:
total_fields:
limit: 1500
number_of_replicas: 0
number_of_shards: 1
refresh_interval: 30s
sort:
field: '@timestamp'
order: desc
so-endgame:
index_sorting: false
index_template:
composed_of:
- agent-mappings
- dtc-agent-mappings
- base-mappings
- dtc-base-mappings
- client-mappings
- dtc-client-mappings
- cloud-mappings
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
- ecs-mappings
- dtc-ecs-mappings
- endgame-mappings
- error-mappings
- event-mappings
- dtc-event-mappings
- file-mappings
- dtc-file-mappings
- group-mappings
- host-mappings
- dtc-host-mappings
- http-mappings
- dtc-http-mappings
- log-mappings
- network-mappings
- dtc-network-mappings
- observer-mappings
- dtc-observer-mappings
- orchestrator-mappings
- organization-mappings
- package-mappings
- process-mappings
- dtc-process-mappings
- registry-mappings
- related-mappings
- rule-mappings
- dtc-rule-mappings
- server-mappings
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
- url-mappings
- user_agent-mappings
- dtc-user_agent-mappings
- vulnerability-mappings
- common-settings
- common-dynamic-mappings
- winlog-mappings
ignore_missing_component_templates: []
index_patterns:
- endgame*
priority: 500
template:
mappings:
date_detection: false
dynamic_templates:
- strings_as_keyword:
mapping:
ignore_above: 1024
type: keyword
match_mapping_type: string
settings:
index:
lifecycle:
name: so-endgame-logs
mapping:
total_fields:
limit: 5000
number_of_replicas: 0
number_of_shards: 1
refresh_interval: 30s
sort:
field: '@timestamp'
order: desc
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-idh:
close: 30
delete: 365
index_sorting: false
index_template:
composed_of:
- agent-mappings
- dtc-agent-mappings
- base-mappings
- dtc-base-mappings
- client-mappings
- dtc-client-mappings
- container-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
- ecs-mappings
- dtc-ecs-mappings
- error-mappings
- event-mappings
- dtc-event-mappings
- file-mappings
- dtc-file-mappings
- group-mappings
- host-mappings
- dtc-host-mappings
- http-mappings
- dtc-http-mappings
- log-mappings
- network-mappings
- dtc-network-mappings
- observer-mappings
- dtc-observer-mappings
- organization-mappings
- package-mappings
- process-mappings
- dtc-process-mappings
- related-mappings
- rule-mappings
- dtc-rule-mappings
- server-mappings
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- url-mappings
- user_agent-mappings
- dtc-user_agent-mappings
- common-settings
- common-dynamic-mappings
ignore_missing_component_templates: []
index_patterns:
- so-idh-*
priority: 500
template:
mappings:
date_detection: false
dynamic_templates:
- strings_as_keyword:
mapping:
ignore_above: 1024
type: keyword
match_mapping_type: string
settings:
index:
lifecycle:
name: so-idh-logs
mapping:
total_fields:
limit: 5000
number_of_replicas: 0
number_of_shards: 1
refresh_interval: 30s
sort:
field: '@timestamp'
order: desc
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
warm: 7
so-import:
index_sorting: false
index_template:
composed_of:
- agent-mappings
- dtc-agent-mappings
- base-mappings
- dtc-base-mappings
- client-mappings
- dtc-client-mappings
- cloud-mappings
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
- ecs-mappings
- dtc-ecs-mappings
- error-mappings
- event-mappings
- dtc-event-mappings
- file-mappings
- dtc-file-mappings
- group-mappings
- host-mappings
- dtc-host-mappings
- http-mappings
- dtc-http-mappings
- log-mappings
- network-mappings
- dtc-network-mappings
- observer-mappings
- dtc-observer-mappings
- orchestrator-mappings
- organization-mappings
- package-mappings
- process-mappings
- dtc-process-mappings
- registry-mappings
- related-mappings
- rule-mappings
- dtc-rule-mappings
- server-mappings
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
- url-mappings
- user_agent-mappings
- dtc-user_agent-mappings
- vulnerability-mappings
- common-settings
- common-dynamic-mappings
- winlog-mappings
data_stream: {}
ignore_missing_component_templates: []
index_patterns:
- logs-import-so*
priority: 500
template:
mappings:
date_detection: false
dynamic_templates:
- strings_as_keyword:
mapping:
ignore_above: 1024
type: keyword
match_mapping_type: string
settings:
index:
final_pipeline: .fleet_final_pipeline-1
lifecycle:
name: so-import-logs
mapping:
total_fields:
limit: 5000
number_of_replicas: 0
number_of_shards: 1
refresh_interval: 30s
sort:
field: '@timestamp'
order: desc
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-ip-mappings:
index_sorting: false
index_template:
composed_of:
- so-ip-mappings
ignore_missing_component_templates: []
index_patterns:
- so-ip*
priority: 500
template:
mappings:
date_detection: false
dynamic_templates:
- strings_as_keyword:
mapping:
ignore_above: 1024
type: keyword
match_mapping_type: string
settings:
index:
mapping:
total_fields:
limit: 1500
number_of_replicas: 0
number_of_shards: 1
refresh_interval: 30s
sort:
field: '@timestamp'
order: desc
so-items:
index_sorting: false
index_template:
composed_of:
- so-items-mappings
ignore_missing_component_templates: []
index_patterns:
- .items-default-**
priority: 500
template:
mappings:
date_detection: false
settings:
index:
lifecycle:
name: so-items-logs
rollover_alias: .items-default
mapping:
total_fields:
limit: 10000
number_of_replicas: 0
number_of_shards: 1
refresh_interval: 30s
routing:
allocation:
include:
_tier_preference: data_content
sort:
field: '@timestamp'
order: desc
policy:
phases:
hot:
actions:
rollover:
max_size: 50gb
min_age: 0ms
so-kismet:
index_sorting: false
index_template:
composed_of:
- kismet-mappings
- source-mappings
- client-mappings
- device-mappings
- network-mappings
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates: []
index_patterns:
- logs-kismet-so*
priority: 501
template:
settings:
index:
lifecycle:
name: so-kismet-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-kratos:
close: 30
delete: 365
index_sorting: false
index_template:
composed_of:
- agent-mappings
- dtc-agent-mappings
- base-mappings
- dtc-base-mappings
- client-mappings
- dtc-client-mappings
- container-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
- ecs-mappings
- dtc-ecs-mappings
- error-mappings
- event-mappings
- dtc-event-mappings
- file-mappings
- dtc-file-mappings
- group-mappings
- host-mappings
- dtc-host-mappings
- http-mappings
- dtc-http-mappings
- log-mappings
- network-mappings
- dtc-network-mappings
- observer-mappings
- dtc-observer-mappings
- organization-mappings
- package-mappings
- process-mappings
- dtc-process-mappings
- related-mappings
- rule-mappings
- dtc-rule-mappings
- server-mappings
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- url-mappings
- user_agent-mappings
- dtc-user_agent-mappings
- common-settings
- common-dynamic-mappings
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates: []
index_patterns:
- logs-kratos-so*
priority: 500
template:
mappings:
date_detection: false
dynamic_templates:
- strings_as_keyword:
mapping:
ignore_above: 1024
type: keyword
match_mapping_type: string
settings:
index:
lifecycle:
name: so-kratos-logs
mapping:
total_fields:
limit: 5000
number_of_replicas: 0
number_of_shards: 1
refresh_interval: 30s
sort:
field: '@timestamp'
order: desc
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
warm: 7
so-lists:
index_sorting: false
index_template:
composed_of:
- so-lists-mappings
ignore_missing_component_templates: []
index_patterns:
- .lists-default-**
priority: 500
template:
mappings:
date_detection: false
settings:
index:
lifecycle:
name: so-lists-logs
rollover_alias: .lists-default
mapping:
total_fields:
limit: 10000
number_of_replicas: 0
number_of_shards: 1
refresh_interval: 30s
routing:
allocation:
include:
_tier_preference: data_content
sort:
field: '@timestamp'
order: desc
policy:
phases:
hot:
actions:
rollover:
max_size: 50gb
min_age: 0ms
so-logs:
index_sorting: false
index_template:
composed_of:
- so-data-streams-mappings
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
- so-logs-mappings
- so-logs-settings
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates: []
index_patterns:
- logs-*-*
priority: 225
template:
mappings:
_meta:
managed: true
managed_by: security_onion
package:
name: elastic_agent
settings:
index:
lifecycle:
name: so-logs-logs
mapping:
total_fields:
limit: 5001
number_of_replicas: 0
sort:
field: '@timestamp'
order: desc
policy:
_meta:
managed: true
managed_by: security_onion
package:
name: elastic_agent
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-1password_x_item_usages:
index_sorting: false
index_template:
composed_of:
- logs-1password.item_usages@package
- logs-1password.item_usages@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-1password.item_usages@custom
index_patterns:
- logs-1password.item_usages-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-1password.item_usages-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-1password_x_signin_attempts:
index_sorting: false
index_template:
composed_of:
- logs-1password.signin_attempts@package
- logs-1password.signin_attempts@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-1password.signin_attempts@custom
index_patterns:
- logs-1password.signin_attempts-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-1password.signin_attempts-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-apache_x_access:
index_sorting: false
index_template:
composed_of:
- logs-apache.access@package
- logs-apache.access@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-apache.access@custom
index_patterns:
- logs-apache.access-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-apache.access-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-apache_x_error:
index_sorting: false
index_template:
composed_of:
- logs-apache.error@package
- logs-apache.error@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-apache.error@custom
index_patterns:
- logs-apache.error-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-apache.error-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-auditd_x_log:
index_sorting: false
index_template:
composed_of:
- logs-auditd.log@package
- logs-auditd.log@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-auditd.log@custom
index_patterns:
- logs-auditd.log-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-auditd.log-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-auth0_x_logs:
index_sorting: false
index_template:
composed_of:
- logs-auth0.logs@package
- logs-auth0.logs@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-auth0.logs@custom
index_patterns:
- logs-auth0.logs-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-auth0.logs-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-aws_x_cloudfront_logs:
index_sorting: false
index_template:
composed_of:
- logs-aws.cloudfront_logs@package
- logs-aws.cloudfront_logs@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-aws.cloudfront_logs@custom
index_patterns:
- logs-aws.cloudfront_logs-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-aws.cloudfront_logs-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-aws_x_cloudtrail:
index_sorting: false
index_template:
composed_of:
- logs-aws.cloudtrail@package
- logs-aws.cloudtrail@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-aws.cloudtrail@custom
index_patterns:
- logs-aws.cloudtrail-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-aws.cloudtrail-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-aws_x_cloudwatch_logs:
index_sorting: false
index_template:
composed_of:
- logs-aws.cloudwatch_logs@package
- logs-aws.cloudwatch_logs@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-aws.cloudwatch_logs@custom
index_patterns:
- logs-aws.cloudwatch_logs-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-aws.cloudwatch_logs-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-aws_x_ec2_logs:
index_sorting: false
index_template:
composed_of:
- logs-aws.ec2_logs@package
- logs-aws.ec2_logs@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-aws.ec2_logs@custom
index_patterns:
- logs-aws.ec2_logs-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-aws.ec2_logs-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-aws_x_elb_logs:
index_sorting: false
index_template:
composed_of:
- logs-aws.elb_logs@package
- logs-aws.elb_logs@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-aws.elb_logs@custom
index_patterns:
- logs-aws.elb_logs-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-aws.elb_logs-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-aws_x_firewall_logs:
index_sorting: false
index_template:
composed_of:
- logs-aws.firewall_logs@package
- logs-aws.firewall_logs@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-aws.firewall_logs@custom
index_patterns:
- logs-aws.firewall_logs-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-aws.firewall_logs-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-aws_x_guardduty:
index_sorting: false
index_template:
composed_of:
- logs-aws.guardduty@package
- logs-aws.guardduty@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-aws.guardduty@custom
index_patterns:
- logs-aws.guardduty-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-aws.guardduty-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-aws_x_inspector:
index_sorting: false
index_template:
composed_of:
- logs-aws.inspector@package
- logs-aws.inspector@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-aws.inspector@custom
index_patterns:
- logs-aws.inspector-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-aws.inspector-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-aws_x_route53_public_logs:
index_sorting: false
index_template:
composed_of:
- logs-aws.route53_public_logs@package
- logs-aws.route53_public_logs@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-aws.route53_public_logs@custom
index_patterns:
- logs-aws.route53_public_logs-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-aws.route53_public_logs-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-aws_x_route53_resolver_logs:
index_sorting: false
index_template:
composed_of:
- logs-aws.route53_resolver_logs@package
- logs-aws.route53_resolver_logs@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-aws.route53_resolver_logs@custom
index_patterns:
- logs-aws.route53_resolver_logs-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-aws.route53_resolver_logs-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-aws_x_s3access:
index_sorting: false
index_template:
composed_of:
- logs-aws.s3access@package
- logs-aws.s3access@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-aws.s3access@custom
index_patterns:
- logs-aws.s3access-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-aws.s3access-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-aws_x_securityhub_findings:
index_sorting: false
index_template:
composed_of:
- logs-aws.securityhub_findings@package
- logs-aws.securityhub_findings@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-aws.securityhub_findings@custom
index_patterns:
- logs-aws.securityhub_findings-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-aws.securityhub_findings-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-aws_x_securityhub_insights:
index_sorting: false
index_template:
composed_of:
- logs-aws.securityhub_insights@package
- logs-aws.securityhub_insights@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-aws.securityhub_insights@custom
index_patterns:
- logs-aws.securityhub_insights-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-aws.securityhub_insights-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-aws_x_vpcflow:
index_sorting: false
index_template:
composed_of:
- logs-aws.vpcflow@package
- logs-aws.vpcflow@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-aws.vpcflow@custom
index_patterns:
- logs-aws.vpcflow-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-aws.vpcflow-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-aws_x_waf:
index_sorting: false
index_template:
composed_of:
- logs-aws.waf@package
- logs-aws.waf@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-aws.waf@custom
index_patterns:
- logs-aws.waf-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-aws.waf-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-azure_x_activitylogs:
index_sorting: false
index_template:
composed_of:
- logs-azure.activitylogs@package
- logs-azure.activitylogs@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-azure.activitylogs@custom
index_patterns:
- logs-azure.activitylogs-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-azure.activitylogs-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-azure_x_application_gateway:
index_sorting: false
index_template:
composed_of:
- logs-azure.application_gateway@package
- logs-azure.application_gateway@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-azure.application_gateway@custom
index_patterns:
- logs-azure.application_gateway-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-azure.application_gateway-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-azure_x_auditlogs:
index_sorting: false
index_template:
composed_of:
- logs-azure.auditlogs@package
- logs-azure.auditlogs@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-azure.auditlogs@custom
index_patterns:
- logs-azure.auditlogs-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-azure.auditlogs-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-azure_x_eventhub:
index_sorting: false
index_template:
composed_of:
- logs-azure.eventhub@package
- logs-azure.eventhub@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-azure.eventhub@custom
index_patterns:
- logs-azure.eventhub-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-azure.eventhub-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-azure_x_firewall_logs:
index_sorting: false
index_template:
composed_of:
- logs-azure.firewall_logs@package
- logs-azure.firewall_logs@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-azure.firewall_logs@custom
index_patterns:
- logs-azure.firewall_logs-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-azure.firewall_logs-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-azure_x_identity_protection:
index_sorting: false
index_template:
composed_of:
- logs-azure.identity_protection@package
- logs-azure.identity_protection@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-azure.identity_protection@custom
index_patterns:
- logs-azure.identity_protection-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-azure.identity_protection-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-azure_x_platformlogs:
index_sorting: false
index_template:
composed_of:
- logs-azure.platformlogs@package
- logs-azure.platformlogs@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-azure.platformlogs@custom
index_patterns:
- logs-azure.platformlogs-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-azure.platformlogs-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-azure_x_provisioning:
index_sorting: false
index_template:
composed_of:
- logs-azure.provisioning@package
- logs-azure.provisioning@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-azure.provisioning@custom
index_patterns:
- logs-azure.provisioning-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-azure.provisioning-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-azure_x_signinlogs:
index_sorting: false
index_template:
composed_of:
- logs-azure.signinlogs@package
- logs-azure.signinlogs@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-azure.signinlogs@custom
index_patterns:
- logs-azure.signinlogs-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-azure.signinlogs-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-azure_x_springcloudlogs:
index_sorting: false
index_template:
composed_of:
- logs-azure.springcloudlogs@package
- logs-azure.springcloudlogs@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-azure.springcloudlogs@custom
index_patterns:
- logs-azure.springcloudlogs-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-azure.springcloudlogs-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-barracuda_x_waf:
index_sorting: false
index_template:
composed_of:
- logs-barracuda.waf@package
- logs-barracuda.waf@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-barracuda.waf@custom
index_patterns:
- logs-barracuda.waf-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-barracuda.waf-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-barracuda_cloudgen_firewall_x_log:
index_sorting: False
index_template:
ignore_missing_component_templates:
- logs-barracuda_cloudgen_firewall.log@custom
index_patterns:
- "logs-barracuda_cloudgen_firewall.log-*"
template:
settings:
index:
lifecycle:
name: so-logs-barracuda_cloudgen_firewall.log-logs
number_of_replicas: 0
composed_of:
- "logs-barracuda_cloudgen_firewall.log@package"
- "logs-barracuda_cloudgen_firewall.log@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 30d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-carbonblack_edr_x_log:
index_sorting: false
index_template:
composed_of:
- logs-carbonblack_edr.log@package
- logs-carbonblack_edr.log@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-carbonblack_edr.log@custom
index_patterns:
- logs-carbonblack_edr.log-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-carbonblack_edr.log-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-cef_x_log:
index_sorting: false
index_template:
composed_of:
- logs-cef.log@package
- logs-cef.log@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-cef.log@custom
index_patterns:
- logs-cef.log-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-cef.log-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-checkpoint_x_firewall:
index_sorting: false
index_template:
composed_of:
- logs-checkpoint.firewall@package
- logs-checkpoint.firewall@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-checkpoint.firewall@custom
index_patterns:
- logs-checkpoint.firewall-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-checkpoint.firewall-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-cisco_asa_x_log:
index_sorting: false
index_template:
composed_of:
- logs-cisco_asa.log@package
- logs-cisco_asa.log@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-cisco_asa.log@custom
index_patterns:
- logs-cisco_asa.log-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-cisco_asa.log-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-cisco_duo_x_admin:
index_sorting: false
index_template:
composed_of:
- logs-cisco_duo.admin@package
- logs-cisco_duo.admin@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-cisco_duo.admin@custom
index_patterns:
- logs-cisco_duo.admin-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-cisco_duo.admin-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-cisco_duo_x_auth:
index_sorting: false
index_template:
composed_of:
- logs-cisco_duo.auth@package
- logs-cisco_duo.auth@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-cisco_duo.auth@custom
index_patterns:
- logs-cisco_duo.auth-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-cisco_duo.auth-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-cisco_duo_x_offline_enrollment:
index_sorting: false
index_template:
composed_of:
- logs-cisco_duo.offline_enrollment@package
- logs-cisco_duo.offline_enrollment@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-cisco_duo.offline_enrollment@custom
index_patterns:
- logs-cisco_duo.offline_enrollment-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-cisco_duo.offline_enrollment-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-cisco_duo_x_summary:
index_sorting: false
index_template:
composed_of:
- logs-cisco_duo.summary@package
- logs-cisco_duo.summary@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-cisco_duo.summary@custom
index_patterns:
- logs-cisco_duo.summary-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-cisco_duo.summary-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-cisco_duo_x_telephony:
index_sorting: false
index_template:
composed_of:
- logs-cisco_duo.telephony@package
- logs-cisco_duo.telephony@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-cisco_duo.telephony@custom
index_patterns:
- logs-cisco_duo.telephony-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-cisco_duo.telephony-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-cisco_ftd_x_log:
index_sorting: false
index_template:
composed_of:
- logs-cisco_ftd.log@package
- logs-cisco_ftd.log@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-cisco_ftd.log@custom
index_patterns:
- logs-cisco_ftd.log-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-cisco_ftd.log-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-cisco_ios_x_log:
index_sorting: false
index_template:
composed_of:
- logs-cisco_ios.log@package
- logs-cisco_ios.log@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-cisco_ios.log@custom
index_patterns:
- logs-cisco_ios.log-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-cisco_ios.log-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-cisco_ise_x_log:
index_sorting: false
index_template:
composed_of:
- logs-cisco_ise.log@package
- logs-cisco_ise.log@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-cisco_ise.log@custom
index_patterns:
- logs-cisco_ise.log-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-cisco_ise.log-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-cisco_meraki_x_events:
index_sorting: false
index_template:
composed_of:
- logs-cisco_meraki.events@package
- logs-cisco_meraki.events@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-cisco_meraki.events@custom
index_patterns:
- logs-cisco_meraki.events-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-cisco_meraki.events-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-cisco_meraki_x_log:
index_sorting: false
index_template:
composed_of:
- logs-cisco_meraki.log@package
- logs-cisco_meraki.log@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-cisco_meraki.log@custom
index_patterns:
- logs-cisco_meraki.log-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-cisco_meraki.log-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-cisco_umbrella_x_log:
index_sorting: false
index_template:
composed_of:
- logs-cisco_umbrella.log@package
- logs-cisco_umbrella.log@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-cisco_umbrella.log@custom
index_patterns:
- logs-cisco_umbrella.log-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-cisco_umbrella.log-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-citrix_adc_x_interface:
index_sorting: false
index_template:
composed_of:
- logs-citrix_adc.interface@package
- logs-citrix_adc.interface@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-citrix_adc.interface@custom
index_patterns:
- logs-citrix_adc.interface-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-citrix_adc.interface-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-citrix_adc_x_lbvserver:
index_sorting: false
index_template:
composed_of:
- logs-citrix_adc.lbvserver@package
- logs-citrix_adc.lbvserver@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-citrix_adc.lbvserver@custom
index_patterns:
- logs-citrix_adc.lbvserver-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-citrix_adc.lbvserver-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-citrix_adc_x_service:
index_sorting: false
index_template:
composed_of:
- logs-citrix_adc.service@package
- logs-citrix_adc.service@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-citrix_adc.service@custom
index_patterns:
- logs-citrix_adc.service-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-citrix_adc.service-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-citrix_adc_x_system:
index_sorting: false
index_template:
composed_of:
- logs-citrix_adc.system@package
- logs-citrix_adc.system@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-citrix_adc.system@custom
index_patterns:
- logs-citrix_adc.system-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-citrix_adc.system-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-citrix_adc_x_vpn:
index_sorting: false
index_template:
composed_of:
- logs-citrix_adc.vpn@package
- logs-citrix_adc.vpn@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-citrix_adc.vpn@custom
index_patterns:
- logs-citrix_adc.vpn-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-citrix_adc.vpn-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-citrix_waf_x_log:
index_sorting: false
index_template:
composed_of:
- logs-citrix_waf.log@package
- logs-citrix_waf.log@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-citrix_waf.log@custom
index_patterns:
- logs-citrix_waf.log-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-citrix_waf.log-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-cloudflare_x_audit:
index_sorting: false
index_template:
composed_of:
- logs-cloudflare.audit@package
- logs-cloudflare.audit@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-cloudflare.audit@custom
index_patterns:
- logs-cloudflare.audit-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-cloudflare.audit-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-cloudflare_x_logpull:
index_sorting: false
index_template:
composed_of:
- logs-cloudflare.logpull@package
- logs-cloudflare.logpull@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-cloudflare.logpull@custom
