elasticsearch:
|
||
enabled:
|
||
description: Enables or disables the Elasticsearch process. This process provides the log event storage system. WARNING - Disabling this process is unsupported.
|
||
forcedType: bool
|
||
advanced: True
|
||
helpLink: elasticsearch
|
||
data_retention_method:
|
||
description: Method for data retention. Options are ILM or DLM. For single node deployments and most distributed grid users, DLM will be the recommended option for simplified management. Those with more complex use cases may prefer ILM. The latter allows for more granular control, but requires more management overhead.
|
||
options:
|
||
- ILM
|
||
- DLM
|
||
forcedType: string
|
||
global: True
|
||
version:
|
||
description: "This specifies the version of the following containers: so-elastic-fleet-package-registry, so-elastic-agent, so-elastic-fleet, so-kibana, so-logstash and so-elasticsearch. Modifying this value in the Elasticsearch defaults.yaml will result in catastrophic grid failure."
|
||
readonly: True
|
||
global: True
|
||
advanced: True
|
||
esheap:
|
||
description: Specify the memory heap size in (m)egabytes for Elasticsearch.
|
||
helpLink: elasticsearch
|
||
index_clean:
|
||
description: Determines if indices should be considered for deletion by available disk space in the cluster. Otherwise, data is retained by the configured lifecycle settings. This setting only applies to EVAL, STANDALONE, and HEAVY NODE installations. Other installations use lifecycle settings only.
|
||
forcedType: bool
|
||
helpLink: elasticsearch
|
||
vm:
|
||
max_map_count:
|
||
description: The maximum number of memory map areas a process may use. Elasticsearch uses a mmapfs directory by default to store its indices. The default operating system limits on mmap counts could be too low, which may result in out of memory exceptions.
|
||
forcedType: int
|
||
helpLink: elasticsearch
|
||
retention:
|
||
retention_pct:
|
||
description: Percentage of total disk space that Elasticsearch is allowed to use on multi-node clusters.
|
||
helpLink: elasticsearch
|
||
global: True
|
||
config:
|
||
cluster:
|
||
name:
|
||
description: The name of the Security Onion Elasticsearch cluster, for identification purposes.
|
||
readonly: True
|
||
global: True
|
||
helpLink: elasticsearch
|
||
logsdb:
|
||
enabled:
|
||
description: Enables or disables the Elasticsearch logsdb index mode. When enabled, most logs-* datastreams will convert to logsdb from standard after rolling over.
|
||
forcedType: bool
|
||
global: True
|
||
advanced: True
|
||
helpLink: elasticsearch
|
||
routing:
|
||
allocation:
|
||
disk:
|
||
threshold_enabled:
|
||
description: Specifies whether the Elasticsearch node will monitor the available disk space for low disk space conditions and take action to protect the cluster.
|
||
forcedType: bool
|
||
helpLink: elasticsearch
|
||
watermark:
|
||
low:
|
||
description: The lower percentage of used disk space representing a healthy node.
|
||
helpLink: elasticsearch
|
||
high:
|
||
description: The higher percentage of used disk space representing an unhealthy node.
|
||
helpLink: elasticsearch
|
||
flood_stage:
|
||
description: The max percentage of used disk space that will cause the node to take protective actions, such as blocking incoming events.
|
||
helpLink: elasticsearch
|
||
action:
|
||
destructive_requires_name:
|
||
description: Requires explicit index names when deleting indices. Prevents accidental or unintended mass deletion of indices via wildcard patterns such as * or _all.
|
||
advanced: True
|
||
forcedType: bool
|
||
helpLink: elasticsearch
|
||
script:
|
||
max_compilations_rate:
|
||
description: Max rate of script compilations permitted in the Elasticsearch cluster. Larger values will consume more resources; this limit also bounds how much CPU a burst of distinct scripted queries can consume, so raise it with care.
|
||
global: True
|
||
helpLink: elasticsearch
|
||
indices:
|
||
id_field_data:
|
||
enabled:
|
||
description: Enables or disables loading of field data on the _id field.
|
||
advanced: True
|
||
forcedType: bool
|
||
helpLink: elasticsearch
|
||
query:
|
||
bool:
|
||
max_clause_count:
|
||
description: Max number of boolean clauses per query.
|
||
global: True
|
||
helpLink: elasticsearch
|
||
xpack:
|
||
ml:
|
||
enabled:
|
||
description: Enables or disables machine learning on the node.
|
||
forcedType: bool
|
||
advanced: True
|
||
helpLink: elasticsearch
|
||
security:
|
||
enabled:
|
||
description: Enables or disables Elasticsearch security features (authentication, role-based authorization and TLS enforcement). Disabling this removes authentication and authorization from the cluster, leaving all stored events readable and modifiable by anyone who can reach it; it should remain enabled.
|
||
forcedType: bool
|
||
advanced: True
|
||
helpLink: elasticsearch
|
||
authc:
|
||
anonymous:
|
||
authz_exception:
|
||
description: Controls whether an authorization exception is thrown when the anonymous user does not have the required privileges. When true, such requests fail with a 403; when false they fail with a 401 and a WWW-Authenticate header so that clients can prompt for credentials instead.
