CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
b6986d5c61b4faea24c9c0fd5fdb5285ce8f0190
securityonion/salt/elasticsearch/defaults.yaml
weslambert e02bdffe34 Fix typos
2023-06-23 16:10:22 -04:00

2793 lines
78 KiB
YAML
Raw Blame History

elasticsearch:
enabled: False
retention:
retention_pct: 50
config:
node: {}
cluster:
routing:
allocation:
disk:
threshold_enabled: true
watermark:
low: 80%
high: 85%
flood_stage: 90%
network:
host: 0.0.0.0
path:
logs: /var/log/elasticsearch
action:
destructive_requires_name: true
transport:
bind_host: 0.0.0.0
publish_port: 9300
xpack:
ml:
enabled: false
security:
enabled: true
authc:
anonymous:
authz_exception: true
roles: []
username: _anonymous
transport:
ssl:
enabled: true
verification_mode: none
key: /usr/share/elasticsearch/config/elasticsearch.key
certificate: /usr/share/elasticsearch/config/elasticsearch.crt
certificate_authorities:
- /usr/share/elasticsearch/config/ca.crt
http:
ssl:
enabled: true
client_authentication: none
key: /usr/share/elasticsearch/config/elasticsearch.key
certificate: /usr/share/elasticsearch/config/elasticsearch.crt
certificate_authorities:
- /usr/share/elasticsearch/config/ca.crt
script:
max_compilations_rate: 20000/1m
indices:
id_field_data:
enabled: false
logger:
org:
elasticsearch:
deprecation: ERROR
index_settings:
so-logs:
index_sorting: False
index_template:
index_patterns:
- "logs-*-*"
template:
settings:
index:
number_of_replicas: 0
mapping:
total_fields:
limit: 5001
sort:
field: "@timestamp"
order: desc
mappings:
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
composed_of:
- "so-data-streams-mappings"
- "so-logs-mappings"
- "so-logs-settings"
priority: 225
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-system.auth:
index_sorting: False
index_template:
index_patterns:
- "logs-system.auth*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "event-mappings"
- "logs-system.auth@package"
- "logs-system.auth@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-system.syslog:
index_sorting: False
index_template:
index_patterns:
- "logs-system.syslog*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "event-mappings"
- "logs-system.syslog@package"
- "logs-system.syslog@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-system.system:
index_sorting: False
index_template:
index_patterns:
- "logs-system.system*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "event-mappings"
- "logs-system.system@package"
- "logs-system.system@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-system.application:
index_sorting: False
index_template:
index_patterns:
- "logs-system.application*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "event-mappings"
- "logs-system.application@package"
- "logs-system.application@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-system.security:
index_sorting: False
index_template:
index_patterns:
- "logs-system.security*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "event-mappings"
- "logs-system.security@package"
- "logs-system.security@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-windows.forwarded:
index_sorting: False
index_template:
index_patterns:
- "logs-windows.forwarded*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-windows.forwarded@package"
- "logs-windows.forwarded@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-windows.powershell:
index_sorting: False
index_template:
index_patterns:
- "logs-windows.powershell-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-windows.powershell@package"
- "logs-windows.powershell@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-windows.powershell_operational:
index_sorting: False
index_template:
index_patterns:
- "logs-windows.powershell_operational-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-windows.powershell_operational@package"
- "logs-windows.powershell_operational@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-windows.sysmon_operational:
index_sorting: False
index_template:
index_patterns:
- "logs-windows.sysmon_operational-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-windows.sysmon_operational@package"
- "logs-windows.sysmon_operational@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-aws.cloudtrail:
index_sorting: False
index_template:
index_patterns:
- "logs-aws.cloudtrail-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-aws.cloudtrail@package"
- "logs-aws.cloudtrail@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-aws.cloudwatch_logs:
index_sorting: False
index_template:
index_patterns:
- "logs-aws.cloudwatch_logs-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-aws.cloudwatch_logs@package"