index_patterns:
- logs-cloudflare.logpull-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-cloudflare.logpull-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-crowdstrike_x_alert:
index_sorting: False
index_template:
index_patterns:
- logs-crowdstrike.alert-*
template:
settings:
index:
number_of_replicas: 0
composed_of:
- logs-crowdstrike.alert@package
- logs-crowdstrike.alert@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
ignore_missing_component_templates:
- logs-crowdstrike.alert@custom
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-crowdstrike_x_falcon:
index_sorting: False
index_template:
index_patterns:
- logs-crowdstrike.falcon-*
template:
settings:
index:
number_of_replicas: 0
composed_of:
- logs-crowdstrike.falcon@package
- logs-crowdstrike.falcon@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
ignore_missing_component_templates:
- logs-crowdstrike.falcon@custom
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-crowdstrike_x_fdr:
index_sorting: False
index_template:
index_patterns:
- logs-crowdstrike.fdr-*
template:
settings:
index:
number_of_replicas:
composed_of:
- logs-crowdstrike.fdr@package
- logs-crowdstrike.fdr@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
ignore_missing_component_templates:
- logs-crowdstrike.fdr@custom
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-crowdstrike_x_host:
index_sorting: False
index_template:
index_patterns:
- logs-crowdstrike.host-*
template:
settings:
index:
number_of_replicas: 0
composed_of:
- logs-crowdstrike.host@package
- logs-crowdstrike.host@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
ignore_missing_component_templates:
- logs-crowdstrike.host@custom
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-darktrace_x_ai_analyst_alert:
index_sorting: false
index_template:
composed_of:
- logs-darktrace.ai_analyst_alert@package
- logs-darktrace.ai_analyst_alert@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-darktrace.ai_analyst_alert@custom
index_patterns:
- logs-darktrace.ai_analyst_alert-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-darktrace.ai_analyst_alert-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-darktrace_x_model_breach_alert:
index_sorting: false
index_template:
composed_of:
- logs-darktrace.model_breach_alert@package
- logs-darktrace.model_breach_alert@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-darktrace.model_breach_alert@custom
index_patterns:
- logs-darktrace.model_breach_alert-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-darktrace.model_breach_alert-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-darktrace_x_system_status_alert:
index_sorting: false
index_template:
composed_of:
- logs-darktrace.system_status_alert@package
- logs-darktrace.system_status_alert@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-darktrace.system_status_alert@custom
index_patterns:
- logs-darktrace.system_status_alert-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-darktrace.system_status_alert-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-detections_x_alerts:
index_sorting: false
index_template:
composed_of:
- so-data-streams-mappings
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
- so-logs-mappings
- so-logs-settings
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates: []
index_patterns:
- logs-detections.alerts-*
priority: 501
template:
mappings:
_meta:
managed: true
managed_by: security_onion
package:
name: elastic_agent
settings:
index:
lifecycle:
name: so-logs-detections.alerts-so
mapping:
total_fields:
limit: 5001
number_of_replicas: 0
sort:
field: '@timestamp'
order: desc
policy:
_meta:
managed: true
managed_by: security_onion
package:
name: elastic_agent
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 1d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-elastic_agent:
index_sorting: false
index_template:
composed_of:
- event-mappings
- logs-elastic_agent@package
- logs-elastic_agent@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-elastic_agent@custom
index_patterns:
- logs-elastic_agent-*
priority: 501
template:
mappings:
_meta:
managed: true
managed_by: security_onion
package:
name: elastic_agent
settings:
index:
lifecycle:
name: so-logs-elastic_agent-logs
mapping:
total_fields:
limit: 5000
number_of_replicas: 0
sort:
field: '@timestamp'
order: desc
policy:
_meta:
managed: true
managed_by: security_onion
package:
name: elastic_agent
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-elastic_agent_x_apm_server:
index_sorting: false
index_template:
composed_of:
- logs-elastic_agent.apm_server@package
- logs-elastic_agent.apm_server@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-elastic_agent.apm_server@custom
index_patterns:
- logs-elastic_agent.apm_server-*
priority: 501
template:
mappings:
_meta:
managed: true
managed_by: security_onion
package:
name: elastic_agent
settings:
index:
lifecycle:
name: so-logs-elastic_agent.apm_server-logs
mapping:
total_fields:
limit: 5000
number_of_replicas: 0
sort:
field: '@timestamp'
order: desc
policy:
_meta:
managed: true
managed_by: security_onion
package:
name: elastic_agent
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-elastic_agent_x_auditbeat:
index_sorting: false
index_template:
composed_of:
- logs-elastic_agent.auditbeat@package
- logs-elastic_agent.auditbeat@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-elastic_agent.auditbeat@custom
index_patterns:
- logs-elastic_agent.auditbeat-*
priority: 501
template:
mappings:
_meta:
managed: true
managed_by: security_onion
package:
name: elastic_agent
settings:
index:
lifecycle:
name: so-logs-elastic_agent.auditbeat-logs
mapping:
total_fields:
limit: 5000
number_of_replicas: 0
sort:
field: '@timestamp'
order: desc
policy:
_meta:
managed: true
managed_by: security_onion
package:
name: elastic_agent
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-elastic_agent_x_cloudbeat:
index_sorting: false
index_template:
composed_of:
- logs-elastic_agent.cloudbeat@package
- logs-elastic_agent.cloudbeat@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
ignore_missing_component_templates:
- logs-elastic_agent.cloudbeat@custom
index_patterns:
- logs-elastic_agent.cloudbeat-*
priority: 501
template:
mappings:
_meta:
managed: true
managed_by: security_onion
package:
name: elastic_agent
settings:
index:
lifecycle:
name: so-logs-elastic_agent.cloudbeat-logs
mapping:
total_fields:
limit: 5000
number_of_replicas: 0
sort:
field: '@timestamp'
order: desc
policy:
_meta:
managed: true
managed_by: security_onion
package:
name: elastic_agent
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-elastic_agent_x_endpoint_security:
index_sorting: false
index_template:
composed_of:
- event-mappings
- logs-elastic_agent.endpoint_security@package
- logs-elastic_agent.endpoint_security@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-elastic_agent.endpoint_security@custom
index_patterns:
- logs-elastic_agent.endpoint_security-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-elastic_agent.endpoint_security-logs
mapping:
total_fields:
limit: 5000
number_of_replicas: 0
sort:
field: '@timestamp'
order: desc
policy:
_meta:
managed: true
managed_by: security_onion
package:
name: elastic_agent
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-elastic_agent_x_filebeat:
index_sorting: false
index_template:
composed_of:
- event-mappings
- logs-elastic_agent.filebeat@package
- logs-elastic_agent.filebeat@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-elastic_agent.filebeat@custom
index_patterns:
- logs-elastic_agent.filebeat-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-elastic_agent.filebeat-logs
mapping:
total_fields:
limit: 5000
number_of_replicas: 0
sort:
field: '@timestamp'
order: desc
policy:
_meta:
managed: true
managed_by: security_onion
package:
name: elastic_agent
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-elastic_agent_x_fleet_server:
index_sorting: false
index_template:
composed_of:
- event-mappings
- logs-elastic_agent.fleet_server@package
- logs-elastic_agent.fleet_server@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-elastic_agent.fleet_server@custom
index_patterns:
- logs-elastic_agent.fleet_server-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-elastic_agent.fleet_server-logs
number_of_replicas: 0
sort:
field: '@timestamp'
order: desc
policy:
_meta:
managed: true
managed_by: security_onion
package:
name: elastic_agent
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-elastic_agent_x_heartbeat:
index_sorting: false
index_template:
composed_of:
- logs-elastic_agent.heartbeat@package
- logs-elastic_agent.heartbeat@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
ignore_missing_component_templates:
- logs-elastic_agent.heartbeat@custom
index_patterns:
- logs-elastic_agent.heartbeat-*
priority: 501
template:
mappings:
_meta:
managed: true
managed_by: security_onion
package:
name: elastic_agent
settings:
index:
lifecycle:
name: so-logs-elastic_agent.heartbeat-logs
mapping:
total_fields:
limit: 5000
number_of_replicas: 0
sort:
field: '@timestamp'
order: desc
policy:
_meta:
managed: true
managed_by: security_onion
package:
name: elastic_agent
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-elastic_agent_x_metricbeat:
index_sorting: false
index_template:
composed_of:
- event-mappings
- logs-elastic_agent.metricbeat@package
- logs-elastic_agent.metricbeat@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-elastic_agent.metricbeat@custom
index_patterns:
- logs-elastic_agent.metricbeat-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-elastic_agent.metricbeat-logs
mapping:
total_fields:
limit: 5000
number_of_replicas: 0
sort:
field: '@timestamp'
order: desc
policy:
_meta:
managed: true
managed_by: security_onion
package:
name: elastic_agent
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-elastic_agent_x_osquerybeat:
index_sorting: false
index_template:
composed_of:
- event-mappings
- logs-elastic_agent.osquerybeat@package
- logs-elastic_agent.osquerybeat@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-elastic_agent.osquerybeat@custom
index_patterns:
- logs-elastic_agent.osquerybeat-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-elastic_agent.osquerybeat-logs
mapping:
total_fields:
limit: 5000
number_of_replicas: 0
sort:
field: '@timestamp'
order: desc
policy:
_meta:
managed: true
managed_by: security_onion
package:
name: elastic_agent
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-elastic_agent_x_packetbeat:
index_sorting: false
index_template:
composed_of:
- logs-elastic_agent.packetbeat@package
- logs-elastic_agent.packetbeat@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-elastic_agent.packetbeat@custom
index_patterns:
- logs-elastic_agent.packetbeat-*
priority: 501
template:
mappings:
_meta:
managed: true
managed_by: security_onion
package:
name: elastic_agent
settings:
index:
lifecycle:
name: so-logs-elastic_agent.packetbeat-logs
mapping:
total_fields:
limit: 5000
number_of_replicas: 0
sort:
field: '@timestamp'
order: desc
policy:
_meta:
managed: true
managed_by: security_onion
package:
name: elastic_agent
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-endpoint_x_alerts:
index_sorting: false
index_template:
composed_of:
- event-mappings
- logs-endpoint.alerts@custom
- logs-endpoint.alerts@package
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-endpoint.alerts@custom
index_patterns:
- logs-endpoint.alerts-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-endpoint.alerts-logs
mapping:
total_fields:
limit: 5000
number_of_replicas: 0
sort:
field: '@timestamp'
order: desc
policy:
_meta:
managed: true
managed_by: security_onion
package:
name: elastic_agent
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-endpoint_x_diagnostic_x_collection:
index_sorting: false
index_template:
composed_of:
- event-mappings
- logs-endpoint.diagnostic.collection@custom
- logs-endpoint.diagnostic.collection@package
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-endpoint.diagnostic.collection@custom
index_patterns:
- .logs-endpoint.diagnostic.collection-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-endpoint.diagnostic.collection-logs
mapping:
total_fields:
limit: 5000
number_of_replicas: 0
sort:
field: '@timestamp'
order: desc
policy:
_meta:
managed: true
managed_by: security_onion
package:
name: elastic_agent
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-endpoint_x_events_x_api:
index_sorting: false
index_template:
composed_of:
- event-mappings
- logs-endpoint.events.api@custom
- logs-endpoint.events.api@package
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-endpoint.events.api@custom
index_patterns:
- logs-endpoint.events.api-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-endpoint.events.api-logs
mapping:
total_fields:
limit: 5000
number_of_replicas: 0
sort:
field: '@timestamp'
order: desc
policy:
_meta:
managed: true
managed_by: security_onion
package:
name: elastic_agent
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-endpoint_x_events_x_file:
index_sorting: false
index_template:
composed_of:
- event-mappings
- logs-endpoint.events.file@custom
- logs-endpoint.events.file@package
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-endpoint.events.file@custom
index_patterns:
- logs-endpoint.events.file-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-endpoint.events.file-logs
mapping:
total_fields:
limit: 5000
number_of_replicas: 0
sort:
field: '@timestamp'
order: desc
policy:
_meta:
managed: true
managed_by: security_onion
package:
name: elastic_agent
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-endpoint_x_events_x_library:
index_sorting: false
index_template:
composed_of:
- event-mappings
- logs-endpoint.events.library@custom
- logs-endpoint.events.library@package
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-endpoint.events.library@custom
index_patterns:
- logs-endpoint.events.library-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-endpoint.events.library-logs
mapping:
total_fields:
limit: 5000
number_of_replicas: 0
sort:
field: '@timestamp'
order: desc
policy:
_meta:
managed: true
managed_by: security_onion
package:
name: elastic_agent
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-endpoint_x_events_x_network:
index_sorting: false
index_template:
composed_of:
- event-mappings
- logs-endpoint.events.network@custom
- logs-endpoint.events.network@package
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-endpoint.events.network@custom
index_patterns:
- logs-endpoint.events.network-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-endpoint.events.network-logs
mapping:
total_fields:
limit: 5000
number_of_replicas: 0
sort:
field: '@timestamp'
order: desc
policy:
_meta:
managed: true
managed_by: security_onion
package:
name: elastic_agent
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-endpoint_x_events_x_process:
index_sorting: false
index_template:
composed_of:
- event-mappings
- logs-endpoint.events.process@custom
- logs-endpoint.events.process@package
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-endpoint.events.process@custom
index_patterns:
- logs-endpoint.events.process-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-endpoint.events.process-logs
mapping:
total_fields:
limit: 5000
number_of_replicas: 0
sort:
field: '@timestamp'
order: desc
policy:
_meta:
managed: true
managed_by: security_onion
package:
name: elastic_agent
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-endpoint_x_events_x_registry:
index_sorting: false
index_template:
composed_of:
- event-mappings
- logs-endpoint.events.registry@custom
- logs-endpoint.events.registry@package
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-endpoint.events.registry@custom
index_patterns:
- logs-endpoint.events.registry-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-endpoint.events.registry-logs
mapping:
total_fields:
limit: 5000
number_of_replicas: 0
sort:
field: '@timestamp'
order: desc
policy:
_meta:
managed: true
managed_by: security_onion
package:
name: elastic_agent
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-endpoint_x_events_x_security:
index_sorting: false
index_template:
composed_of:
- event-mappings
- logs-endpoint.events.security@custom
- logs-endpoint.events.security@package
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-endpoint.events.security@custom
index_patterns:
- logs-endpoint.events.security-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-endpoint.events.security-logs
mapping:
total_fields:
limit: 5000
number_of_replicas: 0
sort:
field: '@timestamp'
order: desc
policy:
_meta:
managed: true
managed_by: security_onion
package:
name: elastic_agent
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-f5_bigip_x_log:
index_sorting: false
index_template:
composed_of:
- logs-f5_bigip.log@package
- logs-f5_bigip.log@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-f5_bigip.log@custom
index_patterns:
- logs-f5_bigip.log-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-f5_bigip.log-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-fim_x_event:
index_sorting: false
index_template:
composed_of:
- logs-fim.event@package
- logs-fim.event@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-fim.event@custom
index_patterns:
- logs-fim.event-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-fim.event-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-fireeye_x_nx:
index_sorting: false
index_template:
composed_of:
- logs-fireeye.nx@package
- logs-fireeye.nx@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-fireeye.nx@custom
index_patterns:
- logs-fireeye.nx-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-fireeye.nx-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-fortinet_fortigate_x_log:
index_sorting: false
index_template:
composed_of:
- logs-fortinet_fortigate.log@package
- logs-fortinet_fortigate.log@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-fortinet_fortigate.log@custom
index_patterns:
- logs-fortinet_fortigate.log-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-fortinet_fortigate.log-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-fortinet_x_clientendpoint:
index_sorting: false
index_template:
composed_of:
- logs-fortinet.clientendpoint@package
- logs-fortinet.clientendpoint@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-fortinet.clientendpoint@custom
index_patterns:
- logs-fortinet.clientendpoint-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-fortinet.clientendpoint-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-fortinet_x_firewall:
index_sorting: false
index_template:
composed_of:
- logs-fortinet.firewall@package
- logs-fortinet.firewall@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-fortinet.firewall@custom
index_patterns:
- logs-fortinet.firewall-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-fortinet.firewall-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-fortinet_x_fortimail:
index_sorting: false
index_template:
composed_of:
- logs-fortinet.fortimail@package
- logs-fortinet.fortimail@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-fortinet.fortimail@custom
index_patterns:
- logs-fortinet.fortimail-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-fortinet.fortimail-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-fortinet_x_fortimanager:
index_sorting: false
index_template:
composed_of:
- logs-fortinet.fortimanager@package
- logs-fortinet.fortimanager@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-fortinet.fortimanager@custom
index_patterns:
- logs-fortinet.fortimanager-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-fortinet.fortimanager-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-gcp_x_audit:
index_sorting: false
index_template:
composed_of:
- logs-gcp.audit@package
- logs-gcp.audit@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-gcp.audit@custom
index_patterns:
- logs-gcp.audit-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-gcp.audit-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-gcp_x_dns:
index_sorting: false
index_template:
composed_of:
- logs-gcp.dns@package
- logs-gcp.dns@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-gcp.dns@custom
index_patterns:
- logs-gcp.dns-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-gcp.dns-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-gcp_x_firewall:
index_sorting: false
index_template:
composed_of:
- logs-gcp.firewall@package
- logs-gcp.firewall@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-gcp.firewall@custom
index_patterns:
- logs-gcp.firewall-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-gcp.firewall-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-gcp_x_loadbalancing_logs:
index_sorting: false
index_template:
composed_of:
- logs-gcp.loadbalancing_logs@package
- logs-gcp.loadbalancing_logs@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-gcp.loadbalancing_logs@custom
index_patterns:
- logs-gcp.loadbalancing_logs-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-gcp.loadbalancing_logs-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-gcp_x_vpcflow:
index_sorting: false
index_template:
composed_of:
- logs-gcp.vpcflow@package
- logs-gcp.vpcflow@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-gcp.vpcflow@custom
index_patterns:
- logs-gcp.vpcflow-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-gcp.vpcflow-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-github_x_audit:
index_sorting: false
index_template:
composed_of:
- logs-github.audit@package
- logs-github.audit@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-github.audit@custom
index_patterns:
- logs-github.audit-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-github.audit-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-github_x_code_scanning:
index_sorting: false
index_template:
composed_of:
- logs-github.code_scanning@package
- logs-github.code_scanning@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-github.code_scanning@custom
index_patterns:
- logs-github.code_scanning-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-github.code_scanning-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-github_x_dependabot:
index_sorting: false
index_template:
composed_of:
- logs-github.dependabot@package
- logs-github.dependabot@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-github.dependabot@custom
index_patterns:
- logs-github.dependabot-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-github.dependabot-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-github_x_issues:
index_sorting: false
index_template:
composed_of:
- logs-github.issues@package
- logs-github.issues@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-github.issues@custom
index_patterns:
- logs-github.issues-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-github.issues-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-github_x_secret_scanning:
index_sorting: false
index_template:
composed_of:
- logs-github.secret_scanning@package
- logs-github.secret_scanning@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-github.secret_scanning@custom
index_patterns:
- logs-github.secret_scanning-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-github.secret_scanning-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-google_workspace_x_access_transparency:
index_sorting: false
index_template:
composed_of:
- logs-google_workspace.access_transparency@package
- logs-google_workspace.access_transparency@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-google_workspace.access_transparency@custom
index_patterns:
- logs-google_workspace.access_transparency-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-google_workspace.access_transparency-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-google_workspace_x_admin:
index_sorting: false
index_template:
composed_of:
- logs-google_workspace.admin@package
- logs-google_workspace.admin@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-google_workspace.admin@custom
index_patterns:
- logs-google_workspace.admin-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-google_workspace.admin-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-google_workspace_x_alert:
index_sorting: false
index_template:
composed_of:
- logs-google_workspace.alert@package
- logs-google_workspace.alert@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-google_workspace.alert@custom
index_patterns:
- logs-google_workspace.alert-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-google_workspace.alert-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-google_workspace_x_context_aware_access:
index_sorting: false
index_template:
composed_of:
- logs-google_workspace.context_aware_access@package
- logs-google_workspace.context_aware_access@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-google_workspace.context_aware_access@custom
index_patterns:
- logs-google_workspace.context_aware_access-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-google_workspace.context_aware_access-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-google_workspace_x_device:
index_sorting: false
index_template:
composed_of:
- logs-google_workspace.device@package
- logs-google_workspace.device@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-google_workspace.device@custom
index_patterns:
- logs-google_workspace.device-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-google_workspace.device-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-google_workspace_x_drive:
index_sorting: false
index_template:
composed_of:
- logs-google_workspace.drive@package
- logs-google_workspace.drive@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-google_workspace.drive@custom
index_patterns:
- logs-google_workspace.drive-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-google_workspace.drive-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-google_workspace_x_gcp:
index_sorting: false
index_template:
composed_of:
- logs-google_workspace.gcp@package
- logs-google_workspace.gcp@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-google_workspace.gcp@custom
index_patterns:
- logs-google_workspace.gcp-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-google_workspace.gcp-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-google_workspace_x_group_enterprise:
index_sorting: false
index_template:
composed_of:
- logs-google_workspace.group_enterprise@package
- logs-google_workspace.group_enterprise@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-google_workspace.group_enterprise@custom
index_patterns:
- logs-google_workspace.group_enterprise-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-google_workspace.group_enterprise-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-google_workspace_x_groups:
index_sorting: false
index_template:
composed_of:
- logs-google_workspace.groups@package
- logs-google_workspace.groups@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-google_workspace.groups@custom
index_patterns:
- logs-google_workspace.groups-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-google_workspace.groups-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-google_workspace_x_login:
index_sorting: false
index_template:
composed_of:
- logs-google_workspace.login@package
- logs-google_workspace.login@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-google_workspace.login@custom
index_patterns:
- logs-google_workspace.login-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-google_workspace.login-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-google_workspace_x_rules:
index_sorting: false
index_template:
composed_of:
- logs-google_workspace.rules@package
- logs-google_workspace.rules@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-google_workspace.rules@custom
index_patterns:
- logs-google_workspace.rules-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-google_workspace.rules-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-google_workspace_x_saml:
index_sorting: false
index_template:
composed_of:
- logs-google_workspace.saml@package
- logs-google_workspace.saml@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-google_workspace.saml@custom
index_patterns:
- logs-google_workspace.saml-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-google_workspace.saml-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-google_workspace_x_token:
index_sorting: false
index_template:
composed_of:
- logs-google_workspace.token@package
- logs-google_workspace.token@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-google_workspace.token@custom
index_patterns:
- logs-google_workspace.token-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-google_workspace.token-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-google_workspace_x_user_accounts:
index_sorting: false
index_template:
composed_of:
- logs-google_workspace.user_accounts@package
- logs-google_workspace.user_accounts@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-google_workspace.user_accounts@custom
index_patterns:
- logs-google_workspace.user_accounts-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-google_workspace.user_accounts-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-http_endpoint_x_generic:
index_sorting: false
index_template:
composed_of:
- logs-http_endpoint.generic@package
- logs-http_endpoint.generic@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-http_endpoint.generic@package
- logs-http_endpoint.generic@custom
index_patterns:
- logs-http_endpoint.generic-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-http_endpoint.generic-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-httpjson_x_generic:
index_sorting: false
index_template:
composed_of:
- logs-httpjson.generic@package
- logs-httpjson.generic@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-httpjson.generic@custom
index_patterns:
- logs-httpjson.generic-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-httpjson.generic-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-iis_x_access:
index_sorting: false
index_template:
composed_of:
- logs-iis.access@package
- logs-iis.access@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-iis.access@custom
index_patterns:
- logs-iis.access-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-iis.access-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-iis_x_error:
index_sorting: false
index_template:
composed_of:
- logs-iis.error@package
- logs-iis.error@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-iis.error@custom
index_patterns:
- logs-iis.error-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-iis.error-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-imperva_cloud_waf_x_event:
index_sorting: False
index_template:
ignore_missing_component_templates:
- logs-imperva_cloud_waf.event@custom
index_patterns:
- "logs-imperva_cloud_waf.event-*"
template:
settings:
index:
lifecycle:
name: so-logs-imperva_cloud_waf.event-logs
number_of_replicas: 0
composed_of:
- "logs-imperva_cloud_waf.event@package"
- "logs-imperva_cloud_waf.event@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 30d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-juniper_srx_x_log:
index_sorting: false
index_template:
composed_of:
- logs-juniper_srx.log@package
- logs-juniper_srx.log@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-juniper_srx.log@custom
index_patterns:
- logs-juniper_srx.log-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-juniper_srx.log-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-juniper_x_junos:
index_sorting: false
index_template:
composed_of:
- logs-juniper.junos@package
- logs-juniper.junos@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-juniper.junos@custom
index_patterns:
- logs-juniper.junos-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-juniper.junos-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-juniper_x_netscreen:
index_sorting: false
index_template:
composed_of:
- logs-juniper.netscreen@package
- logs-juniper.netscreen@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-juniper.netscreen@custom
index_patterns:
- logs-juniper.netscreen-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-juniper.netscreen-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-juniper_x_srx:
index_sorting: false
index_template:
composed_of:
- logs-juniper.srx@package
- logs-juniper.srx@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-juniper.srx@custom
index_patterns:
- logs-juniper.srx-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-juniper.srx-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-kafka_log_x_generic:
index_sorting: false
index_template:
composed_of:
- logs-kafka_log.generic@package
- logs-kafka_log.generic@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-kafka_log.generic@custom
index_patterns:
- logs-kafka_log.generic-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-kafka_log.generic-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-lastpass_x_detailed_shared_folder:
index_sorting: false
index_template:
composed_of:
- logs-lastpass.detailed_shared_folder@package
- logs-lastpass.detailed_shared_folder@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-lastpass.detailed_shared_folder@custom
index_patterns:
- logs-lastpass.detailed_shared_folder-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-lastpass.detailed_shared_folder-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-lastpass_x_event_report:
index_sorting: false
index_template:
composed_of:
- logs-lastpass.event_report@package
- logs-lastpass.event_report@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-lastpass.event_report@custom
index_patterns:
- logs-lastpass.event_report-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-lastpass.event_report-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-lastpass_x_user:
index_sorting: false
index_template:
composed_of:
- logs-lastpass.user@package
- logs-lastpass.user@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-lastpass.user@custom
index_patterns:
- logs-lastpass.user-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-lastpass.user-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-m365_defender_x_event:
index_sorting: false
index_template:
composed_of:
- logs-m365_defender.event@package
- logs-m365_defender.event@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-m365_defender.event@custom
index_patterns:
- logs-m365_defender.event-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-m365_defender.event-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-m365_defender_x_incident:
index_sorting: false
index_template:
composed_of:
- logs-m365_defender.incident@package
- logs-m365_defender.incident@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-m365_defender.incident@custom
index_patterns:
- logs-m365_defender.incident-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-m365_defender.incident-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-m365_defender_x_log:
index_sorting: false
index_template:
composed_of:
- logs-m365_defender.log@package
- logs-m365_defender.log@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-m365_defender.log@custom
index_patterns:
- logs-m365_defender.log-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-m365_defender.log-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-microsoft_defender_endpoint_x_log:
index_sorting: false
index_template:
composed_of:
- logs-microsoft_defender_endpoint.log@package
- logs-microsoft_defender_endpoint.log@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-microsoft_defender_endpoint.log@custom
index_patterns:
- logs-microsoft_defender_endpoint.log-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-microsoft_defender_endpoint.log-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-microsoft_dhcp_x_log:
index_sorting: false
index_template:
composed_of:
- logs-microsoft_dhcp.log@package
- logs-microsoft_dhcp.log@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-microsoft_dhcp.log@custom
index_patterns:
- logs-microsoft_dhcp.log-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-microsoft_dhcp.log-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-microsoft_sqlserver_x_audit:
index_sorting: false
index_template:
composed_of:
- logs-microsoft_sqlserver.audit@package
- logs-microsoft_sqlserver.audit@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-microsoft_sqlserver.audit@custom
index_patterns:
- logs-microsoft_sqlserver.audit-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-microsoft_sqlserver.audit-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-microsoft_sqlserver_x_log:
index_sorting: false
index_template:
composed_of:
- logs-microsoft_sqlserver.log@package
- logs-microsoft_sqlserver.log@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-microsoft_sqlserver.log@custom
index_patterns:
- logs-microsoft_sqlserver.log-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-microsoft_sqlserver.log-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-mimecast_x_audit_events:
index_sorting: false
index_template:
composed_of:
- logs-mimecast.audit_events@package
- logs-mimecast.audit_events@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-mimecast.audit_events@custom
index_patterns:
- logs-mimecast.audit_events-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-mimecast.audit_events-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-mimecast_x_dlp_logs:
index_sorting: false
index_template:
composed_of:
- logs-mimecast.dlp_logs@package
- logs-mimecast.dlp_logs@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-mimecast.dlp_logs@custom
index_patterns:
- logs-mimecast.dlp_logs-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-mimecast.dlp_logs-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-mimecast_x_siem_logs:
index_sorting: false
index_template:
composed_of:
- logs-mimecast.siem_logs@package
- logs-mimecast.siem_logs@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-mimecast.siem_logs@custom
index_patterns:
- logs-mimecast.siem_logs-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-mimecast.siem_logs-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-mimecast_x_threat_intel_malware_customer:
index_sorting: false
index_template:
composed_of:
- logs-mimecast.threat_intel_malware_customer@package
- logs-mimecast.threat_intel_malware_customer@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-mimecast.threat_intel_malware_customer@custom
index_patterns:
- logs-mimecast.threat_intel_malware_customer-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-mimecast.threat_intel_malware_customer-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-mimecast_x_threat_intel_malware_grid:
index_sorting: false
index_template:
composed_of:
- logs-mimecast.threat_intel_malware_grid@package
- logs-mimecast.threat_intel_malware_grid@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-mimecast.threat_intel_malware_grid@custom
index_patterns:
- logs-mimecast.threat_intel_malware_grid-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-mimecast.threat_intel_malware_grid-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-mimecast_x_ttp_ap_logs:
index_sorting: false
index_template:
composed_of:
- logs-mimecast.ttp_ap_logs@package
- logs-mimecast.ttp_ap_logs@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-mimecast.ttp_ap_logs@custom
index_patterns:
- logs-mimecast.ttp_ap_logs-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-mimecast.ttp_ap_logs-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-mimecast_x_ttp_ip_logs:
index_sorting: false
index_template:
composed_of:
- logs-mimecast.ttp_ip_logs@package
- logs-mimecast.ttp_ip_logs@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-mimecast.ttp_ip_logs@custom
index_patterns:
- logs-mimecast.ttp_ip_logs-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-mimecast.ttp_ip_logs-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-mimecast_x_ttp_url_logs:
index_sorting: false
index_template:
composed_of:
- logs-mimecast.ttp_url_logs@package
- logs-mimecast.ttp_url_logs@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-mimecast.ttp_url_logs@custom
index_patterns:
- logs-mimecast.ttp_url_logs-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-mimecast.ttp_url_logs-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-mysql_x_error:
index_sorting: false
index_template:
composed_of:
- logs-mysql.error@package
- logs-mysql.error@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-mysql.error@custom
index_patterns:
- logs-mysql.error-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-mysql.error-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-mysql_x_slowlog:
index_sorting: false
index_template:
composed_of:
- logs-mysql.slowlog@package
- logs-mysql.slowlog@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-mysql.slowlog@custom
index_patterns:
- logs-mysql.slowlog-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-mysql.slowlog-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-netflow_x_log:
index_sorting: false
index_template:
composed_of:
- logs-netflow.log@package
- logs-netflow.log@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-netflow.log@custom
index_patterns:
- logs-netflow.log-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-netflow.log-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-nginx_x_access:
index_sorting: false
index_template:
composed_of:
- logs-nginx.access@package
- logs-nginx.access@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-nginx.access@custom
index_patterns:
- logs-nginx.access-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-nginx.access-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-nginx_x_error:
index_sorting: false
index_template:
composed_of:
- logs-nginx.error@package
- logs-nginx.error@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-nginx.error@custom
index_patterns:
- logs-nginx.error-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-nginx.error-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-o365_x_audit:
index_sorting: false
index_template:
composed_of:
- logs-o365.audit@package
- logs-o365.audit@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-o365.audit@custom
index_patterns:
- logs-o365.audit-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-o365.audit-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-okta_x_system:
index_sorting: false
index_template:
composed_of:
- logs-okta.system@package
- logs-okta.system@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-okta.system@custom
index_patterns:
- logs-okta.system-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-okta.system-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-osquery-manager-action_x_responses:
index_sorting: false
index_template:
_meta:
managed: true
managed_by: security_onion
package:
name: elastic_agent
composed_of:
- logs-osquery_manager.action.responses
ignore_missing_component_templates: []
index_patterns:
- .logs-osquery_manager.action.responses*
priority: 501
template:
settings:
index:
number_of_replicas: 0
so-logs-osquery-manager-actions:
index_sorting: false
index_template:
_meta:
managed: true
managed_by: security_onion
package:
name: elastic_agent
composed_of:
- logs-osquery_manager.actions
ignore_missing_component_templates: []
index_patterns:
- .logs-osquery_manager.actions*
priority: 501
template:
settings:
index:
number_of_replicas: 0
so-logs-panw_x_panos:
index_sorting: false
index_template:
composed_of:
- logs-panw.panos@package
- logs-panw.panos@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-panw.panos@custom
index_patterns:
- logs-panw.panos-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-panw.panos-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-pfsense_x_log:
index_sorting: false
index_template:
composed_of:
- logs-pfsense.log@package
- logs-pfsense.log@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-pfsense.log@custom
index_patterns:
- logs-pfsense.log-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-pfsense.log-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-proofpoint_tap_x_clicks_blocked:
index_sorting: false
index_template:
composed_of:
- logs-proofpoint_tap.clicks_blocked@package
- logs-proofpoint_tap.clicks_blocked@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-proofpoint_tap.clicks_blocked@custom
index_patterns:
- logs-proofpoint_tap.clicks_blocked-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-proofpoint_tap.clicks_blocked-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-proofpoint_tap_x_clicks_permitted:
index_sorting: false
index_template:
composed_of:
- logs-proofpoint_tap.clicks_permitted@package
- logs-proofpoint_tap.clicks_permitted@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-proofpoint_tap.clicks_permitted@custom
index_patterns:
- logs-proofpoint_tap.clicks_permitted-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-proofpoint_tap.clicks_permitted-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-proofpoint_tap_x_message_blocked:
index_sorting: false
index_template:
composed_of:
- logs-proofpoint_tap.message_blocked@package
- logs-proofpoint_tap.message_blocked@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-proofpoint_tap.message_blocked@custom
index_patterns:
- logs-proofpoint_tap.message_blocked-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-proofpoint_tap.message_blocked-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-proofpoint_tap_x_message_delivered:
index_sorting: false
index_template:
composed_of:
- logs-proofpoint_tap.message_delivered@package
- logs-proofpoint_tap.message_delivered@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-proofpoint_tap.message_delivered@custom
index_patterns:
- logs-proofpoint_tap.message_delivered-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-proofpoint_tap.message_delivered-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-pulse_connect_secure_x_log:
index_sorting: false
index_template:
composed_of:
- logs-pulse_connect_secure.log@package
- logs-pulse_connect_secure.log@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-pulse_connect_secure.log@custom
index_patterns:
- logs-pulse_connect_secure.log-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-pulse_connect_secure.log-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-sentinel_one_x_activity:
index_sorting: false
index_template:
composed_of:
- logs-sentinel_one.activity@package
- logs-sentinel_one.activity@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-sentinel_one.activity@custom
index_patterns:
- logs-sentinel_one.activity-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-sentinel_one.activity-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-sentinel_one_x_agent:
index_sorting: false
index_template:
composed_of:
- logs-sentinel_one.agent@package
- logs-sentinel_one.agent@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-sentinel_one.agent@custom
index_patterns:
- logs-sentinel_one.agent-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-sentinel_one.agent-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-sentinel_one_x_alert:
index_sorting: false
index_template:
composed_of:
- logs-sentinel_one.alert@package
- logs-sentinel_one.alert@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-sentinel_one.alert@custom
index_patterns:
- logs-sentinel_one.alert-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-sentinel_one.alert-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-sentinel_one_x_group:
index_sorting: false
index_template:
composed_of:
- logs-sentinel_one.group@package
- logs-sentinel_one.group@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-sentinel_one.group@custom
index_patterns:
- logs-sentinel_one.group-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-sentinel_one.group-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-sentinel_one_x_threat:
index_sorting: false
index_template:
composed_of:
- logs-sentinel_one.threat@package
- logs-sentinel_one.threat@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-sentinel_one.threat@custom
index_patterns:
- logs-sentinel_one.threat-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-sentinel_one.threat-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-snort_x_log:
index_sorting: false
index_template:
composed_of:
- logs-snort.log@package
- logs-snort.log@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-snort.log@custom
index_patterns:
- logs-snort.log-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-snort.log-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-snyk_x_audit:
index_sorting: false
index_template:
composed_of:
- logs-snyk.audit@package
- logs-snyk.audit@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-snyk.audit@custom
index_patterns:
- logs-snyk.audit-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-snyk.audit-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-snyk_x_vulnerabilities:
index_sorting: false
index_template:
composed_of:
- logs-snyk.vulnerabilities@package
- logs-snyk.vulnerabilities@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-snyk.vulnerabilities@custom
index_patterns:
- logs-snyk.vulnerabilities-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-snyk.vulnerabilities-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-soc:
close: 30
delete: 365
index_sorting: false
index_template:
composed_of:
- agent-mappings
- dtc-agent-mappings
- base-mappings
- dtc-base-mappings
- client-mappings
- dtc-client-mappings
- container-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
- ecs-mappings
- dtc-ecs-mappings
- error-mappings
- event-mappings
- dtc-event-mappings
- file-mappings
- dtc-file-mappings
- group-mappings
- host-mappings
- dtc-host-mappings
- http-mappings
- dtc-http-mappings
- log-mappings
- network-mappings
- dtc-network-mappings
- observer-mappings
- dtc-observer-mappings
- organization-mappings
- package-mappings
- process-mappings
- dtc-process-mappings
- related-mappings
- rule-mappings
- dtc-rule-mappings
- server-mappings
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- url-mappings
- user_agent-mappings
- dtc-user_agent-mappings
- common-settings
- common-dynamic-mappings
data_stream: {}
ignore_missing_component_templates: []
index_patterns:
- logs-soc-so*
priority: 500
template:
mappings:
date_detection: false
dynamic_templates:
- strings_as_keyword:
mapping:
ignore_above: 1024
type: keyword
match_mapping_type: string
settings:
index:
lifecycle:
name: so-logs-soc-logs
mapping:
total_fields:
limit: 5000
number_of_replicas: 0
number_of_shards: 1
refresh_interval: 30s
sort:
field: '@timestamp'
order: desc
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
warm: 7
so-logs-sonicwall_firewall_x_log:
index_sorting: false
index_template:
composed_of:
- logs-sonicwall_firewall.log@package
- logs-sonicwall_firewall.log@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-sonicwall_firewall.log@custom
index_patterns:
- logs-sonicwall_firewall.log-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-sonicwall_firewall.log-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-sophos_central_x_alert:
index_sorting: false
index_template:
composed_of:
- logs-sophos_central.alert@package
- logs-sophos_central.alert@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-sophos_central.alert@custom
index_patterns:
- logs-sophos_central.alert-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-sophos_central.alert-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-sophos_central_x_event:
index_sorting: false
index_template:
composed_of:
- logs-sophos_central.event@package
- logs-sophos_central.event@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-sophos_central.event@custom
index_patterns:
- logs-sophos_central.event-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-sophos_central.event-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-sophos_x_utm:
index_sorting: false
index_template:
composed_of:
- logs-sophos.utm@package
- logs-sophos.utm@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-sophos.utm@custom
index_patterns:
- logs-sophos.utm-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-sophos.utm-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-sophos_x_xg:
index_sorting: false
index_template:
composed_of:
- logs-sophos.xg@package
- logs-sophos.xg@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-sophos.xg@custom
index_patterns:
- logs-sophos.xg-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-sophos.xg-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-symantec_endpoint_x_log:
index_sorting: false
index_template:
composed_of:
- logs-symantec_endpoint.log@package
- logs-symantec_endpoint.log@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-symantec_endpoint.log@custom
index_patterns:
- logs-symantec_endpoint.log-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-symantec_endpoint.log-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-system_x_application:
index_sorting: false
index_template:
composed_of:
- event-mappings
- logs-system.application@package
- logs-system.application@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
- so-system-mappings
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-system.application@custom
index_patterns:
- logs-system.application*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-system.application-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-system_x_auth:
index_sorting: false
index_template:
composed_of:
- event-mappings
- logs-system.auth@package
- logs-system.auth@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
- so-system-mappings
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-system.auth@custom
index_patterns:
- logs-system.auth*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-system.auth-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-system_x_security:
index_sorting: false
index_template:
composed_of:
- event-mappings
- logs-system.security@package
- logs-system.security@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
- so-system-mappings
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-system.security@custom
index_patterns:
- logs-system.security*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-system.security-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-system_x_syslog:
index_sorting: false
index_template:
composed_of:
- event-mappings
- logs-system.syslog@package
- logs-system.syslog@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
- so-system-mappings
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-system.syslog@custom
index_patterns:
- logs-system.syslog*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-system.syslog-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-system_x_system:
index_sorting: false
index_template:
composed_of:
- event-mappings
- logs-system.system@package
- logs-system.system@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
- so-system-mappings
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-system.system@custom
index_patterns:
- logs-system.system*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-system.system-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-tenable_io_x_asset:
index_sorting: False
index_template:
index_patterns:
- "logs-tenable_io.asset-*"
template:
settings:
index:
lifecycle:
name: so-logs-tenable_io.asset-logs
number_of_replicas: 0
composed_of:
- "logs-tenable_io.asset@package"
- "logs-tenable_io.asset@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
ignore_missing_component_templates:
- logs-tenable_io.asset@custom
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 30d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-tenable_io_x_plugin:
index_sorting: False
index_template:
index_patterns:
- "logs-tenable_io.plugin-*"
template:
settings:
index:
lifecycle:
name: so-logs-tenable_io.plugin-logs
number_of_replicas: 0
composed_of:
- "logs-tenable_io.plugin@package"
- "logs-tenable_io.plugin@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
ignore_missing_component_templates:
- logs-tenable_io.plugin@custom
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 30d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-tenable_io_x_scan:
index_sorting: False
index_template:
index_patterns:
- "logs-tenable_io.scan-*"
template:
settings:
index:
lifecycle:
name: so-logs-tenable_io.scan-logs
number_of_replicas: 0
composed_of:
- "logs-tenable_io.scan@package"
- "logs-tenable_io.scan@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
ignore_missing_component_templates:
- logs-tenable_io.scan@custom
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 30d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-tenable_io_x_vulnerability:
index_sorting: False
index_template:
index_patterns:
- "logs-tenable_io.vulnerability-*"
template:
settings:
index:
lifecycle:
name: so-logs-tenable_io.vulnerability-logs
number_of_replicas: 0
composed_of:
- "logs-tenable_io.vulnerability@package"
- "logs-tenable_io.vulnerability@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
ignore_missing_component_templates:
- logs-tenable_io.vulnerability@custom
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 30d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-tenable_sc_x_asset:
index_sorting: false
index_template:
composed_of:
- logs-tenable_sc.asset@package
- logs-tenable_sc.asset@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-tenable_sc.asset@custom
index_patterns:
- logs-tenable_sc.asset-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-tenable_sc.asset-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-tenable_sc_x_plugin:
index_sorting: false
index_template:
composed_of:
- logs-tenable_sc.plugin@package
- logs-tenable_sc.plugin@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-tenable_sc.plugin@custom
index_patterns:
- logs-tenable_sc.plugin-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-tenable_sc.plugin-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-tenable_sc_x_vulnerability:
index_sorting: false
index_template:
composed_of:
- logs-tenable_sc.vulnerability@package
- logs-tenable_sc.vulnerability@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-tenable_sc.vulnerability@custom
index_patterns:
- logs-tenable_sc.vulnerability-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-tenable_sc.vulnerability-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-ti_abusech_x_malware:
index_sorting: false
index_template:
composed_of:
- logs-ti_abusech.malware@package
- logs-ti_abusech.malware@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-ti_abusech.malware@custom
