CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-25 02:13:08 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
852a3f4a136fc2df476ea8bca7edbbabfa627e01
securityonion/salt/logstash/files/beats-template.json
Mike Reeves db5942993e Logstash Module - update configs
2018-04-18 14:52:23 -04:00

1297 lines
35 KiB
JSON
Raw Blame History

{
"index_patterns": [
"logstash-beats-*"
],
"mappings": {
"doc": {
"_meta": {
"version": "6.1.3"
},
"date_detection": false,
"dynamic_templates": [
{
"fields": {
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string",
"path_match": "fields.*"
}
},
{
"docker.container.labels": {
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string",
"path_match": "docker.container.labels.*"
}
},
{
"event_data": {
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string",
"path_match": "event_data.*"
}
},
{
"user_data": {
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string",
"path_match": "user_data.*"
}
},
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"properties": {
"@timestamp": {
"type": "date"
},
"activity_id": {
"ignore_above": 1024,
"type": "keyword"
},
"beat": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"computer_name": {
"type": "text",
"fields":{
"keyword":{
"type":"keyword"
}
}
},
"docker": {
"properties": {
"container": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"ignore_above": 1024,
"type": "keyword"
},
"labels": {
"type": "object"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"error": {
"properties": {
"code": {
"type": "long"
},
"message": {
"norms": false,
"type": "text"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"event_data": {
"type": "object"
},
"event_id": {
"type": "long"
},
"fields": {
"type": "object"
},
"keywords": {
"ignore_above": 1024,
"type": "keyword"
},
"kubernetes": {
"properties": {
"annotations": {
"type": "object"
},
"container": {
"properties": {
"image": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"labels": {
"type": "object"
},
"namespace": {
"ignore_above": 1024,
"type": "keyword"
},
"pod": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"level": {
"ignore_above": 1024,
"type": "keyword"
},
"log_name": {
"ignore_above": 1024,
"type": "keyword"
},
"message": {
"norms": false,
"type": "text"
},
"message_error": {
"ignore_above": 1024,
"type": "keyword"
},
"meta": {
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"instance_id": {
"ignore_above": 1024,
"type": "keyword"
},
"instance_name": {
"ignore_above": 1024,
"type": "keyword"
},
"machine_type": {
"ignore_above": 1024,
"type": "keyword"
},
"project_id": {
"ignore_above": 1024,
"type": "keyword"
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"region": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"opcode": {
"ignore_above": 1024,
"type": "keyword"
},
"process_id": {
"type": "long"
},
"provider_guid": {
"ignore_above": 1024,
"type": "keyword"
},
"record_number": {
"ignore_above": 1024,
"type": "keyword"
},
"related_activity_id": {
"ignore_above": 1024,
"type": "keyword"
},
"source_name": {
"ignore_above": 1024,
"type": "keyword"
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
},
"task": {
"ignore_above": 1024,
"type": "keyword"
},
"thread_id": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"properties": {
"domain": {
"type": "keyword"
},
"identifier": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"type": {
"type": "keyword"
}
}
},
"user_data": {
"type": "object"
},
"version": {
"type": "keyword"
},
"xml": {
"norms": false,
"type": "text"
},
"apache2": {
"properties": {
"access": {
"properties": {
"agent": {
"norms": false,
"type": "text"
},
"body_sent": {
"properties": {
"bytes": {
"type": "long"
}
}
},
"geoip": {
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"http_version": {
"ignore_above": 1024,
"type": "keyword"
},
"method": {
"ignore_above": 1024,
"type": "keyword"
},
"referrer": {
"ignore_above": 1024,
"type": "keyword"
},
"remote_ip": {
"ignore_above": 1024,
"type": "keyword"
},
"response_code": {
"type": "long"
},
"url": {
"ignore_above": 1024,
"type": "keyword"
},
"user_agent": {
"properties": {
"device": {
"ignore_above": 1024,
"type": "keyword"
},
"major": {
"type": "long"
},
"minor": {
"type": "long"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"ignore_above": 1024,
"type": "keyword"
},
"os_major": {
"type": "long"
},
"os_minor": {
"type": "long"
},
"os_name": {
"ignore_above": 1024,
"type": "keyword"
},
"patch": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"user_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"error": {
"properties": {
"client": {
"ignore_above": 1024,
