From fe1824aedd776bf9a286f67c41b6c68118538031 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Mon, 15 Jul 2024 11:28:59 -0400
Subject: [PATCH] Revert "Elastic 8.14.2"
---
 salt/common/tools/sbin/so-common | 2 +-
 .../elastic-defend-endpoints.json | 2 +-
 .../endpoints-initial/windows-defender.json | 2 +-
 .../tools/sbin_jinja/so-elastic-fleet-setup | 21 +-
 salt/elasticsearch/defaults.yaml | 2374 +++++++----------
 salt/elasticsearch/soc_elasticsearch.yaml | 52 -
 .../so-elasticsearch-templates-load | 4 +-
 salt/kibana/files/config_saved_objects.ndjson | 2 +-
 .../tools/sbin_jinja/so-kibana-config-load | 2 +-
 9 files changed, 960 insertions(+), 1501 deletions(-)
diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index 8a6effa5c8..05c47a6c17 100755
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -8,7 +8,7 @@
 # Elastic agent is not managed by salt. Because of this we must store this base information in a
 # script that accompanies the soup system. Since so-common is one of those special soup files,
 # and since this same logic is required during installation, it's included in this file.
-ELASTIC_AGENT_TARBALL_VERSION="8.14.2"
+ELASTIC_AGENT_TARBALL_VERSION="8.10.4"
 ELASTIC_AGENT_URL="https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz"
 ELASTIC_AGENT_MD5_URL="https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5"
 ELASTIC_AGENT_FILE="/nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz"
diff --git a/salt/elasticfleet/files/integrations/elastic-defend/elastic-defend-endpoints.json b/salt/elasticfleet/files/integrations/elastic-defend/elastic-defend-endpoints.json
index 15f08a1511..de35f803b8 100644
--- a/salt/elasticfleet/files/integrations/elastic-defend/elastic-defend-endpoints.json
+++ b/salt/elasticfleet/files/integrations/elastic-defend/elastic-defend-endpoints.json
@@ -5,7 +5,7 @@
 "package": {
 "name": "endpoint",
 "title": "Elastic Defend",
-"version": "8.14.0"
+"version": "8.10.2"
 },
 "enabled": true,
 "policy_id": "endpoints-initial",
diff --git a/salt/elasticfleet/files/integrations/endpoints-initial/windows-defender.json b/salt/elasticfleet/files/integrations/endpoints-initial/windows-defender.json
index ab7e0783fe..ac4394e628 100644
--- a/salt/elasticfleet/files/integrations/endpoints-initial/windows-defender.json
+++ b/salt/elasticfleet/files/integrations/endpoints-initial/windows-defender.json
@@ -11,7 +11,7 @@
 "winlogs-winlog": {
 "enabled": true,
 "streams": {
-"winlog.winlogs": {
+"winlog.winlog": {
 "enabled": true,
 "vars": {
 "channel": "Microsoft-Windows-Windows Defender/Operational",
diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup
index 7e497f6f58..0748557fd1 100755
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup
@@ -53,8 +53,7 @@ fi
 printf "\n### Create ES Token ###\n"
 ESTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/service_tokens" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq -r .value)
-### Create Outputs, Fleet Policy and Fleet URLs ###
-# Create the Manager Elasticsearch Output first and set it as the default output
+### Create Outputs & Fleet URLs ###
 printf "\nAdd Manager Elasticsearch Output...\n"
 ESCACRT=$(openssl x509 -in $INTCA)
 JSON_STRING=$( jq -n \
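Review bot: The stream key `winlog.winlog` has to match the data stream id exposed by the winlog integration package that is actually installed in Fleet, and nothing in this policy file pins that package version; a key that does not match the installed package does not produce an error at load time, it most likely just leaves the `Microsoft-Windows-Windows Defender/Operational` channel uncollected. Because this commit also moves the agent back to 8.10.4 the pairing is presumably consistent today, but a post-load check in the setup script (e.g. query `/api/fleet/package_policies` and assert the `winlog.winlog` stream is present and enabled) would make a future mismatch visible rather than a silent telemetry gap. JSON has no comments, so record the winlog package version this key is valid for next to the other pinned versions in so-common or in the commit message.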
@@ -63,13 +62,7 @@ JSON_STRING=$( jq -n \
 curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/outputs" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
 printf "\n\n"
-# Create the Manager Fleet Server Host Agent Policy
-# This has to be done while the Elasticsearch Output is set to the default Output
-printf "Create Manager Fleet Server Policy...\n"
-elastic_fleet_policy_create "FleetServer_{{ GLOBALS.hostname }}" "Fleet Server - {{ GLOBALS.hostname }}" "true" "120"
-
-# Now we can create the Logstash Output and set it to to be the default Output
-printf "\n\nCreate Logstash Output Config if node is not an Import or Eval install\n"
+printf "\nCreate Logstash Output Config if node is not an Import or Eval install\n"
 {% if grains.role not in ['so-import', 'so-eval'] %}
 LOGSTASHCRT=$(openssl x509 -in /etc/pki/elasticfleet-logstash.crt)
 LOGSTASHKEY=$(openssl rsa -in /etc/pki/elasticfleet-logstash.key)
@@ -108,6 +101,16 @@ printf "\n\n"
 # Load Elasticsearch templates
 /usr/sbin/so-elasticsearch-templates-load
+# Manager Fleet Server Host
+elastic_fleet_policy_create "FleetServer_{{ GLOBALS.hostname }}" "Fleet Server - {{ GLOBALS.hostname }}" "true" "120"
+
+#Temp Fixup for ES Output bug
+JSON_STRING=$( jq -n \
+ --arg NAME "FleetServer_{{ GLOBALS.hostname }}" \
+ '{"name": $NAME,"description": $NAME,"namespace":"default","monitoring_enabled":["logs"],"inactivity_timeout":120,"data_output_id":"so-manager_elasticsearch"}'
+ )
+curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/agent_policies/FleetServer_{{ GLOBALS.hostname }}" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
+
 # Initial Endpoints Policy
 elastic_fleet_policy_create "endpoints-initial" "Initial Endpoint Policy" "false" "1209600"
diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index e1a2d192f1..36d673d70b 100644
--- a/salt/elasticsearch/defaults.yaml
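Review bot: The "Temp Fixup" `curl -X PUT` to `/api/fleet/agent_policies/FleetServer_{{ GLOBALS.hostname }}` is fire-and-forget: there is no `--fail`/`--fail-with-body`, its exit status is not checked and the response is not inspected, so if Kibana rejects the update the Fleet Server policy silently keeps whatever output is the default at that point (on non-import/eval nodes that is the Logstash output created earlier in this script) and the install carries on as if it succeeded. Wrap it, e.g. `if ! curl --fail-with-body -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/agent_policies/FleetServer_{{ GLOBALS.hostname }}" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" | jq -e '.item.data_output_id == "so-manager_elasticsearch"' >/dev/null; then echo "Failed to pin Fleet Server policy to the Elasticsearch output"; exit 1; fi`. The comment `#Temp Fixup for ES Output bug` should name the tracked issue and the Kibana version range it applies to, so the workaround can be removed deliberately rather than forgotten. Note that the `elastic_fleet_policy_create` helper is defined outside this hunk, so whether it performs its own error handling cannot be judged from here.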
+++ b/salt/elasticsearch/defaults.yaml @@ -56,6 +56,87 @@ elasticsearch: enabled: true key: /usr/share/elasticsearch/config/elasticsearch.key verification_mode: none + pipelines: + custom001: + description: Custom Pipeline + processors: + - set: + field: tags + value: custom001 + - pipeline: + name: common + custom002: + description: Custom Pipeline + processors: + - set: + field: tags + value: custom002 + - pipeline: + name: common + custom003: + description: Custom Pipeline + processors: + - set: + field: tags + value: custom003 + - pipeline: + name: common + custom004: + description: Custom Pipeline + processors: + - set: + field: tags + value: custom004 + - pipeline: + name: common + custom005: + description: Custom Pipeline + processors: + - set: + field: tags + value: custom005 + - pipeline: + name: common + custom006: + description: Custom Pipeline + processors: + - set: + field: tags + value: custom006 + - pipeline: + name: common + custom007: + description: Custom Pipeline + processors: + - set: + field: tags + value: custom007 + - pipeline: + name: common + custom008: + description: Custom Pipeline + processors: + - set: + field: tags + value: custom008 + - pipeline: + name: common + custom009: + description: Custom Pipeline + processors: + - set: + field: tags + value: custom009 + - pipeline: + name: common + custom010: + description: Custom Pipeline + processors: + - set: + field: tags + value: custom010 + - pipeline: + name: common index_settings: global_overrides: index_template: 
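Review bot: Each of the ten `custom00N` pipelines tags the event with a `set` processor on `tags`, and `set` replaces an existing value by default, so any `tags` the document already carries from the shipper or an upstream pipeline are collapsed to the single string `custom00N` before the event is handed to `common`. If the intent is to mark the event rather than discard its existing tags, `append` is the matching processor: `- append:` / `field: tags` / `value: custom001` (it also creates an array when the field is absent, where `set` creates a bare string). Ten blocks differing only in the numeric suffix are a maintenance hazard; if this file is rendered through Jinja a loop would generate them, otherwise a one-line comment stating that they are intentionally identical placeholders for operator customisation would at least make that explicit.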
@@ -89,13 +170,84 @@ elasticsearch: set_priority: priority: 50 min_age: 30d + so-items: + index_sorting: false + index_template: + composed_of: + - so-items-mappings + index_patterns: + - .items-default-** + priority: 500 + template: + mappings: + date_detection: false + settings: + index: + lifecycle: + name: so-items-logs + rollover_alias: ".items-default" + routing: + allocation: + include: + _tier_preference: "data_content" + mapping: + total_fields: + limit: 10000 + number_of_replicas: 0 + number_of_shards: 1 + refresh_interval: 30s + sort: + field: '@timestamp' + order: desc + policy: + phases: + hot: + actions: + rollover: + max_size: 50gb + min_age: 0ms + so-lists: + index_sorting: false + index_template: + composed_of: + - so-lists-mappings + index_patterns: + - .lists-default-** + priority: 500 + template: + mappings: + date_detection: false + settings: + index: + lifecycle: + name: so-lists-logs + rollover_alias: ".lists-default" + routing: + allocation: + include: + _tier_preference: "data_content" + mapping: + total_fields: + limit: 10000 + number_of_replicas: 0 + number_of_shards: 1 + refresh_interval: 30s + sort: + field: '@timestamp' + order: desc + policy: + phases: + hot: + actions: + rollover: + max_size: 50gb + min_age: 0ms so-case: index_sorting: false index_template: composed_of: - case-mappings - case-settings - ignore_missing_component_templates: [] index_patterns: - so-case* priority: 500 
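Review bot: The re-added `so-items` and `so-lists` policies roll over on `max_size: 50gb`, while the other policies in this file use `max_primary_shard_size: 50gb`; with one primary shard and zero replicas the two behave the same, but `max_size` counts all primary shards and diverges as soon as someone raises `number_of_shards`, so use `max_primary_shard_size` here too for consistency. The index patterns `.items-default-**` and `.lists-default-**` use a doubled wildcard that Elasticsearch appears to treat no differently from a single `*`, and the double form suggests a meaning it does not have. Neither policy has a delete phase, unlike the log policies around them; that is presumably deliberate for Kibana value lists, but a comment such as `# reference data for Kibana lists: rollover only, never expired` would stop a future cleanup pass from "fixing" it.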
@@ -119,7 +271,36 @@ elasticsearch: sort: field: '@timestamp' order: desc - so-common: + so-detection: + index_sorting: false + index_template: + composed_of: + - detection-mappings + - detection-settings + index_patterns: + - so-detection* + priority: 500 + template: + mappings: + date_detection: false + dynamic_templates: + - strings_as_keyword: + mapping: + ignore_above: 1024 + type: keyword + match_mapping_type: string + settings: + index: + mapping: + total_fields: + limit: 1500 + number_of_replicas: 0 + number_of_shards: 1 + refresh_interval: 30s + sort: + field: '@timestamp' + order: desc + so-logs-soc: close: 30 delete: 365 index_sorting: false @@ -131,9 +312,7 @@ elasticsearch: - dtc-base-mappings - client-mappings - dtc-client-mappings - - cloud-mappings - container-mappings - - data_stream-mappings - destination-mappings - dtc-destination-mappings - pb-override-destination-mappings @@ -157,12 +336,10 @@ elasticsearch: - dtc-network-mappings - observer-mappings - dtc-observer-mappings - - orchestrator-mappings - organization-mappings - package-mappings - process-mappings - dtc-process-mappings - - registry-mappings - related-mappings - rule-mappings - dtc-rule-mappings @@ -172,23 +349,17 @@ elasticsearch: - source-mappings - dtc-source-mappings - pb-override-source-mappings - - syslog-mappings - - dtc-syslog-mappings - threat-mappings - tls-mappings - - tracing-mappings - url-mappings - user_agent-mappings - dtc-user_agent-mappings - - vulnerability-mappings - common-settings - common-dynamic-mappings - - winlog-mappings data_stream: {} - ignore_missing_component_templates: [] index_patterns: - - logs-*-so* - priority: 1 + - logs-soc-so* + priority: 500 template: mappings: date_detection: false @@ -201,7 +372,7 @@ elasticsearch: settings: index: lifecycle: - name: so-common-logs + name: so-soc-logs mapping: total_fields: limit: 5000 
@@ -236,16 +407,75 @@ elasticsearch: priority: 50 min_age: 30d warm: 7 - so-detection: + so-common: + close: 30 + delete: 365 index_sorting: false index_template: composed_of: - - detection-mappings - - detection-settings - ignore_missing_component_templates: [] + - agent-mappings + - dtc-agent-mappings + - base-mappings + - dtc-base-mappings + - client-mappings + - dtc-client-mappings + - cloud-mappings + - container-mappings + - data_stream-mappings + - destination-mappings + - dtc-destination-mappings + - pb-override-destination-mappings + - dll-mappings + - dns-mappings + - dtc-dns-mappings + - ecs-mappings + - dtc-ecs-mappings + - error-mappings + - event-mappings + - dtc-event-mappings + - file-mappings + - dtc-file-mappings + - group-mappings + - host-mappings + - dtc-host-mappings + - http-mappings + - dtc-http-mappings + - log-mappings + - network-mappings + - dtc-network-mappings + - observer-mappings + - dtc-observer-mappings + - orchestrator-mappings + - organization-mappings + - package-mappings + - process-mappings + - dtc-process-mappings + - registry-mappings + - related-mappings + - rule-mappings + - dtc-rule-mappings + - server-mappings + - service-mappings + - dtc-service-mappings + - source-mappings + - dtc-source-mappings + - pb-override-source-mappings + - syslog-mappings + - dtc-syslog-mappings + - threat-mappings + - tls-mappings + - tracing-mappings + - url-mappings + - user_agent-mappings + - dtc-user_agent-mappings + - vulnerability-mappings + - common-settings + - common-dynamic-mappings + - winlog-mappings + data_stream: {} index_patterns: - - so-detection* - priority: 500 + - logs-*-so* + priority: 1 template: mappings: date_detection: false 
@@ -257,15 +487,42 @@ elasticsearch: match_mapping_type: string settings: index: + lifecycle: + name: so-common-logs mapping: total_fields: - limit: 1500 + limit: 5000 number_of_replicas: 0 number_of_shards: 1 refresh_interval: 30s sort: field: '@timestamp' order: desc + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 60d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + warm: 7 so-endgame: index_sorting: false index_template: @@ -328,7 +585,6 @@ elasticsearch: - common-settings - common-dynamic-mappings - winlog-mappings - ignore_missing_component_templates: [] index_patterns: - endgame* priority: 500 @@ -434,7 +690,6 @@ elasticsearch: - dtc-user_agent-mappings - common-settings - common-dynamic-mappings - ignore_missing_component_templates: [] index_patterns: - so-idh-* priority: 500 @@ -547,7 +802,6 @@ elasticsearch: - common-dynamic-mappings - winlog-mappings data_stream: {} - ignore_missing_component_templates: [] index_patterns: - logs-import-so* priority: 500 
@@ -598,91 +852,6 @@ elasticsearch: set_priority: priority: 50 min_age: 30d - so-items: - index_sorting: false - index_template: - composed_of: - - so-items-mappings - ignore_missing_component_templates: [] - index_patterns: - - .items-default-** - priority: 500 - template: - mappings: - date_detection: false - settings: - index: - lifecycle: - name: so-items-logs - rollover_alias: .items-default - mapping: - total_fields: - limit: 10000 - number_of_replicas: 0 - number_of_shards: 1 - refresh_interval: 30s - routing: - allocation: - include: - _tier_preference: data_content - sort: - field: '@timestamp' - order: desc - policy: - phases: - hot: - actions: - rollover: - max_size: 50gb - min_age: 0ms - so-kismet: - index_sorting: false - index_template: - composed_of: - - kismet-mappings - - source-mappings - - client-mappings - - device-mappings - - network-mappings - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: [] - index_patterns: - - logs-kismet-so* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-kismet-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d so-kratos: close: 30 delete: 365 @@ -742,7 +911,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: [] index_patterns: - logs-kratos-so* priority: 500 
@@ -775,61 +943,24 @@ elasticsearch: set_priority: priority: 0 min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - warm: 7 - so-lists: - index_sorting: false - index_template: - composed_of: - - so-lists-mappings - ignore_missing_component_templates: [] - index_patterns: - - .lists-default-** - priority: 500 - template: - mappings: - date_detection: false - settings: - index: - lifecycle: - name: so-lists-logs - rollover_alias: .lists-default - mapping: - total_fields: - limit: 10000 - number_of_replicas: 0 - number_of_shards: 1 - refresh_interval: 30s - routing: - allocation: - include: - _tier_preference: data_content - sort: - field: '@timestamp' - order: desc - policy: - phases: + delete: + actions: + delete: {} + min_age: 365d hot: actions: rollover: - max_size: 50gb + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + warm: 7 so-logs: index_sorting: false index_template: @@ -842,7 +973,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: [] index_patterns: - logs-*-* priority: 225 @@ -904,8 +1034,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-1password.item_usages@custom index_patterns: - logs-1password.item_usages-* priority: 501 @@ -950,8 +1078,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-1password.signin_attempts@custom index_patterns: - logs-1password.signin_attempts-* priority: 501 
@@ -996,8 +1122,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-apache.access@custom index_patterns: - logs-apache.access-* priority: 501 @@ -1042,8 +1166,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-apache.error@custom index_patterns: - logs-apache.error-* priority: 501 @@ -1088,8 +1210,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-auditd.log@custom index_patterns: - logs-auditd.log-* priority: 501 @@ -1134,8 +1254,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-auth0.logs@custom index_patterns: - logs-auth0.logs-* priority: 501 @@ -1170,27 +1288,25 @@ elasticsearch: priority: 50 min_age: 30d so-logs-aws_x_cloudfront_logs: - index_sorting: false + index_sorting: False index_template: - composed_of: - - logs-aws.cloudfront_logs@package - - logs-aws.cloudfront_logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.cloudfront_logs@custom index_patterns: - - logs-aws.cloudfront_logs-* - priority: 501 + - "logs-aws.cloudfront_logs-*" template: settings: index: lifecycle: name: so-logs-aws.cloudfront_logs-logs number_of_replicas: 0 + composed_of: + - "logs-aws.cloudfront_logs@package" + - "logs-aws.cloudfront_logs@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: cold: @@ -1226,8 +1342,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-aws.cloudtrail@custom index_patterns: - logs-aws.cloudtrail-* priority: 501 
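Review bot: These templates keep `logs-<ds>@custom` in `composed_of` but drop `ignore_missing_component_templates`, and Elasticsearch rejects an index template whose `composed_of` references a component template that does not exist, so loading every one of them now depends on the corresponding `@custom` component template already being present in the cluster. That is presumably what the 8.10.x `so-elasticsearch-templates-load` (changed in this commit but not shown here) guarantees by creating empty `@custom` templates first; the dependency should be stated in this file, e.g. `# NOTE: every logs-*@custom component template referenced below must be created by so-elasticsearch-templates-load before these index templates are PUT`, so a reordering of the load script does not break template installation silently. Because failures here mean the data stream falls back to a lower-priority template with different mappings and ILM, this is worth a startup check rather than a log line.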
@@ -1272,8 +1386,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-aws.cloudwatch_logs@custom index_patterns: - logs-aws.cloudwatch_logs-* priority: 501 @@ -1318,8 +1430,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-aws.ec2_logs@custom index_patterns: - logs-aws.ec2_logs-* priority: 501 @@ -1364,8 +1474,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-aws.elb_logs@custom index_patterns: - logs-aws.elb_logs-* priority: 501 @@ -1410,8 +1518,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-aws.firewall_logs@custom index_patterns: - logs-aws.firewall_logs-* priority: 501 @@ -1446,27 +1552,25 @@ elasticsearch: priority: 50 min_age: 30d so-logs-aws_x_guardduty: - index_sorting: false + index_sorting: False index_template: - composed_of: - - logs-aws.guardduty@package - - logs-aws.guardduty@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.guardduty@custom index_patterns: - - logs-aws.guardduty-* - priority: 501 + - "logs-aws.guardduty-*" template: settings: index: lifecycle: name: so-logs-aws.guardduty-logs number_of_replicas: 0 + composed_of: + - "logs-aws.guardduty@package" + - "logs-aws.guardduty@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: cold: 
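Review bot: `index_sorting: False` reintroduces a capitalised YAML boolean into a file whose other templates (e.g. `so-logs-aws_x_cloudtrail` immediately above) write `false`; PyYAML-based Salt reads both as booleans, but a consumer using the YAML 1.2 JSON schema would see the string `"False"`, and the mixed spelling invites copy/paste into a stricter context. Use `index_sorting: false` throughout. The same hunk also quotes list entries (`"logs-aws.guardduty@package"`) and reorders `composed_of`/`priority`/`data_stream` below `template`, both of which are harmless to the parser but differ from every neighbouring template; one convention per file keeps future diffs reviewable.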
@@ -1492,27 +1596,25 @@ elasticsearch: priority: 50 min_age: 30d so-logs-aws_x_inspector: - index_sorting: false + index_sorting: False index_template: - composed_of: - - logs-aws.inspector@package - - logs-aws.inspector@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.inspector@custom index_patterns: - - logs-aws.inspector-* - priority: 501 + - "logs-aws.inspector-*" template: settings: index: lifecycle: name: so-logs-aws.inspector-logs number_of_replicas: 0 + composed_of: + - "logs-aws.inspector@package" + - "logs-aws.inspector@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: cold: @@ -1548,8 +1650,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-aws.route53_public_logs@custom index_patterns: - logs-aws.route53_public_logs-* priority: 501 @@ -1594,8 +1694,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-aws.route53_resolver_logs@custom index_patterns: - logs-aws.route53_resolver_logs-* priority: 501 @@ -1640,8 +1738,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-aws.s3access@custom index_patterns: - logs-aws.s3access-* priority: 501 
@@ -1676,27 +1772,25 @@ elasticsearch: priority: 50 min_age: 30d so-logs-aws_x_securityhub_findings: - index_sorting: false + index_sorting: False index_template: - composed_of: - - logs-aws.securityhub_findings@package - - logs-aws.securityhub_findings@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.securityhub_findings@custom index_patterns: - - logs-aws.securityhub_findings-* - priority: 501 + - "logs-aws.securityhub_findings-*" template: settings: index: lifecycle: name: so-logs-aws.securityhub_findings-logs number_of_replicas: 0 + composed_of: + - "logs-aws.securityhub_findings@package" + - "logs-aws.securityhub_findings@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: cold: @@ -1722,27 +1816,25 @@ elasticsearch: priority: 50 min_age: 30d so-logs-aws_x_securityhub_insights: - index_sorting: false + index_sorting: False index_template: - composed_of: - - logs-aws.securityhub_insights@package - - logs-aws.securityhub_insights@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.securityhub_insights@custom index_patterns: - - logs-aws.securityhub_insights-* - priority: 501 + - "logs-aws.securityhub_insights-*" template: settings: index: lifecycle: name: so-logs-aws.securityhub_insights-logs number_of_replicas: 0 + composed_of: + - "logs-aws.securityhub_insights@package" + - "logs-aws.securityhub_insights@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: cold: 
@@ -1778,8 +1870,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-aws.vpcflow@custom index_patterns: - logs-aws.vpcflow-* priority: 501 @@ -1824,8 +1914,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-aws.waf@custom index_patterns: - logs-aws.waf-* priority: 501 @@ -1870,8 +1958,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-azure.activitylogs@custom index_patterns: - logs-azure.activitylogs-* priority: 501 @@ -1916,8 +2002,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-azure.application_gateway@custom index_patterns: - logs-azure.application_gateway-* priority: 501 @@ -1962,8 +2046,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-azure.auditlogs@custom index_patterns: - logs-azure.auditlogs-* priority: 501 @@ -2008,8 +2090,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-azure.eventhub@custom index_patterns: - logs-azure.eventhub-* priority: 501 @@ -2054,8 +2134,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-azure.firewall_logs@custom index_patterns: - logs-azure.firewall_logs-* priority: 501 @@ -2100,8 +2178,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-azure.identity_protection@custom index_patterns: - logs-azure.identity_protection-* priority: 501 @@ -2146,8 +2222,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-azure.platformlogs@custom index_patterns: - logs-azure.platformlogs-* priority: 501 
@@ -2192,8 +2266,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-azure.provisioning@custom index_patterns: - logs-azure.provisioning-* priority: 501 @@ -2238,8 +2310,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-azure.signinlogs@custom index_patterns: - logs-azure.signinlogs-* priority: 501 @@ -2284,8 +2354,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-azure.springcloudlogs@custom index_patterns: - logs-azure.springcloudlogs-* priority: 501 @@ -2330,8 +2398,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-barracuda.waf@custom index_patterns: - logs-barracuda.waf-* priority: 501 @@ -2376,8 +2442,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-carbonblack_edr.log@custom index_patterns: - logs-carbonblack_edr.log-* priority: 501 @@ -2412,27 +2476,25 @@ elasticsearch: priority: 50 min_age: 30d so-logs-cef_x_log: - index_sorting: false + index_sorting: False index_template: - composed_of: - - logs-cef.log@package - - logs-cef.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cef.log@custom index_patterns: - - logs-cef.log-* - priority: 501 + - "logs-cef.log-*" template: settings: index: lifecycle: name: so-logs-cef.log-logs number_of_replicas: 0 + composed_of: + - "logs-cef.log@package" + - "logs-cef.log@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: cold: 
@@ -2458,27 +2520,25 @@ elasticsearch: priority: 50 min_age: 30d so-logs-checkpoint_x_firewall: - index_sorting: false + index_sorting: False index_template: - composed_of: - - logs-checkpoint.firewall@package - - logs-checkpoint.firewall@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-checkpoint.firewall@custom index_patterns: - - logs-checkpoint.firewall-* - priority: 501 + - "logs-checkpoint.firewall-*" template: settings: index: lifecycle: name: so-logs-checkpoint.firewall-logs number_of_replicas: 0 + composed_of: + - "logs-checkpoint.firewall@package" + - "logs-checkpoint.firewall@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: cold: @@ -2514,8 +2574,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-cisco_asa.log@custom index_patterns: - logs-cisco_asa.log-* priority: 501 @@ -2560,8 +2618,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-cisco_duo.admin@custom index_patterns: - logs-cisco_duo.admin-* priority: 501 @@ -2606,8 +2662,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-cisco_duo.auth@custom index_patterns: - logs-cisco_duo.auth-* priority: 501 @@ -2652,8 +2706,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-cisco_duo.offline_enrollment@custom index_patterns: - logs-cisco_duo.offline_enrollment-* priority: 501 @@ -2698,8 +2750,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-cisco_duo.summary@custom index_patterns: - logs-cisco_duo.summary-* priority: 501 
@@ -2744,8 +2794,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-cisco_duo.telephony@custom index_patterns: - logs-cisco_duo.telephony-* priority: 501 @@ -2780,27 +2828,25 @@ elasticsearch: priority: 50 min_age: 30d so-logs-cisco_ftd_x_log: - index_sorting: false + index_sorting: False index_template: - composed_of: - - logs-cisco_ftd.log@package - - logs-cisco_ftd.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cisco_ftd.log@custom index_patterns: - - logs-cisco_ftd.log-* - priority: 501 + - "logs-cisco_ftd.log-*" template: settings: index: lifecycle: name: so-logs-cisco_ftd.log-logs number_of_replicas: 0 + composed_of: + - "logs-cisco_ftd.log@package" + - "logs-cisco_ftd.log@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: cold: @@ -2826,27 +2872,25 @@ elasticsearch: priority: 50 min_age: 30d so-logs-cisco_ios_x_log: - index_sorting: false + index_sorting: False index_template: - composed_of: - - logs-cisco_ios.log@package - - logs-cisco_ios.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cisco_ios.log@custom index_patterns: - - logs-cisco_ios.log-* - priority: 501 + - "logs-cisco_ios.log-*" template: settings: index: lifecycle: name: so-logs-cisco_ios.log-logs number_of_replicas: 0 + composed_of: + - "logs-cisco_ios.log@package" + - "logs-cisco_ios.log@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: cold: 
@@ -2872,27 +2916,25 @@ elasticsearch: priority: 50 min_age: 30d so-logs-cisco_ise_x_log: - index_sorting: false + index_sorting: False index_template: - composed_of: - - logs-cisco_ise.log@package - - logs-cisco_ise.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cisco_ise.log@custom index_patterns: - - logs-cisco_ise.log-* - priority: 501 + - "logs-cisco_ise.log-*" template: settings: index: lifecycle: name: so-logs-cisco_ise.log-logs number_of_replicas: 0 + composed_of: + - "logs-cisco_ise.log@package" + - "logs-cisco_ise.log@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: cold: @@ -2928,8 +2970,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-cisco_meraki.events@custom index_patterns: - logs-cisco_meraki.events-* priority: 501 @@ -2974,8 +3014,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-cisco_meraki.log@custom index_patterns: - logs-cisco_meraki.log-* priority: 501 @@ -3020,8 +3058,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-cisco_umbrella.log@custom index_patterns: - logs-cisco_umbrella.log-* priority: 501 
@@ -3056,27 +3092,25 @@ elasticsearch: priority: 50 min_age: 30d so-logs-citrix_adc_x_interface: - index_sorting: false + index_sorting: False index_template: - composed_of: - - logs-citrix_adc.interface@package - - logs-citrix_adc.interface@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-citrix_adc.interface@custom index_patterns: - - logs-citrix_adc.interface-* - priority: 501 + - "logs-citrix_adc.interface-*" template: settings: index: lifecycle: name: so-logs-citrix_adc.interface-logs number_of_replicas: 0 + composed_of: + - "logs-citrix_adc.interface@package" + - "logs-citrix_adc.interface@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: cold: @@ -3102,27 +3136,25 @@ elasticsearch: priority: 50 min_age: 30d so-logs-citrix_adc_x_lbvserver: - index_sorting: false + index_sorting: False index_template: - composed_of: - - logs-citrix_adc.lbvserver@package - - logs-citrix_adc.lbvserver@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-citrix_adc.lbvserver@custom index_patterns: - - logs-citrix_adc.lbvserver-* - priority: 501 + - "logs-citrix_adc.lbvserver-*" template: settings: index: lifecycle: name: so-logs-citrix_adc.lbvserver-logs number_of_replicas: 0 + composed_of: + - "logs-citrix_adc.lbvserver@package" + - "logs-citrix_adc.lbvserver@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: cold: 
@@ -3148,27 +3180,25 @@ elasticsearch: priority: 50 min_age: 30d so-logs-citrix_adc_x_service: - index_sorting: false + index_sorting: False index_template: - composed_of: - - logs-citrix_adc.service@package - - logs-citrix_adc.service@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-citrix_adc.service@custom index_patterns: - - logs-citrix_adc.service-* - priority: 501 + - "logs-citrix_adc.service-*" template: settings: index: lifecycle: name: so-logs-citrix_adc.service-logs number_of_replicas: 0 + composed_of: + - "logs-citrix_adc.service@package" + - "logs-citrix_adc.service@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: cold: @@ -3194,27 +3224,25 @@ elasticsearch: priority: 50 min_age: 30d so-logs-citrix_adc_x_system: - index_sorting: false + index_sorting: False index_template: - composed_of: - - logs-citrix_adc.system@package - - logs-citrix_adc.system@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-citrix_adc.system@custom index_patterns: - - logs-citrix_adc.system-* - priority: 501 + - "logs-citrix_adc.system-*" template: settings: index: lifecycle: name: so-logs-citrix_adc.system-logs number_of_replicas: 0 + composed_of: + - "logs-citrix_adc.system@package" + - "logs-citrix_adc.system@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: cold: 
@@ -3240,27 +3268,25 @@ elasticsearch: priority: 50 min_age: 30d so-logs-citrix_adc_x_vpn: - index_sorting: false + index_sorting: False index_template: - composed_of: - - logs-citrix_adc.vpn@package - - logs-citrix_adc.vpn@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-citrix_adc.vpn@custom index_patterns: - - logs-citrix_adc.vpn-* - priority: 501 + - "logs-citrix_adc.vpn-*" template: settings: index: lifecycle: name: so-logs-citrix_adc.vpn-logs number_of_replicas: 0 + composed_of: + - "logs-citrix_adc.vpn@package" + - "logs-citrix_adc.vpn@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: cold: @@ -3285,28 +3311,26 @@ elasticsearch: set_priority: priority: 50 min_age: 30d - so-logs-citrix_waf_x_log: - index_sorting: false - index_template: - composed_of: - - logs-citrix_waf.log@package - - logs-citrix_waf.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-citrix_waf.log@custom + so-logs-citrix_waf_x_log: + index_sorting: False + index_template: index_patterns: - - logs-citrix_waf.log-* - priority: 501 + - "logs-citrix_waf.log-*" template: settings: index: lifecycle: name: so-logs-citrix_waf.log-logs number_of_replicas: 0 + composed_of: + - "logs-citrix_waf.log@package" + - "logs-citrix_waf.log@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: cold: @@ -3342,8 +3366,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-cloudflare.audit@custom index_patterns: - logs-cloudflare.audit-* priority: 501 
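Review bot: In the `@@ -3285,28 +3311,26 @@` hunk the `so-logs-citrix_waf_x_log:` key is deleted and re-added with no visible textual difference, which means the change is whitespace only; in YAML a different indentation on that one line re-parents the entire block, so check that the re-added key sits at exactly the same column as `so-logs-citrix_adc_x_vpn:` above it. The block otherwise repeats the pattern of this revert: `index_sorting: False` where the siblings use `false`, and `ignore_missing_component_templates` removed while `composed_of` still lists `logs-citrix_waf.log@custom`, which makes the template PUT depend on that component template already existing. I would at least normalise to `index_sorting: false`.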
@@ -3388,8 +3410,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-cloudflare.logpull@custom index_patterns: - logs-cloudflare.logpull-* priority: 501 @@ -3434,8 +3454,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-crowdstrike.falcon@custom index_patterns: - logs-crowdstrike.falcon-* priority: 501 @@ -3480,8 +3498,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-crowdstrike.fdr@custom index_patterns: - logs-crowdstrike.fdr-* priority: 501 @@ -3526,8 +3542,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-darktrace.ai_analyst_alert@custom index_patterns: - logs-darktrace.ai_analyst_alert-* priority: 501 @@ -3572,8 +3586,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-darktrace.model_breach_alert@custom index_patterns: - logs-darktrace.model_breach_alert-* priority: 501 @@ -3618,8 +3630,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-darktrace.system_status_alert@custom index_patterns: - logs-darktrace.system_status_alert-* priority: 501 @@ -3665,7 +3675,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: [] index_patterns: - logs-detections.alerts-* priority: 501 @@ -3728,8 +3737,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-elastic_agent@custom index_patterns: - logs-elastic_agent-* priority: 501 
@@ -3791,8 +3798,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-elastic_agent.apm_server@custom index_patterns: - logs-elastic_agent.apm_server-* priority: 501 @@ -3854,8 +3859,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-elastic_agent.auditbeat@custom index_patterns: - logs-elastic_agent.auditbeat-* priority: 501 @@ -3914,8 +3917,6 @@ elasticsearch: - logs-elastic_agent.cloudbeat@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 - ignore_missing_component_templates: - - logs-elastic_agent.cloudbeat@custom index_patterns: - logs-elastic_agent.cloudbeat-* priority: 501 @@ -3978,8 +3979,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-elastic_agent.endpoint_security@custom index_patterns: - logs-elastic_agent.endpoint_security-* priority: 501 @@ -4036,8 +4035,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-elastic_agent.filebeat@custom index_patterns: - logs-elastic_agent.filebeat-* priority: 501 @@ -4094,8 +4091,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-elastic_agent.fleet_server@custom index_patterns: - logs-elastic_agent.fleet_server-* priority: 501 @@ -4145,8 +4140,6 @@ elasticsearch: - logs-elastic_agent.heartbeat@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 - ignore_missing_component_templates: - - logs-elastic_agent.heartbeat@custom index_patterns: - logs-elastic_agent.heartbeat-* priority: 501 @@ -4209,8 +4202,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-elastic_agent.metricbeat@custom index_patterns: - logs-elastic_agent.metricbeat-* priority: 501 
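Review bot: In the `@@ -3914,8 +3917,6 @@` hunk the context lines show `composed_of` still listing `logs-elastic_agent.cloudbeat@custom`, while the only removed lines are the `ignore_missing_component_templates` entry naming that same component template. Elasticsearch validates `composed_of` when the index template is stored and rejects the template if a referenced component template is missing unless it appears in `ignore_missing_component_templates` (supported since the 8.7 line, so valid for the 8.10.4 target of this revert); if the `@custom` template is only created later by the integration install, the template load would fail for this entry and the data stream would presumably not pick up `so-fleet_globals-1` / `so-fleet_agent_id_verification-1`. Unless the loader already guarantees that ordering, keep `ignore_missing_component_templates:` / `- logs-elastic_agent.cloudbeat@custom` here. The `@@ -4145,8 +4140,6 @@` heartbeat hunk on this line has the identical shape and the same concern.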
@@ -4267,8 +4258,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-elastic_agent.osquerybeat@custom index_patterns: - logs-elastic_agent.osquerybeat-* priority: 501 @@ -4324,8 +4313,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-elastic_agent.packetbeat@custom index_patterns: - logs-elastic_agent.packetbeat-* priority: 501 @@ -4388,8 +4375,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-endpoint.alerts@custom index_patterns: - logs-endpoint.alerts-* priority: 501 @@ -4446,8 +4431,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-endpoint.diagnostic.collection@custom index_patterns: - .logs-endpoint.diagnostic.collection-* priority: 501 @@ -4504,8 +4487,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-endpoint.events.api@custom index_patterns: - logs-endpoint.events.api-* priority: 501 @@ -4562,8 +4543,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-endpoint.events.file@custom index_patterns: - logs-endpoint.events.file-* priority: 501 @@ -4620,8 +4599,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-endpoint.events.library@custom index_patterns: - logs-endpoint.events.library-* priority: 501 @@ -4678,8 +4655,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-endpoint.events.network@custom index_patterns: - logs-endpoint.events.network-* priority: 501 
@@ -4736,8 +4711,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-endpoint.events.process@custom index_patterns: - logs-endpoint.events.process-* priority: 501 @@ -4794,8 +4767,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-endpoint.events.registry@custom index_patterns: - logs-endpoint.events.registry-* priority: 501 @@ -4852,8 +4823,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-endpoint.events.security@custom index_patterns: - logs-endpoint.events.security-* priority: 501 @@ -4909,8 +4878,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-f5_bigip.log@custom index_patterns: - logs-f5_bigip.log-* priority: 501 @@ -4955,8 +4922,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-fim.event@custom index_patterns: - logs-fim.event-* priority: 501 @@ -5001,8 +4966,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-fireeye.nx@custom index_patterns: - logs-fireeye.nx-* priority: 501 @@ -5047,8 +5010,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-fortinet_fortigate.log@custom index_patterns: - logs-fortinet_fortigate.log-* priority: 501 @@ -5093,8 +5054,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-fortinet.clientendpoint@custom index_patterns: - logs-fortinet.clientendpoint-* priority: 501 
@@ -5139,8 +5098,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-fortinet.firewall@custom index_patterns: - logs-fortinet.firewall-* priority: 501 @@ -5185,8 +5142,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-fortinet.fortimail@custom index_patterns: - logs-fortinet.fortimail-* priority: 501 @@ -5231,8 +5186,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-fortinet.fortimanager@custom index_patterns: - logs-fortinet.fortimanager-* priority: 501 @@ -5277,8 +5230,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-gcp.audit@custom index_patterns: - logs-gcp.audit-* priority: 501 @@ -5323,8 +5274,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-gcp.dns@custom index_patterns: - logs-gcp.dns-* priority: 501 @@ -5369,8 +5318,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-gcp.firewall@custom index_patterns: - logs-gcp.firewall-* priority: 501 @@ -5415,8 +5362,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-gcp.loadbalancing_logs@custom index_patterns: - logs-gcp.loadbalancing_logs-* priority: 501 @@ -5461,8 +5406,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-gcp.vpcflow@custom index_patterns: - logs-gcp.vpcflow-* priority: 501 @@ -5507,8 +5450,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-github.audit@custom index_patterns: - logs-github.audit-* priority: 501 
@@ -5553,8 +5494,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-github.code_scanning@custom index_patterns: - logs-github.code_scanning-* priority: 501 @@ -5599,8 +5538,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-github.dependabot@custom index_patterns: - logs-github.dependabot-* priority: 501 @@ -5645,8 +5582,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-github.issues@custom index_patterns: - logs-github.issues-* priority: 501 @@ -5691,8 +5626,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-github.secret_scanning@custom index_patterns: - logs-github.secret_scanning-* priority: 501 @@ -5737,8 +5670,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-google_workspace.access_transparency@custom index_patterns: - logs-google_workspace.access_transparency-* priority: 501 @@ -5783,8 +5714,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-google_workspace.admin@custom index_patterns: - logs-google_workspace.admin-* priority: 501 @@ -5829,8 +5758,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-google_workspace.alert@custom index_patterns: - logs-google_workspace.alert-* priority: 501 @@ -5875,8 +5802,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-google_workspace.context_aware_access@custom index_patterns: - logs-google_workspace.context_aware_access-* priority: 501 
@@ -5921,8 +5846,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-google_workspace.device@custom index_patterns: - logs-google_workspace.device-* priority: 501 @@ -5967,8 +5890,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-google_workspace.drive@custom index_patterns: - logs-google_workspace.drive-* priority: 501 @@ -6013,8 +5934,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-google_workspace.gcp@custom index_patterns: - logs-google_workspace.gcp-* priority: 501 @@ -6059,8 +5978,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-google_workspace.group_enterprise@custom index_patterns: - logs-google_workspace.group_enterprise-* priority: 501 @@ -6105,8 +6022,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-google_workspace.groups@custom index_patterns: - logs-google_workspace.groups-* priority: 501 @@ -6151,8 +6066,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-google_workspace.login@custom index_patterns: - logs-google_workspace.login-* priority: 501 @@ -6197,8 +6110,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-google_workspace.rules@custom index_patterns: - logs-google_workspace.rules-* priority: 501 @@ -6243,8 +6154,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-google_workspace.saml@custom index_patterns: - logs-google_workspace.saml-* priority: 501 
@@ -6289,8 +6198,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-google_workspace.token@custom index_patterns: - logs-google_workspace.token-* priority: 501 @@ -6335,8 +6242,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-google_workspace.user_accounts@custom index_patterns: - logs-google_workspace.user_accounts-* priority: 501 @@ -6381,9 +6286,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-http_endpoint.generic@package - - logs-http_endpoint.generic@custom index_patterns: - logs-http_endpoint.generic-* priority: 501 @@ -6428,8 +6330,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-httpjson.generic@custom index_patterns: - logs-httpjson.generic-* priority: 501 @@ -6464,27 +6364,25 @@ elasticsearch: priority: 50 min_age: 30d so-logs-iis_x_access: - index_sorting: false + index_sorting: False index_template: - composed_of: - - logs-iis.access@package - - logs-iis.access@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-iis.access@custom index_patterns: - - logs-iis.access-* - priority: 501 + - "logs-iis.access-*" template: settings: index: lifecycle: name: so-logs-iis.access-logs number_of_replicas: 0 + composed_of: + - "logs-iis.access@package" + - "logs-iis.access@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: cold: 
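Review bot: The `@@ -6381,9 +6286,6 @@` hunk for `so-logs-http_endpoint_x_generic` removes both `logs-http_endpoint.generic@package` and `logs-http_endpoint.generic@custom` from `ignore_missing_component_templates`, and this is the only block in view where the `@package` template was also marked optional, which suggests the http_endpoint integration may not ship a package component template at all. If `composed_of` (outside this hunk) still references `logs-http_endpoint.generic@package`, the index template PUT will be rejected outright rather than degrade gracefully. Either confirm that component template exists on the 8.10.4 target before the templates are loaded, or retain the two-entry ignore list for this block. The `so-logs-iis_x_access` hunk on the same line also reintroduces `index_sorting: False`; use `index_sorting: false` for consistency with the surrounding entries.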
@@ -6510,27 +6408,25 @@ elasticsearch: priority: 50 min_age: 30d so-logs-iis_x_error: - index_sorting: false + index_sorting: False index_template: - composed_of: - - logs-iis.error@package - - logs-iis.error@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-iis.error@custom index_patterns: - - logs-iis.error-* - priority: 501 + - "logs-iis.error-*" template: settings: index: lifecycle: name: so-logs-iis.error-logs number_of_replicas: 0 + composed_of: + - "logs-iis.error@package" + - "logs-iis.error@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: cold: @@ -6566,8 +6462,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-juniper_srx.log@custom index_patterns: - logs-juniper_srx.log-* priority: 501 @@ -6612,8 +6506,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-juniper.junos@custom index_patterns: - logs-juniper.junos-* priority: 501 @@ -6658,8 +6550,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-juniper.netscreen@custom index_patterns: - logs-juniper.netscreen-* priority: 501 @@ -6704,8 +6594,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-juniper.srx@custom index_patterns: - logs-juniper.srx-* priority: 501 @@ -6750,8 +6638,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-kafka_log.generic@custom index_patterns: - logs-kafka_log.generic-* priority: 501 
@@ -6796,8 +6682,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-lastpass.detailed_shared_folder@custom index_patterns: - logs-lastpass.detailed_shared_folder-* priority: 501 @@ -6842,8 +6726,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-lastpass.event_report@custom index_patterns: - logs-lastpass.event_report-* priority: 501 @@ -6888,8 +6770,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-lastpass.user@custom index_patterns: - logs-lastpass.user-* priority: 501 @@ -6934,8 +6814,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-m365_defender.event@custom index_patterns: - logs-m365_defender.event-* priority: 501 @@ -6980,8 +6858,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-m365_defender.incident@custom index_patterns: - logs-m365_defender.incident-* priority: 501 @@ -7026,8 +6902,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-m365_defender.log@custom index_patterns: - logs-m365_defender.log-* priority: 501 @@ -7072,8 +6946,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-microsoft_defender_endpoint.log@custom index_patterns: - logs-microsoft_defender_endpoint.log-* priority: 501 @@ -7118,8 +6990,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-microsoft_dhcp.log@custom index_patterns: - logs-microsoft_dhcp.log-* priority: 501 
@@ -7154,27 +7024,25 @@ elasticsearch: priority: 50 min_age: 30d so-logs-microsoft_sqlserver_x_audit: - index_sorting: false + index_sorting: False index_template: - composed_of: - - logs-microsoft_sqlserver.audit@package - - logs-microsoft_sqlserver.audit@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-microsoft_sqlserver.audit@custom index_patterns: - - logs-microsoft_sqlserver.audit-* - priority: 501 + - "logs-microsoft_sqlserver.audit-*" template: settings: index: lifecycle: name: so-logs-microsoft_sqlserver.audit-logs number_of_replicas: 0 + composed_of: + - "logs-microsoft_sqlserver.audit@package" + - "logs-microsoft_sqlserver.audit@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: cold: 
@@ -7200,27 +7068,113 @@ elasticsearch: priority: 50 min_age: 30d so-logs-microsoft_sqlserver_x_log: - index_sorting: false + index_sorting: False index_template: + index_patterns: + - "logs-microsoft_sqlserver.log-*" + template: + settings: + index: + lifecycle: + name: so-logs-microsoft_sqlserver.log-logs + number_of_replicas: 0 composed_of: - - logs-microsoft_sqlserver.log@package - - logs-microsoft_sqlserver.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 + - "logs-microsoft_sqlserver.log@package" + - "logs-microsoft_sqlserver.log@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 data_stream: - allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-microsoft_sqlserver.log@custom + allow_custom_routing: false + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 60d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-mysql_x_error: + index_sorting: False + index_template: index_patterns: - - logs-microsoft_sqlserver.log-* + - "logs-mysql.error-*" + template: + settings: + index: + lifecycle: + name: so-logs-mysql.error-logs + number_of_replicas: 0 + composed_of: + - "logs-mysql.error@package" + - "logs-mysql.error@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 60d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-mysql_x_slowlog: + index_sorting: False + index_template: + 
index_patterns: + - "logs-mysql.slowlog-*" template: settings: index: lifecycle: - name: so-logs-microsoft_sqlserver.log-logs + name: so-logs-mysql.slowlog-logs number_of_replicas: 0 + composed_of: + - "logs-mysql.slowlog@package" + - "logs-mysql.slowlog@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: cold: @@ -7256,8 +7210,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-mimecast.audit_events@custom index_patterns: - logs-mimecast.audit_events-* priority: 501 @@ -7302,8 +7254,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-mimecast.dlp_logs@custom index_patterns: - logs-mimecast.dlp_logs-* priority: 501 @@ -7348,8 +7298,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-mimecast.siem_logs@custom index_patterns: - logs-mimecast.siem_logs-* priority: 501 @@ -7394,8 +7342,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-mimecast.threat_intel_malware_customer@custom index_patterns: - logs-mimecast.threat_intel_malware_customer-* priority: 501 @@ -7440,8 +7386,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-mimecast.threat_intel_malware_grid@custom index_patterns: - logs-mimecast.threat_intel_malware_grid-* priority: 501 @@ -7486,8 +7430,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-mimecast.ttp_ap_logs@custom index_patterns: - logs-mimecast.ttp_ap_logs-* priority: 501 
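Review bot: The `@@ -7200,27 +7068,113 @@` hunk re-inserts `so-logs-mysql_x_error` and `so-logs-mysql_x_slowlog` immediately after `so-logs-microsoft_sqlserver_x_log`, ahead of the `so-logs-mimecast_*` entries, which breaks the alphabetical key order the rest of this mapping follows and makes the blocks harder to locate. The later hunks do rename the old positions away so no duplicate key remains in this revert, but a future merge that brings the old positions back would silently produce duplicate mapping keys, which PyYAML resolves last-wins rather than rejecting; placing the blocks back in sorted order removes that hazard. Both relocated blocks also carry `index_sorting: False`; change each to `index_sorting: false` to match the surrounding entries.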
@@ -7532,8 +7474,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-mimecast.ttp_ip_logs@custom index_patterns: - logs-mimecast.ttp_ip_logs-* priority: 501 @@ -7541,53 +7481,7 @@ elasticsearch: settings: index: lifecycle: - name: so-logs-mimecast.ttp_ip_logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-mimecast_x_ttp_url_logs: - index_sorting: false - index_template: - composed_of: - - logs-mimecast.ttp_url_logs@package - - logs-mimecast.ttp_url_logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-mimecast.ttp_url_logs@custom - index_patterns: - - logs-mimecast.ttp_url_logs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-mimecast.ttp_url_logs-logs + name: so-logs-mimecast.ttp_ip_logs-logs number_of_replicas: 0 policy: phases: 
@@ -7613,27 +7507,25 @@ elasticsearch: set_priority: priority: 50 min_age: 30d - so-logs-mysql_x_error: + so-logs-mimecast_x_ttp_url_logs: index_sorting: false index_template: composed_of: - - logs-mysql.error@package - - logs-mysql.error@custom + - logs-mimecast.ttp_url_logs@package + - logs-mimecast.ttp_url_logs@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-mysql.error@custom index_patterns: - - logs-mysql.error-* + - logs-mimecast.ttp_url_logs-* priority: 501 template: settings: index: lifecycle: - name: so-logs-mysql.error-logs + name: so-logs-mimecast.ttp_url_logs-logs number_of_replicas: 0 policy: phases: @@ -7659,27 +7551,25 @@ elasticsearch: set_priority: priority: 50 min_age: 30d - so-logs-mysql_x_slowlog: + so-logs-netflow_x_log: index_sorting: false index_template: composed_of: - - logs-mysql.slowlog@package - - logs-mysql.slowlog@custom + - logs-netflow.log@package + - logs-netflow.log@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-mysql.slowlog@custom index_patterns: - - logs-mysql.slowlog-* + - logs-netflow.log-* priority: 501 template: settings: index: lifecycle: - name: so-logs-mysql.slowlog-logs + name: so-logs-netflow.log-logs number_of_replicas: 0 policy: phases: 
@@ -7705,28 +7595,26 @@ elasticsearch: set_priority: priority: 50 min_age: 30d - so-logs-netflow_x_log: - index_sorting: false + so-logs-nginx_x_access: + index_sorting: False index_template: - composed_of: - - logs-netflow.log@package - - logs-netflow.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-netflow.log@custom index_patterns: - - logs-netflow.log-* - priority: 501 + - "logs-nginx.access-*" template: settings: index: lifecycle: - name: so-logs-netflow.log-logs + name: so-logs-nginx.access-logs number_of_replicas: 0 + composed_of: + - "logs-nginx.access@package" + - "logs-nginx.access@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: cold: @@ -7751,28 +7639,26 @@ elasticsearch: set_priority: priority: 50 min_age: 30d - so-logs-nginx_x_access: - index_sorting: false + so-logs-nginx_x_error: + index_sorting: False index_template: - composed_of: - - logs-nginx.access@package - - logs-nginx.access@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-nginx.access@custom index_patterns: - - logs-nginx.access-* - priority: 501 + - "logs-nginx.error-*" template: settings: index: lifecycle: - name: so-logs-nginx.access-logs + name: so-logs-nginx.error-logs number_of_replicas: 0 + composed_of: + - "logs-nginx.error@package" + - "logs-nginx.error@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: cold: 
@@ -7797,28 +7683,26 @@ elasticsearch: set_priority: priority: 50 min_age: 30d - so-logs-nginx_x_error: - index_sorting: false + so-metrics-nginx_x_stubstatus: + index_sorting: False index_template: - composed_of: - - logs-nginx.error@package - - logs-nginx.error@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-nginx.error@custom index_patterns: - - logs-nginx.error-* - priority: 501 + - "metrics-nginx.stubstatus-*" template: settings: index: lifecycle: - name: so-logs-nginx.error-logs + name: so-metrics-nginx.stubstatus-logs number_of_replicas: 0 + composed_of: + - "metrics-nginx.stubstatus@package" + - "metrics-nginx.stubstatus@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: cold: @@ -7854,8 +7738,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-o365.audit@custom index_patterns: - logs-o365.audit-* priority: 501 @@ -7900,8 +7782,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-okta.system@custom index_patterns: - logs-okta.system-* priority: 501 @@ -7945,7 +7825,6 @@ elasticsearch: name: elastic_agent composed_of: - logs-osquery_manager.action.responses - ignore_missing_component_templates: [] index_patterns: - .logs-osquery_manager.action.responses* priority: 501 @@ -7963,7 +7842,6 @@ elasticsearch: name: elastic_agent composed_of: - logs-osquery_manager.actions - ignore_missing_component_templates: [] index_patterns: - .logs-osquery_manager.actions* priority: 501 @@ -7982,8 +7860,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-panw.panos@custom index_patterns: - logs-panw.panos-* priority: 501 
@@ -8028,8 +7904,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-pfsense.log@custom index_patterns: - logs-pfsense.log-* priority: 501 @@ -8064,27 +7938,25 @@ elasticsearch: priority: 50 min_age: 30d so-logs-proofpoint_tap_x_clicks_blocked: - index_sorting: false + index_sorting: False index_template: - composed_of: - - logs-proofpoint_tap.clicks_blocked@package - - logs-proofpoint_tap.clicks_blocked@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-proofpoint_tap.clicks_blocked@custom index_patterns: - - logs-proofpoint_tap.clicks_blocked-* - priority: 501 + - "logs-proofpoint_tap.clicks_blocked-*" template: settings: index: lifecycle: name: so-logs-proofpoint_tap.clicks_blocked-logs number_of_replicas: 0 + composed_of: + - "logs-proofpoint_tap.clicks_blocked@package" + - "logs-proofpoint_tap.clicks_blocked@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: cold: 
@@ -8110,27 +7982,25 @@ elasticsearch: priority: 50 min_age: 30d so-logs-proofpoint_tap_x_clicks_permitted: - index_sorting: false + index_sorting: False index_template: - composed_of: - - logs-proofpoint_tap.clicks_permitted@package - - logs-proofpoint_tap.clicks_permitted@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-proofpoint_tap.clicks_permitted@custom index_patterns: - - logs-proofpoint_tap.clicks_permitted-* - priority: 501 + - "logs-proofpoint_tap.clicks_permitted-*" template: settings: index: lifecycle: name: so-logs-proofpoint_tap.clicks_permitted-logs number_of_replicas: 0 + composed_of: + - "logs-proofpoint_tap.clicks_permitted@package" + - "logs-proofpoint_tap.clicks_permitted@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: cold: @@ -8156,27 +8026,25 @@ elasticsearch: priority: 50 min_age: 30d so-logs-proofpoint_tap_x_message_blocked: - index_sorting: false + index_sorting: False index_template: - composed_of: - - logs-proofpoint_tap.message_blocked@package - - logs-proofpoint_tap.message_blocked@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-proofpoint_tap.message_blocked@custom index_patterns: - - logs-proofpoint_tap.message_blocked-* - priority: 501 + - "logs-proofpoint_tap.message_blocked-*" template: settings: index: lifecycle: name: so-logs-proofpoint_tap.message_blocked-logs number_of_replicas: 0 + composed_of: + - "logs-proofpoint_tap.message_blocked@package" + - "logs-proofpoint_tap.message_blocked@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: cold: 
@@ -8202,27 +8070,25 @@ elasticsearch: priority: 50 min_age: 30d so-logs-proofpoint_tap_x_message_delivered: - index_sorting: false + index_sorting: False index_template: - composed_of: - - logs-proofpoint_tap.message_delivered@package - - logs-proofpoint_tap.message_delivered@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-proofpoint_tap.message_delivered@custom index_patterns: - - logs-proofpoint_tap.message_delivered-* - priority: 501 + - "logs-proofpoint_tap.message_delivered-*" template: settings: index: lifecycle: name: so-logs-proofpoint_tap.message_delivered-logs number_of_replicas: 0 + composed_of: + - "logs-proofpoint_tap.message_delivered@package" + - "logs-proofpoint_tap.message_delivered@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: cold: @@ -8258,8 +8124,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-pulse_connect_secure.log@custom index_patterns: - logs-pulse_connect_secure.log-* priority: 501 @@ -8304,8 +8168,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-sentinel_one.activity@custom index_patterns: - logs-sentinel_one.activity-* priority: 501 @@ -8350,8 +8212,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-sentinel_one.agent@custom index_patterns: - logs-sentinel_one.agent-* priority: 501 @@ -8396,8 +8256,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-sentinel_one.alert@custom index_patterns: - logs-sentinel_one.alert-* priority: 501 
@@ -8442,8 +8300,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-sentinel_one.group@custom index_patterns: - logs-sentinel_one.group-* priority: 501 @@ -8488,8 +8344,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-sentinel_one.threat@custom index_patterns: - logs-sentinel_one.threat-* priority: 501 @@ -8524,27 +8378,25 @@ elasticsearch: priority: 50 min_age: 30d so-logs-snort_x_log: - index_sorting: false + index_sorting: False index_template: - composed_of: - - logs-snort.log@package - - logs-snort.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-snort.log@custom index_patterns: - - logs-snort.log-* - priority: 501 + - "logs-snort.log-*" template: settings: index: lifecycle: name: so-logs-snort.log-logs number_of_replicas: 0 + composed_of: + - "logs-snort.log@package" + - "logs-snort.log@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: cold: @@ -8580,8 +8432,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-snyk.audit@custom index_patterns: - logs-snyk.audit-* priority: 501 
@@ -8608,142 +8458,33 @@ elasticsearch: max_age: 30d max_primary_shard_size: 50gb set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-snyk_x_vulnerabilities: - index_sorting: false - index_template: - composed_of: - - logs-snyk.vulnerabilities@package - - logs-snyk.vulnerabilities@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-snyk.vulnerabilities@custom - index_patterns: - - logs-snyk.vulnerabilities-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-snyk.vulnerabilities-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-soc: - close: 30 - delete: 365 - index_sorting: false - index_template: - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - container-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - 
dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - common-settings - - common-dynamic-mappings - data_stream: {} - ignore_missing_component_templates: [] + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-snyk_x_vulnerabilities: + index_sorting: false + index_template: + composed_of: + - logs-snyk.vulnerabilities@package + - logs-snyk.vulnerabilities@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false index_patterns: - - logs-soc-so* - priority: 500 + - logs-snyk.vulnerabilities-* + priority: 501 template: - mappings: - date_detection: false - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string settings: index: lifecycle: - name: so-logs-soc-logs - mapping: - total_fields: - limit: 5000 + name: so-logs-snyk.vulnerabilities-logs number_of_replicas: 0 - number_of_shards: 1 - refresh_interval: 30s - sort: - field: '@timestamp' - order: desc policy: phases: cold: @@ -8768,7 +8509,6 @@ elasticsearch: set_priority: priority: 50 min_age: 30d - warm: 7 so-logs-sonicwall_firewall_x_log: index_sorting: false index_template: @@ -8780,8 +8520,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-sonicwall_firewall.log@custom index_patterns: - logs-sonicwall_firewall.log-* priority: 501 @@ -8826,8 +8564,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-sophos_central.alert@custom index_patterns: - logs-sophos_central.alert-* priority: 501 
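Review bot: After the first hunk on this line (it begins on the previous line) `so-logs-soc` is no longer defined in this file, and a later hunk likewise drops `so-logstash`; with them go the explicit `date_detection: false`, the `strings_as_keyword` dynamic template, `total_fields.limit: 5000`, the `@timestamp` sort, and the `close: 30` / `delete: 365` / `warm: 7` retention keys (the stray `- warm: 7` removal in the next hunk belonged to that block). If the tree this reverts to defines those two templates elsewhere this is fine; if not, the `logs-soc-so*` and `logs-logstash-default*` streams fall back to whichever template matches next and lose the field-limit and keyword-mapping guards. A quick check that both names still resolve to a template after the load step would close the question.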
@@ -8872,8 +8608,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-sophos_central.event@custom index_patterns: - logs-sophos_central.event-* priority: 501 @@ -8918,8 +8652,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-sophos.utm@custom index_patterns: - logs-sophos.utm-* priority: 501 @@ -8964,8 +8696,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-sophos.xg@custom index_patterns: - logs-sophos.xg-* priority: 501 @@ -9010,8 +8740,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-symantec_endpoint.log@custom index_patterns: - logs-symantec_endpoint.log-* priority: 501 @@ -9057,8 +8785,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-system.application@custom index_patterns: - logs-system.application* priority: 501 @@ -9104,8 +8830,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-system.auth@custom index_patterns: - logs-system.auth* priority: 501 @@ -9151,8 +8875,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-system.security@custom index_patterns: - logs-system.security* priority: 501 @@ -9198,8 +8920,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-system.syslog@custom index_patterns: - logs-system.syslog* priority: 501 @@ -9245,8 +8965,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-system.system@custom index_patterns: - logs-system.system* priority: 501 
@@ -9291,8 +9009,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-tenable_sc.asset@custom index_patterns: - logs-tenable_sc.asset-* priority: 501 @@ -9337,8 +9053,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-tenable_sc.plugin@custom index_patterns: - logs-tenable_sc.plugin-* priority: 501 @@ -9383,8 +9097,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-tenable_sc.vulnerability@custom index_patterns: - logs-tenable_sc.vulnerability-* priority: 501 @@ -9429,8 +9141,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-ti_abusech.malware@custom index_patterns: - logs-ti_abusech.malware-* priority: 501 @@ -9475,8 +9185,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-ti_abusech.malwarebazaar@custom index_patterns: - logs-ti_abusech.malwarebazaar-* priority: 501 @@ -9521,8 +9229,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-ti_abusech.threatfox@custom index_patterns: - logs-ti_abusech.threatfox-* priority: 501 @@ -9567,8 +9273,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-ti_abusech.url@custom index_patterns: - logs-ti_abusech.url-* priority: 501 
@@ -9603,27 +9307,25 @@ elasticsearch: priority: 50 min_age: 30d so-logs-ti_anomali_x_threatstream: - index_sorting: false + index_sorting: False index_template: - composed_of: - - logs-ti_anomali.threatstream@package - - logs-ti_anomali.threatstream@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-ti_anomali.threatstream@custom index_patterns: - - logs-ti_anomali.threatstream-* - priority: 501 + - "logs-ti_anomali.threatstream-*" template: settings: index: lifecycle: name: so-logs-ti_anomali.threatstream-logs number_of_replicas: 0 + composed_of: + - "logs-ti_anomali.threatstream@package" + - "logs-ti_anomali.threatstream@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: cold: @@ -9649,27 +9351,25 @@ elasticsearch: priority: 50 min_age: 30d so-logs-ti_cybersixgill_x_threat: - index_sorting: false + index_sorting: False index_template: - composed_of: - - logs-ti_cybersixgill.threat@package - - logs-ti_cybersixgill.threat@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-ti_cybersixgill.threat@custom index_patterns: - - logs-ti_cybersixgill.threat-* - priority: 501 + - "logs-ti_cybersixgill.threat-*" template: settings: index: lifecycle: name: so-logs-ti_cybersixgill.threat-logs number_of_replicas: 0 + composed_of: + - "logs-ti_cybersixgill.threat@package" + - "logs-ti_cybersixgill.threat@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: cold: 
@@ -9705,8 +9405,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-ti_misp.threat@custom index_patterns: - logs-ti_misp.threat-* priority: 501 @@ -9751,8 +9449,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-ti_misp.threat_attributes@custom index_patterns: - logs-ti_misp.threat_attributes-* priority: 501 @@ -9797,8 +9493,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-ti_otx.pulses_subscribed@custom index_patterns: - logs-ti_otx.pulses_subscribed-* priority: 501 @@ -9843,8 +9537,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-ti_otx.threat@custom index_patterns: - logs-ti_otx.threat-* priority: 501 @@ -9889,8 +9581,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-ti_recordedfuture.latest_ioc-template@custom index_patterns: - logs-ti_recordedfuture.latest_ioc-template-* priority: 501 @@ -9935,8 +9625,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-ti_recordedfuture.threat@custom index_patterns: - logs-ti_recordedfuture.threat-* priority: 501 
@@ -9971,27 +9659,25 @@ elasticsearch: priority: 50 min_age: 30d so-logs-ti_threatq_x_threat: - index_sorting: false + index_sorting: False index_template: - composed_of: - - logs-ti_threatq.threat@package - - logs-ti_threatq.threat@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-ti_threatq.threat@custom index_patterns: - - logs-ti_threatq.threat-* - priority: 501 + - "logs-ti_threatq.threat-*" template: settings: index: lifecycle: name: so-logs-ti_threatq.threat-logs number_of_replicas: 0 + composed_of: + - "logs-ti_threatq.threat@package" + - "logs-ti_threatq.threat@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: cold: @@ -10017,27 +9703,25 @@ elasticsearch: priority: 50 min_age: 30d so-logs-vsphere_x_log: - index_sorting: false + index_sorting: False index_template: - composed_of: - - logs-vsphere.log@package - - logs-vsphere.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-vsphere.log@custom index_patterns: - - logs-vsphere.log-* - priority: 501 + - "logs-vsphere.log-*" template: settings: index: lifecycle: name: so-logs-vsphere.log-logs number_of_replicas: 0 + composed_of: + - "logs-vsphere.log@package" + - "logs-vsphere.log@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: cold: @@ -10073,8 +9757,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-windows.forwarded@custom index_patterns: - logs-windows.forwarded* priority: 501 
@@ -10119,8 +9801,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-windows.powershell@custom index_patterns: - logs-windows.powershell-* priority: 501 @@ -10165,8 +9845,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-windows.powershell_operational@custom index_patterns: - logs-windows.powershell_operational-* priority: 501 @@ -10211,8 +9889,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-windows.sysmon_operational@custom index_patterns: - logs-windows.sysmon_operational-* priority: 501 @@ -10247,28 +9923,25 @@ elasticsearch: priority: 50 min_age: 30d so-logs-winlog_x_winlog: - index_sorting: false + index_sorting: False index_template: - composed_of: - - logs-winlog.winlog@package - - logs-winlog.winlog@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-winlog.winlog@package - - logs-winlog.winlog@custom index_patterns: - - logs-winlog.winlog-* - priority: 501 + - "logs-winlog.winlog-*" template: settings: index: lifecycle: name: so-logs-winlog.winlog-logs number_of_replicas: 0 + composed_of: + - "logs-winlog.winlog@package" + - "logs-winlog.winlog@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: cold: @@ -10304,8 +9977,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-zscaler_zia.alerts@custom index_patterns: - logs-zscaler_zia.alerts-* priority: 501 
@@ -10350,8 +10021,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-zscaler_zia.dns@custom index_patterns: - logs-zscaler_zia.dns-* priority: 501 @@ -10396,8 +10065,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-zscaler_zia.firewall@custom index_patterns: - logs-zscaler_zia.firewall-* priority: 501 @@ -10442,8 +10109,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-zscaler_zia.tunnel@custom index_patterns: - logs-zscaler_zia.tunnel-* priority: 501 @@ -10488,8 +10153,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-zscaler_zia.web@custom index_patterns: - logs-zscaler_zia.web-* priority: 501 @@ -10534,8 +10197,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-zscaler_zpa.app_connector_status@custom index_patterns: - logs-zscaler_zpa.app_connector_status-* priority: 501 @@ -10580,8 +10241,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-zscaler_zpa.audit@custom index_patterns: - logs-zscaler_zpa.audit-* priority: 501 @@ -10626,8 +10285,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-zscaler_zpa.browser_access@custom index_patterns: - logs-zscaler_zpa.browser_access-* priority: 501 @@ -10672,8 +10329,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-zscaler_zpa.user_activity@custom index_patterns: - logs-zscaler_zpa.user_activity-* priority: 501 
@@ -10718,8 +10373,6 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-zscaler_zpa.user_status@custom index_patterns: - logs-zscaler_zpa.user_status-* priority: 501 
@@ -10753,93 +10406,26 @@ elasticsearch: set_priority: priority: 50 min_age: 30d - so-logstash: - index_sorting: false + so-metrics-endpoint_x_metadata: + index_sorting: False index_template: - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - logstash-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - ignore_missing_component_templates: [] index_patterns: - - logs-logstash-default* - priority: 500 + - "metrics-endpoint.metadata-*" template: - mappings: - date_detection: false - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string settings: index: lifecycle: - name: so-logstash-logs - mapping: - total_fields: - limit: 5000 + name: so-metrics-endpoint.metadata-logs number_of_replicas: 0 - number_of_shards: 1 - refresh_interval: 30s - sort: - field: '@timestamp' 
- order: desc + composed_of: + - "metrics-endpoint.metadata@package" + - "metrics-endpoint.metadata@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: cold: @@ -10864,28 +10450,26 @@ elasticsearch: set_priority: priority: 50 min_age: 30d - so-metrics-endpoint_x_metadata: - index_sorting: false + so-metrics-endpoint_x_metrics: + index_sorting: False index_template: - composed_of: - - metrics-endpoint.metadata@package - - metrics-endpoint.metadata@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - metrics-endpoint.metadata@custom index_patterns: - - metrics-endpoint.metadata-* - priority: 501 + - "metrics-endpoint.metrics-*" template: settings: index: lifecycle: - name: so-metrics-endpoint.metadata-logs + name: so-metrics-endpoint.metrics-logs number_of_replicas: 0 + composed_of: + - "metrics-endpoint.metrics@package" + - "metrics-endpoint.metrics@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: cold: 
@@ -10910,28 +10494,26 @@ elasticsearch: set_priority: priority: 50 min_age: 30d - so-metrics-endpoint_x_metrics: - index_sorting: false + so-metrics-endpoint_x_policy: + index_sorting: False index_template: - composed_of: - - metrics-endpoint.metrics@package - - metrics-endpoint.metrics@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - metrics-endpoint.metrics@custom index_patterns: - - metrics-endpoint.metrics-* - priority: 501 + - "metrics-endpoint.policy-*" template: settings: index: lifecycle: - name: so-metrics-endpoint.metrics-logs + name: so-metrics-endpoint.policy-logs number_of_replicas: 0 + composed_of: + - "metrics-endpoint.policy@package" + - "metrics-endpoint.policy@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: cold: @@ -10956,28 +10538,26 @@ elasticsearch: set_priority: priority: 50 min_age: 30d - so-metrics-endpoint_x_policy: - index_sorting: false + so-metrics-vsphere_x_datastore: + index_sorting: False index_template: - composed_of: - - metrics-endpoint.policy@package - - metrics-endpoint.policy@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - metrics-endpoint.policy@custom index_patterns: - - metrics-endpoint.policy-* - priority: 501 + - "metrics-vsphere.datastore-*" template: settings: index: lifecycle: - name: so-metrics-endpoint.policy-logs + name: so-metrics-vsphere.datastore-logs number_of_replicas: 0 + composed_of: + - "metrics-vsphere.datastore@package" + - "metrics-vsphere.datastore@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: cold: 
@@ -11002,74 +10582,26 @@ elasticsearch: set_priority: priority: 50 min_age: 30d - so-metrics-fleet_server_x_agent_status: - index_sorting: false + so-metrics-vsphere_x_host: + index_sorting: False index_template: - composed_of: - - metrics@tsdb-settings - - metrics-fleet_server.agent_status@package - - metrics-fleet_server.agent_status@custom - - ecs@mappings - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - metrics-fleet_server.agent_status@custom index_patterns: - - metrics-fleet_server.agent_status-* - priority: 501 + - "metrics-vsphere.host-*" template: settings: index: - mode: time_series + lifecycle: + name: so-metrics-vsphere.host-logs number_of_replicas: 0 - so-metrics-fleet_server_x_agent_versions: - index_sorting: false - index_template: composed_of: - - metrics@tsdb-settings - - metrics-fleet_server.agent_versions@package - - metrics-fleet_server.agent_versions@custom - - ecs@mappings - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - metrics-fleet_server.agent_versions@custom - index_patterns: - - metrics-fleet_server.agent_versions-* + - "metrics-vsphere.host@package" + - "metrics-vsphere.host@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" priority: 501 - template: - settings: - index: - mode: time_series - number_of_replicas: 0 - so-metrics-nginx_x_stubstatus: - index_sorting: false - index_template: - composed_of: - - metrics-nginx.stubstatus@package - - metrics-nginx.stubstatus@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 data_stream: - allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - metrics-nginx.stubstatus@custom - index_patterns: - - metrics-nginx.stubstatus-* - priority: 501 - template: - settings: - index: - lifecycle: - name: 
so-metrics-nginx.stubstatus-logs - number_of_replicas: 0 + allow_custom_routing: false policy: phases: cold: @@ -11094,28 +10626,26 @@ elasticsearch: set_priority: priority: 50 min_age: 30d - so-metrics-vsphere_x_datastore: - index_sorting: false + so-metrics-vsphere_x_virtualmachine: + index_sorting: False index_template: - composed_of: - - metrics-vsphere.datastore@package - - metrics-vsphere.datastore@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - metrics-vsphere.datastore@custom index_patterns: - - metrics-vsphere.datastore-* - priority: 501 + - "metrics-vsphere.virtualmachine-*" template: settings: index: lifecycle: - name: so-metrics-vsphere.datastore-logs + name: so-metrics-vsphere.virtualmachine-logs number_of_replicas: 0 + composed_of: + - "metrics-vsphere.virtualmachine@package" + - "metrics-vsphere.virtualmachine@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: cold: @@ -11140,27 +10670,28 @@ elasticsearch: set_priority: priority: 50 min_age: 30d - so-metrics-vsphere_x_host: + so-kismet: index_sorting: false index_template: composed_of: - - metrics-vsphere.host@package - - metrics-vsphere.host@custom + - kismet-mappings + - source-mappings + - client-mappings + - device-mappings + - network-mappings - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - metrics-vsphere.host@custom index_patterns: - - metrics-vsphere.host-* + - logs-kismet-so* priority: 501 template: settings: index: lifecycle: - name: so-metrics-vsphere.host-logs + name: so-kismet-logs number_of_replicas: 0 policy: phases: 
@@ -11186,28 +10717,92 @@ elasticsearch: set_priority: priority: 50 min_age: 30d - so-metrics-vsphere_x_virtualmachine: + so-logstash: index_sorting: false index_template: composed_of: - - metrics-vsphere.virtualmachine@package - - metrics-vsphere.virtualmachine@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - metrics-vsphere.virtualmachine@custom + - agent-mappings + - dtc-agent-mappings + - base-mappings + - dtc-base-mappings + - client-mappings + - dtc-client-mappings + - cloud-mappings + - container-mappings + - data_stream-mappings + - destination-mappings + - dtc-destination-mappings + - pb-override-destination-mappings + - dll-mappings + - dns-mappings + - dtc-dns-mappings + - ecs-mappings + - dtc-ecs-mappings + - error-mappings + - event-mappings + - dtc-event-mappings + - file-mappings + - dtc-file-mappings + - group-mappings + - host-mappings + - dtc-host-mappings + - http-mappings + - dtc-http-mappings + - log-mappings + - logstash-mappings + - network-mappings + - dtc-network-mappings + - observer-mappings + - dtc-observer-mappings + - orchestrator-mappings + - organization-mappings + - package-mappings + - process-mappings + - dtc-process-mappings + - registry-mappings + - related-mappings + - rule-mappings + - dtc-rule-mappings + - server-mappings + - service-mappings + - dtc-service-mappings + - source-mappings + - dtc-source-mappings + - pb-override-source-mappings + - threat-mappings + - tls-mappings + - tracing-mappings + - url-mappings + - user_agent-mappings + - dtc-user_agent-mappings + - vulnerability-mappings + - common-settings + - common-dynamic-mappings index_patterns: - - metrics-vsphere.virtualmachine-* - priority: 501 + - logs-logstash-default* + priority: 500 template: + mappings: + date_detection: false + dynamic_templates: + - strings_as_keyword: + mapping: + ignore_above: 1024 + type: keyword + match_mapping_type: 
string settings: index: lifecycle: - name: so-metrics-vsphere.virtualmachine-logs + name: so-logstash-logs + mapping: + total_fields: + limit: 5000 number_of_replicas: 0 + number_of_shards: 1 + refresh_interval: 30s + sort: + field: '@timestamp' + order: desc policy: phases: cold: @@ -11293,7 +10888,6 @@ elasticsearch: - vulnerability-mappings - common-settings - common-dynamic-mappings - ignore_missing_component_templates: [] index_patterns: - logs-redis-default* priority: 500 @@ -11406,7 +11000,6 @@ elasticsearch: - common-settings - common-dynamic-mappings data_stream: {} - ignore_missing_component_templates: [] index_patterns: - logs-strelka-so* priority: 500 @@ -11518,7 +11111,6 @@ elasticsearch: - common-settings - common-dynamic-mappings data_stream: {} - ignore_missing_component_templates: [] index_patterns: - logs-suricata-so* priority: 500 @@ -11630,7 +11222,6 @@ elasticsearch: - common-settings - common-dynamic-mappings data_stream: {} - ignore_missing_component_templates: [] index_patterns: - logs-suricata.alerts-* priority: 500 @@ -11743,7 +11334,6 @@ elasticsearch: - common-settings - common-dynamic-mappings data_stream: {} - ignore_missing_component_templates: [] index_patterns: - logs-syslog-so* priority: 500 @@ -11857,7 +11447,6 @@ elasticsearch: - common-settings - common-dynamic-mappings data_stream: {} - ignore_missing_component_templates: [] index_patterns: - logs-zeek-so* priority: 500 
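Review bot: The `composed_of` list restored for `so-logstash` runs to more than fifty component templates, and the tails visible in the following hunks (`vulnerability-mappings`, `common-settings`, `common-dynamic-mappings`) suggest the `so-redis`, `so-strelka`, `so-suricata`, `so-syslog` and `so-zeek` entries carry a copy of the same list, which will drift the next time a mapping is added to one of them. If the loader accepts standard YAML, a single anchor on the first list (`composed_of: &ecsComponents`) referenced as `composed_of: *ecsComponents` elsewhere would keep them in step, the same way `soc_elasticsearch.yaml` in this diff reuses `*indexSettings`. Separately, the entry restores `index_sorting: false` next to `template.settings.index.sort`; presumably the loader drops the sort block when index sorting is off, but it is worth confirming the two are not contradictory. The enclosing `elasticsearch:` mapping starts outside the hunk.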
@@ -11907,87 +11496,6 @@ elasticsearch: set_priority: priority: 50 min_age: 30d - pipelines: - custom001: - description: Custom Pipeline - processors: - - set: - field: tags - value: custom001 - - pipeline: - name: common - custom002: - description: Custom Pipeline - processors: - - set: - field: tags - value: custom002 - - pipeline: - name: common - custom003: - description: Custom Pipeline - processors: - - set: - field: tags - value: custom003 - - pipeline: - name: common - custom004: - description: Custom Pipeline - processors: - - set: - field: tags - value: custom004 - - pipeline: - name: common - custom005: - description: Custom Pipeline - processors: - - set: - field: tags - value: custom005 - - pipeline: - name: common - custom006: - description: Custom Pipeline - processors: - - set: - field: tags - value: custom006 - - pipeline: - name: common - custom007: - description: Custom Pipeline - processors: - - set: - field: tags - value: custom007 - - pipeline: - name: common - custom008: - description: Custom Pipeline - processors: - - set: - field: tags - value: custom008 - - pipeline: - name: common - custom009: - description: Custom Pipeline - processors: - - set: - field: tags - value: custom009 - - pipeline: - name: common - custom010: - description: Custom Pipeline - processors: - - set: - field: tags - value: custom010 - - pipeline: - name: common retention: retention_pct: 50 so_roles: diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index 085aab7f0e..f56ed313e3 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml 
@@ -530,58 +530,6 @@ elasticsearch: so-strelka: *indexSettings so-syslog: *indexSettings so-zeek: *indexSettings - so-metrics-fleet_server_x_agent_status: &fleetMetricsSettings - index_sorting: - description: Sorts the index by event time, at the cost of additional processing resource consumption. - advanced: True - readonly: True - helpLink: elasticsearch.html - index_template: - ignore_missing_component_templates: - description: Ignore component templates if they aren't in Elasticsearch. - advanced: True - readonly: True - helpLink: elasticsearch.html - index_patterns: - description: Patterns for matching multiple indices or tables. - advanced: True - readonly: True - helpLink: elasticsearch.html - template: - settings: - index: - mode: - description: Type of mode used for this index. Time series indices can be used for metrics to reduce necessary storage. - advanced: True - readonly: True - helpLink: elasticsearch.html - number_of_replicas: - description: Number of replicas required for this index. Multiple replicas protects against data loss, but also increases storage costs. - advanced: True - readonly: True - helpLink: elasticsearch.html - composed_of: - description: The index template is composed of these component templates. - advanced: True - readonly: True - helpLink: elasticsearch.html - priority: - description: The priority of the index template. - advanced: True - readonly: True - helpLink: elasticsearch.html - data_stream: - hidden: - description: Hide the data stream. - advanced: True - readonly: True - helpLink: elasticsearch.html - allow_custom_routing: - description: Allow custom routing for the data stream. - advanced: True - readonly: True - helpLink: elasticsearch.html - so-metrics-fleet_server_x_agent_versions: *fleetMetricsSettings so_roles: so-manager: &soroleSettings config: 
diff --git a/salt/elasticsearch/tools/sbin_jinja/so-elasticsearch-templates-load b/salt/elasticsearch/tools/sbin_jinja/so-elasticsearch-templates-load index 12ef4dbf66..080348522f 100755 --- a/salt/elasticsearch/tools/sbin_jinja/so-elasticsearch-templates-load +++ b/salt/elasticsearch/tools/sbin_jinja/so-elasticsearch-templates-load @@ -134,7 +134,7 @@ if [ ! -f $STATE_FILE_SUCCESS ]; then TEMPLATE=${i::-14} COMPONENT_PATTERN=${TEMPLATE:3} MATCH=$(echo "$TEMPLATE" | grep -E "^so-logs-|^so-metrics" | grep -vE "detections|osquery") - if [[ -n "$MATCH" && ! "$COMPONENT_LIST" =~ "$COMPONENT_PATTERN" && ! "$COMPONENT_PATTERN" =~ logs-http_endpoint\.generic|logs-winlog\.winlog ]]; then + if [[ -n "$MATCH" && ! "$COMPONENT_LIST" =~ "$COMPONENT_PATTERN" ]]; then load_failures=$((load_failures+1)) echo "Component template does not exist for $COMPONENT_PATTERN. The index template will not be loaded. Load failures: $load_failures" else @@ -153,7 +153,7 @@ if [ ! -f $STATE_FILE_SUCCESS ]; then cd - >/dev/null if [[ $load_failures -eq 0 ]]; then - echo "All templates loaded successfully" + echo "All template loaded successfully" touch $STATE_FILE_SUCCESS else echo "Encountered $load_failures templates that were unable to load, likely due to missing dependencies that will be available later; will retry on next highstate" diff --git a/salt/kibana/files/config_saved_objects.ndjson b/salt/kibana/files/config_saved_objects.ndjson index 50e2ba45c1..bc503debb0 100644 --- a/salt/kibana/files/config_saved_objects.ndjson +++ b/salt/kibana/files/config_saved_objects.ndjson 
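Review bot: In the restored `if` line, `! "$COMPONENT_LIST" =~ "$COMPONENT_PATTERN"` quotes the right-hand side, so bash performs a literal substring search rather than a whole-token match; a component pattern that is a prefix of a longer entry in `$COMPONENT_LIST` would be reported as present and the index template loaded even though its own component template is missing. How `COMPONENT_LIST` is delimited is decided outside the hunk, so this is hedged; if it is newline-separated, `if [[ -n "$MATCH" ]] && ! grep -qxF -- "$COMPONENT_PATTERN" <<<"$COMPONENT_LIST"; then` tests for an exact entry. The enclosing loop and the `if [ ! -f $STATE_FILE_SUCCESS ]` block start outside the hunk.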
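Review bot: The restored success message `echo "All template loaded successfully"` is ungrammatical; the revert pulls the old wording back along with the functional change. The plural `echo "All templates loaded successfully"` reads correctly and matches the plural used in the `Encountered $load_failures templates ...` message on the else branch, so I would keep it even though the surrounding change is reverted. The enclosing `if [ ! -f $STATE_FILE_SUCCESS ]` block starts outside the hunk.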
@@ -1 +1 @@ -{"attributes": {"buildNum": 39457,"defaultIndex": "logs-*","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.14.2","id": "8.14.2","references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} +{"attributes": {"buildNum": 39457,"defaultIndex": "logs-*","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.10.4","id": "8.10.4","references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} diff --git a/salt/kibana/tools/sbin_jinja/so-kibana-config-load b/salt/kibana/tools/sbin_jinja/so-kibana-config-load index fc0896009e..5b4b525602 100644 --- a/salt/kibana/tools/sbin_jinja/so-kibana-config-load +++ b/salt/kibana/tools/sbin_jinja/so-kibana-config-load @@ -63,7 +63,7 @@ update() { IFS=$'\r\n' GLOBIGNORE='*' command eval 'LINES=($(cat $1))' for i in "${LINES[@]}"; do - RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config -X PUT "localhost:5601/api/saved_objects/config/8.14.2" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") + RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config -X PUT "localhost:5601/api/saved_objects/config/8.10.4" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi done