filebeat-7.5.0-cisco-ftd-asa-ftd-pipeline-query
#Setup Filebeat 7.5 per docs at https://www.elastic.co/guide/en/beats/filebeat/7.5/filebeat-getting-started.html
#filebeat modules enable cisco
#filebeat setup
#The behaviour below is seen only on documents that were written through the filebeat-7.5.0-cisco-ftd-asa-ftd-pipeline ingest pipeline (into the index created from the Filebeat index template); documents that bypass the pipeline do not show it.
#Control case: a `match` query on `message` against an index that did NOT go through the pipeline returns hits. (`10000` / `gte` below is the default `track_total_hits` cap, i.e. "at least 10,000 matches", not exactly 10,000.)
# Kibana Dev Tools console request. `match` tokenises the query text, so a single word from the
# log line is enough to hit here -- presumably because `message` is `text`-mapped in this index
# (default dynamic mapping); the syslog-000008 mapping itself is not captured in this gist.
GET syslog-000008/_search
{
"query": {
"match": {
"message": {
"query": "retrieved"
}
}
}
}
...
"hits" : {
"total" : {
"value" : 10000,
"relation" : "gte"
},
...
#Failing case: the same kind of `match` query, on `event.original`, against the index fed by the pipeline returns zero hits (`relation: eq`, so the zero is an exact count, not a capped estimate).
# Same request shape as the control, but on `event.original` in the pipeline-fed index.
# NOTE(review): if `event.original` is mapped as `keyword` (not analyzed), `match` only hits when the
# whole field value equals "Primary". Check the mapping first
# (GET filebeat-7.5.0-2019.12.10-000001/_mapping/field/event.original), then confirm the documents
# exist with a case-sensitive wildcard, e.g. "wildcard": {"event.original": {"value": "*Primary*"}}.
# Also note this index is an earlier rollover generation than the one whose mapping is dumped
# further down (…2019.12.18-000003); verify both share the same mapping before comparing.
GET filebeat-7.5.0-2019.12.10-000001/_search
{
"query": {
"match": {
"event.original": {
"query": "Primary"
}
}
}
}
...
"hits" : {
"total" : {
"value" : 0,
"relation" : "eq"
},
...
#The pipeline appears to copy `message` to `log.original` and then to `event.original`; check the processor list returned by the request below (its output is not captured in this gist).
# Dump the pipeline definition: look for the processor(s) that set log.original / event.original,
# and for an `on_failure` handler -- it decides whether a partially processed document (scratch
# fields still attached) is indexed or dropped.
GET _ingest/pipeline/filebeat-7.5.0-cisco-ftd-asa-ftd-pipeline
#Root cause appears to be the field mapping applied by the Filebeat index template, not the pipeline's parsing itself: strings in the
#Filebeat index are indexed as non-analyzed `keyword` (see the `strings_as_keyword` dynamic template below, `ignore_above: 1024`),
#so a `match` query only hits when the *entire* field value equals the query term. Confirm the mapping of the field actually queried:
#GET filebeat-7.5.0-2019.12.18-000003/_mapping/field/event.original
#If it is `keyword`, search it with a `wildcard` / `query_string` query (e.g. "*Primary*", case-sensitive), or have the pipeline also
#copy the raw line into a `text`-mapped field. Caveat for detection use: `ignore_above: 1024` means a raw syslog line longer than
#1024 characters is not indexed in that field at all (it remains only in `_source`), so long FTD events are invisible to searches on it.
#Indices not processed by the pipeline get Elasticsearch's default dynamic mapping (string -> `text` plus a `.keyword` sub-field,
#as `host` shows below), which is why full-text `match` works there.
{
"kemp-000014" : {
"aliases" : {
"kemp" : {
"is_write_index" : true
}
},
"mappings" : {
"properties" : {
...
"host" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
#The index written through the pipeline differs: Filebeat template (`_meta.beat: filebeat`), explicit dynamic templates, `date_detection: false`, ECS field set. Output is truncated -- the `event` object, which would show the type of `event.original`, lies past the cut. Note also the `_temp_` and `orig_security` objects at the top of the mapping: these look like pipeline scratch fields that were left on at least one indexed document; worth checking whether the pipeline's failure path skipped its remove step ({"query": {"exists": {"field": "_temp_"}}}).
{
"filebeat-7.5.0-2019.12.18-000003" : {
"aliases" : {
"filebeat-7.5.0" : {
"is_write_index" : true
}
},
"mappings" : {
"_meta" : {
"beat" : "filebeat",
"version" : "7.5.0"
},
"dynamic_templates" : [
{
"labels" : {
"path_match" : "labels.*",
"match_mapping_type" : "string",
"mapping" : {
"type" : "keyword"
}
}
},
{
"container.labels" : {
"path_match" : "container.labels.*",
"match_mapping_type" : "string",
"mapping" : {
"type" : "keyword"
}
}
},
{
"dns.answers" : {
"path_match" : "dns.answers.*",
"match_mapping_type" : "string",
"mapping" : {
"type" : "keyword"
}
}
},
{
"fields" : {
"path_match" : "fields.*",
"match_mapping_type" : "string",
"mapping" : {
"type" : "keyword"
}
}
},
{
"docker.container.labels" : {
"path_match" : "docker.container.labels.*",
"match_mapping_type" : "string",
"mapping" : {
"type" : "keyword"
}
}
},
{
"kubernetes.labels.*" : {
"path_match" : "kubernetes.labels.*",
"mapping" : {
"type" : "keyword"
}
}
},
{
"kubernetes.annotations.*" : {
"path_match" : "kubernetes.annotations.*",
"mapping" : {
"type" : "keyword"
}
}
},
{
"docker.attrs" : {
"path_match" : "docker.attrs.*",
"match_mapping_type" : "string",
"mapping" : {
"type" : "keyword"
}
}
},
{
"cef.extensions" : {
"path_match" : "cef.extensions.*",
"match_mapping_type" : "string",
"mapping" : {
"type" : "keyword"
}
}
},
{
"kibana.log.meta" : {
"path_match" : "kibana.log.meta.*",
"match_mapping_type" : "string",
"mapping" : {
"type" : "keyword"
}
}
},
{
"strings_as_keyword" : {
"match_mapping_type" : "string",
"mapping" : {
"ignore_above" : 1024,
"type" : "keyword"
}
}
}
],
"date_detection" : false,
"properties" : {
"@timestamp" : {
"type" : "date"
},
"@version" : {
"type" : "keyword",
"ignore_above" : 1024
},
"_temp_" : {
"properties" : {
"cisco" : {
"properties" : {
"message_id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"rule_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"security" : {
"properties" : {
"access_control_rule_action" : {
"type" : "keyword",
"ignore_above" : 1024
},
"access_control_rule_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"access_control_rule_reason" : {
"type" : "keyword",
"ignore_above" : 1024
},
"application_protocol" : {
"type" : "keyword",
"ignore_above" : 1024
},
"client" : {
"type" : "keyword",
"ignore_above" : 1024
},
"dns_query" : {
"type" : "keyword",
"ignore_above" : 1024
},
"dns_record_type" : {
"type" : "keyword",
"ignore_above" : 1024
},
"dns_response_type" : {
"type" : "keyword",
"ignore_above" : 1024
},
"dst_ip" : {
"type" : "keyword",
"ignore_above" : 1024
},
"dst_port" : {
"type" : "keyword",
"ignore_above" : 1024
},
"egress_zone" : {
"type" : "keyword",
"ignore_above" : 1024
},
"ingress_zone" : {
"type" : "keyword",
"ignore_above" : 1024
},
"initiator_bytes" : {
"type" : "keyword",
"ignore_above" : 1024
},
"initiator_packets" : {
"type" : "keyword",
"ignore_above" : 1024
},
"ip_reputation_si_category" : {
"type" : "keyword",
"ignore_above" : 1024
},
"nap_policy" : {
"type" : "keyword",
"ignore_above" : 1024
},
"prefilter_policy" : {
"type" : "keyword",
"ignore_above" : 1024
},
"protocol" : {
"type" : "keyword",
"ignore_above" : 1024
},
"referenced_host" : {
"type" : "keyword",
"ignore_above" : 1024
},
"responder_bytes" : {
"type" : "keyword",
"ignore_above" : 1024
},
"responder_packets" : {
"type" : "keyword",
"ignore_above" : 1024
},
"sec_int_matching_ip" : {
"type" : "keyword",
"ignore_above" : 1024
},
"src_ip" : {
"type" : "keyword",
"ignore_above" : 1024
},
"src_port" : {
"type" : "keyword",
"ignore_above" : 1024
},
"tcp_flags" : {
"type" : "keyword",
"ignore_above" : 1024
},
"url" : {
"type" : "keyword",
"ignore_above" : 1024
},
"url_category" : {
"type" : "keyword",
"ignore_above" : 1024
},
"url_reputation" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
},
"orig_security" : {
"properties" : {
"AccessControlRuleAction" : {
"type" : "keyword",
"ignore_above" : 1024
},
"AccessControlRuleName" : {
"type" : "keyword",
"ignore_above" : 1024
},
"AccessControlRuleReason" : {
"type" : "keyword",
"ignore_above" : 1024
},
"ApplicationProtocol" : {
"type" : "keyword",
"ignore_above" : 1024
},
"Client" : {
"type" : "keyword",
"ignore_above" : 1024
},
"ConnectType" : {
"type" : "keyword",
"ignore_above" : 1024
},
"DE" : {
"type" : "keyword",
"ignore_above" : 1024
},
"DNSQuery" : {
"type" : "keyword",
"ignore_above" : 1024
},
"DNSRecordType" : {
"type" : "keyword",
"ignore_above" : 1024
},
"DNSResponseType" : {
"type" : "keyword",
"ignore_above" : 1024
},
"DstIP" : {
"type" : "keyword",
"ignore_above" : 1024
},
"DstPort" : {
"type" : "keyword",
"ignore_above" : 1024
},
"EgressZone" : {
"type" : "keyword",
"ignore_above" : 1024
},
"IPReputationSICategory" : {
"type" : "keyword",
"ignore_above" : 1024
},
"IngressZone" : {
"type" : "keyword",
"ignore_above" : 1024
},
"InitiatorBytes" : {
"type" : "keyword",
"ignore_above" : 1024
},
"InitiatorPackets" : {
"type" : "keyword",
"ignore_above" : 1024
},
"NAPPolicy" : {
"type" : "keyword",
"ignore_above" : 1024
},
"OriginalClientIP" : {
"type" : "keyword",
"ignore_above" : 1024
},
"Policy" : {
"type" : "keyword",
"ignore_above" : 1024
},
"Prefilter Policy" : {
"type" : "keyword",
"ignore_above" : 1024
},
"Protocol" : {
"type" : "keyword",
"ignore_above" : 1024
},
"ReferencedHost" : {
"type" : "keyword",
"ignore_above" : 1024
},
"ResponderBytes" : {
"type" : "keyword",
"ignore_above" : 1024
},
"ResponderPackets" : {
"type" : "keyword",
"ignore_above" : 1024
},
"SecIntMatchingIP" : {
"type" : "keyword",
"ignore_above" : 1024
},
"Sinkhole" : {
"type" : "keyword",
"ignore_above" : 1024
},
"SrcIP" : {
"type" : "keyword",
"ignore_above" : 1024
},
"SrcPort" : {
"type" : "keyword",
"ignore_above" : 1024
},
"TCPFlags" : {
"type" : "keyword",
"ignore_above" : 1024
},
"URL" : {
"type" : "keyword",
"ignore_above" : 1024
},
"URLCategory" : {
"type" : "keyword",
"ignore_above" : 1024
},
"URLReputation" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"raw_date" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"agent" : {
"properties" : {
"ephemeral_id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"hostname" : {
"type" : "keyword",
"ignore_above" : 1024
},
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"type" : {
"type" : "keyword",
"ignore_above" : 1024
},
"version" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"apache" : {
"properties" : {
"access" : {
"properties" : {
"ssl" : {
"properties" : {
"cipher" : {
"type" : "keyword",
"ignore_above" : 1024
},
"protocol" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
},
"error" : {
"properties" : {
"module" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
},
"apache2" : {
"properties" : {
"access" : {
"properties" : {
"geoip" : {
"type" : "object"
},
"user_agent" : {
"type" : "object"
}
}
},
"error" : {
"type" : "object"
}
}
},
"as" : {
"properties" : {
"number" : {
"type" : "long"
},
"organization" : {
"properties" : {
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
},
"auditd" : {
"properties" : {
"log" : {
"properties" : {
"a0" : {
"type" : "keyword",
"ignore_above" : 1024
},
"addr" : {
"type" : "ip"
},
"geoip" : {
"type" : "object"
},
"item" : {
"type" : "keyword",
"ignore_above" : 1024
},
"items" : {
"type" : "keyword",
"ignore_above" : 1024
},
"laddr" : {
"type" : "ip"
},
"lport" : {
"type" : "long"
},
"new_auid" : {
"type" : "keyword",
"ignore_above" : 1024
},
"new_ses" : {
"type" : "keyword",
"ignore_above" : 1024
},
"old_auid" : {
"type" : "keyword",
"ignore_above" : 1024
},
"old_ses" : {
"type" : "keyword",
"ignore_above" : 1024
},
"rport" : {
"type" : "long"
},
"sequence" : {
"type" : "long"
},
"tty" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
},
"aws" : {
"properties" : {
"elb" : {
"properties" : {
"action_executed" : {
"type" : "keyword",
"ignore_above" : 1024
},
"backend" : {
"properties" : {
"http" : {
"properties" : {
"response" : {
"properties" : {
"status_code" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
},
"ip" : {
"type" : "keyword",
"ignore_above" : 1024
},
"port" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"backend_processing_time" : {
"properties" : {
"sec" : {
"type" : "float"
}
}
},
"chosen_cert" : {
"properties" : {
"arn" : {
"type" : "keyword",
"ignore_above" : 1024
},
