securityonion/salt/elasticsearch/templates/index/so/so-syslog-template.json.jinja

{# Operator-tunable settings for the so-syslog index template, read from Salt pillar.
   Defaults used when a key is absent: index sorting off, 0 replicas, 1 shard,
   30s refresh interval, template priority 500, 3000 mapped fields.
   INDEX_SORTING only takes effect when the pillar value is the boolean True,
   because the body below tests it with `is sameas true`.
   NOTE(review): SHARDS, REPLICAS, PRIORITY and FIELD_LIMIT are emitted unquoted and
   REFRESH is emitted inside a quoted string; nothing here checks their type, so a
   non-numeric or quote-containing pillar value would render invalid JSON. #}
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-syslog:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-syslog:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-syslog:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-syslog:field_limit', 3000) %}
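{# Composable Elasticsearch index template for indices matching so-syslog*.
   It combines inline mappings/settings with the component templates listed in
   "composed_of". The rendered document must be a single balanced JSON object. #}
{
  "index_patterns": [
    "so-syslog*"
  ],
  "template": {
    "mappings": {
      "dynamic_templates": [
        {
          {# Every dynamically mapped string becomes a keyword. With ignore_above,
             values longer than 1024 characters stay in _source but are not indexed
             in the field, so term queries and aggregations will not match very
             long syslog values. #}
          "strings_as_keyword": {
            "mapping": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "match_mapping_type": "string"
          }
        }
      ],
      {# Strings that look like dates are not auto-mapped as date fields. #}
      "date_detection": false
    },
    "settings": {
      "index": {
        "mapping": {
          "total_fields": {
            {# Cap on mapped fields. By default Elasticsearch rejects a document
               whose new fields would exceed this limit, so indexing failures on
               this index should be monitored to notice dropped events. #}
            "limit": {{ FIELD_LIMIT }}
          }
        },
        {#- NOTE(review): these keys sit inside the "index" object, so they appear
            to flatten to index.index.sort.*; the Elasticsearch documentation
            writes them as "sort.field" / "sort.order" at this level. Confirm the
            template loads with elasticsearch:index_sorting enabled. #}
        {%- if INDEX_SORTING is sameas true %}
        "index.sort.field": "@timestamp",
        "index.sort.order": "desc",
        {%- endif %}
        {# Newly indexed events become searchable only after a refresh, so this
           interval bounds how stale searches and alert queries can be. #}
        "refresh_interval": "{{ REFRESH }}",
        "number_of_shards": {{ SHARDS }},
        {# A value of 0 means no replica copies of each shard. #}
        "number_of_replicas": {{ REPLICAS }}
      }
    }
  },
  {# Component templates are merged in the order listed, later entries taking
     precedence. All of them are expected to exist before this template is
     installed. #}
  "composed_of": [
    "agent-mappings",
    "dtc-agent-mappings",
    "base-mappings",
    "dtc-base-mappings",
    "client-mappings",
    "cloud-mappings",
    "container-mappings",
    "data_stream-mappings",
    "destination-mappings",
    "dll-mappings",
    "dns-mappings",
    "dtc-dns-mappings",
    "ecs-mappings",
    "dtc-ecs-mappings",
    "error-mappings",
    "event-mappings",
    "dtc-event-mappings",
    "file-mappings",
    "dtc-file-mappings",
    "group-mappings",
    "host-mappings",
    "dtc-host-mappings",
    "http-mappings",
    "dtc-http-mappings",
    "log-mappings",
    "network-mappings",
    "dtc-network-mappings",
    "observer-mappings",
    "dtc-observer-mappings",
    "orchestrator-mappings",
    "organization-mappings",
    "package-mappings",
    "process-mappings",
    "dtc-process-mappings",
    "registry-mappings",
    "related-mappings",
    "rule-mappings",
    "dtc-rule-mappings",
    "server-mappings",
    "service-mappings",
    "dtc-service-mappings",
    "source-mappings",
    "threat-mappings",
    "tls-mappings",
    "tracing-mappings",
    "url-mappings",
    "user_agent-mappings",
    "dtc-user_agent-mappings",
    "user-mappings",
    "dtc-user-mappings",
    "vulnerability-mappings",
    "common-settings",
    "common-dynamic-mappings"
  ],
  {# When several index templates match an index name, the one with the highest
     priority is applied. #}
  "priority": {{ PRIORITY }},
  "_meta": {
    "description": "Composable template that includes SO base fields",
    "ecs_version": "1.12"
  }
}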