- "logs-aws.cloudwatch_logs@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-aws.ec2_logs:
index_sorting: False
index_template:
index_patterns:
- "logs-aws.ec2_logs-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-aws.ec2_logs@package"
- "logs-aws.ec2_logs@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-aws.elb_logs:
index_sorting: False
index_template:
index_patterns:
- "logs-aws.elb_logs-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-aws.elb_logs@package"
- "logs-aws.elb_logs@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-aws.firewall_logs:
index_sorting: False
index_template:
index_patterns:
- "logs-aws.firewall_logs-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-aws.firewall_logs@package"
- "logs-aws.firewall_logs@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-aws.route53_public_logs:
index_sorting: False
index_template:
index_patterns:
- "logs-aws.route53_public_logs-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-aws.route53_public_logs@package"
- "logs-aws.route53_public_logs@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-aws.route53_resolver_logs:
index_sorting: False
index_template:
index_patterns:
- "logs-aws.route53_resolver_logs-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-aws.route53_resolver_logs@package"
- "logs-aws.route53_resolver_logs@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-aws.s3access:
index_sorting: False
index_template:
index_patterns:
- "logs-aws.s3access-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-aws.s3access@package"
- "logs-aws.s3access@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-aws.vpcflow:
index_sorting: False
index_template:
index_patterns:
- "logs-aws.vpcflow-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-aws.vpcflow@package"
- "logs-aws.vpcflow@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-aws.waf:
index_sorting: False
index_template:
index_patterns:
- "logs-aws.waf-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-aws.waf@package"
- "logs-aws.waf@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-azure.activitylogs:
index_sorting: False
index_template:
index_patterns:
- "logs-azure.activitylogs-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-azure.activitylogs@package"
- "logs-azure.activitylogs@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-azure.application_gateway:
index_sorting: False
index_template:
index_patterns:
- "logs-azure.application_gateway-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-azure.application_gateway@package"
- "logs-azure.application_gateway@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-azure.auditlogs:
index_sorting: False
index_template:
index_patterns:
- "logs-azure.auditlogs-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-azure.auditlogs@package"
- "logs-azure.auditlogs@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-azure.eventhub:
index_sorting: False
index_template:
index_patterns:
- "logs-azure.eventhub-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-azure.eventhub@package"
- "logs-azure.eventhub@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-azure.firewall_logs:
index_sorting: False
index_template:
index_patterns:
- "logs-azure.firewall_logs-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-azure.firewall_logs@package"
- "logs-azure.firewall_logs@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-azure.identity_protection:
index_sorting: False
index_template:
index_patterns:
- "logs-azure.identity_protection-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-azure.identity_protection@package"
- "logs-azure.identity_protection@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-azure.platformlogs:
index_sorting: False
index_template:
index_patterns:
- "logs-azure.platformlogs-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-azure.platformlogs@package"
- "logs-azure.platformlogs@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-azure.provisioning:
index_sorting: False
index_template:
index_patterns:
- "logs-azure.provisioning-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-azure.provisioning@package"
- "logs-azure.provisioning@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-azure.signinlogs:
index_sorting: False
index_template:
index_patterns:
- "logs-azure.signinlogs-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-azure.signinlogs@package"
- "logs-azure.signinlogs@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-azure.springcloudlogs:
index_sorting: False
index_template:
index_patterns:
- "logs-azure.springcloudlogs-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-azure.springcloudlogs@package"
- "logs-azure.springcloudlogs@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-cloudflare.audit:
index_sorting: False
index_template:
index_patterns:
- "logs-cloudflare.audit-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-cloudflare.audit@package"
- "logs-cloudflare.audit@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-cloudflare.logpull:
index_sorting: False
index_template:
index_patterns:
- "logs-cloudflare.logpull-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-cloudflare.logpull@package"
- "logs-cloudflare.logpull@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-fim.event:
index_sorting: False
index_template:
index_patterns:
- "logs-fim.event-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-fim.event@package"
- "logs-fim.event@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-github.audit:
index_sorting: False
index_template:
index_patterns:
- "logs-github.audit-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-github.audit@package"
- "logs-github.audit@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-github.code_scanning:
index_sorting: False
index_template:
index_patterns:
- "logs-github.code_scanning-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-github.code_scanning@package"
- "logs-github.code_scanning@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-github.dependabot:
index_sorting: False
index_template:
index_patterns:
- "logs-github.dependabot-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-github.dependabot@package"
- "logs-github.dependabot@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-github.issues:
index_sorting: False
index_template:
index_patterns:
- "logs-github.issues-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-github.issues@package"
- "logs-github.issues@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-github.secret_scanning:
index_sorting: False
index_template:
index_patterns:
- "logs-github.secret_scanning-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-github.secret_scanning@package"
- "logs-github.secret_scanning@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-google_workspace.access_transparency:
index_sorting: False
index_template:
index_patterns:
- "logs-google_workspace.access_transparency-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-google_workspace.access_transparency@package"
- "logs-google_workspace.access_transparency@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-google_workspace.admin:
index_sorting: False
index_template:
index_patterns:
- "logs-google_workspace.admin-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-google_workspace.admin@package"
- "logs-google_workspace.admin@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-google_workspace.alert:
index_sorting: False
index_template:
index_patterns:
- "logs-google_workspace.alert-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-google_workspace.alert@package"
- "logs-google_workspace.alert@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-google_workspace.context_aware_access:
index_sorting: False
index_template:
index_patterns:
- "logs-google_workspace.context_aware_access-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-google_workspace.context_aware_access@package"
- "logs-google_workspace.context_aware_access@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-google_workspace.device:
index_sorting: False
index_template:
index_patterns:
- "logs-google_workspace.device-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-google_workspace.device@package"
- "logs-google_workspace.device@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-google_workspace.drive:
index_sorting: False
index_template:
index_patterns:
- "logs-google_workspace.drive-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-google_workspace.drive@package"
- "logs-google_workspace.drive@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-google_workspace.gcp:
index_sorting: False
index_template:
index_patterns:
- "logs-google_workspace.gcp-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-google_workspace.gcp@package"
- "logs-google_workspace.gcp@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-google_workspace.group_enterprise:
index_sorting: False
index_template:
index_patterns:
- "logs-google_workspace.group_enterprise-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-google_workspace.group_enterprise@package"
- "logs-google_workspace.group_enterprise@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-google_workspace.groups:
index_sorting: False
index_template:
index_patterns:
- "logs-google_workspace.groups-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-google_workspace.groups@package"
- "logs-google_workspace.groups@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-google_workspace.login:
index_sorting: False
index_template:
index_patterns:
- "logs-google_workspace.login-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-google_workspace.login@package"
- "logs-google_workspace.login@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-google_workspace.rules:
index_sorting: False
index_template:
index_patterns:
- "logs-google_workspace.rules-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-google_workspace.rules@package"
- "logs-google_workspace.rules@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-google_workspace.saml:
index_sorting: False
index_template:
index_patterns:
- "logs-google_workspace.saml-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-google_workspace.saml@package"
- "logs-google_workspace.saml@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-google_workspace.token:
index_sorting: False
index_template:
index_patterns:
- "logs-google_workspace.token-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-google_workspace.token@package"
- "logs-google_workspace.token@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-google_workspace.user_accounts:
index_sorting: False
index_template:
index_patterns:
- "logs-google_workspace.user_accounts-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-google_workspace.user_accounts@package"
- "logs-google_workspace.user_accounts@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-1password.item_usages:
index_sorting: False
index_template:
index_patterns:
- "logs-1password.item_usages-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-1password.item_usages@package"
- "logs-1password.item_usages@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-1password.signin_attempts:
index_sorting: False
index_template:
index_patterns:
- "logs-1password.signin_attempts-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-1password.signin_attempts@package"
- "logs-1password.signin_attempts@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-osquery-manager-actions:
index_sorting: False
index_template:
index_patterns:
- ".logs-osquery_manager.actions*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-osquery_manager.actions"
priority: 501
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-osquery-manager-action.responses:
index_sorting: False
index_template:
index_patterns:
- ".logs-osquery_manager.action.responses*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-osquery_manager.action.responses"
priority: 501
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-elastic_agent.apm_server:
index_sorting: False
index_template:
index_patterns:
- "logs-elastic_agent.apm_server-*"
template:
settings:
index:
number_of_replicas: 0
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
mappings:
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
composed_of:
- "logs-elastic_agent.apm_server@package"
- "logs-elastic_agent.apm_server@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-elastic_agent.auditbeat:
index_sorting: False
index_template:
index_patterns:
- "logs-elastic_agent.auditbeat-*"
template:
settings:
index:
number_of_replicas: 0
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
mappings:
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
composed_of:
- "logs-elastic_agent.auditbeat@package"
- "logs-elastic_agent.auditbeat@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-elastic_agent.cloudbeat:
index_sorting: False
index_template:
index_patterns:
- "logs-elastic_agent.cloudbeat-*"
template:
settings:
index:
number_of_replicas: 0
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
mappings:
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
composed_of:
- "logs-elastic_agent.cloudbeat@package"
- "logs-elastic_agent.cloudbeat@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-elastic_agent.endpoint_security:
index_sorting: False
index_template:
index_patterns:
- "logs-elastic_agent.endpoint_security-*"
template:
settings:
index:
number_of_replicas: 0
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
composed_of:
- "event-mappings"
- "logs-elastic_agent.endpoint_security@package"
- "logs-elastic_agent.endpoint_security@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-elastic_agent.filebeat:
index_sorting: False
index_template:
index_patterns:
- "logs-elastic_agent.filebeat-*"
template:
settings:
index:
number_of_replicas: 0
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
composed_of:
- "event-mappings"
- "logs-elastic_agent.filebeat@package"
- "logs-elastic_agent.filebeat@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-elastic_agent.fleet_server:
index_sorting: False
index_template:
index_patterns:
- "logs-elastic_agent.fleet_server-*"
template:
settings:
index:
number_of_replicas: 0
sort:
field: "@timestamp"
order: desc
composed_of:
- "event-mappings"
- "logs-elastic_agent.fleet_server@package"
- "logs-elastic_agent.fleet_server@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-elastic_agent.heartbeat:
index_sorting: False
index_template:
index_patterns:
- "logs-elastic_agent.heartbeat-*"
template:
settings:
index:
number_of_replicas: 0
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
mappings:
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
composed_of:
- "logs-elastic_agent.heartbeat@package"
- "logs-elastic_agent.heartbeat@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-elastic_agent:
index_sorting: False
index_template:
index_patterns:
- "logs-elastic_agent-*"
template:
settings:
index:
number_of_replicas: 0
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
mappings:
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
composed_of:
- "event-mappings"
- "logs-elastic_agent@package"
- "logs-elastic_agent@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-elastic_agent.metricbeat:
index_sorting: False
index_template:
index_patterns:
- "logs-elastic_agent.metricbeat-*"
template:
settings:
index:
number_of_replicas: 0
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
composed_of:
- "event-mappings"
- "logs-elastic_agent.metricbeat@package"
- "logs-elastic_agent.metricbeat@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-elastic_agent.osquerybeat:
index_sorting: False
index_template:
index_patterns:
- "logs-elastic_agent.osquerybeat-*"
template:
settings:
index:
number_of_replicas: 0
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
composed_of:
- "event-mappings"
- "logs-elastic_agent.osquerybeat@package"
- "logs-elastic_agent.osquerybeat@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-elastic_agent.packetbeat:
index_sorting: False
index_template:
index_patterns:
- "logs-elastic_agent.packetbeat-*"
template:
settings:
index:
number_of_replicas: 0
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
mappings:
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
composed_of:
- "logs-elastic_agent.packetbeat@package"
- "logs-elastic_agent.packetbeat@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
so-case:
index_sorting: False
index_template:
index_patterns:
- so-case*
template:
mappings:
dynamic_templates:
- strings_as_keyword:
mapping:
ignore_above: 1024
type: keyword
match_mapping_type: string
date_detection: false
settings:
index:
mapping:
total_fields:
limit: 1500
sort:
field: "@timestamp"
order: desc
refresh_interval: 30s
number_of_shards: 1
number_of_replicas: 0
composed_of:
- case-mappings
- case-settings
priority: 500
so-common:
warm: 7
close: 30
delete: 365
index_sorting: False
index_template:
data_stream: {}
index_patterns:
- logs-*-so*
template:
mappings:
dynamic_templates:
- strings_as_keyword:
mapping:
ignore_above: 1024
type: keyword
match_mapping_type: string
date_detection: false
settings:
index:
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
refresh_interval: 30s
number_of_shards: 1
number_of_replicas: 0
composed_of:
- agent-mappings
- dtc-agent-mappings
- base-mappings
- dtc-base-mappings
- client-mappings
- dtc-client-mappings
- cloud-mappings
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
- ecs-mappings
- dtc-ecs-mappings
- error-mappings
- event-mappings
- dtc-event-mappings
- file-mappings
- dtc-file-mappings
- group-mappings
- host-mappings
- dtc-host-mappings
- http-mappings
- dtc-http-mappings
- log-mappings
- network-mappings
- dtc-network-mappings
- observer-mappings
- dtc-observer-mappings
- orchestrator-mappings
- organization-mappings
- package-mappings
- process-mappings
- dtc-process-mappings
- registry-mappings
- related-mappings
- rule-mappings
- dtc-rule-mappings
- server-mappings
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- syslog-mappings
- dtc-syslog-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
- url-mappings
- user_agent-mappings
- dtc-user_agent-mappings
- vulnerability-mappings
- common-settings
- common-dynamic-mappings
- winlog-mappings
priority: 1
so-endgame:
index_sorting: False
index_template:
index_patterns:
- endgame*
template:
mappings:
dynamic_templates:
- strings_as_keyword:
mapping:
ignore_above: 1024
type: keyword
match_mapping_type: string
date_detection: false
settings:
index:
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
refresh_interval: 30s
number_of_shards: 1
number_of_replicas: 0
composed_of:
- agent-mappings
- dtc-agent-mappings
- base-mappings
- dtc-base-mappings
- client-mappings
- dtc-client-mappings
- cloud-mappings
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
- ecs-mappings
- dtc-ecs-mappings
- endgame-mappings
- error-mappings
- event-mappings
- dtc-event-mappings
- file-mappings
- dtc-file-mappings
- group-mappings
- host-mappings
- dtc-host-mappings
- http-mappings
- dtc-http-mappings
- log-mappings
- network-mappings
- dtc-network-mappings
- observer-mappings
- dtc-observer-mappings
- orchestrator-mappings
- organization-mappings
- package-mappings
- process-mappings
- dtc-process-mappings
- registry-mappings
- related-mappings
- rule-mappings
- dtc-rule-mappings
- server-mappings
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
- url-mappings
- user_agent-mappings
- dtc-user_agent-mappings
- vulnerability-mappings
- common-settings
- common-dynamic-mappings
- winlog-mappings
priority: 500
so-idh:
warm: 7
close: 30
delete: 365
index_sorting: False
index_template:
index_patterns:
- so-idh-*
template:
mappings:
dynamic_templates:
- strings_as_keyword:
mapping:
ignore_above: 1024
type: keyword
match_mapping_type: string
date_detection: false
settings:
index:
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
refresh_interval: 30s
number_of_shards: 1
number_of_replicas: 0
composed_of:
- agent-mappings
- dtc-agent-mappings
- base-mappings
- dtc-base-mappings
- client-mappings
- dtc-client-mappings
- container-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
- ecs-mappings
- dtc-ecs-mappings
- error-mappings
- event-mappings
- dtc-event-mappings
- file-mappings
- dtc-file-mappings
- group-mappings
- host-mappings
- dtc-host-mappings
- http-mappings
- dtc-http-mappings
- log-mappings
- network-mappings
- dtc-network-mappings
- observer-mappings
- dtc-observer-mappings
- organization-mappings
- package-mappings
- process-mappings
- dtc-process-mappings
- related-mappings
- rule-mappings
- dtc-rule-mappings
- server-mappings
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- url-mappings
- user_agent-mappings
- dtc-user_agent-mappings
- common-settings
- common-dynamic-mappings
priority: 500
so-suricata:
index_sorting: False
index_template:
data_stream: {}
index_patterns:
- logs-suricata-so*
template:
mappings:
dynamic_templates:
- strings_as_keyword:
mapping:
ignore_above: 1024
type: keyword
match_mapping_type: string
date_detection: false
settings:
index:
lifecycle:
name: so-suricata-logs
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
refresh_interval: 30s
number_of_shards: 1
number_of_replicas: 0
composed_of:
- agent-mappings
- dtc-agent-mappings
- base-mappings
- dtc-base-mappings
- client-mappings
- dtc-client-mappings
- cloud-mappings
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
- ecs-mappings
- dtc-ecs-mappings
- error-mappings
- event-mappings
- dtc-event-mappings
- file-mappings
- dtc-file-mappings
- group-mappings
- host-mappings
- dtc-host-mappings
- http-mappings
- dtc-http-mappings
- log-mappings
- network-mappings
- dtc-network-mappings
- observer-mappings
- dtc-observer-mappings
- orchestrator-mappings
- organization-mappings
- package-mappings
- process-mappings
- dtc-process-mappings
- registry-mappings
- related-mappings
- rule-mappings
- dtc-rule-mappings
- server-mappings
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- suricata-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
- url-mappings
- user_agent-mappings
- dtc-user_agent-mappings
- vulnerability-mappings
- common-settings
- common-dynamic-mappings
priority: 500
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
so-import:
index_sorting: False
index_template:
data_stream: {}
index_patterns:
- logs-import-so*
template:
mappings:
dynamic_templates:
- strings_as_keyword:
mapping:
ignore_above: 1024
type: keyword
match_mapping_type: string
date_detection: false
settings:
index:
lifecycle:
name: so-import-logs
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
refresh_interval: 30s
number_of_shards: 1
number_of_replicas: 0
composed_of:
- agent-mappings
- dtc-agent-mappings
- base-mappings
- dtc-base-mappings
- client-mappings
- dtc-client-mappings
- cloud-mappings
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
- ecs-mappings
- dtc-ecs-mappings
- error-mappings
- event-mappings
- dtc-event-mappings
- file-mappings