|
||
advanced: True
|
||
forcedType: bool
|
||
helpLink: elasticsearch
|
||
http:
|
||
ssl:
|
||
enabled:
|
||
description: Enables or disables TLS/SSL for the HTTP (REST API) layer. Disabling this sends API traffic, including credentials and event data, in cleartext; it should remain enabled.
|
||
advanced: True
|
||
forcedType: bool
|
||
helpLink: elasticsearch
|
||
transport:
|
||
ssl:
|
||
enabled:
|
||
description: Enables or disables TLS/SSL for the transport (node-to-node) layer. Disabling this sends inter-node replication and query traffic in cleartext and removes certificate-based verification between nodes; it should remain enabled.
|
||
advanced: True
|
||
forcedType: bool
|
||
helpLink: elasticsearch
|
||
pipelines:
|
||
custom001: &pipelines
|
||
description:
|
||
description: Description of the ingest node pipeline
|
||
global: True
|
||
advanced: True
|
||
helpLink: elasticsearch
|
||
processors:
|
||
description: Processors for the ingest node pipeline. These run on every event routed through the pipeline before it is indexed, so a faulty or malicious processor can drop or alter stored events.
|
||
global: True
|
||
advanced: True
|
||
multiline: True
|
||
helpLink: elasticsearch
|
||
custom002: *pipelines
|
||
custom003: *pipelines
|
||
custom004: *pipelines
|
||
custom005: *pipelines
|
||
custom006: *pipelines
|
||
custom007: *pipelines
|
||
custom008: *pipelines
|
||
custom009: *pipelines
|
||
custom010: *pipelines
|
||
index_settings:
|
||
global_overrides:
|
||
data_stream_lifecycle:
|
||
data_retention:
|
||
description: |
|
||
The retention period for all data streams. Retention does not define when the data will be removed, only the minimum period for which it will be kept.
|
||
|
||
Use a number followed by a time unit, such as 7d. Leave blank for indefinite retention where supported.
|
||
|
||
Configured retention period also affects the frequency of rolling over data streams.
|
||
- If retention is less than or equal to 1 day, max_age will be 1 hour
|
||
- If retention is less than or equal to 14 days, max_age will be 1 day
|
||
- If retention is less than or equal to 90 days, max_age will be 7 days
|
||
- If retention is greater than 90 days, max_age will be 30 days
|
||
forcedType: string
|
||
regex: ^$|^[0-9]{1,5}(?:d|h|m|s)$
|
||
regexFailureMessage: Must be blank or a number followed by d, h, m, or s, such as 7d.
|
||
index_template:
|
||
template:
|
||
settings:
|
||
index:
|
||
number_of_replicas:
|
||
description: Number of replicas required for all indices. Multiple replicas protect against data loss, but also increase storage costs. This setting will be applied to all indices.
|
||
forcedType: int
|
||
global: True
|
||
helpLink: elasticsearch
|
||
refresh_interval:
|
||
description: Seconds between index refreshes. Shorter intervals can cause query performance to suffer since this is a synchronous and resource-intensive operation.
|
||
global: True
|
||
helpLink: elasticsearch
|
||
number_of_shards:
|
||
description: Number of primary shards for this index. Using multiple shards lets indexing and search work be spread across nodes, but also increases storage and network costs; fault tolerance comes from replicas, not shards.
|
||
global: True
|
||
helpLink: elasticsearch
|
||
sort:
|
||
field:
|
||
description: The field to sort by. Must set index_sorting to True.
|
||
global: True
|
||
helpLink: elasticsearch
|
||
order:
|
||
description: The order to sort by. Must set index_sorting to True.
|
||
global: True
|
||
helpLink: elasticsearch
|
||
policy:
|
||
phases:
|
||
hot:
|
||
actions:
|
||
set_priority:
|
||
priority:
|
||
description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
|
||
forcedType: int
|
||
global: True
|
||
helpLink: elasticsearch
|
||
rollover:
|
||
max_age:
|
||
description: Maximum age of index. Once an index reaches this limit, it will be rolled over into a new index.
|
||
global: True
|
||
helpLink: elasticsearch
|
||
max_primary_shard_size:
|
||
description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index.
|
||
global: True
|
||
helpLink: elasticsearch
|
||
shrink:
|
||
method:
|
||
description: Shrink the index to a new index with fewer primary shards. Shrink operation is by count or size.
|
||
options:
|
||
- COUNT
|
||
- SIZE
|
||
global: True
|
||
advanced: True
|
||
forcedType: string
|
||
number_of_shards:
|
||
title: shard count
|
||
description: Desired shard count. Note that this value is only used when the shrink method selected is 'COUNT'.
|
||
global: True
|
||
forcedType: int
|
||
advanced: True
|
||
max_primary_shard_size:
|
||
title: max shard size
|
||
description: Desired shard size in gb/tb/pb, e.g. 100gb. Note that this value is only used when the shrink method selected is 'SIZE'.
|
||
regex: ^[0-9]+(?:gb|tb|pb)$
|
||
global: True
|
||
forcedType: string
|
||
advanced: True
|
||
allow_write_after_shrink:
|
||
description: Allow writes after shrink.