"serial" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"connection_time" : {
"properties" : {
"ms" : {
"type" : "long"
}
}
},
"error" : {
"properties" : {
"reason" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"incoming_tls_alert" : {
"type" : "keyword",
"ignore_above" : 1024
},
"listener" : {
"type" : "keyword",
"ignore_above" : 1024
},
"matched_rule_priority" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"protocol" : {
"type" : "keyword",
"ignore_above" : 1024
},
"redirect_url" : {
"type" : "keyword",
"ignore_above" : 1024
},
"request_processing_time" : {
"properties" : {
"sec" : {
"type" : "float"
}
}
},
"response_processing_time" : {
"properties" : {
"sec" : {
"type" : "float"
}
}
},
"ssl_cipher" : {
"type" : "keyword",
"ignore_above" : 1024
},
"ssl_protocol" : {
"type" : "keyword",
"ignore_above" : 1024
},
"target_group" : {
"properties" : {
"arn" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"tls_handshake_time" : {
"properties" : {
"ms" : {
"type" : "long"
}
}
},
"tls_named_group" : {
"type" : "keyword",
"ignore_above" : 1024
},
"trace_id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"type" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"s3access" : {
"properties" : {
"authentication_type" : {
"type" : "keyword",
"ignore_above" : 1024
},
"bucket" : {
"type" : "keyword",
"ignore_above" : 1024
},
"bucket_owner" : {
"type" : "keyword",
"ignore_above" : 1024
},
"bytes_sent" : {
"type" : "long"
},
"cipher_suite" : {
"type" : "keyword",
"ignore_above" : 1024
},
"error_code" : {
"type" : "keyword",
"ignore_above" : 1024
},
"host_header" : {
"type" : "keyword",
"ignore_above" : 1024
},
"host_id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"http_status" : {
"type" : "long"
},
"key" : {
"type" : "keyword",
"ignore_above" : 1024
},
"object_size" : {
"type" : "long"
},
"operation" : {
"type" : "keyword",
"ignore_above" : 1024
},
"referrer" : {
"type" : "keyword",
"ignore_above" : 1024
},
"remote_ip" : {
"type" : "ip"
},
"request_id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"request_uri" : {
"type" : "keyword",
"ignore_above" : 1024
},
"requester" : {
"type" : "keyword",
"ignore_above" : 1024
},
"signature_version" : {
"type" : "keyword",
"ignore_above" : 1024
},
"tls_version" : {
"type" : "keyword",
"ignore_above" : 1024
},
"total_time" : {
"type" : "long"
},
"turn_around_time" : {
"type" : "long"
},
"user_agent" : {
"type" : "keyword",
"ignore_above" : 1024
},
"version_id" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
},
"azure" : {
"properties" : {
"activitylogs" : {
"properties" : {
"identity" : {
"properties" : {
"action" : {
"type" : "keyword",
"ignore_above" : 1024
},
"authorization" : {
"properties" : {
"evidence" : {
"properties" : {
"principal_id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"principal_type" : {
"type" : "keyword",
"ignore_above" : 1024
},
"role" : {
"type" : "keyword",
"ignore_above" : 1024
},
"role_assignment_id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"role_assignment_scope" : {
"type" : "keyword",
"ignore_above" : 1024
},
"role_definition_id" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
},
"claims_initiated_by_user" : {
"properties" : {
"fullname" : {
"type" : "keyword",
"ignore_above" : 1024
},
"givenname" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"schema" : {
"type" : "keyword",
"ignore_above" : 1024
},
"surname" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"scope" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"operation_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"properties" : {
"properties" : {
"service_request_id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"status_code" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"result_signature" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"auditlogs" : {
"properties" : {
"operation_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"operation_version" : {
"type" : "keyword",
"ignore_above" : 1024
},
"properties" : {
"properties" : {
"activityDateTime" : {
"type" : "keyword",
"ignore_above" : 1024
},
"activity_display_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"category" : {
"type" : "keyword",
"ignore_above" : 1024
},
"correlation_id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"initiated_by" : {
"properties" : {
"app" : {
"properties" : {
"appId" : {
"type" : "keyword",
"ignore_above" : 1024
},
"displayName" : {
"type" : "keyword",
"ignore_above" : 1024
},
"servicePrincipalId" : {
"type" : "keyword",
"ignore_above" : 1024
},
"servicePrincipalName" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"user" : {
"properties" : {
"displayName" : {
"type" : "keyword",
"ignore_above" : 1024
},
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"ipAddress" : {
"type" : "keyword",
"ignore_above" : 1024
},
"userPrincipalName" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
},
"logged_by_service" : {
"type" : "keyword",
"ignore_above" : 1024
},
"operation_type" : {
"type" : "keyword",
"ignore_above" : 1024
},
"result" : {
"type" : "keyword",
"ignore_above" : 1024
},
"result_reason" : {
"type" : "keyword",
"ignore_above" : 1024
},
"target_resources" : {
"properties" : {
"display_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"ip_address" : {
"type" : "keyword",
"ignore_above" : 1024
},
"modified_properties" : {
"properties" : {
"displayName" : {
"type" : "keyword",
"ignore_above" : 1024
},
"newValue" : {
"type" : "keyword",
"ignore_above" : 1024
},
"oldValue" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"type" : {
"type" : "keyword",
"ignore_above" : 1024
},
"user_principal_name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
},
"result_signature" : {
"type" : "keyword",
"ignore_above" : 1024
},
"tenant_id" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"correlation_id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"resource" : {
"properties" : {
"group" : {
"type" : "keyword",
"ignore_above" : 1024
},
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"namespace" : {
"type" : "keyword",
"ignore_above" : 1024
},
"provider" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"signinlogs" : {
"properties" : {
"identity" : {
"type" : "keyword",
"ignore_above" : 1024
},
"operation_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"operation_version" : {
"type" : "keyword",
"ignore_above" : 1024
},
"properties" : {
"properties" : {
"app_display_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"app_id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"client_app_used" : {
"type" : "keyword",
"ignore_above" : 1024
},
"conditional_access_status" : {
"type" : "keyword",
"ignore_above" : 1024
},
"correlation_id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"created_at" : {
"type" : "keyword",
"ignore_above" : 1024
},
"device_detail" : {
"properties" : {
"browser" : {
"type" : "keyword",
"ignore_above" : 1024
},
"device_id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"display_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"operating_system" : {
"type" : "keyword",
"ignore_above" : 1024
},
"trust_type" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"ip_address" : {
"type" : "keyword",
"ignore_above" : 1024
},
"is_interactive" : {
"type" : "keyword",
"ignore_above" : 1024
},
"original_request_id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"processing_time_ms" : {
"type" : "float"
},
"resource_display_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"risk_detail" : {
"type" : "keyword",
"ignore_above" : 1024
},
"risk_level_aggregated" : {
"type" : "keyword",
"ignore_above" : 1024
},
"risk_level_during_signin" : {
"type" : "keyword",
"ignore_above" : 1024
},
"risk_state" : {
"type" : "keyword",
"ignore_above" : 1024
},
"service_principal_id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"status" : {
"properties" : {
"additional_details" : {
"type" : "keyword",
"ignore_above" : 1024
},
"error_code" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"token_issuer_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"token_issuer_type" : {
"type" : "keyword",
"ignore_above" : 1024
},
"user_display_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"user_id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"user_principal_name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"result_signature" : {
"type" : "keyword",
"ignore_above" : 1024
},
"tenant_id" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"subscription_id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"tenant_id" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"bucket_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"cef" : {
"properties" : {
"device" : {
"properties" : {
"event_class_id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"product" : {
"type" : "keyword",
"ignore_above" : 1024
},
"vendor" : {
"type" : "keyword",
"ignore_above" : 1024
},
"version" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"extensions" : {
"type" : "object"
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"severity" : {
"type" : "keyword",
"ignore_above" : 1024
},
"version" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"certificate" : {
"properties" : {
"common_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"sha256" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"cisco" : {
"properties" : {
"asa" : {
"properties" : {
"connection_id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"destination_interface" : {
"type" : "keyword",
"ignore_above" : 1024
},
"destination_username" : {
"type" : "keyword",
"ignore_above" : 1024
},
"icmp_code" : {
"type" : "short"
},
"icmp_type" : {
"type" : "short"
},
"mapped_destination_ip" : {
"type" : "ip"
},
"mapped_destination_port" : {
"type" : "long"
},
"mapped_source_ip" : {
"type" : "ip"
},
"mapped_source_port" : {
"type" : "long"
},
"message_id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"rule_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"source_interface" : {
"type" : "keyword",
"ignore_above" : 1024
},
"source_username" : {
"type" : "keyword",
"ignore_above" : 1024
},
"suffix" : {
"type" : "keyword",
"ignore_above" : 1024
},
"threat_category" : {
"type" : "keyword",
"ignore_above" : 1024
},
"threat_level" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"ftd" : {
"properties" : {
"connection_id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"destination_interface" : {
"type" : "keyword",
"ignore_above" : 1024
},
"destination_username" : {
"type" : "keyword",
"ignore_above" : 1024
},
"icmp_code" : {
"type" : "short"
},
"icmp_type" : {
"type" : "short"
},
"mapped_destination_ip" : {
"type" : "ip"
},
"mapped_destination_port" : {
"type" : "long"
},
"mapped_source_ip" : {
"type" : "ip"
},
"mapped_source_port" : {
"type" : "long"
},
"message_id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"rule_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"security" : {
"properties" : {
"access_control_rule_action" : {
"type" : "keyword",
"ignore_above" : 1024
},
"access_control_rule_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"access_control_rule_reason" : {
"type" : "keyword",
"ignore_above" : 1024
},
"application_protocol" : {
"type" : "keyword",
"ignore_above" : 1024
},
"client" : {
"type" : "keyword",
"ignore_above" : 1024
},
"client_version" : {
"type" : "keyword",
"ignore_above" : 1024
},
"dns_query" : {
"type" : "keyword",
"ignore_above" : 1024
},
"dns_record_type" : {
"type" : "keyword",
"ignore_above" : 1024
},
"dns_response_type" : {
"type" : "keyword",
"ignore_above" : 1024
},
"dns_ttl" : {
"type" : "keyword",
"ignore_above" : 1024
},
"dst_ip" : {
"type" : "keyword",
"ignore_above" : 1024
},
"dst_port" : {
"type" : "keyword",
"ignore_above" : 1024
},
"egress_zone" : {
"type" : "keyword",
"ignore_above" : 1024
},
"endpoint_profile" : {
"type" : "keyword",
"ignore_above" : 1024
},
"file_count" : {
"type" : "keyword",
"ignore_above" : 1024
},
"http_referer" : {
"type" : "keyword",
"ignore_above" : 1024
},
"http_response" : {
"type" : "keyword",
"ignore_above" : 1024
},
"icmp_code" : {
"type" : "keyword",
"ignore_above" : 1024
},
"icmp_type" : {
"type" : "keyword",
"ignore_above" : 1024
},
"ingress_zone" : {
"type" : "keyword",
"ignore_above" : 1024
},
"initiator_bytes" : {
"type" : "keyword",
"ignore_above" : 1024
},
"initiator_packets" : {
"type" : "keyword",
"ignore_above" : 1024
},
"ip_reputation_si_category" : {
"type" : "keyword",
"ignore_above" : 1024
},
"ips_count" : {
"type" : "keyword",
"ignore_above" : 1024
},
"nap_policy" : {
"type" : "keyword",
"ignore_above" : 1024
},
"prefilter_policy" : {
"type" : "keyword",
"ignore_above" : 1024
},
"protocol" : {
"type" : "keyword",
"ignore_above" : 1024
},
"referenced_host" : {
"type" : "keyword",
"ignore_above" : 1024
},
"responder_bytes" : {
"type" : "keyword",
"ignore_above" : 1024
},
"responder_packets" : {
"type" : "keyword",
"ignore_above" : 1024
},
"sec_int_matching_ip" : {
"type" : "keyword",
"ignore_above" : 1024
},
"src_ip" : {
"type" : "keyword",
"ignore_above" : 1024
},
"src_port" : {
"type" : "keyword",
"ignore_above" : 1024
},
"tcp_flags" : {
"type" : "keyword",
"ignore_above" : 1024
},
"url" : {
"type" : "keyword",
"ignore_above" : 1024
},
"url_category" : {
"type" : "keyword",
"ignore_above" : 1024
},
"url_reputation" : {
"type" : "keyword",
"ignore_above" : 1024
},
"user_agent" : {
"type" : "keyword",
"ignore_above" : 1024
},
"web_application" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"source_interface" : {
"type" : "keyword",
"ignore_above" : 1024
},
"source_username" : {
"type" : "keyword",
"ignore_above" : 1024
},
"suffix" : {
"type" : "keyword",
"ignore_above" : 1024
},
"threat_category" : {
"type" : "keyword",
"ignore_above" : 1024
},
"threat_level" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"ios" : {
"properties" : {
"access_list" : {
"type" : "keyword",
"ignore_above" : 1024
},
"facility" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
},
"client" : {
"properties" : {
"address" : {
"type" : "keyword",
"ignore_above" : 1024
},
"as" : {
"properties" : {
"number" : {
"type" : "long"
},
"organization" : {
"properties" : {
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
},
"bytes" : {
"type" : "long"
},
"domain" : {
"type" : "keyword",
"ignore_above" : 1024
},
"geo" : {
"properties" : {
"city_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"continent_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"country_iso_code" : {
"type" : "keyword",
"ignore_above" : 1024
},
"country_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"location" : {
"type" : "geo_point"
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"region_iso_code" : {
"type" : "keyword",
"ignore_above" : 1024
},
"region_name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"ip" : {
"type" : "ip"
},
"mac" : {
"type" : "keyword",
"ignore_above" : 1024
},
"nat" : {
"properties" : {
"ip" : {
"type" : "ip"
},
"port" : {
"type" : "long"
}
}
},
"packets" : {
"type" : "long"
},
"port" : {
"type" : "long"
},
"user" : {
"properties" : {
"domain" : {
"type" : "keyword",
"ignore_above" : 1024
},
"email" : {
"type" : "keyword",
"ignore_above" : 1024
},
"full_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"group" : {
"properties" : {
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"hash" : {
"type" : "keyword",
"ignore_above" : 1024
},
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
},
"cloud" : {
"properties" : {
"account" : {
"properties" : {
"id" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"availability_zone" : {
"type" : "keyword",
"ignore_above" : 1024
},
"image" : {
"properties" : {
"id" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"instance" : {
"properties" : {
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"machine" : {
"properties" : {
"type" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"project" : {
"properties" : {
"id" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"provider" : {
"type" : "keyword",
"ignore_above" : 1024
},
"region" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"container" : {
"properties" : {
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"image" : {
"properties" : {
"name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"tag" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"labels" : {
"type" : "object"
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"runtime" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"coredns" : {
"properties" : {
"dnssec_ok" : {
"type" : "boolean"
},
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"query" : {
"properties" : {
"class" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"size" : {
"type" : "long"
},
"type" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"response" : {
"properties" : {
"code" : {
"type" : "keyword",
"ignore_above" : 1024
},
"flags" : {
"type" : "keyword",
"ignore_above" : 1024
},
"size" : {
"type" : "long"
}
}
}
}
},
"destination" : {
"properties" : {
"address" : {
"type" : "keyword",
"ignore_above" : 1024
},
"as" : {
"properties" : {
"number" : {
"type" : "long"
},
"organization" : {
"properties" : {
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
},
"bytes" : {
"type" : "long"
},
"domain" : {
"type" : "keyword",
"ignore_above" : 1024
},
"geo" : {
"properties" : {
"city_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"continent_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"country_iso_code" : {
"type" : "keyword",
"ignore_above" : 1024
},
"country_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"location" : {
"type" : "geo_point"
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"region_iso_code" : {
"type" : "keyword",
"ignore_above" : 1024
},
"region_name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"ip" : {
"type" : "ip"
},
"mac" : {
"type" : "keyword",
"ignore_above" : 1024
},
"nat" : {
"properties" : {
"ip" : {
"type" : "ip"
},
"port" : {
"type" : "long"
}
}
},
"packets" : {
"type" : "long"
},
"port" : {
"type" : "long"
},
"service" : {
"properties" : {
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"user" : {
"properties" : {
"domain" : {
"type" : "keyword",
"ignore_above" : 1024
},
"email" : {
"type" : "keyword",
"ignore_above" : 1024
},
"full_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"group" : {
"properties" : {
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"hash" : {
"type" : "keyword",
"ignore_above" : 1024
},
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
},
"dns" : {
"properties" : {
"answers" : {
"properties" : {
"class" : {
"type" : "keyword",
"ignore_above" : 1024
},
"data" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"ttl" : {
"type" : "long"
},
"type" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"header_flags" : {
"type" : "keyword",
"ignore_above" : 1024
},
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"op_code" : {
"type" : "keyword",
"ignore_above" : 1024
},
"question" : {
"properties" : {
"class" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"registered_domain" : {
"type" : "keyword",
"ignore_above" : 1024
},
"type" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"resolved_ip" : {
"type" : "ip"
},
"response_code" : {
"type" : "keyword",
"ignore_above" : 1024
},
"type" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"docker" : {
"properties" : {
"attrs" : {
"type" : "object"
},
"container" : {
"properties" : {
"labels" : {
"type" : "object"
}
}
}
}
},
"ecs" : {
"properties" : {
"version" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"elasticsearch" : {
"properties" : {
"audit" : {
"properties" : {
"action" : {
"type" : "keyword",
"ignore_above" : 1024
},
"event_type" : {
"type" : "keyword",
"ignore_above" : 1024
},
"indices" : {
"type" : "keyword",
"ignore_above" : 1024
},
"layer" : {
"type" : "keyword",
"ignore_above" : 1024
},
"message" : {
"type" : "text",
"norms" : false
},
"origin" : {
"properties" : {
"type" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"realm" : {
"type" : "keyword",
"ignore_above" : 1024
},
"request" : {
"properties" : {
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"url" : {
"properties" : {
"params" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"user" : {
"properties" : {
"realm" : {
"type" : "keyword",
"ignore_above" : 1024
},
"roles" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
},
"cluster" : {
"properties" : {
"name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"uuid" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"component" : {
"type" : "keyword",
"ignore_above" : 1024
},
"deprecation" : {
"type" : "object"
},
"gc" : {
"properties" : {
"heap" : {
"properties" : {
"size_kb" : {
"type" : "long"
},
"used_kb" : {
"type" : "long"
}
}
},
"jvm_runtime_sec" : {
"type" : "float"
},
"old_gen" : {
"properties" : {
"size_kb" : {
"type" : "long"
},
"used_kb" : {
"type" : "long"
}
}
},
"phase" : {
"properties" : {
"class_unload_time_sec" : {
"type" : "float"
},
"cpu_time" : {
"properties" : {
"real_sec" : {
"type" : "float"
},
"sys_sec" : {
"type" : "float"
},
"user_sec" : {
"type" : "float"
}
}
},
"duration_sec" : {
"type" : "float"
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"parallel_rescan_time_sec" : {
"type" : "float"
},
"scrub_string_table_time_sec" : {
"type" : "float"
},
"scrub_symbol_table_time_sec" : {
"type" : "float"
},
"weak_refs_processing_time_sec" : {
"type" : "float"
}
}
},
"stopping_threads_time_sec" : {
"type" : "float"
},
"tags" : {
"type" : "keyword",
"ignore_above" : 1024
},
"threads_total_stop_time_sec" : {
"type" : "float"
},
"young_gen" : {
"properties" : {
"size_kb" : {
"type" : "long"
},
"used_kb" : {
"type" : "long"
}
}
}
}
},
"index" : {
"properties" : {
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"node" : {
"properties" : {
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"server" : {
"properties" : {
"gc" : {
"properties" : {
"collection_duration" : {
"properties" : {
"ms" : {
"type" : "float"
}
}
},
"observation_duration" : {
"properties" : {
"ms" : {
"type" : "float"
}
}
},
"overhead_seq" : {
"type" : "long"
},
"young" : {
"properties" : {
"one" : {
"type" : "long"
},
"two" : {
"type" : "long"
}
}
}
}
},
"stacktrace" : {
"type" : "keyword",
"index" : false,
"ignore_above" : 1024
}
}
},
"shard" : {
"properties" : {
"id" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"slowlog" : {
"properties" : {
"extra_source" : {
"type" : "keyword",
"ignore_above" : 1024
},
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"logger" : {
"type" : "keyword",
"ignore_above" : 1024
},
"routing" : {
"type" : "keyword",
"ignore_above" : 1024
},
"search_type" : {
"type" : "keyword",
"ignore_above" : 1024
},
"source" : {
"type" : "keyword",
"ignore_above" : 1024
},
"source_query" : {
"type" : "keyword",
"ignore_above" : 1024
},
"stats" : {
"type" : "keyword",
"ignore_above" : 1024
},
"took" : {
"type" : "keyword",
"ignore_above" : 1024
},
"total_hits" : {
"type" : "keyword",
"ignore_above" : 1024
},
"total_shards" : {
"type" : "keyword",
"ignore_above" : 1024
},
"type" : {
"type" : "keyword",
"ignore_above" : 1024
},
"types" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
},
"envoyproxy" : {
"properties" : {
"authority" : {
"type" : "keyword",
"ignore_above" : 1024
},
"log_type" : {
"type" : "keyword",
"ignore_above" : 1024
},
"proxy_type" : {
"type" : "keyword",
"ignore_above" : 1024
},
"request_id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"response_flags" : {
"type" : "keyword",
"ignore_above" : 1024
},
"upstream_service_time" : {
"type" : "long"
}
}
},
"error" : {
"properties" : {
"code" : {
"type" : "keyword",
"ignore_above" : 1024
},
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"message" : {
"type" : "text",
"norms" : false
},
"type" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"event" : {
"properties" : {
"action" : {
"type" : "keyword",
"ignore_above" : 1024
},
"category" : {
"type" : "keyword",
"ignore_above" : 1024
},
"code" : {
"type" : "keyword",
"ignore_above" : 1024
},
"created" : {
"type" : "date"
},
"dataset" : {
"type" : "keyword",
"ignore_above" : 1024
},
"duration" : {
"type" : "long"
},
"end" : {
"type" : "date"
},
"hash" : {
"type" : "keyword",
"ignore_above" : 1024
},
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"kind" : {
"type" : "keyword",
"ignore_above" : 1024
},
"module" : {
"type" : "keyword",
"ignore_above" : 1024
},
"original" : {
"type" : "keyword",
"ignore_above" : 1024
},
"outcome" : {
"type" : "keyword",
"ignore_above" : 1024
},
"provider" : {
"type" : "keyword",
"ignore_above" : 1024
},
"risk_score" : {
"type" : "float"
},
"risk_score_norm" : {
"type" : "float"
},
"sequence" : {
"type" : "long"
},
"severity" : {
"type" : "long"
},
"start" : {
"type" : "date"
},
"timezone" : {
"type" : "keyword",
"ignore_above" : 1024
},
"type" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"fields" : {
"type" : "object"
},
"file" : {
"properties" : {
"accessed" : {
"type" : "date"
},
"created" : {
"type" : "date"
},
"ctime" : {
"type" : "date"
},
"device" : {
"type" : "keyword",
"ignore_above" : 1024
},
"directory" : {
"type" : "keyword",
"ignore_above" : 1024
},
"extension" : {
"type" : "keyword",
"ignore_above" : 1024
},
"gid" : {
"type" : "keyword",
"ignore_above" : 1024
},
"group" : {
"type" : "keyword",
"ignore_above" : 1024
},
"hash" : {
"properties" : {
"md5" : {
"type" : "keyword",
"ignore_above" : 1024
},
"sha1" : {
"type" : "keyword",
"ignore_above" : 1024
},
"sha256" : {
"type" : "keyword",
"ignore_above" : 1024
},
"sha512" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"inode" : {
"type" : "keyword",
"ignore_above" : 1024
},
"mode" : {
"type" : "keyword",
"ignore_above" : 1024
},
"mtime" : {
"type" : "date"
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"owner" : {
"type" : "keyword",
"ignore_above" : 1024
},
"path" : {
"type" : "keyword",
"ignore_above" : 1024
},
"size" : {
"type" : "long"
},
"target_path" : {
"type" : "keyword",
"ignore_above" : 1024
},
"type" : {
"type" : "keyword",
"ignore_above" : 1024
},
"uid" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"fileset" : {
"properties" : {
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"geo" : {
"properties" : {
"city_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"continent_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"country_iso_code" : {
"type" : "keyword",
"ignore_above" : 1024
},
"country_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"location" : {
"type" : "geo_point"
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"region_iso_code" : {
"type" : "keyword",
"ignore_above" : 1024
},
"region_name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"googlecloud" : {
"properties" : {
"vpcflow" : {
"properties" : {
"destination" : {
"properties" : {
"instance" : {
"properties" : {
"project_id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"region" : {
"type" : "keyword",
"ignore_above" : 1024
},
"zone" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"vpc" : {
"properties" : {
"project_id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"subnetwork_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"vpc_name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
},
"reporter" : {
"type" : "keyword",
"ignore_above" : 1024
},
"rtt" : {
"properties" : {
"ms" : {
"type" : "long"
}
}
},
"source" : {
"properties" : {
"instance" : {
"properties" : {
"project_id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"region" : {
"type" : "keyword",
"ignore_above" : 1024
},
"zone" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"vpc" : {
"properties" : {
"project_id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"subnetwork_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"vpc_name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
}
}
}
}
},
"group" : {
"properties" : {
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"haproxy" : {
"properties" : {
"backend_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"backend_queue" : {
"type" : "long"
},
"bind_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"bytes_read" : {
"type" : "long"
},
"client" : {
"type" : "object"
},
"connection_wait_time_ms" : {
"type" : "long"
},
"connections" : {
"properties" : {
"active" : {
"type" : "long"
},
"backend" : {
"type" : "long"
},
"frontend" : {
"type" : "long"
},
"retries" : {
"type" : "long"
},
"server" : {
"type" : "long"
}
}
},
"destination" : {
"type" : "object"
},
"error_message" : {
"type" : "text",
"norms" : false
},
"frontend_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"geoip" : {
"type" : "object"
},
"http" : {
"properties" : {
"request" : {
"properties" : {
"captured_cookie" : {
"type" : "keyword",
"ignore_above" : 1024
},
"captured_headers" : {
"type" : "keyword",
"ignore_above" : 1024
},
"raw_request_line" : {
"type" : "keyword",
"ignore_above" : 1024
},
"time_wait_ms" : {
"type" : "long"
},
"time_wait_without_data_ms" : {
"type" : "long"
}
}
},
"response" : {
"properties" : {
"captured_cookie" : {
"type" : "keyword",
"ignore_above" : 1024
},
"captured_headers" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
},
"mode" : {
"type" : "keyword",
"ignore_above" : 1024
},
"server_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"server_queue" : {
"type" : "long"
},
"source" : {
"type" : "keyword",
"ignore_above" : 1024
},
"tcp" : {
"properties" : {
"connection_waiting_time_ms" : {
"type" : "long"
}
}
},
"termination_state" : {
"type" : "keyword",
"ignore_above" : 1024
},
"time_backend_connect" : {
"type" : "long"
},
"time_queue" : {
"type" : "long"
},
"total_waiting_time_ms" : {
"type" : "long"
}
}
},
"hash" : {
"properties" : {
"md5" : {
"type" : "keyword",
"ignore_above" : 1024
},
"sha1" : {
"type" : "keyword",
"ignore_above" : 1024
},
"sha256" : {
"type" : "keyword",
"ignore_above" : 1024
},
"sha512" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"host" : {
"properties" : {
"architecture" : {
"type" : "keyword",
"ignore_above" : 1024
},
"containerized" : {
"type" : "boolean"
},
"geo" : {
"properties" : {
"city_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"continent_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"country_iso_code" : {
"type" : "keyword",
"ignore_above" : 1024
},
"country_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"location" : {
"type" : "geo_point"
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"region_iso_code" : {
"type" : "keyword",
"ignore_above" : 1024
},
"region_name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"hostname" : {
"type" : "keyword",
"ignore_above" : 1024
},
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"ip" : {
"type" : "ip"
},
"mac" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"os" : {
"properties" : {
"build" : {
"type" : "keyword",
"ignore_above" : 1024
},
"codename" : {
"type" : "keyword",
"ignore_above" : 1024
},
"family" : {
"type" : "keyword",
"ignore_above" : 1024
},
"full" : {
"type" : "keyword",
"ignore_above" : 1024
},
"kernel" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"platform" : {
"type" : "keyword",
"ignore_above" : 1024
},
"version" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"type" : {
"type" : "keyword",
"ignore_above" : 1024
},
"uptime" : {
"type" : "long"
},
"user" : {
"properties" : {
"domain" : {
"type" : "keyword",
"ignore_above" : 1024
},
"email" : {
"type" : "keyword",
"ignore_above" : 1024
},
"full_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"group" : {
"properties" : {
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"hash" : {
"type" : "keyword",
"ignore_above" : 1024
},
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
},
"hostname" : {
"type" : "keyword",
"ignore_above" : 1024
},
"http" : {
"properties" : {
"request" : {
"properties" : {
"body" : {
"properties" : {
"bytes" : {
"type" : "long"
},
"content" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"bytes" : {
"type" : "long"
},
"method" : {
"type" : "keyword",
"ignore_above" : 1024
},
"referrer" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"response" : {
"properties" : {
"body" : {
"properties" : {
"bytes" : {
"type" : "long"
},
"content" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"bytes" : {
"type" : "long"
},
"status_code" : {
"type" : "long"
}
}
},
"version" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"ibmmq" : {
"properties" : {
"errorlog" : {
"properties" : {
"action" : {
"type" : "keyword",
"ignore_above" : 1024
},
"arithinsert" : {
"type" : "keyword",
"ignore_above" : 1024
},
"code" : {
"type" : "keyword",
"ignore_above" : 1024
},
"commentinsert" : {
"type" : "keyword",
"ignore_above" : 1024
},
"errordescription" : {
"type" : "text",
"norms" : false
},
"explanation" : {
"type" : "keyword",
"ignore_above" : 1024
},
"installation" : {
"type" : "keyword",
"ignore_above" : 1024
},
"qmgr" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
},
"icinga" : {
"properties" : {
"debug" : {
"properties" : {
"facility" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"main" : {
"properties" : {
"facility" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"startup" : {
"properties" : {
"facility" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
},
"icmp" : {
"properties" : {
"code" : {
"type" : "keyword",
"ignore_above" : 1024
},
"type" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"igmp" : {
"properties" : {
"type" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"iis" : {
"properties" : {
"access" : {
"properties" : {
"cookie" : {
"type" : "keyword",
"ignore_above" : 1024
},
"geoip" : {
"type" : "object"
},
"server_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"site_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"sub_status" : {
"type" : "long"
},
"user_agent" : {
"type" : "object"
},
"win32_status" : {
"type" : "long"
}
}
},
"error" : {
"properties" : {
"geoip" : {
"type" : "object"
},
"queue_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"reason_phrase" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
},
"input" : {
"properties" : {
"type" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"iptables" : {
"properties" : {
"ether_type" : {
"type" : "long"
},
"flow_label" : {
"type" : "long"
},
"fragment_flags" : {
"type" : "keyword",
"ignore_above" : 1024
},
"fragment_offset" : {
"type" : "long"
},
"icmp" : {
"properties" : {
"code" : {
"type" : "long"
},
"id" : {
"type" : "long"
},
"parameter" : {
"type" : "long"
},
"redirect" : {
"type" : "ip"
},
"seq" : {
"type" : "long"
},
"type" : {
"type" : "long"
}
}
},
"id" : {
"type" : "long"
},
"incomplete_bytes" : {
"type" : "long"
},
"input_device" : {
"type" : "keyword",
"ignore_above" : 1024
},
"length" : {
"type" : "long"
},
"output_device" : {
"type" : "keyword",
"ignore_above" : 1024
},
"precedence_bits" : {
"type" : "short"
},
"tcp" : {
"properties" : {
"ack" : {
"type" : "long"
},
"flags" : {
"type" : "keyword",
"ignore_above" : 1024
},
"reserved_bits" : {
"type" : "short"
},
"seq" : {
"type" : "long"
},
"window" : {
"type" : "long"
}
}
},
"tos" : {
"type" : "long"
},
"ttl" : {
"type" : "long"
},
"ubiquiti" : {
"properties" : {
"input_zone" : {
"type" : "keyword",
"ignore_above" : 1024
},
"output_zone" : {
"type" : "keyword",
"ignore_above" : 1024
},
"rule_number" : {
"type" : "keyword",
"ignore_above" : 1024
},
"rule_set" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"udp" : {
"properties" : {
"length" : {
"type" : "long"
}
}
}
}
},
"jolokia" : {
"properties" : {
"agent" : {
"properties" : {
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"version" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"secured" : {
"type" : "boolean"
},
"server" : {
"properties" : {
"product" : {
"type" : "keyword",
"ignore_above" : 1024
},
"vendor" : {
"type" : "keyword",
"ignore_above" : 1024
},
"version" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"url" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"kafka" : {
"properties" : {
"block_timestamp" : {
"type" : "date"
},
"key" : {
"type" : "keyword",
"ignore_above" : 1024
},
"log" : {
"properties" : {
"class" : {
"type" : "keyword",
"ignore_above" : 1024
},
"component" : {
"type" : "keyword",
"ignore_above" : 1024
},
"trace" : {
"properties" : {
"class" : {
"type" : "keyword",
"ignore_above" : 1024
},
"message" : {
"type" : "text",
"norms" : false
}
}
}
}
},
"offset" : {
"type" : "long"
},
"partition" : {
"type" : "long"
},
"topic" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"kibana" : {
"properties" : {
"log" : {
"properties" : {
"meta" : {
"type" : "object"
},
"state" : {
"type" : "keyword",
"ignore_above" : 1024
},
"tags" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
},
"kubernetes" : {
"properties" : {
"annotations" : {
"properties" : {
"*" : {
"type" : "object"
}
}
},
"container" : {
"properties" : {
"image" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"deployment" : {
"properties" : {
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"labels" : {
"properties" : {
"*" : {
"type" : "object"
}
}
},
"namespace" : {
"type" : "keyword",
"ignore_above" : 1024
},
"node" : {
"properties" : {
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"pod" : {
"properties" : {
"name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"uid" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"replicaset" : {
"properties" : {
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"statefulset" : {
"properties" : {
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
},
"labels" : {
"type" : "object"
},
"log" : {
"properties" : {
"file" : {
"properties" : {
"path" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"flags" : {
"type" : "keyword",
"ignore_above" : 1024
},
"level" : {
"type" : "keyword",
"ignore_above" : 1024
},
"logger" : {
"type" : "keyword",
"ignore_above" : 1024
},
"offset" : {
"type" : "long"
},
"original" : {
"type" : "keyword",
"ignore_above" : 1024
},
"source" : {
"properties" : {
"address" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
},
"logstash" : {
"properties" : {
"log" : {
"properties" : {
"log_event" : {
"type" : "object"
},
"module" : {
"type" : "keyword",
"ignore_above" : 1024
},
"thread" : {
"type" : "keyword",
"fields" : {
"text" : {
"type" : "text",
"norms" : false
}
},
"ignore_above" : 1024
}
}
},
"slowlog" : {
"properties" : {
"event" : {
"type" : "keyword",
"fields" : {
"text" : {
"type" : "text",
"norms" : false
}
},
"ignore_above" : 1024
},
"module" : {
"type" : "keyword",
"ignore_above" : 1024
},
"plugin_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"plugin_params" : {
"type" : "keyword",
"fields" : {
"text" : {
"type" : "text",
"norms" : false
}
},
"ignore_above" : 1024
},
"plugin_params_object" : {
"type" : "object"
},
"plugin_type" : {
"type" : "keyword",
"ignore_above" : 1024
},
"thread" : {
"type" : "keyword",
"fields" : {
"text" : {
"type" : "text",
"norms" : false
}
},
"ignore_above" : 1024
},
"took_in_millis" : {
"type" : "long"
}
}
}
}
},
"message" : {
"type" : "text",
"norms" : false
},
"misp" : {
"properties" : {
"attack_pattern" : {
"properties" : {
"description" : {
"type" : "text",
"norms" : false
},
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"kill_chain_phases" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"campaign" : {
"properties" : {
"aliases" : {
"type" : "text",
"norms" : false
},
"description" : {
"type" : "text",
"norms" : false
},
"first_seen" : {
"type" : "date"
},
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"last_seen" : {
"type" : "date"
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"objective" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"course_of_action" : {
"properties" : {
"description" : {
"type" : "text",
"norms" : false
},
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"identity" : {
"properties" : {
"contact_information" : {
"type" : "text",
"norms" : false
},
"description" : {
"type" : "text",
"norms" : false
},
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"identity_class" : {
"type" : "keyword",
"ignore_above" : 1024
},
"labels" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"sectors" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"intrusion_set" : {
"properties" : {
"aliases" : {
"type" : "text",
"norms" : false
},
"description" : {
"type" : "text",
"norms" : false
},
"first_seen" : {
"type" : "date"
},
"goals" : {
"type" : "text",
"norms" : false
},
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"last_seen" : {
"type" : "date"
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"primary_motivation" : {
"type" : "text",
"norms" : false
},
"resource_level" : {
"type" : "text",
"norms" : false
},
"secondary_motivations" : {
"type" : "text",
"norms" : false
}
}
},
"malware" : {
"properties" : {
"description" : {
"type" : "text",
"norms" : false
},
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"kill_chain_phases" : {
"type" : "keyword",
"ignore_above" : 1024
},
"labels" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"note" : {
"properties" : {
"authors" : {
"type" : "keyword",
"ignore_above" : 1024
},
"description" : {
"type" : "text",
"norms" : false
},
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"object_refs" : {
"type" : "keyword",
"ignore_above" : 1024
},
"summary" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"observed_data" : {
"properties" : {
"first_observed" : {
"type" : "date"
},
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"last_observed" : {
"type" : "date"
},
"number_observed" : {
"type" : "long"
},
"objects" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"report" : {
"properties" : {
"description" : {
"type" : "text",
"norms" : false
},
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"labels" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"object_refs" : {
"type" : "text",
"norms" : false
},
"published" : {
"type" : "date"
}
}
},
"threat_actor" : {
"properties" : {
"aliases" : {
"type" : "text",
"norms" : false
},
"description" : {
"type" : "text",
"norms" : false
},
"goals" : {
"type" : "text",
"norms" : false
},
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"labels" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"personal_motivations" : {
"type" : "text",
"norms" : false
},
"primary_motivation" : {
"type" : "text",
"norms" : false
},
"resource_level" : {
"type" : "text",
"norms" : false
},
"roles" : {
"type" : "text",
"norms" : false
},
"secondary_motivations" : {
"type" : "text",
"norms" : false
},
"sophistication" : {
"type" : "text",
"norms" : false
}
}
},
"threat_indicator" : {
"properties" : {
"attack_pattern" : {
"type" : "keyword",
"ignore_above" : 1024
},
"campaign" : {
"type" : "keyword",
"ignore_above" : 1024
},
"confidence" : {
"type" : "keyword",
"ignore_above" : 1024
},
"description" : {
"type" : "text",
"norms" : false
},
"feed" : {
"type" : "text",
"norms" : false
},
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"intrusion_set" : {
"type" : "keyword",
"ignore_above" : 1024
},
"kill_chain_phases" : {
"type" : "keyword",
"ignore_above" : 1024
},
"labels" : {
"type" : "keyword",
"ignore_above" : 1024
},
"mitre_tactic" : {
"type" : "keyword",
"ignore_above" : 1024
},
"mitre_technique" : {
"type" : "keyword",
"ignore_above" : 1024
},
"negate" : {
"type" : "boolean"
},
"severity" : {
"type" : "keyword",
"ignore_above" : 1024
},
"threat_actor" : {
"type" : "keyword",
"ignore_above" : 1024
},
"type" : {
"type" : "keyword",
"ignore_above" : 1024
},
"valid_from" : {
"type" : "date"
},
"valid_until" : {
"type" : "date"
},
"version" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"tool" : {
"properties" : {
"description" : {
"type" : "text",
"norms" : false
},
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"kill_chain_phases" : {
"type" : "text",
"norms" : false
},
"labels" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"tool_version" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"vulnerability" : {
"properties" : {
"description" : {
"type" : "text",
"norms" : false
},
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
},
"mongodb" : {
"properties" : {
"log" : {
"properties" : {
"component" : {
"type" : "keyword",
"ignore_above" : 1024
},
"context" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
},
"mssql" : {
"properties" : {
"log" : {
"properties" : {
"origin" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
},
"mysql" : {
"properties" : {
"error" : {
"type" : "object"
},
"slowlog" : {
"properties" : {
"bytes_received" : {
"type" : "long"
},
"bytes_sent" : {
"type" : "long"
},
"current_user" : {
"type" : "keyword",
"ignore_above" : 1024
},
"filesort" : {
"type" : "boolean"
},
"filesort_on_disk" : {
"type" : "boolean"
},
"full_join" : {
"type" : "boolean"
},
"full_scan" : {
"type" : "boolean"
},
"innodb" : {
"properties" : {
"io_r_bytes" : {
"type" : "long"
},
"io_r_ops" : {
"type" : "long"
},
"io_r_wait" : {
"properties" : {
"sec" : {
"type" : "long"
}
}
},
"pages_distinct" : {
"type" : "long"
},
"queue_wait" : {
"properties" : {
"sec" : {
"type" : "long"
}
}
},
"rec_lock_wait" : {
"properties" : {
"sec" : {
"type" : "long"
}
}
},
"trx_id" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"killed" : {
"type" : "keyword",
"ignore_above" : 1024
},
"last_errno" : {
"type" : "keyword",
"ignore_above" : 1024
},
"lock_time" : {
"properties" : {
"sec" : {
"type" : "float"
}
}
},
"log_slow_rate_limit" : {
"type" : "keyword",
"ignore_above" : 1024
},
"log_slow_rate_type" : {
"type" : "keyword",
"ignore_above" : 1024
},
"merge_passes" : {
"type" : "long"
},
"priority_queue" : {
"type" : "boolean"
},
"query" : {
"type" : "keyword",
"ignore_above" : 1024
},
"query_cache_hit" : {
"type" : "boolean"
},
"read_first" : {
"type" : "long"
},
"read_key" : {
"type" : "long"
},
"read_last" : {
"type" : "long"
},
"read_next" : {
"type" : "long"
},
"read_prev" : {
"type" : "long"
},
"read_rnd" : {
"type" : "long"
},
"read_rnd_next" : {
"type" : "long"
},
"rows_affected" : {
"type" : "long"
},
"rows_examined" : {
"type" : "long"
},
"rows_sent" : {
"type" : "long"
},
"schema" : {
"type" : "keyword",
"ignore_above" : 1024
},
"sort_merge_passes" : {
"type" : "long"
},
"sort_range_count" : {
"type" : "long"
},
"sort_rows" : {
"type" : "long"
},
"sort_scan_count" : {
"type" : "long"
},
"tmp_disk_tables" : {
"type" : "long"
},
"tmp_table" : {
"type" : "boolean"
},
"tmp_table_on_disk" : {
"type" : "boolean"
},
"tmp_table_sizes" : {
"type" : "long"
},
"tmp_tables" : {
"type" : "long"
}
}
},
"thread_id" : {
"type" : "long"
}
}
},
"nats" : {
"properties" : {
"log" : {
"properties" : {
"client" : {
"properties" : {
"id" : {
"type" : "long"
}
}
},
"msg" : {
"properties" : {
"bytes" : {
"type" : "long"
},
"error" : {
"properties" : {
"message" : {
"type" : "text",
"norms" : false
}
}
},
"max_messages" : {
"type" : "long"
},
"queue_group" : {
"type" : "text",
"norms" : false
},
"reply_to" : {
"type" : "keyword",
"ignore_above" : 1024
},
"sid" : {
"type" : "long"
},
"subject" : {
"type" : "keyword",
"ignore_above" : 1024
},
"type" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
}
}
},
"netflow" : {
"properties" : {
"absolute_error" : {
"type" : "double"
},
"address_pool_high_threshold" : {
"type" : "long"
},
"address_pool_low_threshold" : {
"type" : "long"
},
"address_port_mapping_high_threshold" : {
"type" : "long"
},
"address_port_mapping_low_threshold" : {
"type" : "long"
},
"address_port_mapping_per_user_high_threshold" : {
"type" : "long"
},
"anonymization_flags" : {
"type" : "long"
},
"anonymization_technique" : {
"type" : "long"
},
"application_category_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"application_description" : {
"type" : "keyword",
"ignore_above" : 1024
},
"application_group_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"application_id" : {
"type" : "short"
},
"application_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"application_sub_category_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"bgp_destination_as_number" : {
"type" : "long"
},
"bgp_next_adjacent_as_number" : {
"type" : "long"
},
"bgp_next_hop_ipv4_address" : {
"type" : "ip"
},
"bgp_next_hop_ipv6_address" : {
"type" : "ip"
},
"bgp_prev_adjacent_as_number" : {
"type" : "long"
},
"bgp_source_as_number" : {
"type" : "long"
},
"bgp_validity_state" : {
"type" : "short"
},
"biflow_direction" : {
"type" : "short"
},
"class_id" : {
"type" : "short"
},
"class_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"classification_engine_id" : {
"type" : "short"
},
"collection_time_milliseconds" : {
"type" : "date"
},
"collector_certificate" : {
"type" : "short"
},
"collector_ipv4_address" : {
"type" : "ip"
},
"collector_ipv6_address" : {
"type" : "ip"
},
"collector_transport_port" : {
"type" : "long"
},
"common_properties_id" : {
"type" : "long"
},
"confidence_level" : {
"type" : "double"
},
"connection_sum_duration_seconds" : {
"type" : "long"
},
"connection_transaction_id" : {
"type" : "long"
},
"data_link_frame_section" : {
"type" : "short"
},
"data_link_frame_size" : {
"type" : "long"
},
"data_link_frame_type" : {
"type" : "long"
},
"data_records_reliability" : {
"type" : "boolean"
},
"delta_flow_count" : {
"type" : "long"
},
"destination_ipv4_address" : {
"type" : "ip"
},
"destination_ipv4_prefix" : {
"type" : "ip"
},
"destination_ipv4_prefix_length" : {
"type" : "short"
},
"destination_ipv6_address" : {
"type" : "ip"
},
"destination_ipv6_prefix" : {
"type" : "ip"
},
"destination_ipv6_prefix_length" : {
"type" : "short"
},
"destination_mac_address" : {
"type" : "keyword",
"ignore_above" : 1024
},
"destination_transport_port" : {
"type" : "long"
},
"digest_hash_value" : {
"type" : "long"
},
"distinct_count_of_destination_ip_address" : {
"type" : "long"
},
"distinct_count_of_destination_ipv4_address" : {
"type" : "long"
},
"distinct_count_of_destination_ipv6_address" : {
"type" : "long"
},
"distinct_count_of_source_ip_address" : {
"type" : "long"
},
"distinct_count_of_source_ipv4_address" : {
"type" : "long"
},
"distinct_count_of_source_ipv6_address" : {
"type" : "long"
},
"dot1q_customer_dei" : {
"type" : "boolean"
},
"dot1q_customer_destination_mac_address" : {
"type" : "keyword",
"ignore_above" : 1024
},
"dot1q_customer_priority" : {
"type" : "short"
},
"dot1q_customer_source_mac_address" : {
"type" : "keyword",
"ignore_above" : 1024
},
"dot1q_customer_vlan_id" : {
"type" : "long"
},
"dot1q_dei" : {
"type" : "boolean"
},
"dot1q_priority" : {
"type" : "short"
},
"dot1q_service_instance_id" : {
"type" : "long"
},
"dot1q_service_instance_priority" : {
"type" : "short"
},
"dot1q_service_instance_tag" : {
"type" : "short"
},
"dot1q_vlan_id" : {
"type" : "long"
},
"dropped_layer2_octet_delta_count" : {
"type" : "long"
},
"dropped_layer2_octet_total_count" : {
"type" : "long"
},
"dropped_octet_delta_count" : {
"type" : "long"
},
"dropped_octet_total_count" : {
"type" : "long"
},
"dropped_packet_delta_count" : {
"type" : "long"
},
"dropped_packet_total_count" : {
"type" : "long"
},
"dst_traffic_index" : {
"type" : "long"
},
"egress_broadcast_packet_total_count" : {
"type" : "long"
},
"egress_interface" : {
"type" : "long"
},
"egress_interface_type" : {
"type" : "long"
},
"egress_physical_interface" : {
"type" : "long"
},
"egress_unicast_packet_total_count" : {
"type" : "long"
},
"egress_vrfid" : {
"type" : "long"
},
"encrypted_technology" : {
"type" : "keyword",
"ignore_above" : 1024
},
"engine_id" : {
"type" : "short"
},
"engine_type" : {
"type" : "short"
},
"ethernet_header_length" : {
"type" : "short"
},
"ethernet_payload_length" : {
"type" : "long"
},
"ethernet_total_length" : {
"type" : "long"
},
"ethernet_type" : {
"type" : "long"
},
"export_interface" : {
"type" : "long"
},
"export_protocol_version" : {
"type" : "short"
},
"export_sctp_stream_id" : {
"type" : "long"
},
"export_transport_protocol" : {
"type" : "short"
},
"exported_flow_record_total_count" : {
"type" : "long"
},
"exported_message_total_count" : {
"type" : "long"
},
"exported_octet_total_count" : {
"type" : "long"
},
"exporter" : {
"properties" : {
"address" : {
"type" : "keyword",
"ignore_above" : 1024
},
"source_id" : {
"type" : "long"
},
"timestamp" : {
"type" : "date"
},
"uptime_millis" : {
"type" : "long"
},
"version" : {
"type" : "long"
}
}
},
"exporter_certificate" : {
"type" : "short"
},
"exporter_ipv4_address" : {
"type" : "ip"
},
"exporter_ipv6_address" : {
"type" : "ip"
},
"exporter_transport_port" : {
"type" : "long"
},
"exporting_process_id" : {
"type" : "long"
},
"external_address_realm" : {
"type" : "short"
},
"firewall_event" : {
"type" : "short"
},
"flags_and_sampler_id" : {
"type" : "long"
},
"flow_active_timeout" : {
"type" : "long"
},
"flow_direction" : {
"type" : "short"
},
"flow_duration_microseconds" : {
"type" : "long"
},
"flow_duration_milliseconds" : {
"type" : "long"
},
"flow_end_delta_microseconds" : {
"type" : "long"
},
"flow_end_microseconds" : {
"type" : "date"
},
"flow_end_milliseconds" : {
"type" : "date"
},
"flow_end_nanoseconds" : {
"type" : "date"
},
"flow_end_reason" : {
"type" : "short"
},
"flow_end_seconds" : {
"type" : "date"
},
"flow_end_sys_up_time" : {
"type" : "long"
},
"flow_id" : {
"type" : "long"
},
"flow_idle_timeout" : {
"type" : "long"
},
"flow_key_indicator" : {
"type" : "long"
},
"flow_label_ipv6" : {
"type" : "long"
},
"flow_sampling_time_interval" : {
"type" : "long"
},
"flow_sampling_time_spacing" : {
"type" : "long"
},
"flow_selected_flow_delta_count" : {
"type" : "long"
},
"flow_selected_octet_delta_count" : {
"type" : "long"
},
"flow_selected_packet_delta_count" : {
"type" : "long"
},
"flow_selector_algorithm" : {
"type" : "long"
},
"flow_start_delta_microseconds" : {
"type" : "long"
},
"flow_start_microseconds" : {
"type" : "date"
},
"flow_start_milliseconds" : {
"type" : "date"
},
"flow_start_nanoseconds" : {
"type" : "date"
},
"flow_start_seconds" : {
"type" : "date"
},
"flow_start_sys_up_time" : {
"type" : "long"
},
"forwarding_status" : {
"type" : "short"
},
"fragment_flags" : {
"type" : "short"
},
"fragment_identification" : {
"type" : "long"
},
"fragment_offset" : {
"type" : "long"
},
"global_address_mapping_high_threshold" : {
"type" : "long"
},
"gre_key" : {
"type" : "long"
},
"hash_digest_output" : {
"type" : "boolean"
},
"hash_flow_domain" : {
"type" : "long"
},
"hash_initialiser_value" : {
"type" : "long"
},
"hash_ip_payload_offset" : {
"type" : "long"
},
"hash_ip_payload_size" : {
"type" : "long"
},
"hash_output_range_max" : {
"type" : "long"
},
"hash_output_range_min" : {
"type" : "long"
},
"hash_selected_range_max" : {
"type" : "long"
},
"hash_selected_range_min" : {
"type" : "long"
},
"http_content_type" : {
"type" : "keyword",
"ignore_above" : 1024
},
"http_message_version" : {
"type" : "keyword",
"ignore_above" : 1024
},
"http_reason_phrase" : {
"type" : "keyword",
"ignore_above" : 1024
},
"http_request_host" : {
"type" : "keyword",
"ignore_above" : 1024
},
"http_request_method" : {
"type" : "keyword",
"ignore_above" : 1024
},
"http_request_target" : {
"type" : "keyword",
"ignore_above" : 1024
},
"http_status_code" : {
"type" : "long"
},
"http_user_agent" : {
"type" : "keyword",
"ignore_above" : 1024
},
"icmp_code_ipv4" : {
"type" : "short"
},
"icmp_code_ipv6" : {
"type" : "short"
},
"icmp_type_code_ipv4" : {
"type" : "long"
},
"icmp_type_code_ipv6" : {
"type" : "long"
},
"icmp_type_ipv4" : {
"type" : "short"
},
"icmp_type_ipv6" : {
"type" : "short"
},
"igmp_type" : {
"type" : "short"
},
"ignored_data_record_total_count" : {
"type" : "long"
},
"ignored_layer2_frame_total_count" : {
"type" : "long"
},
"ignored_layer2_octet_total_count" : {
"type" : "long"
},
"ignored_octet_total_count" : {
"type" : "long"
},
"ignored_packet_total_count" : {
"type" : "long"
},
"information_element_data_type" : {
"type" : "short"
},
"information_element_description" : {
"type" : "keyword",
"ignore_above" : 1024
},
"information_element_id" : {
"type" : "long"
},
"information_element_index" : {
"type" : "long"
},
"information_element_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"information_element_range_begin" : {
"type" : "long"
},
"information_element_range_end" : {
"type" : "long"
},
"information_element_semantics" : {
"type" : "short"
},
"information_element_units" : {
"type" : "long"
},
"ingress_broadcast_packet_total_count" : {
"type" : "long"
},
"ingress_interface" : {
"type" : "long"
},
"ingress_interface_type" : {
"type" : "long"
},
"ingress_multicast_packet_total_count" : {
"type" : "long"
},
"ingress_physical_interface" : {
"type" : "long"
},
"ingress_unicast_packet_total_count" : {
"type" : "long"
},
"ingress_vrfid" : {
"type" : "long"
},
"initiator_octets" : {
"type" : "long"
},
"initiator_packets" : {
"type" : "long"
},
"interface_description" : {
"type" : "keyword",
"ignore_above" : 1024
},
"interface_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"intermediate_process_id" : {
"type" : "long"
},
"internal_address_realm" : {
"type" : "short"
},
"ip_class_of_service" : {
"type" : "short"
},
"ip_diff_serv_code_point" : {
"type" : "short"
},
"ip_header_length" : {
"type" : "short"
},
"ip_header_packet_section" : {
"type" : "short"
},
"ip_next_hop_ipv4_address" : {
"type" : "ip"
},
"ip_next_hop_ipv6_address" : {
"type" : "ip"
},
"ip_payload_length" : {
"type" : "long"
},
"ip_payload_packet_section" : {
"type" : "short"
},
"ip_precedence" : {
"type" : "short"
},
"ip_sec_spi" : {
"type" : "long"
},
"ip_total_length" : {
"type" : "long"
},
"ip_ttl" : {
"type" : "short"
},
"ip_version" : {
"type" : "short"
},
"ipv4_ihl" : {
"type" : "short"
},
"ipv4_options" : {
"type" : "long"
},
"ipv4_router_sc" : {
"type" : "ip"
},
"ipv6_extension_headers" : {
"type" : "long"
},
"is_multicast" : {
"type" : "short"
},
"layer2_frame_delta_count" : {
"type" : "long"
},
"layer2_frame_total_count" : {
"type" : "long"
},
"layer2_octet_delta_count" : {
"type" : "long"
},
"layer2_octet_delta_sum_of_squares" : {
"type" : "long"
},
"layer2_octet_total_count" : {
"type" : "long"
},
"layer2_octet_total_sum_of_squares" : {
"type" : "long"
},
"layer2_segment_id" : {
"type" : "long"
},
"layer2packet_section_data" : {
"type" : "short"
},
"layer2packet_section_offset" : {
"type" : "long"
},
"layer2packet_section_size" : {
"type" : "long"
},
"line_card_id" : {
"type" : "long"
},
"lower_ci_limit" : {
"type" : "double"
},
"max_bib_entries" : {
"type" : "long"
},
"max_entries_per_user" : {
"type" : "long"
},
"max_export_seconds" : {
"type" : "date"
},
"max_flow_end_microseconds" : {
"type" : "date"
},
"max_flow_end_milliseconds" : {
"type" : "date"
},
"max_flow_end_nanoseconds" : {
"type" : "date"
},
"max_flow_end_seconds" : {
"type" : "date"
},
"max_fragments_pending_reassembly" : {
"type" : "long"
},
"max_session_entries" : {
"type" : "long"
},
"max_subscribers" : {
"type" : "long"
},
"maximum_ip_total_length" : {
"type" : "long"
},
"maximum_layer2_total_length" : {
"type" : "long"
},
"maximum_ttl" : {
"type" : "short"
},
"message_md5_checksum" : {
"type" : "short"
},
"message_scope" : {
"type" : "short"
},
"metering_process_id" : {
"type" : "long"
},
"metro_evc_id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"metro_evc_type" : {
"type" : "short"
},
"mib_capture_time_semantics" : {
"type" : "short"
},
"mib_context_engine_id" : {
"type" : "short"
},
"mib_context_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"mib_index_indicator" : {
"type" : "long"
},
"mib_module_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"mib_object_description" : {
"type" : "keyword",
"ignore_above" : 1024
},
"mib_object_identifier" : {
"type" : "short"
},
"mib_object_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"mib_object_syntax" : {
"type" : "keyword",
"ignore_above" : 1024
},
"mib_object_value_bits" : {
"type" : "short"
},
"mib_object_value_counter" : {
"type" : "long"
},
"mib_object_value_gauge" : {
"type" : "long"
},
"mib_object_value_integer" : {
"type" : "long"
},
"mib_object_value_ip_address" : {
"type" : "ip"
},
"mib_object_value_octet_string" : {
"type" : "short"
},
"mib_object_value_oid" : {
"type" : "short"
},
"mib_object_value_time_ticks" : {
"type" : "long"
},
"mib_object_value_unsigned" : {
"type" : "long"
},
"mib_sub_identifier" : {
"type" : "long"
},
"min_export_seconds" : {
"type" : "date"
},
"min_flow_start_microseconds" : {
"type" : "date"
},
"min_flow_start_milliseconds" : {
"type" : "date"
},
"min_flow_start_nanoseconds" : {
"type" : "date"
},
"min_flow_start_seconds" : {
"type" : "date"
},
"minimum_ip_total_length" : {
"type" : "long"
},
"minimum_layer2_total_length" : {
"type" : "long"
},
"minimum_ttl" : {
"type" : "short"
},
"mobile_imsi" : {
"type" : "keyword",
"ignore_above" : 1024
},
"mobile_msisdn" : {
"type" : "keyword",
"ignore_above" : 1024
},
"monitoring_interval_end_milli_seconds" : {
"type" : "date"
},
"monitoring_interval_start_milli_seconds" : {
"type" : "date"
},
"mpls_label_stack_depth" : {
"type" : "long"
},
"mpls_label_stack_length" : {
"type" : "long"
},
"mpls_label_stack_section" : {
"type" : "short"
},
"mpls_label_stack_section10" : {
"type" : "short"
},
"mpls_label_stack_section2" : {
"type" : "short"
},
"mpls_label_stack_section3" : {
"type" : "short"
},
"mpls_label_stack_section4" : {
"type" : "short"
},
"mpls_label_stack_section5" : {
"type" : "short"
},
"mpls_label_stack_section6" : {
"type" : "short"
},
"mpls_label_stack_section7" : {
"type" : "short"
},
"mpls_label_stack_section8" : {
"type" : "short"
},
"mpls_label_stack_section9" : {
"type" : "short"
},
"mpls_payload_length" : {
"type" : "long"
},
"mpls_payload_packet_section" : {
"type" : "short"
},
"mpls_top_label_exp" : {
"type" : "short"
},
"mpls_top_label_ipv4_address" : {
"type" : "ip"
},
"mpls_top_label_ipv6_address" : {
"type" : "ip"
},
"mpls_top_label_prefix_length" : {
"type" : "short"
},
"mpls_top_label_stack_section" : {
"type" : "short"
},
"mpls_top_label_ttl" : {
"type" : "short"
},
"mpls_top_label_type" : {
"type" : "short"
},
"mpls_vpn_route_distinguisher" : {
"type" : "short"
},
"multicast_replication_factor" : {
"type" : "long"
},
"nat_event" : {
"type" : "short"
},
"nat_instance_id" : {
"type" : "long"
},
"nat_originating_address_realm" : {
"type" : "short"
},
"nat_pool_id" : {
"type" : "long"
},
"nat_pool_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"nat_quota_exceeded_event" : {
"type" : "long"
},
"nat_threshold_event" : {
"type" : "long"
},
"nat_type" : {
"type" : "short"
},
"new_connection_delta_count" : {
"type" : "long"
},
"next_header_ipv6" : {
"type" : "short"
},
"not_sent_flow_total_count" : {
"type" : "long"
},
"not_sent_layer2_octet_total_count" : {
"type" : "long"
},
"not_sent_octet_total_count" : {
"type" : "long"
},
"not_sent_packet_total_count" : {
"type" : "long"
},
"observation_domain_id" : {
"type" : "long"
},
"observation_domain_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"observation_point_id" : {
"type" : "long"
},
"observation_point_type" : {
"type" : "short"
},
"observation_time_microseconds" : {
"type" : "date"
},
"observation_time_milliseconds" : {
"type" : "date"
},
"observation_time_nanoseconds" : {
"type" : "date"
},
"observation_time_seconds" : {
"type" : "date"
},
"observed_flow_total_count" : {
"type" : "long"
},
"octet_delta_count" : {
"type" : "long"
},
"octet_delta_sum_of_squares" : {
"type" : "long"
},
"octet_total_count" : {
"type" : "long"
},
"octet_total_sum_of_squares" : {
"type" : "long"
},
"opaque_octets" : {
"type" : "short"
},
"original_exporter_ipv4_address" : {
"type" : "ip"
},
"original_exporter_ipv6_address" : {
"type" : "ip"
},
"original_flows_completed" : {
"type" : "long"
},
"original_flows_initiated" : {
"type" : "long"
},
"original_flows_present" : {
"type" : "long"
},
"original_observation_domain_id" : {
"type" : "long"
},
"p2p_technology" : {
"type" : "keyword",
"ignore_above" : 1024
},
"packet_delta_count" : {
"type" : "long"
},
"packet_total_count" : {
"type" : "long"
},
"padding_octets" : {
"type" : "short"
},
"payload_length_ipv6" : {
"type" : "long"
},
"port_id" : {
"type" : "long"
},
"port_range_end" : {
"type" : "long"
},
"port_range_num_ports" : {
"type" : "long"
},
"port_range_start" : {
"type" : "long"
},
"port_range_step_size" : {
"type" : "long"
},
"post_destination_mac_address" : {
"type" : "keyword",
"ignore_above" : 1024
},
"post_dot1q_customer_vlan_id" : {
"type" : "long"
},
"post_dot1q_vlan_id" : {
"type" : "long"
},
"post_ip_class_of_service" : {
"type" : "short"
},
"post_ip_diff_serv_code_point" : {
"type" : "short"
},
"post_ip_precedence" : {
"type" : "short"
},
"post_layer2_octet_delta_count" : {
"type" : "long"
},
"post_layer2_octet_total_count" : {
"type" : "long"
},
"post_mcast_layer2_octet_delta_count" : {
"type" : "long"
},
"post_mcast_layer2_octet_total_count" : {
"type" : "long"
},
"post_mcast_octet_delta_count" : {
"type" : "long"
},
"post_mcast_octet_total_count" : {
"type" : "long"
},
"post_mcast_packet_delta_count" : {
"type" : "long"
},
"post_mcast_packet_total_count" : {
"type" : "long"
},
"post_mpls_top_label_exp" : {
"type" : "short"
},
"post_napt_destination_transport_port" : {
"type" : "long"
},
"post_napt_source_transport_port" : {
"type" : "long"
},
"post_nat_destination_ipv4_address" : {
"type" : "ip"
},
"post_nat_destination_ipv6_address" : {
"type" : "ip"
},
"post_nat_source_ipv4_address" : {
"type" : "ip"
},
"post_nat_source_ipv6_address" : {
"type" : "ip"
},
"post_octet_delta_count" : {
"type" : "long"
},
"post_octet_total_count" : {
"type" : "long"
},
"post_packet_delta_count" : {
"type" : "long"
},
"post_packet_total_count" : {
"type" : "long"
},
"post_source_mac_address" : {
"type" : "keyword",
"ignore_above" : 1024
},
"post_vlan_id" : {
"type" : "long"
},
"private_enterprise_number" : {
"type" : "long"
},
"protocol_identifier" : {
"type" : "short"
},
"pseudo_wire_control_word" : {
"type" : "long"
},
"pseudo_wire_destination_ipv4_address" : {
"type" : "ip"
},
"pseudo_wire_id" : {
"type" : "long"
},
"pseudo_wire_type" : {
"type" : "long"
},
"relative_error" : {
"type" : "double"
},
"responder_octets" : {
"type" : "long"
},
"responder_packets" : {
"type" : "long"
},
"rfc3550_jitter_microseconds" : {
"type" : "long"
},
"rfc3550_jitter_milliseconds" : {
"type" : "long"
},
"rfc3550_jitter_nanoseconds" : {
"type" : "long"
},
"rtp_sequence_number" : {
"type" : "long"
},
"sampler_id" : {
"type" : "short"
},
"sampler_mode" : {
"type" : "short"
},
"sampler_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"sampler_random_interval" : {
"type" : "long"
},
"sampling_algorithm" : {
"type" : "short"
},
"sampling_flow_interval" : {
"type" : "long"
},
"sampling_flow_spacing" : {
"type" : "long"
},
"sampling_interval" : {
"type" : "long"
},
"sampling_packet_interval" : {
"type" : "long"
},
"sampling_packet_space" : {
"type" : "long"
},
"sampling_population" : {
"type" : "long"
},
"sampling_probability" : {
"type" : "double"
},
"sampling_size" : {
"type" : "long"
},
"sampling_time_interval" : {
"type" : "long"
},
"sampling_time_space" : {
"type" : "long"
},
"section_exported_octets" : {
"type" : "long"
},
"section_offset" : {
"type" : "long"
},
"selection_sequence_id" : {
"type" : "long"
},
"selector_algorithm" : {
"type" : "long"
},
"selector_id" : {
"type" : "long"
},
"selector_id_total_flows_observed" : {
"type" : "long"
},
"selector_id_total_flows_selected" : {
"type" : "long"
},
"selector_id_total_pkts_observed" : {
"type" : "long"
},
"selector_id_total_pkts_selected" : {
"type" : "long"
},
"selector_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"session_scope" : {
"type" : "short"
},
"source_ipv4_address" : {
"type" : "ip"
},
"source_ipv4_prefix" : {
"type" : "ip"
},
"source_ipv4_prefix_length" : {
"type" : "short"
},
"source_ipv6_address" : {
"type" : "ip"
},
"source_ipv6_prefix" : {
"type" : "ip"
},
"source_ipv6_prefix_length" : {
"type" : "short"
},
"source_mac_address" : {
"type" : "keyword",
"ignore_above" : 1024
},
"source_transport_port" : {
"type" : "long"
},
"source_transport_ports_limit" : {
"type" : "long"
},
"src_traffic_index" : {
"type" : "long"
},
"sta_ipv4_address" : {
"type" : "ip"
},
"sta_mac_address" : {
"type" : "keyword",
"ignore_above" : 1024
},
"system_init_time_milliseconds" : {
"type" : "date"
},
"tcp_ack_total_count" : {
"type" : "long"
},
"tcp_acknowledgement_number" : {
"type" : "long"
},
"tcp_control_bits" : {
"type" : "long"
},
"tcp_destination_port" : {
"type" : "long"
},
"tcp_fin_total_count" : {
"type" : "long"
},
"tcp_header_length" : {
"type" : "short"
},
"tcp_options" : {
"type" : "long"
},
"tcp_psh_total_count" : {
"type" : "long"
},
"tcp_rst_total_count" : {
"type" : "long"
},
"tcp_sequence_number" : {
"type" : "long"
},
"tcp_source_port" : {
"type" : "long"
},
"tcp_syn_total_count" : {
"type" : "long"
},
"tcp_urg_total_count" : {
"type" : "long"
},
"tcp_urgent_pointer" : {
"type" : "long"
},
"tcp_window_scale" : {
"type" : "long"
},
"tcp_window_size" : {
"type" : "long"
},
"template_id" : {
"type" : "long"
},
"total_length_ipv4" : {
"type" : "long"
},
"transport_octet_delta_count" : {
"type" : "long"
},
"transport_packet_delta_count" : {
"type" : "long"
},
"tunnel_technology" : {
"type" : "keyword",
"ignore_above" : 1024
},
"type" : {
"type" : "keyword",
"ignore_above" : 1024
},
"udp_destination_port" : {
"type" : "long"
},
"udp_message_length" : {
"type" : "long"
},
"udp_source_port" : {
"type" : "long"
},
"upper_ci_limit" : {
"type" : "double"
},
"user_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"value_distribution_method" : {
"type" : "short"
},
"virtual_station_interface_id" : {
"type" : "short"
},
"virtual_station_interface_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"virtual_station_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"virtual_station_uuid" : {
"type" : "short"
},
"vlan_id" : {
"type" : "long"
},
"vpn_identifier" : {
"type" : "short"
},
"vr_fname" : {
"type" : "keyword",
"ignore_above" : 1024
},
"wlan_channel_id" : {
"type" : "short"
},
"wlan_ssid" : {
"type" : "keyword",
"ignore_above" : 1024
},
"wtp_mac_address" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"network" : {
"properties" : {
"application" : {
"type" : "keyword",
"ignore_above" : 1024
},
"bytes" : {
"type" : "long"
},
"community_id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"direction" : {
"type" : "keyword",
"ignore_above" : 1024
},
"forwarded_ip" : {
"type" : "ip"
},
"iana_number" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"packets" : {
"type" : "long"
},
"protocol" : {
"type" : "keyword",
"ignore_above" : 1024
},
"transport" : {
"type" : "keyword",
"ignore_above" : 1024
},
"type" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"nginx" : {
"properties" : {
"access" : {
"properties" : {
"geoip" : {
"type" : "object"
},
"user_agent" : {
"type" : "object"
}
}
},
"error" : {
"properties" : {
"connection_id" : {
"type" : "long"
}
}
}
}
},
"object_key" : {
"type" : "keyword",
"ignore_above" : 1024
},
"observer" : {
"properties" : {
"geo" : {
"properties" : {
"city_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"continent_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"country_iso_code" : {
"type" : "keyword",
"ignore_above" : 1024
},
"country_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"location" : {
"type" : "geo_point"
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"region_iso_code" : {
"type" : "keyword",
"ignore_above" : 1024
},
"region_name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"hostname" : {
"type" : "keyword",
"ignore_above" : 1024
},
"ip" : {
"type" : "ip"
},
"mac" : {
"type" : "keyword",
"ignore_above" : 1024
},
"os" : {
"properties" : {
"family" : {
"type" : "keyword",
"ignore_above" : 1024
},
"full" : {
"type" : "keyword",
"ignore_above" : 1024
},
"kernel" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"platform" : {
"type" : "keyword",
"ignore_above" : 1024
},
"version" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"product" : {
"type" : "keyword",
"ignore_above" : 1024
},
"serial_number" : {
"type" : "keyword",
"ignore_above" : 1024
},
"type" : {
"type" : "keyword",
"ignore_above" : 1024
},
"vendor" : {
"type" : "keyword",
"ignore_above" : 1024
},
"version" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"organization" : {
"properties" : {
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"os" : {
"properties" : {
"family" : {
"type" : "keyword",
"ignore_above" : 1024
},
"full" : {
"type" : "keyword",
"ignore_above" : 1024
},
"kernel" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"platform" : {
"type" : "keyword",
"ignore_above" : 1024
},
"version" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"osquery" : {
"properties" : {
"result" : {
"properties" : {
"action" : {
"type" : "keyword",
"ignore_above" : 1024
},
"calendar_time" : {
"type" : "keyword",
"ignore_above" : 1024
},
"host_identifier" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"unix_time" : {
"type" : "long"
}
}
}
}
},
"panw" : {
"properties" : {
"panos" : {
"properties" : {
"destination" : {
"properties" : {
"interface" : {
"type" : "keyword",
"ignore_above" : 1024
},
"nat" : {
"properties" : {
"ip" : {
"type" : "ip"
},
"port" : {
"type" : "long"
}
}
},
"zone" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"file" : {
"properties" : {
"hash" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"flow_id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"network" : {
"properties" : {
"nat" : {
"properties" : {
"community_id" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"pcap_id" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"ruleset" : {
"type" : "keyword",
"ignore_above" : 1024
},
"sequence_number" : {
"type" : "long"
},
"source" : {
"properties" : {
"interface" : {
"type" : "keyword",
"ignore_above" : 1024
},
"nat" : {
"properties" : {
"ip" : {
"type" : "ip"
},
"port" : {
"type" : "long"
}
}
},
"zone" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"threat" : {
"properties" : {
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"resource" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"url" : {
"properties" : {
"category" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
}
}
},
"postgresql" : {
"properties" : {
"log" : {
"properties" : {
"core_id" : {
"type" : "long"
},
"database" : {
"type" : "keyword",
"ignore_above" : 1024
},
"error" : {
"properties" : {
"code" : {
"type" : "long"
}
}
},
"query" : {
"type" : "keyword",
"ignore_above" : 1024
},
"query_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"query_step" : {
"type" : "keyword",
"ignore_above" : 1024
},
"timestamp" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
},
"process" : {
"properties" : {
"args" : {
"type" : "keyword",
"ignore_above" : 1024
},
"executable" : {
"type" : "keyword",
"ignore_above" : 1024
},
"hash" : {
"properties" : {
"md5" : {
"type" : "keyword",
"ignore_above" : 1024
},
"sha1" : {
"type" : "keyword",
"ignore_above" : 1024
},
"sha256" : {
"type" : "keyword",
"ignore_above" : 1024
},
"sha512" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"pgid" : {
"type" : "long"
},
"pid" : {
"type" : "long"
},
"ppid" : {
"type" : "long"
},
"program" : {
"type" : "keyword",
"ignore_above" : 1024
},
"start" : {
"type" : "date"
},
"thread" : {
"properties" : {
"id" : {
"type" : "long"
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"title" : {
"type" : "keyword",
"ignore_above" : 1024
},
"uptime" : {
"type" : "long"
},
"working_directory" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"rabbitmq" : {
"properties" : {
"log" : {
"properties" : {
"pid" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
},
"redis" : {
"properties" : {
"log" : {
"properties" : {
"role" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"slowlog" : {
"properties" : {
"args" : {
"type" : "keyword",
"ignore_above" : 1024
},
"cmd" : {
"type" : "keyword",
"ignore_above" : 1024
},
"duration" : {
"properties" : {
"us" : {
"type" : "long"
}
}
},
"id" : {
"type" : "long"
},
"key" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
},
"related" : {
"properties" : {
"ip" : {
"type" : "ip"
}
}
},
"santa" : {
"properties" : {
"action" : {
"type" : "keyword",
"ignore_above" : 1024
},
"decision" : {
"type" : "keyword",
"ignore_above" : 1024
},
"disk" : {
"properties" : {
"bsdname" : {
"type" : "keyword",