index_patterns:
- logs-ti_abusech.malware-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-ti_abusech.malware-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-ti_abusech_x_malwarebazaar:
index_sorting: false
index_template:
composed_of:
- logs-ti_abusech.malwarebazaar@package
- logs-ti_abusech.malwarebazaar@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-ti_abusech.malwarebazaar@custom
index_patterns:
- logs-ti_abusech.malwarebazaar-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-ti_abusech.malwarebazaar-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-ti_abusech_x_threatfox:
index_sorting: false
index_template:
composed_of:
- logs-ti_abusech.threatfox@package
- logs-ti_abusech.threatfox@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-ti_abusech.threatfox@custom
index_patterns:
- logs-ti_abusech.threatfox-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-ti_abusech.threatfox-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-ti_abusech_x_url:
index_sorting: false
index_template:
composed_of:
- logs-ti_abusech.url@package
- logs-ti_abusech.url@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-ti_abusech.url@custom
index_patterns:
- logs-ti_abusech.url-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-ti_abusech.url-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-ti_anomali_x_threatstream:
index_sorting: false
index_template:
composed_of:
- logs-ti_anomali.threatstream@package
- logs-ti_anomali.threatstream@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-ti_anomali.threatstream@custom
index_patterns:
- logs-ti_anomali.threatstream-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-ti_anomali.threatstream-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-ti_cybersixgill_x_threat:
index_sorting: false
index_template:
composed_of:
- logs-ti_cybersixgill.threat@package
- logs-ti_cybersixgill.threat@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-ti_cybersixgill.threat@custom
index_patterns:
- logs-ti_cybersixgill.threat-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-ti_cybersixgill.threat-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-ti_misp_x_threat:
index_sorting: false
index_template:
composed_of:
- logs-ti_misp.threat@package
- logs-ti_misp.threat@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-ti_misp.threat@custom
index_patterns:
- logs-ti_misp.threat-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-ti_misp.threat-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-ti_misp_x_threat_attributes:
index_sorting: false
index_template:
composed_of:
- logs-ti_misp.threat_attributes@package
- logs-ti_misp.threat_attributes@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-ti_misp.threat_attributes@custom
index_patterns:
- logs-ti_misp.threat_attributes-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-ti_misp.threat_attributes-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-ti_otx_x_pulses_subscribed:
index_sorting: false
index_template:
composed_of:
- logs-ti_otx.pulses_subscribed@package
- logs-ti_otx.pulses_subscribed@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-ti_otx.pulses_subscribed@custom
index_patterns:
- logs-ti_otx.pulses_subscribed-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-ti_otx.pulses_subscribed-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-ti_otx_x_threat:
index_sorting: false
index_template:
composed_of:
- logs-ti_otx.threat@package
- logs-ti_otx.threat@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-ti_otx.threat@custom
index_patterns:
- logs-ti_otx.threat-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-ti_otx.threat-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-ti_recordedfuture_x_latest_ioc-template:
index_sorting: false
index_template:
composed_of:
- logs-ti_recordedfuture.latest_ioc-template@package
- logs-ti_recordedfuture.latest_ioc-template@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-ti_recordedfuture.latest_ioc-template@custom
index_patterns:
- logs-ti_recordedfuture.latest_ioc-template-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-ti_recordedfuture.latest_ioc-template-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-ti_recordedfuture_x_threat:
index_sorting: false
index_template:
composed_of:
- logs-ti_recordedfuture.threat@package
- logs-ti_recordedfuture.threat@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-ti_recordedfuture.threat@custom
index_patterns:
- logs-ti_recordedfuture.threat-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-ti_recordedfuture.threat-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-ti_threatq_x_threat:
index_sorting: false
index_template:
composed_of:
- logs-ti_threatq.threat@package
- logs-ti_threatq.threat@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-ti_threatq.threat@custom
index_patterns:
- logs-ti_threatq.threat-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-ti_threatq.threat-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-trend_micro_vision_one_x_alert:
index_sorting: False
index_template:
index_patterns:
- "logs-trend_micro_vision_one.alert-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-trend_micro_vision_one.alert@package"
- "logs-trend_micro_vision_one.alert@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
ignore_missing_component_templates:
- "logs-trend_micro_vision_one.alert@custom"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-trend_micro_vision_one_x_audit:
index_sorting: False
index_template:
index_patterns:
- "logs-trend_micro_vision_one.audit-*"
template:
settings:
index:
number_of_replicas: 0
ignore_missing_component_templates:
- "logs-trend_micro_vision_one.audit@custom"
composed_of:
- "logs-trend_micro_vision_one.audit@package"
- "logs-trend_micro_vision_one.audit@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-trend_micro_vision_one_x_detection:
index_sorting: False
index_template:
index_patterns:
- "logs-trend_micro_vision_one.detection-*"
template:
settings:
index:
number_of_replicas: 0
ignore_missing_component_templates:
- "logs-trend_micro_vision_one.detection@custom"
composed_of:
- "logs-trend_micro_vision_one.detection@package"
- "logs-trend_micro_vision_one.detection@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-trendmicro_x_deep_security:
index_sorting: False
index_template:
index_patterns:
- "logs-trendmicro.deep_security-*"
template:
settings:
index:
number_of_replicas: 0
ignore_missing_component_templates:
- "logs-trendmicro.deep_security@custom"
composed_of:
- "logs-trendmicro.deep_security@package"
- "logs-trendmicro.deep_security@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-vsphere_x_log:
index_sorting: false
index_template:
composed_of:
- logs-vsphere.log@package
- logs-vsphere.log@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-vsphere.log@custom
index_patterns:
- logs-vsphere.log-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-vsphere.log-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-windows_x_forwarded:
index_sorting: false
index_template:
composed_of:
- logs-windows.forwarded@package
- logs-windows.forwarded@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-windows.forwarded@custom
index_patterns:
- logs-windows.forwarded*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-windows.forwarded-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-windows_x_powershell:
index_sorting: false
index_template:
composed_of:
- logs-windows.powershell@package
- logs-windows.powershell@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-windows.powershell@custom
index_patterns:
- logs-windows.powershell-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-windows.powershell-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-windows_x_powershell_operational:
index_sorting: false
index_template:
composed_of:
- logs-windows.powershell_operational@package
- logs-windows.powershell_operational@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-windows.powershell_operational@custom
index_patterns:
- logs-windows.powershell_operational-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-windows.powershell_operational-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-windows_x_sysmon_operational:
index_sorting: false
index_template:
composed_of:
- logs-windows.sysmon_operational@package
- logs-windows.sysmon_operational@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-windows.sysmon_operational@custom
index_patterns:
- logs-windows.sysmon_operational-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-windows.sysmon_operational-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-winlog_x_winlog:
index_sorting: false
index_template:
composed_of:
- logs-winlog.winlog@package
- logs-winlog.winlog@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-winlog.winlog@package
- logs-winlog.winlog@custom
index_patterns:
- logs-winlog.winlog-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-winlog.winlog-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-zscaler_zia_x_alerts:
index_sorting: false
index_template:
composed_of:
- logs-zscaler_zia.alerts@package
- logs-zscaler_zia.alerts@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-zscaler_zia.alerts@custom
index_patterns:
- logs-zscaler_zia.alerts-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-zscaler_zia.alerts-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-zscaler_zia_x_dns:
index_sorting: false
index_template:
composed_of:
- logs-zscaler_zia.dns@package
- logs-zscaler_zia.dns@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-zscaler_zia.dns@custom
index_patterns:
- logs-zscaler_zia.dns-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-zscaler_zia.dns-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-zscaler_zia_x_firewall:
index_sorting: false
index_template:
composed_of:
- logs-zscaler_zia.firewall@package
- logs-zscaler_zia.firewall@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-zscaler_zia.firewall@custom
index_patterns:
- logs-zscaler_zia.firewall-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-zscaler_zia.firewall-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-zscaler_zia_x_tunnel:
index_sorting: false
index_template:
composed_of:
- logs-zscaler_zia.tunnel@package
- logs-zscaler_zia.tunnel@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-zscaler_zia.tunnel@custom
index_patterns:
- logs-zscaler_zia.tunnel-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-zscaler_zia.tunnel-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-zscaler_zia_x_web:
index_sorting: false
index_template:
composed_of:
- logs-zscaler_zia.web@package
- logs-zscaler_zia.web@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-zscaler_zia.web@custom
index_patterns:
- logs-zscaler_zia.web-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-zscaler_zia.web-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-zscaler_zpa_x_app_connector_status:
index_sorting: false
index_template:
composed_of:
- logs-zscaler_zpa.app_connector_status@package
- logs-zscaler_zpa.app_connector_status@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-zscaler_zpa.app_connector_status@custom
index_patterns:
- logs-zscaler_zpa.app_connector_status-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-zscaler_zpa.app_connector_status-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-zscaler_zpa_x_audit:
index_sorting: false
index_template:
composed_of:
- logs-zscaler_zpa.audit@package
- logs-zscaler_zpa.audit@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-zscaler_zpa.audit@custom
index_patterns:
- logs-zscaler_zpa.audit-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-zscaler_zpa.audit-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-zscaler_zpa_x_browser_access:
index_sorting: false
index_template:
composed_of:
- logs-zscaler_zpa.browser_access@package
- logs-zscaler_zpa.browser_access@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-zscaler_zpa.browser_access@custom
index_patterns:
- logs-zscaler_zpa.browser_access-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-zscaler_zpa.browser_access-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-zscaler_zpa_x_user_activity:
index_sorting: false
index_template:
composed_of:
- logs-zscaler_zpa.user_activity@package
- logs-zscaler_zpa.user_activity@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-zscaler_zpa.user_activity@custom
index_patterns:
- logs-zscaler_zpa.user_activity-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-zscaler_zpa.user_activity-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-zscaler_zpa_x_user_status:
index_sorting: false
index_template:
composed_of:
- logs-zscaler_zpa.user_status@package
- logs-zscaler_zpa.user_status@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- logs-zscaler_zpa.user_status@custom
index_patterns:
- logs-zscaler_zpa.user_status-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-zscaler_zpa.user_status-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logstash:
index_sorting: false
index_template:
composed_of:
- agent-mappings
- dtc-agent-mappings
- base-mappings
- dtc-base-mappings
- client-mappings
- dtc-client-mappings
- cloud-mappings
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
- ecs-mappings
- dtc-ecs-mappings
- error-mappings
- event-mappings
- dtc-event-mappings
- file-mappings
- dtc-file-mappings
- group-mappings
- host-mappings
- dtc-host-mappings
- http-mappings
- dtc-http-mappings
- log-mappings
- logstash-mappings
- network-mappings
- dtc-network-mappings
- observer-mappings
- dtc-observer-mappings
- orchestrator-mappings
- organization-mappings
- package-mappings
- process-mappings
- dtc-process-mappings
- registry-mappings
- related-mappings
- rule-mappings
- dtc-rule-mappings
- server-mappings
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
- url-mappings
- user_agent-mappings
- dtc-user_agent-mappings
- vulnerability-mappings
- common-settings
- common-dynamic-mappings
ignore_missing_component_templates: []
index_patterns:
- logs-logstash-default*
priority: 500
template:
mappings:
date_detection: false
dynamic_templates:
- strings_as_keyword:
mapping:
ignore_above: 1024
type: keyword
match_mapping_type: string
settings:
index:
lifecycle:
name: so-logstash-logs
mapping:
total_fields:
limit: 5000
number_of_replicas: 0
number_of_shards: 1
refresh_interval: 30s
sort:
field: '@timestamp'
order: desc
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-metrics-endpoint_x_metadata:
index_sorting: false
index_template:
composed_of:
- metrics-endpoint.metadata@package
- metrics-endpoint.metadata@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- metrics-endpoint.metadata@custom