|
||
global: True
|
||
forcedType: bool
|
||
default: False
|
||
advanced: True
|
||
forcemerge:
|
||
max_num_segments:
|
||
description: Reduce the number of segments in each index shard and clean up deleted documents.
|
||
global: True
|
||
forcedType: int
|
||
advanced: True
|
||
index_codec:
|
||
title: compression
|
||
description: Use higher compression for stored fields at the cost of slower performance.
|
||
forcedType: bool
|
||
global: True
|
||
default: False
|
||
advanced: True
|
||
cold:
|
||
min_age:
|
||
description: Minimum age of index. ex. 60d - This determines when the index should be moved to the cold tier. While still searchable, this tier is typically optimized for lower storage costs rather than search speed. It’s important to note that this is calculated relative to the rollover date (NOT the original creation date of the index). For example, if you have an index that is set to rollover after 30 days and cold min_age set to 60 then there will be 30 days from index creation to rollover and then an additional 60 days before moving to cold tier.
|
||
regex: ^[0-9]{1,5}d$
|
||
forcedType: string
|
||
global: True
|
||
helpLink: elasticsearch
|
||
actions:
|
||
set_priority:
|
||
priority:
|
||
description: Used for index recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
|
||
global: True
|
||
helpLink: elasticsearch
|
||
allocate:
|
||
number_of_replicas:
|
||
description: Set the number of replicas. Remains the same as the previous phase by default.
|
||
forcedType: int
|
||
global: True
|
||
advanced: True
|
||
warm:
|
||
min_age:
|
||
description: Minimum age of index. ex. 30d - This determines when the index should be moved to the warm tier. Nodes in the warm tier generally don’t need to be as fast as those in the hot tier. It’s important to note that this is calculated relative to the rollover date (NOT the original creation date of the index). For example, if you have an index that is set to rollover after 30 days and warm min_age set to 30 then there will be 30 days from index creation to rollover and then an additional 30 days before moving to warm tier.
|
||
regex: ^[0-9]{1,5}d$
|
||
forcedType: string
|
||
global: True
|
||
helpLink: elasticsearch
|
||
actions:
|
||
set_priority:
|
||
priority:
|
||
description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
|
||
forcedType: int
|
||
global: True
|
||
helpLink: elasticsearch
|
||
shrink:
|
||
method:
|
||
description: Shrink the index to a new index with fewer primary shards. Shrink operation is by count or size.
|
||
options:
|
||
- COUNT
|
||
- SIZE
|
||
global: True
|
||
advanced: True
|
||
number_of_shards:
|
||
title: shard count
|
||
description: Desired shard count. Note that this value is only used when the shrink method selected is 'COUNT'.
|
||
global: True
|
||
forcedType: int
|
||
advanced: True
|
||
max_primary_shard_size:
|
||
title: max shard size
|
||
description: Desired shard size in gb/tb/pb, e.g. 100gb. Note that this value is only used when the shrink method selected is 'SIZE'.
|
||
regex: ^[0-9]+(?:gb|tb|pb)$
|
||
global: True
|
||
forcedType: string
|
||
advanced: True
|
||
allow_write_after_shrink:
|
||
description: Allow writes after shrink.
|
||
global: True
|
||
forcedType: bool
|
||
default: False
|
||
advanced: True
|
||
forcemerge:
|
||
max_num_segments:
|
||
description: Reduce the number of segments in each index shard and clean up deleted documents.
|
||
global: True
|
||
forcedType: int
|
||
advanced: True
|
||
index_codec:
|
||
title: compression
|
||
description: Use higher compression for stored fields at the cost of slower performance.
|
||
forcedType: bool
|
||
global: True
|
||
default: False
|
||
advanced: True
|
||
allocate:
|
||
number_of_replicas:
|
||
description: Set the number of replicas. Remains the same as the previous phase by default.
|
||
forcedType: int
|
||
global: True
|
||
advanced: True
|
||
delete:
|
||
min_age:
|
||
description: Minimum age of index. ex. 90d - This determines when the index should be deleted. It’s important to note that this is calculated relative to the rollover date (NOT the original creation date of the index). For example, if you have an index that is set to rollover after 30 days and delete min_age set to 90 then there will be 30 days from index creation to rollover and then an additional 90 days before deletion.
|
||
regex: ^[0-9]{1,5}d$
|
||
forcedType: string
|
||
global: True
|
||
helpLink: elasticsearch
|
||
so-logs: &dataStreamSettings
|
||
index_sorting:
|
||
description: Sorts the index by event time, at the cost of additional processing resource consumption.
|
||
forcedType: bool
|
||
global: True
|
||
advanced: True
|
||
helpLink: elasticsearch
|
||
data_stream_lifecycle:
|
||
data_retention:
|
||
description: |
|
||
The retention period for this data stream. Retention does not define when the data will be removed, only the minimum period for which it will be kept.
|
||
|
||
Use a number followed by a time unit, such as 7d. Leave blank for indefinite retention where supported.
|
||
|
||
Configured retention period also affects the frequency of rolling over this data stream.
|
||
- If retention is less than or equal to 1 day, max_age will be 1 hour
|
||
- If retention is less than or equal to 14 days, max_age will be 1 day
|
||
- If retention is less than or equal to 90 days, max_age will be 7 days
|
||
- If retention is greater than 90 days, max_age will be 30 days
|
||
forcedType: string
|
||
regex: ^$|^[0-9]{1,5}(?:d|h|m|s)$
|
||
regexFailureMessage: Must be blank or a number followed by d, h, m, or s, such as 7d.
|
||
index_template:
|
||
index_patterns:
|
||
description: Index patterns (wildcards) that select the indices or data streams this template applies to.
|
||
forcedType: "[]string"
|
||
multiline: True
|
||
global: True
|
||
advanced: True
|
||
helpLink: elasticsearch
|
||
template:
|
||
settings:
|
||
index:
|
||
number_of_replicas:
|
||
description: Number of replicas required for this index. Multiple replicas protect against data loss, but also increase storage costs.
|
||
forcedType: int
|
||
global: True
|
||
advanced: True
|
||
helpLink: elasticsearch
|
||
auto_expand_replicas:
|
||
description: Automatically expand the number of replicas based on the number of data nodes in the cluster. This can help ensure high availability as the cluster scales up or down.
|
||
forcedType: string
|
||
regex: "^(0-[1-9]|1-[2-9]|2-[3-9]|3-[4-9]|4-[5-9]|5-[6-9]|6-[7-9]|7-[89]|8-9|[0-9]-all|false)$"
|
||
regexFailureMessage: Must be in the format of "x-y" where x is minimum number of replicas and y is maximum number of replicas, or "0-all" to specify a minimum of 0 and no maximum, or "false" to disable automatic replica expansion.
|
||
global: True
|
||
advanced: True
|
||
helpLink: elasticsearch
|
||
mapping:
|
||
total_fields:
|
||
limit:
|
||
description: Max number of fields that can exist on a single index. Larger values will consume more resources.
|
||
global: True
|
||
advanced: True
|
||
helpLink: elasticsearch
|
||
refresh_interval:
|
||
description: Seconds between index refreshes. Shorter intervals can cause query performance to suffer since this is a synchronous and resource-intensive operation.
|
||
global: True
|
||
advanced: True
|
||
helpLink: elasticsearch
|
||
number_of_shards:
|
||
description: Number of primary shards for this index. Using multiple shards lets indexing and search work be spread across nodes, but also increases storage and network costs; fault tolerance comes from replicas, not shards.
|
||
global: True
|
||
advanced: True
|
||
helpLink: elasticsearch
|
||
sort:
|
||
field:
|
||
description: The field to sort by. Must set index_sorting to True.
|
||
global: True
|
||
advanced: True
|
||
helpLink: elasticsearch
|
||
order:
|
||
description: The order to sort by. Must set index_sorting to True.
|
||
global: True
|
||
advanced: True
|
||
helpLink: elasticsearch
|
||
mappings:
|
||
_meta:
|
||
package:
|
||
name:
|
||
description: Meta settings for the mapping.
|
||
global: True
|
||
advanced: True
|
||
helpLink: elasticsearch
|
||
managed_by:
|
||
description: Meta settings for the mapping.
|
||
global: True
|
||
advanced: True
|
||
helpLink: elasticsearch
|
||
managed:
|
||
description: Meta settings for the mapping.
|
||
forcedType: bool
|
||
global: True
|
||
advanced: True
|
||
helpLink: elasticsearch
|
||
composed_of:
|
||
description: The index template is composed of these component templates.
|
||
forcedType: "[]string"
|
||
global: True
|
||
advanced: True
|
||
helpLink: elasticsearch
|
||
priority:
|
||
description: The priority of the index template.
|
||
forcedType: int
|
||
global: True
|
||
advanced: True
|
||
helpLink: elasticsearch
|
||
data_stream:
|
||
hidden:
|
||
description: Hide the data stream.
|
||
forcedType: bool
|
||
global: True
|
||
advanced: True
|
||
helpLink: elasticsearch
|
||
allow_custom_routing:
|
||
description: Allow custom routing for the data stream.
|
||
forcedType: bool
|
||
global: True
|
||
advanced: True
|
||
helpLink: elasticsearch
|
||
policy:
|
||
phases:
|
||
hot:
|
||
min_age:
|
||
description: Minimum age of index. This determines when the index should be moved to the hot tier.
|
||
global: True
|
||
advanced: True
|
||
helpLink: elasticsearch
|
||
actions:
|
||
set_priority:
|
||
priority:
|
||
description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
|
||
forcedType: int
|
||
global: True
|
||
advanced: True
|
||
helpLink: elasticsearch
|
||
rollover:
|
||
max_age:
|
||
description: Maximum age of index. Once an index reaches this limit, it will be rolled over into a new index.
|
||
global: True
|
||
advanced: True
|
||
helpLink: elasticsearch
|
||
max_primary_shard_size:
|
||
description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index.
|
||
global: True
|
||
advanced: True
|
||
helpLink: elasticsearch
|
||
shrink:
|
||
method:
|
||
description: Shrink the index to a new index with fewer primary shards. Shrink operation is by count or size.
|
||
options:
|
||
- COUNT
|
||
- SIZE
|
||
global: True
|
||
advanced: True
|
||
forcedType: string
|
||
number_of_shards:
|
||
title: shard count
|
||
description: Desired shard count. Note that this value is only used when the shrink method selected is 'COUNT'.
|
||
global: True
|
||
forcedType: int
|
||
advanced: True
|
||
max_primary_shard_size:
|
||
title: max shard size
|
||
description: Desired shard size in gb/tb/pb, e.g. 100gb. Note that this value is only used when the shrink method selected is 'SIZE'.
|
||
regex: ^[0-9]+(?:gb|tb|pb)$
|
||
global: True
|
||
forcedType: string
|
||
advanced: True
|
||
allow_write_after_shrink:
|
||
description: Allow writes after shrink.
|
||
global: True
|
||
forcedType: bool
|
||
default: False
|
||
advanced: True
|
||
forcemerge:
|
||
max_num_segments:
|
||
description: Reduce the number of segments in each index shard and clean up deleted documents.
|
||
global: True
|
||
forcedType: int
|
||
advanced: True
|
||
index_codec:
|
||
title: compression
|
||
description: Use higher compression for stored fields at the cost of slower performance.
|
||
forcedType: bool
|
||
global: True
|
||
default: False
|
||
advanced: True
|
||
warm:
|
||
min_age:
|
||
description: Minimum age of index. ex. 30d - This determines when the index should be moved to the warm tier. Nodes in the warm tier generally don’t need to be as fast as those in the hot tier. It’s important to note that this is calculated relative to the rollover date (NOT the original creation date of the index). For example, if you have an index that is set to rollover after 30 days and warm min_age set to 30 then there will be 30 days from index creation to rollover and then an additional 30 days before moving to warm tier.
|
||
regex: ^[0-9]{1,5}d$
|
||
forcedType: string
|
||
global: True
|
||
advanced: True
|
||
helpLink: elasticsearch
|
||
actions:
|
||
set_priority:
|
||
priority:
|
||
description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
|
||
forcedType: int
|
||
global: True
|
||
advanced: True
|
||
helpLink: elasticsearch
|
||
rollover:
|
||
max_age:
|
||
description: Maximum age of index. Once an index reaches this limit, it will be rolled over into a new index.
|
||
global: True
|
||
advanced: True
|
||
helpLink: elasticsearch
|
||
max_primary_shard_size:
|
||
description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index.
|
||
global: True
|
||
advanced: True
|
||
helpLink: elasticsearch
|
||
shrink:
|
||
method:
|
||
description: Shrink the index to a new index with fewer primary shards. Shrink operation is by count or size.
|
||
options:
|
||
- COUNT
|
||
- SIZE
|
||
global: True
|
||
advanced: True
|
||
number_of_shards:
|
||
title: shard count
|
||
description: Desired shard count. Note that this value is only used when the shrink method selected is 'COUNT'.
|
||
global: True
|
||
forcedType: int
|
||
advanced: True
|
||
max_primary_shard_size:
|
||
title: max shard size
|
||
description: Desired shard size in gb/tb/pb, e.g. 100gb. Note that this value is only used when the shrink method selected is 'SIZE'.
|
||
regex: ^[0-9]+(?:gb|tb|pb)$
|
||
global: True
|
||
forcedType: string
|
||
advanced: True
|
||
allow_write_after_shrink:
|
||
description: Allow writes after shrink.
|
||
global: True
|
||
forcedType: bool
|
||
default: False
|
||
advanced: True
|
||
forcemerge:
|
||
max_num_segments:
|
||
description: Reduce the number of segments in each index shard and clean up deleted documents.
|
||
global: True
|
||
forcedType: int
|
||
advanced: True
|
||
index_codec:
|
||
title: compression
|
||
description: Use higher compression for stored fields at the cost of slower performance.
|
||
forcedType: bool
|
||
global: True
|
||
default: False
|
||
advanced: True
|
||
allocate:
|
||
number_of_replicas:
|
||
description: Set the number of replicas. Remains the same as the previous phase by default.
|
||
forcedType: int
|
||
global: True
|
||
advanced: True
|
||
cold:
|
||
min_age:
|
||
description: Minimum age of index. ex. 60d - This determines when the index should be moved to the cold tier. While still searchable, this tier is typically optimized for lower storage costs rather than search speed. It’s important to note that this is calculated relative to the rollover date (NOT the original creation date of the index). For example, if you have an index that is set to rollover after 30 days and cold min_age set to 60 then there will be 30 days from index creation to rollover and then an additional 60 days before moving to cold tier.
|
||
regex: ^[0-9]{1,5}d$
|
||
forcedType: string
|
||
global: True
|
||
advanced: True
|
||
helpLink: elasticsearch
|
||
actions:
|
||
set_priority:
|
||
priority:
|
||
description: Used for index recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
|
||
forcedType: int
|
||
global: True
|
||
advanced: True
|
||
helpLink: elasticsearch
|
||
allocate:
|
||
number_of_replicas:
|
||
description: Set the number of replicas. Remains the same as the previous phase by default.