- dtc-file-mappings
- group-mappings
- host-mappings
- dtc-host-mappings
- http-mappings
- dtc-http-mappings
- log-mappings
- network-mappings
- dtc-network-mappings
- observer-mappings
- dtc-observer-mappings
- orchestrator-mappings
- organization-mappings
- package-mappings
- process-mappings
- dtc-process-mappings
- registry-mappings
- related-mappings
- rule-mappings
- dtc-rule-mappings
- server-mappings
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
- url-mappings
- user_agent-mappings
- dtc-user_agent-mappings
- vulnerability-mappings
- common-settings
- common-dynamic-mappings
- winlog-mappings
priority: 500
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
so-kratos:
warm: 7
close: 30
delete: 365
index_sorting: False
index_template:
data_stream:
hidden: false
allow_custom_routing: false
index_patterns:
- logs-kratos-so*
template:
mappings:
dynamic_templates:
- strings_as_keyword:
mapping:
ignore_above: 1024
type: keyword
match_mapping_type: string
date_detection: false
settings:
index:
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
refresh_interval: 30s
number_of_shards: 1
number_of_replicas: 0
composed_of:
- agent-mappings
- dtc-agent-mappings
- base-mappings
- dtc-base-mappings
- client-mappings
- dtc-client-mappings
- container-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
- ecs-mappings
- dtc-ecs-mappings
- error-mappings
- event-mappings
- dtc-event-mappings
- file-mappings
- dtc-file-mappings
- group-mappings
- host-mappings
- dtc-host-mappings
- http-mappings
- dtc-http-mappings
- log-mappings
- network-mappings
- dtc-network-mappings
- observer-mappings
- dtc-observer-mappings
- organization-mappings
- package-mappings
- process-mappings
- dtc-process-mappings
- related-mappings
- rule-mappings
- dtc-rule-mappings
- server-mappings
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- url-mappings
- user_agent-mappings
- dtc-user_agent-mappings
- common-settings
- common-dynamic-mappings
priority: 500
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
so-logstash:
index_sorting: False
index_template:
index_patterns:
- logs-logstash-default*
template:
mappings:
dynamic_templates:
- strings_as_keyword:
mapping:
ignore_above: 1024
type: keyword
match_mapping_type: string
date_detection: false
settings:
index:
lifecycle:
name: so-logstash-logs
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
refresh_interval: 30s
number_of_shards: 1
number_of_replicas: 0
composed_of:
- agent-mappings
- dtc-agent-mappings
- base-mappings
- dtc-base-mappings
- client-mappings
- dtc-client-mappings
- cloud-mappings
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
- ecs-mappings
- dtc-ecs-mappings
- error-mappings
- event-mappings
- dtc-event-mappings
- file-mappings
- dtc-file-mappings
- group-mappings
- host-mappings
- dtc-host-mappings
- http-mappings
- dtc-http-mappings
- log-mappings
- logstash-mappings
- network-mappings
- dtc-network-mappings
- observer-mappings
- dtc-observer-mappings
- orchestrator-mappings
- organization-mappings
- package-mappings
- process-mappings
- dtc-process-mappings
- registry-mappings
- related-mappings
- rule-mappings
- dtc-rule-mappings
- server-mappings
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
- url-mappings
- user_agent-mappings
- dtc-user_agent-mappings
- vulnerability-mappings
- common-settings
- common-dynamic-mappings
priority: 500
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
so-redis:
index_sorting: False
index_template:
index_patterns:
- logs-redis-default*
template:
mappings:
dynamic_templates:
- strings_as_keyword:
mapping:
ignore_above: 1024
type: keyword
match_mapping_type: string
date_detection: false
settings:
index:
lifecycle:
name: so-redis-logs
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
refresh_interval: 30s
number_of_shards: 1
number_of_replicas: 0
composed_of:
- agent-mappings
- dtc-agent-mappings
- base-mappings
- dtc-base-mappings
- client-mappings
- dtc-client-mappings
- cloud-mappings
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
- ecs-mappings
- dtc-ecs-mappings
- error-mappings
- event-mappings
- dtc-event-mappings
- file-mappings
- dtc-file-mappings
- group-mappings
- host-mappings
- dtc-host-mappings
- http-mappings
- dtc-http-mappings
- log-mappings
- network-mappings
- dtc-network-mappings
- observer-mappings
- dtc-observer-mappings
- orchestrator-mappings
- organization-mappings
- package-mappings
- process-mappings
- dtc-process-mappings
- redis-mappings
- registry-mappings
- related-mappings
- rule-mappings
- dtc-rule-mappings
- server-mappings
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