"type": "keyword"
},
"code": {
"type": "long"
},
"level": {
"ignore_above": 1024,
"type": "keyword"
},
"message": {
"norms": false,
"type": "text"
},
"module": {
"ignore_above": 1024,
"type": "keyword"
},
"pid": {
"type": "long"
},
"tid": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"auditd": {
"properties": {
"log": {
"properties": {
"a0": {
"ignore_above": 1024,
"type": "keyword"
},
"acct": {
"ignore_above": 1024,
"type": "keyword"
},
"geoip": {
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"item": {
"ignore_above": 1024,
"type": "keyword"
},
"items": {
"ignore_above": 1024,
"type": "keyword"
},
"new_auid": {
"ignore_above": 1024,
"type": "keyword"
},
"new_ses": {
"ignore_above": 1024,
"type": "keyword"
},
"old_auid": {
"ignore_above": 1024,
"type": "keyword"
},
"old_ses": {
"ignore_above": 1024,
"type": "keyword"
},
"pid": {
"ignore_above": 1024,
"type": "keyword"
},
"ppid": {
"ignore_above": 1024,
"type": "keyword"
},
"record_type": {
"ignore_above": 1024,
"type": "keyword"
},
"res": {
"ignore_above": 1024,
"type": "keyword"
},
"sequence": {
"type": "long"
}
}
}
}
},
"fileset": {
"properties": {
"module": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"icinga": {
"properties": {
"debug": {
"properties": {
"facility": {
"ignore_above": 1024,
"type": "keyword"
},
"message": {
"norms": false,
"type": "text"
},
"severity": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"main": {
"properties": {
"facility": {
"ignore_above": 1024,
"type": "keyword"
},
"message": {
"norms": false,
"type": "text"
},
"severity": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"startup": {
"properties": {
"facility": {
"ignore_above": 1024,
"type": "keyword"
},
"message": {
"norms": false,
"type": "text"
},
"severity": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"kafka": {
"properties": {
"log": {
"properties": {
"class": {
"norms": false,
"type": "text"
},
"component": {
"ignore_above": 1024,
"type": "keyword"
},
"level": {
"ignore_above": 1024,
"type": "keyword"
},
"message": {
"norms": false,
"type": "text"
},
"timestamp": {
"ignore_above": 1024,
"type": "keyword"
},
"trace": {
"properties": {
"class": {
"ignore_above": 1024,
"type": "keyword"
},
"full": {
"norms": false,
"type": "text"
},
"message": {
"norms": false,
"type": "text"
}
}
}
}
}
}
},
"logstash": {
"properties": {
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
},
"log_event": {
"type": "object"
},
"message": {
"norms": false,
"type": "text"
},
"module": {
"ignore_above": 1024,
"type": "keyword"
},
"thread": {
"norms": false,
"type": "text"
}
}
},
"slowlog": {
"properties": {
"event": {
"norms": false,
"type": "text"
},
"level": {
"ignore_above": 1024,
"type": "keyword"
},
"message": {
"norms": false,
"type": "text"
},
"module": {
"ignore_above": 1024,
"type": "keyword"
},
"plugin_name": {
"ignore_above": 1024,
"type": "keyword"
},
"plugin_params": {
"norms": false,
"type": "text"
},
"plugin_params_object": {
"type": "object"
},
"plugin_type": {
"ignore_above": 1024,
"type": "keyword"
},
"thread": {
"norms": false,
"type": "text"
},
"took_in_millis": {
"type": "long"
},
"took_in_nanos": {
"type": "long"
}
}
}
}
},
"mysql": {
"properties": {
"error": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
},
"message": {
"norms": false,
"type": "text"
},
"thread_id": {
"type": "long"
},
"timestamp": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"slowlog": {
"properties": {
"host": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"type": "long"
},
"ip": {
"ignore_above": 1024,
"type": "keyword"
},
"lock_time": {
"properties": {
"sec": {
"type": "float"
}
}
},
"query": {
"ignore_above": 1024,
"type": "keyword"
},
"query_time": {
"properties": {
"sec": {
"type": "float"
}
}
},
"rows_examined": {
"type": "long"
},
"rows_sent": {
"type": "long"
},
"timestamp": {
"type": "long"
},
"user": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"nginx": {
"properties": {
"access": {
"properties": {
"agent": {
"norms": false,
"type": "text"
},
"body_sent": {
"properties": {
"bytes": {
"type": "long"
}
}
},
"geoip": {
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"http_version": {
"ignore_above": 1024,
"type": "keyword"
},
"method": {
"ignore_above": 1024,
"type": "keyword"
},
"referrer": {
"ignore_above": 1024,
"type": "keyword"
},
"remote_ip": {
"ignore_above": 1024,
"type": "keyword"
},
"response_code": {
"type": "long"
},
"url": {
"ignore_above": 1024,
"type": "keyword"
},
"user_agent": {
"properties": {
"device": {
"ignore_above": 1024,
"type": "keyword"
},
"major": {
"type": "long"
},
"minor": {