|
||
forcedType: int
|
||
global: True
|
||
advanced: True
|
||
delete:
|
||
min_age:
|
||
description: Minimum age of index. ex. 90d - This determines when the index should be deleted. It’s important to note that this is calculated relative to the rollover date (NOT the original creation date of the index). For example, if you have an index that is set to rollover after 30 days and delete min_age set to 90 then there will be 30 days from index creation to rollover and then an additional 90 days before deletion.
|
||
regex: ^[0-9]{1,5}d$
|
||
forcedType: string
|
||
global: True
|
||
advanced: True
|
||
helpLink: elasticsearch
|
||
_meta:
|
||
package:
|
||
name:
|
||
description: Meta settings for the mapping.
|
||
global: True
|
||
advanced: True
|
||
helpLink: elasticsearch
|
||
managed_by:
|
||
description: Meta settings for the mapping.
|
||
global: True
|
||
advanced: True
|
||
helpLink: elasticsearch
|
||
managed:
|
||
description: Meta settings for the mapping.
|
||
forcedType: bool
|
||
global: True
|
||
advanced: True
|
||
helpLink: elasticsearch
|
||
so-logs-system_x_auth: *dataStreamSettings
|
||
so-logs-system_x_syslog: *dataStreamSettings
|
||
so-logs-system_x_system: *dataStreamSettings
|
||
so-logs-system_x_application: *dataStreamSettings
|
||
so-logs-system_x_security: *dataStreamSettings
|
||
so-logs-windows_x_forwarded: *dataStreamSettings
|
||
so-logs-windows_x_powershell: *dataStreamSettings
|
||
so-logs-windows_x_powershell_operational: *dataStreamSettings
|
||
so-logs-windows_x_sysmon_operational: *dataStreamSettings
|
||
so-logs-winlog_x_winlog: *dataStreamSettings
|
||
so-logs-detections_x_alerts: *dataStreamSettings
|
||
so-logs-http_endpoint_x_generic: *dataStreamSettings
|
||
so-logs-httpjson_x_generic: *dataStreamSettings
|
||
so-logs-osquery-manager-actions: *dataStreamSettings
|
||
so-logs-osquery-manager-action_x_responses: *dataStreamSettings
|
||
so-logs-osquery-manager_x_action_x_responses: *dataStreamSettings
|
||
so-logs-osquery-manager_x_result: *dataStreamSettings
|
||
so-logs-elastic_agent_x_apm_server: *dataStreamSettings
|
||
so-logs-elastic_agent_x_auditbeat: *dataStreamSettings
|
||
so-logs-elastic_agent_x_cloudbeat: *dataStreamSettings
|
||
so-logs-elastic_agent_x_endpoint_security: *dataStreamSettings
|
||
so-logs-endpoint_x_alerts: *dataStreamSettings
|
||
so-logs-endpoint_x_events_x_api: *dataStreamSettings
|
||
so-logs-endpoint_x_events_x_file: *dataStreamSettings
|
||
so-logs-endpoint_x_events_x_library: *dataStreamSettings
|
||
so-logs-endpoint_x_events_x_network: *dataStreamSettings
|
||
so-logs-endpoint_x_events_x_process: *dataStreamSettings
|
||
so-logs-endpoint_x_events_x_registry: *dataStreamSettings
|
||
so-logs-endpoint_x_events_x_security: *dataStreamSettings
|
||
so-logs-elastic_agent_x_filebeat: *dataStreamSettings
|
||
so-logs-elastic_agent_x_fleet_server: *dataStreamSettings
|
||
so-logs-elastic_agent_x_heartbeat: *dataStreamSettings
|
||
so-logs-elastic_agent: *dataStreamSettings
|
||
so-logs-elastic_agent_x_metricbeat: *dataStreamSettings
|
||
so-logs-elastic_agent_x_osquerybeat: *dataStreamSettings
|
||
so-logs-elastic_agent_x_packetbeat: *dataStreamSettings
|
||
so-logs-elasticsearch_x_server: *dataStreamSettings
|
||
so-metrics-endpoint_x_metadata: *dataStreamSettings
|
||
so-metrics-endpoint_x_metrics: *dataStreamSettings
|
||
so-metrics-endpoint_x_policy: *dataStreamSettings
|
||
so-metrics-nginx_x_stubstatus: *dataStreamSettings
|
||
so-metrics-vsphere_x_datastore: *dataStreamSettings
|
||
so-metrics-vsphere_x_host: *dataStreamSettings
|
||
so-metrics-vsphere_x_virtualmachine: *dataStreamSettings
|
||
so-common: *dataStreamSettings
|
||
so-endgame: *dataStreamSettings
|
||
so-idh: *dataStreamSettings
|
||
so-suricata: *dataStreamSettings
|
||
so-suricata_x_alerts: *dataStreamSettings
|
||
so-import: *dataStreamSettings
|
||
so-kratos: *dataStreamSettings
|
||
so-hydra: *dataStreamSettings
|
||
so-kismet: *dataStreamSettings
|
||
so-logstash: *dataStreamSettings
|
||
so-redis: *dataStreamSettings
|
||
so-strelka: *dataStreamSettings
|
||
so-syslog: *dataStreamSettings
|
||
so-zeek: *dataStreamSettings
|
||
# Managed SOC integration annotations are inserted below this line; each one references the '*dataStreamSettings' anchor defined above.