index_patterns:
- metrics-endpoint.metadata-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-metrics-endpoint.metadata-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-metrics-endpoint_x_metrics:
index_sorting: false
index_template:
composed_of:
- metrics-endpoint.metrics@package
- metrics-endpoint.metrics@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- metrics-endpoint.metrics@custom
index_patterns:
- metrics-endpoint.metrics-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-metrics-endpoint.metrics-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-metrics-endpoint_x_policy:
index_sorting: false
index_template:
composed_of:
- metrics-endpoint.policy@package
- metrics-endpoint.policy@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- metrics-endpoint.policy@custom
index_patterns:
- metrics-endpoint.policy-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-metrics-endpoint.policy-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-metrics-fleet_server_x_agent_status:
index_sorting: false
index_template:
composed_of:
- metrics@tsdb-settings
- metrics-fleet_server.agent_status@package
- metrics-fleet_server.agent_status@custom
- ecs@mappings
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- metrics-fleet_server.agent_status@custom
index_patterns:
- metrics-fleet_server.agent_status-*
priority: 501
template:
settings:
index:
mode: time_series
number_of_replicas: 0
so-metrics-fleet_server_x_agent_versions:
index_sorting: false
index_template:
composed_of:
- metrics@tsdb-settings
- metrics-fleet_server.agent_versions@package
- metrics-fleet_server.agent_versions@custom
- ecs@mappings
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- metrics-fleet_server.agent_versions@custom
index_patterns:
- metrics-fleet_server.agent_versions-*
priority: 501
template:
settings:
index:
mode: time_series
number_of_replicas: 0
so-metrics-nginx_x_stubstatus:
index_sorting: false
index_template:
composed_of:
- metrics-nginx.stubstatus@package
- metrics-nginx.stubstatus@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- metrics-nginx.stubstatus@custom
index_patterns:
- metrics-nginx.stubstatus-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-metrics-nginx.stubstatus-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-metrics-vsphere_x_datastore:
index_sorting: false
index_template:
composed_of:
- metrics-vsphere.datastore@package
- metrics-vsphere.datastore@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- metrics-vsphere.datastore@custom
index_patterns:
- metrics-vsphere.datastore-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-metrics-vsphere.datastore-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-metrics-vsphere_x_host:
index_sorting: false
index_template:
composed_of:
- metrics-vsphere.host@package
- metrics-vsphere.host@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- metrics-vsphere.host@custom
index_patterns:
- metrics-vsphere.host-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-metrics-vsphere.host-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-metrics-vsphere_x_virtualmachine:
index_sorting: false
index_template:
composed_of:
- metrics-vsphere.virtualmachine@package
- metrics-vsphere.virtualmachine@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
allow_custom_routing: false
hidden: false
ignore_missing_component_templates:
- metrics-vsphere.virtualmachine@custom
index_patterns:
- metrics-vsphere.virtualmachine-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-metrics-vsphere.virtualmachine-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-redis:
index_sorting: false
index_template:
composed_of:
- agent-mappings
- dtc-agent-mappings
- base-mappings
- dtc-base-mappings
- client-mappings
- dtc-client-mappings
- cloud-mappings
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
- ecs-mappings
- dtc-ecs-mappings
- error-mappings
- event-mappings
- dtc-event-mappings
- file-mappings
- dtc-file-mappings
- group-mappings
- host-mappings
- dtc-host-mappings
- http-mappings
- dtc-http-mappings
- log-mappings
- network-mappings
- dtc-network-mappings
- observer-mappings
- dtc-observer-mappings
- orchestrator-mappings
- organization-mappings
- package-mappings
- process-mappings
- dtc-process-mappings
- redis-mappings
- registry-mappings
- related-mappings
- rule-mappings
- dtc-rule-mappings
- server-mappings
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
- url-mappings
- user_agent-mappings
- dtc-user_agent-mappings
- vulnerability-mappings
- common-settings
- common-dynamic-mappings
ignore_missing_component_templates: []
index_patterns:
- logs-redis-default*
priority: 500
template:
mappings:
date_detection: false
dynamic_templates:
- strings_as_keyword:
mapping:
ignore_above: 1024
type: keyword
match_mapping_type: string
settings:
index:
lifecycle:
name: so-redis-logs
mapping:
total_fields:
limit: 5000
number_of_replicas: 0
number_of_shards: 1
refresh_interval: 30s
sort:
field: '@timestamp'
order: desc
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-strelka:
index_sorting: false
index_template:
composed_of:
- agent-mappings
- dtc-agent-mappings
- base-mappings
- dtc-base-mappings
- client-mappings
- dtc-client-mappings
- cloud-mappings
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
- ecs-mappings
- dtc-ecs-mappings
- error-mappings
- event-mappings
- dtc-event-mappings
- file-mappings
- dtc-file-mappings
- so-file-mappings
- group-mappings
- host-mappings
- dtc-host-mappings
- http-mappings
- dtc-http-mappings
- log-mappings
- network-mappings
- dtc-network-mappings
- observer-mappings
- dtc-observer-mappings
- orchestrator-mappings
- organization-mappings
- package-mappings
- process-mappings
- dtc-process-mappings
- registry-mappings
- related-mappings
- rule-mappings
- dtc-rule-mappings
- server-mappings
- service-mappings
- dtc-service-mappings
- so-scan-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
- url-mappings
- user_agent-mappings
- dtc-user_agent-mappings
- vulnerability-mappings
- common-settings
- common-dynamic-mappings
data_stream: {}
ignore_missing_component_templates: []
index_patterns:
- logs-strelka-so*
priority: 500
template:
mappings:
date_detection: false
dynamic_templates:
- strings_as_keyword:
mapping:
ignore_above: 1024
type: keyword
match_mapping_type: string
settings:
index:
lifecycle:
name: so-strelka-logs
mapping:
total_fields:
limit: 5000
number_of_replicas: 0
number_of_shards: 1
refresh_interval: 30s
sort:
field: '@timestamp'
order: desc
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-suricata:
index_sorting: false
index_template:
composed_of:
- agent-mappings
- dtc-agent-mappings
- base-mappings
- dtc-base-mappings
- client-mappings
- dtc-client-mappings
- cloud-mappings
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
- ecs-mappings
- dtc-ecs-mappings
- error-mappings
- event-mappings
- dtc-event-mappings
- file-mappings
- dtc-file-mappings
- group-mappings
- host-mappings
- dtc-host-mappings
- http-mappings
- dtc-http-mappings
- log-mappings
- network-mappings
- dtc-network-mappings
- observer-mappings
- dtc-observer-mappings
- orchestrator-mappings
- organization-mappings
- package-mappings
- process-mappings
- dtc-process-mappings
- registry-mappings
- related-mappings
- rule-mappings
- dtc-rule-mappings
- server-mappings
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- suricata-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
- url-mappings
- user_agent-mappings
- dtc-user_agent-mappings
- vulnerability-mappings
- common-settings
- common-dynamic-mappings
data_stream: {}
ignore_missing_component_templates: []
index_patterns:
- logs-suricata-so*
priority: 500
template:
mappings:
date_detection: false
dynamic_templates:
- strings_as_keyword:
mapping:
ignore_above: 1024
type: keyword
match_mapping_type: string
settings:
index:
lifecycle:
name: so-suricata-logs
mapping:
total_fields:
limit: 5000
number_of_replicas: 0
number_of_shards: 1
refresh_interval: 30s
sort:
field: '@timestamp'
order: desc
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 1d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-suricata_x_alerts:
index_sorting: false
index_template:
composed_of:
- agent-mappings
- dtc-agent-mappings
- base-mappings
- dtc-base-mappings
- client-mappings
- dtc-client-mappings
- cloud-mappings
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
- ecs-mappings
- dtc-ecs-mappings
- error-mappings
- event-mappings
- dtc-event-mappings
- file-mappings
- dtc-file-mappings
- group-mappings
- host-mappings
- dtc-host-mappings
- http-mappings
- dtc-http-mappings
- log-mappings
- network-mappings
- dtc-network-mappings
- observer-mappings
- dtc-observer-mappings
- orchestrator-mappings
- organization-mappings
- package-mappings
- process-mappings
- dtc-process-mappings
- registry-mappings
- related-mappings
- rule-mappings
- dtc-rule-mappings
- server-mappings
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- suricata-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
- url-mappings
- user_agent-mappings
- dtc-user_agent-mappings
- vulnerability-mappings
- common-settings
- common-dynamic-mappings
data_stream: {}
ignore_missing_component_templates: []
index_patterns:
- logs-suricata.alerts-*
priority: 500
template:
mappings:
date_detection: false
dynamic_templates:
- strings_as_keyword:
mapping:
ignore_above: 1024
type: keyword
match_mapping_type: string
settings:
index:
lifecycle:
name: so-suricata.alerts-logs
mapping:
total_fields:
limit: 5000
number_of_replicas: 0
number_of_shards: 1
refresh_interval: 30s
sort:
field: '@timestamp'
order: desc
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 1d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-syslog:
index_sorting: false
index_template:
composed_of:
- agent-mappings
- dtc-agent-mappings
- base-mappings
- dtc-base-mappings
- client-mappings
- dtc-client-mappings
- cloud-mappings
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
- ecs-mappings
- dtc-ecs-mappings
- error-mappings
- event-mappings
- dtc-event-mappings
- file-mappings
- dtc-file-mappings
- group-mappings
- host-mappings
- dtc-host-mappings
- http-mappings
- dtc-http-mappings
- log-mappings
- network-mappings
- dtc-network-mappings
- observer-mappings
- dtc-observer-mappings
- orchestrator-mappings
- organization-mappings
- package-mappings
- process-mappings
- dtc-process-mappings
- registry-mappings
- related-mappings
- rule-mappings
- dtc-rule-mappings
- server-mappings
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- syslog-mappings
- dtc-syslog-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
- url-mappings
- user_agent-mappings
- dtc-user_agent-mappings
- vulnerability-mappings
- common-settings
- common-dynamic-mappings
data_stream: {}
ignore_missing_component_templates: []
index_patterns:
- logs-syslog-so*
priority: 500
template:
mappings:
date_detection: false
dynamic_templates:
- strings_as_keyword:
mapping:
ignore_above: 1024
type: keyword
match_mapping_type: string
settings:
index:
lifecycle:
name: so-syslog-logs
mapping:
total_fields:
limit: 5000
number_of_replicas: 0
number_of_shards: 1
refresh_interval: 30s
sort:
field: '@timestamp'
order: desc
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-zeek:
index_sorting: false
index_template:
composed_of:
- agent-mappings
- dtc-agent-mappings
- base-mappings
- dtc-base-mappings
- client-mappings
- dtc-client-mappings
- cloud-mappings
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
- ecs-mappings
- dtc-ecs-mappings
- error-mappings
- event-mappings
- dtc-event-mappings
- file-mappings
- dtc-file-mappings
- group-mappings
- host-mappings
- dtc-host-mappings
- http-mappings
- dtc-http-mappings
- log-mappings
- network-mappings
- dtc-network-mappings
- observer-mappings
- dtc-observer-mappings
- orchestrator-mappings
- organization-mappings
- package-mappings
- process-mappings
- dtc-process-mappings
- registry-mappings
- related-mappings
- rule-mappings
- dtc-rule-mappings
- server-mappings
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- syslog-mappings
- dtc-syslog-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
- url-mappings
- user_agent-mappings
- dtc-user_agent-mappings
- vulnerability-mappings
- zeek-mappings
- common-settings
- common-dynamic-mappings
data_stream: {}
ignore_missing_component_templates: []
index_patterns:
- logs-zeek-so*
priority: 500
template:
mappings:
date_detection: false
dynamic_templates:
- strings_as_keyword:
mapping:
ignore_above: 1024
type: keyword
match_mapping_type: string
settings:
index:
lifecycle:
name: so-zeek-logs
mapping:
total_fields:
limit: 5000
number_of_replicas: 0
number_of_shards: 2
refresh_interval: 30s
sort:
field: '@timestamp'
order: desc
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
pipelines:
custom001:
description: Custom Pipeline
processors:
- set:
field: tags
value: custom001
- pipeline:
name: common
custom002:
description: Custom Pipeline
processors:
- set:
field: tags
value: custom002
- pipeline:
name: common
custom003:
description: Custom Pipeline
processors:
- set:
field: tags
value: custom003
- pipeline:
name: common
custom004:
description: Custom Pipeline
processors:
- set:
field: tags
value: custom004
- pipeline:
name: common
custom005:
description: Custom Pipeline
processors:
- set:
field: tags
value: custom005
- pipeline:
name: common
custom006:
description: Custom Pipeline
processors:
- set:
field: tags
value: custom006
- pipeline:
name: common
custom007:
description: Custom Pipeline
processors:
- set:
field: tags
value: custom007
- pipeline:
name: common
custom008:
description: Custom Pipeline
processors:
- set:
field: tags
value: custom008
- pipeline:
name: common
custom009:
description: Custom Pipeline
processors:
- set:
field: tags
value: custom009
- pipeline:
name: common
custom010:
description: Custom Pipeline
processors:
- set:
field: tags
value: custom010
- pipeline:
name: common
retention:
retention_pct: 50
so_roles:
so-eval:
config:
node:
roles:
- master
- data
- data_hot
- ingest
- transform
- remote_cluster_client
so-heavynode:
config:
node:
roles:
- master
- data
- data_hot
- remote_cluster_client
- ingest
so-import:
config:
node:
roles:
- master
- data
- data_hot
- ingest
- transform
- remote_cluster_client
so-manager:
config:
node:
roles:
- master
- data
- remote_cluster_client
- transform
so-managersearch:
config:
node:
roles:
- master
- data
- data_hot
- ingest
- transform
- remote_cluster_client
so-searchnode:
config:
node:
roles:
- data
- data_hot
- ingest
- transform
so-standalone:
config:
node:
roles:
- master
- data
- data_hot
- ingest
- transform
- remote_cluster_client
Reference in New Issue View Git Blame Copy Permalink