"type": "long"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"ignore_above": 1024,
"type": "keyword"
},
"os_major": {
"type": "long"
},
"os_minor": {
"type": "long"
},
"os_name": {
"ignore_above": 1024,
"type": "keyword"
},
"patch": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"user_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"error": {
"properties": {
"connection_id": {
"type": "long"
},
"level": {
"ignore_above": 1024,
"type": "keyword"
},
"message": {
"norms": false,
"type": "text"
},
"pid": {
"type": "long"
},
"tid": {
"type": "long"
}
}
}
}
},
"offset": {
"type": "long"
},
"postgresql": {
"properties": {
"log": {
"properties": {
"database": {
"ignore_above": 1024,
"type": "keyword"
},
"duration": {
"type": "float"
},
"level": {
"ignore_above": 1024,
"type": "keyword"
},
"message": {
"norms": false,
"type": "text"
},
"query": {
"ignore_above": 1024,
"type": "keyword"
},
"thread_id": {
"type": "long"
},
"timestamp": {
"ignore_above": 1024,
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"prospector": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"read_timestamp": {
"ignore_above": 1024,
"type": "keyword"
},
"redis": {
"properties": {
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
},
"message": {
"norms": false,
"type": "text"
},
"pid": {
"type": "long"
},
"role": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"slowlog": {
"properties": {
"args": {
"ignore_above": 1024,
"type": "keyword"
},
"cmd": {
"ignore_above": 1024,
"type": "keyword"
},
"duration": {
"properties": {
"us": {
"type": "long"
}
}
},
"id": {
"type": "long"
},
"key": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"source": {
"ignore_above": 1024,
"type": "keyword"
},
"stream": {
"ignore_above": 1024,
"type": "keyword"
},
"system": {
"properties": {
"auth": {
"properties": {
"groupadd": {
"properties": {
"gid": {
"type": "long"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"message": {
"ignore_above": 1024,
"type": "keyword"
},
"pid": {
"type": "long"
},
"program": {
"ignore_above": 1024,
"type": "keyword"
},
"ssh": {
"properties": {
"dropped_ip": {
"type": "ip"
},
"event": {
"ignore_above": 1024,
"type": "keyword"
},
"geoip": {
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"ip": {
"type": "ip"
},
"method": {
"ignore_above": 1024,
"type": "keyword"
},
"port": {
"type": "long"
},
"signature": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"sudo": {
"properties": {
"command": {
"ignore_above": 1024,
"type": "keyword"
},
"error": {
"ignore_above": 1024,
"type": "keyword"
},
"pwd": {
"ignore_above": 1024,
"type": "keyword"
},
"tty": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"timestamp": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"ignore_above": 1024,
"type": "keyword"
},
"useradd": {
"properties": {
"gid": {
"type": "long"
},
"home": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"shell": {
"ignore_above": 1024,
"type": "keyword"
},
"uid": {
"type": "long"
}
}
}
}
},
"syslog": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"message": {
"ignore_above": 1024,
"type": "keyword"
},
"pid": {
"ignore_above": 1024,
"type": "keyword"
},
"program": {
"ignore_above": 1024,
"type": "keyword"
},
"timestamp": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"traefik": {
"properties": {
"access": {
"properties": {
"agent": {
"norms": false,
"type": "text"
},
"backend_url": {
"norms": false,
"type": "text"
},
"body_sent": {
"properties": {
"bytes": {
"type": "long"
}
}
},
"frontend_name": {
"norms": false,
"type": "text"
},
"geoip": {
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"http_version": {
"ignore_above": 1024,
"type": "keyword"
},
"method": {
"ignore_above": 1024,
"type": "keyword"
},
"referrer": {
"ignore_above": 1024,
"type": "keyword"
},
"remote_ip": {
"ignore_above": 1024,
"type": "keyword"
},
"request_count": {
"type": "long"
},
"response_code": {
"type": "long"
},
"url": {
"ignore_above": 1024,
"type": "keyword"
},
"user_agent": {
"properties": {
"device": {
"ignore_above": 1024,
"type": "keyword"
},
"major": {
"type": "long"
},
"minor": {
"type": "long"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"ignore_above": 1024,
"type": "keyword"
},
"os_major": {
"type": "long"
},
"os_minor": {
"type": "long"
},
"os_name": {
"ignore_above": 1024,
"type": "keyword"
},
"patch": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"user_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
},
"order": 1,
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": 10000
}
},
"number_of_replicas": 0,
"number_of_shards": 1,
"refresh_interval": "30s"
}
}
}
Reference in New Issue View Git Blame Copy Permalink