|
||
so-case: &indexSettings
|
||
index_sorting:
|
||
description: Sorts the index by event time, at the cost of additional processing resource consumption.
|
||
forcedType: bool
|
||
global: True
|
||
advanced: True
|
||
helpLink: elasticsearch
|
||
index_template:
|
||
index_patterns:
|
||
description: Index patterns (wildcards) that select the indices or data streams this template applies to.
|
||
forcedType: "[]string"
|
||
multiline: True
|
||
global: True
|
||
advanced: True
|
||
helpLink: elasticsearch
|
||
template:
settings:
index:
number_of_replicas:
description: Number of replicas required for this index. Multiple replicas protect against data loss, but also increase storage costs.
forcedType: int
global: True
advanced: True
helpLink: elasticsearch
auto_expand_replicas:
description: Automatically expand the number of replicas based on the number of data nodes in the cluster. This can help ensure high availability as the cluster scales up or down.
forcedType: string
regex: "^(0-[1-9]|1-[2-9]|2-[3-9]|3-[4-9]|4-[5-9]|5-[6-9]|6-[7-9]|7-[89]|8-9|[0-9]-all|false)$"
regexFailureMessage: Must be in the format of "x-y" where x is minimum number of replicas and y is maximum number of replicas, or "0-all" to specify a minimum of 0 and no maximum, or "false" to disable automatic replica expansion.
global: True
advanced: True
helpLink: elasticsearch
mapping:
total_fields:
limit:
description: Maximum number of fields that can exist on a single index. Larger values will consume more resources.
global: True
advanced: True
helpLink: elasticsearch
refresh_interval:
description: Seconds between index refreshes. Shorter intervals can cause query performance to suffer since this is a synchronous and resource-intensive operation.
global: True
advanced: True
helpLink: elasticsearch
number_of_shards:
description: Number of shards required for this index. Using multiple shards increases fault tolerance, but also increases storage and network costs.
global: True
advanced: True
helpLink: elasticsearch
sort:
field:
description: The field to sort by. Only takes effect when index_sorting is set to True.
global: True
advanced: True
helpLink: elasticsearch
order:
description: The order to sort by. Only takes effect when index_sorting is set to True.
global: True
advanced: True
helpLink: elasticsearch
mappings:
_meta:
package:
name:
description: Meta settings for the mapping.
global: True
advanced: True
helpLink: elasticsearch
managed_by:
description: Meta settings for the mapping.
global: True
advanced: True
helpLink: elasticsearch
managed:
description: Meta settings for the mapping.
forcedType: bool
global: True
advanced: True
helpLink: elasticsearch
composed_of:
description: The index template is composed of these component templates.
forcedType: "[]string"
global: True
advanced: True
helpLink: elasticsearch
priority:
description: The priority of the index template.
forcedType: int
global: True
advanced: True
helpLink: elasticsearch
policy:
phases:
hot:
min_age:
description: Minimum age of index. This determines when the index should be moved to the hot tier.
global: True
advanced: True
helpLink: elasticsearch
actions:
set_priority:
priority:
description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
forcedType: int
global: True
advanced: True
helpLink: elasticsearch
rollover:
max_age:
description: Maximum age of index. Once an index reaches this limit, it will be rolled over into a new index.
global: True
advanced: True
helpLink: elasticsearch
max_primary_shard_size:
description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index.
global: True
advanced: True
helpLink: elasticsearch
shrink:
method:
description: Shrink the index to a new index with fewer primary shards. The shrink operation is by count or size.
options:
- COUNT
- SIZE
global: True
advanced: True
forcedType: string
number_of_shards:
title: shard count
description: Desired shard count. Note that this value is only used when the shrink method selected is 'COUNT'.
global: True
forcedType: int
advanced: True
max_primary_shard_size:
title: max shard size
description: Desired shard size in gb/tb/pb, e.g. 100gb. Note that this value is only used when the shrink method selected is 'SIZE'.
regex: ^[0-9]+(?:gb|tb|pb)$
global: True
forcedType: string
advanced: True
allow_write_after_shrink:
description: Allow writes after shrink.
global: True
forcedType: bool
default: False
advanced: True
forcemerge:
max_num_segments:
description: Reduce the number of segments in each index shard and clean up deleted documents.
global: True
forcedType: int
advanced: True
index_codec:
title: compression
description: Use higher compression for stored fields at the cost of slower performance.
forcedType: bool
global: True
default: False
advanced: True
warm:
min_age:
description: Minimum age of index, e.g. 30d. This determines when the index should be moved to the warm tier. Nodes in the warm tier generally don't need to be as fast as those in the hot tier. Note that this age is calculated relative to the rollover date (NOT the original creation date of the index). For example, if an index is set to roll over after 30 days and warm min_age is set to 30d, there will be 30 days from index creation to rollover and then an additional 30 days before the move to the warm tier.
regex: ^[0-9]{1,5}d$
forcedType: string
global: True
advanced: True
helpLink: elasticsearch
actions:
set_priority:
priority:
description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
forcedType: int
global: True
advanced: True
helpLink: elasticsearch
rollover:
max_age:
description: Maximum age of index. Once an index reaches this limit, it will be rolled over into a new index.
global: True
advanced: True
helpLink: elasticsearch
max_primary_shard_size:
description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index.
global: True
advanced: True
helpLink: elasticsearch
shrink:
method:
description: Shrink the index to a new index with fewer primary shards. The shrink operation is by count or size.
options:
- COUNT
- SIZE
global: True
advanced: True
number_of_shards:
title: shard count
description: Desired shard count. Note that this value is only used when the shrink method selected is 'COUNT'.
global: True
forcedType: int
advanced: True
max_primary_shard_size:
title: max shard size
description: Desired shard size in gb/tb/pb, e.g. 100gb. Note that this value is only used when the shrink method selected is 'SIZE'.
regex: ^[0-9]+(?:gb|tb|pb)$
global: True
forcedType: string
advanced: True
allow_write_after_shrink:
description: Allow writes after shrink.
global: True
forcedType: bool
default: False
advanced: True
forcemerge:
max_num_segments:
description: Reduce the number of segments in each index shard and clean up deleted documents.
global: True
forcedType: int
advanced: True
index_codec:
title: compression
description: Use higher compression for stored fields at the cost of slower performance.
forcedType: bool
global: True
default: False
advanced: True
allocate:
number_of_replicas:
description: Set the number of replicas. Remains the same as the previous phase by default.
forcedType: int
global: True
advanced: True
cold:
min_age:
description: Minimum age of index, e.g. 60d. This determines when the index should be moved to the cold tier. While still searchable, this tier is typically optimized for lower storage costs rather than search speed. Note that this age is calculated relative to the rollover date (NOT the original creation date of the index). For example, if an index is set to roll over after 30 days and cold min_age is set to 60d, there will be 30 days from index creation to rollover and then an additional 60 days before the move to the cold tier.
regex: ^[0-9]{1,5}d$
forcedType: string
global: True
advanced: True
helpLink: elasticsearch
actions:
set_priority:
priority:
description: Used for index recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
forcedType: int
global: True
advanced: True
helpLink: elasticsearch
allocate:
number_of_replicas:
description: Set the number of replicas. Remains the same as the previous phase by default.
forcedType: int
global: True
advanced: True
delete:
min_age:
description: Minimum age of index, e.g. 90d. This determines when the index should be deleted. Note that this age is calculated relative to the rollover date (NOT the original creation date of the index), so the time an event remains searchable is the time to rollover plus this value. For example, if an index is set to roll over after 30 days and delete min_age is set to 90d, there will be 30 days from index creation to rollover and then an additional 90 days before deletion.
regex: ^[0-9]{1,5}d$
forcedType: string
global: True
advanced: True
helpLink: elasticsearch
_meta:
package:
name:
description: Meta settings for the mapping.
global: True
advanced: True
helpLink: elasticsearch
managed_by:
description: Meta settings for the mapping.
global: True
advanced: True
helpLink: elasticsearch
managed:
description: Meta settings for the mapping.
forcedType: bool
global: True
advanced: True
helpLink: elasticsearch
sos-backup: *indexSettings
so-detection: *indexSettings
so-assistant-chat: *indexSettings
so-assistant-session: *indexSettings
so-metrics-fleet_server_x_agent_status: &fleetMetricsSettings
index_sorting:
description: Sorts the index by event time, at the cost of additional processing resource consumption.
forcedType: bool
advanced: True
readonly: True
helpLink: elasticsearch
index_template:
ignore_missing_component_templates:
description: Ignore component templates that are not present in Elasticsearch.
advanced: True
readonly: True
helpLink: elasticsearch
index_patterns:
description: Patterns for matching multiple indices or tables.
advanced: True
readonly: True
helpLink: elasticsearch
template:
settings:
index:
mode:
description: The index mode used for this index. Time series indices can be used for metrics to reduce the storage required.
advanced: True
readonly: True
helpLink: elasticsearch
number_of_replicas:
description: Number of replicas required for this index. Multiple replicas protect against data loss, but also increase storage costs.
advanced: True
readonly: True
helpLink: elasticsearch
composed_of:
description: The index template is composed of these component templates.
advanced: True
readonly: True
helpLink: elasticsearch
priority:
description: The priority of the index template.
advanced: True
readonly: True
helpLink: elasticsearch
data_stream:
hidden:
description: Hide the data stream.
forcedType: bool
advanced: True
readonly: True
helpLink: elasticsearch
allow_custom_routing:
description: Allow custom routing for the data stream.
forcedType: bool
advanced: True
readonly: True
helpLink: elasticsearch
so-metrics-fleet_server_x_agent_versions: *fleetMetricsSettings
so_roles:
so-manager: &soroleSettings
config:
node:
roles:
description: List of Elasticsearch roles that the node should have. If left blank, the node assumes all roles.
forcedType: "[]string"
global: False
advanced: True
helpLink: elasticsearch
so-managersearch: *soroleSettings
so-standalone: *soroleSettings
so-searchnode: *soroleSettings
so-heavynode: *soroleSettings
so-eval: *soroleSettings
so-import: *soroleSettings