- url-mappings
- user_agent-mappings
- dtc-user_agent-mappings
- vulnerability-mappings
- common-settings
- common-dynamic-mappings
priority: 500
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
so-strelka:
index_sorting: False
index_template:
data_stream: {}
index_patterns:
- logs-strelka-so*
template:
mappings:
dynamic_templates:
- strings_as_keyword:
mapping:
ignore_above: 1024
type: keyword
match_mapping_type: string
date_detection: false
settings:
index:
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
refresh_interval: 30s
number_of_shards: 1
number_of_replicas: 0
composed_of:
- agent-mappings
- dtc-agent-mappings
- base-mappings
- dtc-base-mappings
- client-mappings
- dtc-client-mappings
- cloud-mappings
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
- ecs-mappings
- dtc-ecs-mappings
- error-mappings
- event-mappings
- dtc-event-mappings
- file-mappings
- dtc-file-mappings
- so-file-mappings
- group-mappings
- host-mappings
- dtc-host-mappings
- http-mappings
- dtc-http-mappings
- log-mappings
- network-mappings
- dtc-network-mappings
- observer-mappings
- dtc-observer-mappings
- orchestrator-mappings
- organization-mappings
- package-mappings
- process-mappings
- dtc-process-mappings
- registry-mappings
- related-mappings
- rule-mappings
- dtc-rule-mappings
- server-mappings
- service-mappings
- dtc-service-mappings
- so-scan-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
- url-mappings
- user_agent-mappings
- dtc-user_agent-mappings
- vulnerability-mappings
- common-settings
- common-dynamic-mappings
priority: 500
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
so-syslog:
index_sorting: False
index_template:
index_patterns:
- logs-syslog-so*
template:
mappings:
dynamic_templates:
- strings_as_keyword:
mapping:
ignore_above: 1024
type: keyword
match_mapping_type: string
date_detection: false
settings:
index:
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
refresh_interval: 30s
number_of_shards: 1
number_of_replicas: 0
composed_of:
- agent-mappings
- dtc-agent-mappings
- base-mappings
- dtc-base-mappings
- client-mappings
- dtc-client-mappings
- cloud-mappings
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
- ecs-mappings
- dtc-ecs-mappings
- error-mappings
- event-mappings
- dtc-event-mappings
- file-mappings
- dtc-file-mappings
- group-mappings
- host-mappings
- dtc-host-mappings
- http-mappings
- dtc-http-mappings
- log-mappings
- network-mappings
- dtc-network-mappings
- observer-mappings
- dtc-observer-mappings
- orchestrator-mappings
- organization-mappings
- package-mappings
- process-mappings
- dtc-process-mappings
- registry-mappings
- related-mappings
- rule-mappings
- dtc-rule-mappings
- server-mappings
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- syslog-mappings
- dtc-syslog-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
- url-mappings
- user_agent-mappings
- dtc-user_agent-mappings
- vulnerability-mappings
- common-settings
- common-dynamic-mappings
priority: 500
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
so-zeek:
index_sorting: False
index_template:
data_stream: {}
index_patterns:
- logs-zeek-so*
template:
mappings:
dynamic_templates:
- strings_as_keyword:
mapping:
ignore_above: 1024
type: keyword
match_mapping_type: string
date_detection: false
settings:
index:
lifecycle:
name: so-zeek-logs
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
refresh_interval: 30s
number_of_shards: 2
number_of_replicas: 0
composed_of:
- agent-mappings
- dtc-agent-mappings
- base-mappings
- dtc-base-mappings
- client-mappings
- dtc-client-mappings
- cloud-mappings
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
- ecs-mappings
- dtc-ecs-mappings
- error-mappings
- event-mappings
- dtc-event-mappings
- file-mappings
- dtc-file-mappings
- group-mappings
- host-mappings
- dtc-host-mappings
- http-mappings
- dtc-http-mappings
- log-mappings
- network-mappings
- dtc-network-mappings
- observer-mappings
- dtc-observer-mappings
- orchestrator-mappings
- organization-mappings
- package-mappings
- process-mappings
- dtc-process-mappings
- registry-mappings
- related-mappings
- rule-mappings
- dtc-rule-mappings
- server-mappings
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- syslog-mappings
- dtc-syslog-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
- url-mappings
- user_agent-mappings
- dtc-user_agent-mappings
- vulnerability-mappings
- zeek-mappings
- common-settings
- common-dynamic-mappings
priority: 500
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
Reference in New Issue View Git Blame Copy Permalink