"ignore_above" : 1024
},
"bus" : {
"type" : "keyword",
"ignore_above" : 1024
},
"fs" : {
"type" : "keyword",
"ignore_above" : 1024
},
"model" : {
"type" : "keyword",
"ignore_above" : 1024
},
"mount" : {
"type" : "keyword",
"ignore_above" : 1024
},
"serial" : {
"type" : "keyword",
"ignore_above" : 1024
},
"volume" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"mode" : {
"type" : "keyword",
"ignore_above" : 1024
},
"reason" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"server" : {
"properties" : {
"address" : {
"type" : "keyword",
"ignore_above" : 1024
},
"as" : {
"properties" : {
"number" : {
"type" : "long"
},
"organization" : {
"properties" : {
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
},
"bytes" : {
"type" : "long"
},
"domain" : {
"type" : "keyword",
"ignore_above" : 1024
},
"geo" : {
"properties" : {
"city_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"continent_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"country_iso_code" : {
"type" : "keyword",
"ignore_above" : 1024
},
"country_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"location" : {
"type" : "geo_point"
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"region_iso_code" : {
"type" : "keyword",
"ignore_above" : 1024
},
"region_name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"ip" : {
"type" : "ip"
},
"mac" : {
"type" : "keyword",
"ignore_above" : 1024
},
"nat" : {
"properties" : {
"ip" : {
"type" : "ip"
},
"port" : {
"type" : "long"
}
}
},
"packets" : {
"type" : "long"
},
"port" : {
"type" : "long"
},
"user" : {
"properties" : {
"domain" : {
"type" : "keyword",
"ignore_above" : 1024
},
"email" : {
"type" : "keyword",
"ignore_above" : 1024
},
"full_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"group" : {
"properties" : {
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"hash" : {
"type" : "keyword",
"ignore_above" : 1024
},
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
},
"service" : {
"properties" : {
"ephemeral_id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"state" : {
"type" : "keyword",
"ignore_above" : 1024
},
"type" : {
"type" : "keyword",
"ignore_above" : 1024
},
"version" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"source" : {
"properties" : {
"address" : {
"type" : "keyword",
"ignore_above" : 1024
},
"as" : {
"properties" : {
"number" : {
"type" : "long"
},
"organization" : {
"properties" : {
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
},
"bytes" : {
"type" : "long"
},
"domain" : {
"type" : "keyword",
"ignore_above" : 1024
},
"geo" : {
"properties" : {
"city_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"continent_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"country_iso_code" : {
"type" : "keyword",
"ignore_above" : 1024
},
"country_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"location" : {
"type" : "geo_point"
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"region_iso_code" : {
"type" : "keyword",
"ignore_above" : 1024
},
"region_name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"ip" : {
"type" : "ip"
},
"mac" : {
"type" : "keyword",
"ignore_above" : 1024
},
"nat" : {
"properties" : {
"ip" : {
"type" : "ip"
},
"port" : {
"type" : "long"
}
}
},
"packets" : {
"type" : "long"
},
"port" : {
"type" : "long"
},
"service" : {
"properties" : {
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"user" : {
"properties" : {
"domain" : {
"type" : "keyword",
"ignore_above" : 1024
},
"email" : {
"type" : "keyword",
"ignore_above" : 1024
},
"full_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"group" : {
"properties" : {
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"hash" : {
"type" : "keyword",
"ignore_above" : 1024
},
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
},
"stream" : {
"type" : "keyword",
"ignore_above" : 1024
},
"suricata" : {
"properties" : {
"eve" : {
"properties" : {
"alert" : {
"properties" : {
"action" : {
"type" : "alias",
"path" : "event.outcome"
},
"category" : {
"type" : "keyword",
"ignore_above" : 1024
},
"gid" : {
"type" : "long"
},
"rev" : {
"type" : "long"
},
"severity" : {
"type" : "alias",
"path" : "event.severity"
},
"signature" : {
"type" : "keyword",
"ignore_above" : 1024
},
"signature_id" : {
"type" : "long"
}
}
},
"app_proto" : {
"type" : "alias",
"path" : "network.protocol"
},
"app_proto_expected" : {
"type" : "keyword",
"ignore_above" : 1024
},
"app_proto_orig" : {
"type" : "keyword",
"ignore_above" : 1024
},
"app_proto_tc" : {
"type" : "keyword",
"ignore_above" : 1024
},
"app_proto_ts" : {
"type" : "keyword",
"ignore_above" : 1024
},
"dest_ip" : {
"type" : "alias",
"path" : "destination.ip"
},
"dest_port" : {
"type" : "alias",
"path" : "destination.port"
},
"dns" : {
"properties" : {
"id" : {
"type" : "long"
},
"rcode" : {
"type" : "keyword",
"ignore_above" : 1024
},
"rdata" : {
"type" : "keyword",
"ignore_above" : 1024
},
"rrname" : {
"type" : "keyword",
"ignore_above" : 1024
},
"rrtype" : {
"type" : "keyword",
"ignore_above" : 1024
},
"ttl" : {
"type" : "long"
},
"tx_id" : {
"type" : "long"
},
"type" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"email" : {
"properties" : {
"status" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"event_type" : {
"type" : "keyword",
"ignore_above" : 1024
},
"fileinfo" : {
"properties" : {
"filename" : {
"type" : "alias",
"path" : "file.path"
},
"gaps" : {
"type" : "boolean"
},
"md5" : {
"type" : "keyword",
"ignore_above" : 1024
},
"sha1" : {
"type" : "keyword",
"ignore_above" : 1024
},
"sha256" : {
"type" : "keyword",
"ignore_above" : 1024
},
"size" : {
"type" : "alias",
"path" : "file.size"
},
"state" : {
"type" : "keyword",
"ignore_above" : 1024
},
"stored" : {
"type" : "boolean"
},
"tx_id" : {
"type" : "long"
}
}
},
"flags" : {
"type" : "object"
},
"flow" : {
"properties" : {
"age" : {
"type" : "long"
},
"alerted" : {
"type" : "boolean"
},
"bytes_toclient" : {
"type" : "alias",
"path" : "destination.bytes"
},
"bytes_toserver" : {
"type" : "alias",
"path" : "source.bytes"
},
"end" : {
"type" : "date"
},
"pkts_toclient" : {
"type" : "alias",
"path" : "destination.packets"
},
"pkts_toserver" : {
"type" : "alias",
"path" : "source.packets"
},
"reason" : {
"type" : "keyword",
"ignore_above" : 1024
},
"start" : {
"type" : "alias",
"path" : "event.start"
},
"state" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"flow_id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"http" : {
"properties" : {
"hostname" : {
"type" : "alias",
"path" : "url.domain"
},
"http_content_type" : {
"type" : "keyword",
"ignore_above" : 1024
},
"http_method" : {
"type" : "alias",
"path" : "http.request.method"
},
"http_refer" : {
"type" : "alias",
"path" : "http.request.referrer"
},
"http_user_agent" : {
"type" : "alias",
"path" : "user_agent.original"
},
"length" : {
"type" : "alias",
"path" : "http.response.body.bytes"
},
"protocol" : {
"type" : "keyword",
"ignore_above" : 1024
},
"redirect" : {
"type" : "keyword",
"ignore_above" : 1024
},
"status" : {
"type" : "alias",
"path" : "http.response.status_code"
},
"url" : {
"type" : "alias",
"path" : "url.original"
}
}
},
"icmp_code" : {
"type" : "long"
},
"icmp_type" : {
"type" : "long"
},
"in_iface" : {
"type" : "keyword",
"ignore_above" : 1024
},
"pcap_cnt" : {
"type" : "long"
},
"proto" : {
"type" : "alias",
"path" : "network.transport"
},
"smtp" : {
"properties" : {
"helo" : {
"type" : "keyword",
"ignore_above" : 1024
},
"mail_from" : {
"type" : "keyword",
"ignore_above" : 1024
},
"rcpt_to" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"src_ip" : {
"type" : "alias",
"path" : "source.ip"
},
"src_port" : {
"type" : "alias",
"path" : "source.port"
},
"ssh" : {
"properties" : {
"client" : {
"properties" : {
"proto_version" : {
"type" : "keyword",
"ignore_above" : 1024
},
"software_version" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"server" : {
"properties" : {
"proto_version" : {
"type" : "keyword",
"ignore_above" : 1024
},
"software_version" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
},
"stats" : {
"properties" : {
"app_layer" : {
"properties" : {
"flow" : {
"properties" : {
"dcerpc_tcp" : {
"type" : "long"
},
"dcerpc_udp" : {
"type" : "long"
},
"dns_tcp" : {
"type" : "long"
},
"dns_udp" : {
"type" : "long"
},
"failed_tcp" : {
"type" : "long"
},
"failed_udp" : {
"type" : "long"
},
"ftp" : {
"type" : "long"
},
"http" : {
"type" : "long"
},
"imap" : {
"type" : "long"
},
"msn" : {
"type" : "long"
},
"smb" : {
"type" : "long"
},
"smtp" : {
"type" : "long"
},
"ssh" : {
"type" : "long"
},
"tls" : {
"type" : "long"
}
}
},
"tx" : {
"properties" : {
"dcerpc_tcp" : {
"type" : "long"
},
"dcerpc_udp" : {
"type" : "long"
},
"dns_tcp" : {
"type" : "long"
},
"dns_udp" : {
"type" : "long"
},
"ftp" : {
"type" : "long"
},
"http" : {
"type" : "long"
},
"smb" : {
"type" : "long"
},
"smtp" : {
"type" : "long"
},
"ssh" : {
"type" : "long"
},
"tls" : {
"type" : "long"
}
}
}
}
},
"capture" : {
"properties" : {
"kernel_drops" : {
"type" : "long"
},
"kernel_ifdrops" : {
"type" : "long"
},
"kernel_packets" : {
"type" : "long"
}
}
},
"decoder" : {
"properties" : {
"avg_pkt_size" : {
"type" : "long"
},
"bytes" : {
"type" : "long"
},
"dce" : {
"properties" : {
"pkt_too_small" : {
"type" : "long"
}
}
},
"erspan" : {
"type" : "long"
},
"ethernet" : {
"type" : "long"
},
"gre" : {
"type" : "long"
},
"icmpv4" : {
"type" : "long"
},
"icmpv6" : {
"type" : "long"
},
"ieee8021ah" : {
"type" : "long"
},
"invalid" : {
"type" : "long"
},
"ipraw" : {
"properties" : {
"invalid_ip_version" : {
"type" : "long"
}
}
},
"ipv4" : {
"type" : "long"
},
"ipv4_in_ipv6" : {
"type" : "long"
},
"ipv6" : {
"type" : "long"
},
"ipv6_in_ipv6" : {
"type" : "long"
},
"ltnull" : {
"properties" : {
"pkt_too_small" : {
"type" : "long"
},
"unsupported_type" : {
"type" : "long"
}
}
},
"max_pkt_size" : {
"type" : "long"
},
"mpls" : {
"type" : "long"
},
"null" : {
"type" : "long"
},
"pkts" : {
"type" : "long"
},
"ppp" : {
"type" : "long"
},
"pppoe" : {
"type" : "long"
},
"raw" : {
"type" : "long"
},
"sctp" : {
"type" : "long"
},
"sll" : {
"type" : "long"
},
"tcp" : {
"type" : "long"
},
"teredo" : {
"type" : "long"
},
"udp" : {
"type" : "long"
},
"vlan" : {
"type" : "long"
},
"vlan_qinq" : {
"type" : "long"
}
}
},
"defrag" : {
"properties" : {
"ipv4" : {
"properties" : {
"fragments" : {
"type" : "long"
},
"reassembled" : {
"type" : "long"
},
"timeouts" : {
"type" : "long"
}
}
},
"ipv6" : {
"properties" : {
"fragments" : {
"type" : "long"
},
"reassembled" : {
"type" : "long"
},
"timeouts" : {
"type" : "long"
}
}
},
"max_frag_hits" : {
"type" : "long"
}
}
},
"detect" : {
"properties" : {
"alert" : {
"type" : "long"
}
}
},
"dns" : {
"properties" : {
"memcap_global" : {
"type" : "long"
},
"memcap_state" : {
"type" : "long"
},
"memuse" : {
"type" : "long"
}
}
},
"file_store" : {
"properties" : {
"open_files" : {
"type" : "long"
}
}
},
"flow" : {
"properties" : {
"emerg_mode_entered" : {
"type" : "long"
},
"emerg_mode_over" : {
"type" : "long"
},
"icmpv4" : {
"type" : "long"
},
"icmpv6" : {
"type" : "long"
},
"memcap" : {
"type" : "long"
},
"memuse" : {
"type" : "long"
},
"spare" : {
"type" : "long"
},
"tcp" : {
"type" : "long"
},
"tcp_reuse" : {
"type" : "long"
},
"udp" : {
"type" : "long"
}
}
},
"flow_mgr" : {
"properties" : {
"bypassed_pruned" : {
"type" : "long"
},
"closed_pruned" : {
"type" : "long"
},
"est_pruned" : {
"type" : "long"
},
"flows_checked" : {
"type" : "long"
},
"flows_notimeout" : {
"type" : "long"
},
"flows_removed" : {
"type" : "long"
},
"flows_timeout" : {
"type" : "long"
},
"flows_timeout_inuse" : {
"type" : "long"
},
"new_pruned" : {
"type" : "long"
},
"rows_busy" : {
"type" : "long"
},
"rows_checked" : {
"type" : "long"
},
"rows_empty" : {
"type" : "long"
},
"rows_maxlen" : {
"type" : "long"
},
"rows_skipped" : {
"type" : "long"
}
}
},
"http" : {
"properties" : {
"memcap" : {
"type" : "long"
},
"memuse" : {
"type" : "long"
}
}
},
"tcp" : {
"properties" : {
"insert_data_normal_fail" : {
"type" : "long"
},
"insert_data_overlap_fail" : {
"type" : "long"
},
"insert_list_fail" : {
"type" : "long"
},
"invalid_checksum" : {
"type" : "long"
},
"memuse" : {
"type" : "long"
},
"no_flow" : {
"type" : "long"
},
"overlap" : {
"type" : "long"
},
"overlap_diff_data" : {
"type" : "long"
},
"pseudo" : {
"type" : "long"
},
"pseudo_failed" : {
"type" : "long"
},
"reassembly_gap" : {
"type" : "long"
},
"reassembly_memuse" : {
"type" : "long"
},
"rst" : {
"type" : "long"
},
"segment_memcap_drop" : {
"type" : "long"
},
"sessions" : {
"type" : "long"
},
"ssn_memcap_drop" : {
"type" : "long"
},
"stream_depth_reached" : {
"type" : "long"
},
"syn" : {
"type" : "long"
},
"synack" : {
"type" : "long"
}
}
},
"uptime" : {
"type" : "long"
}
}
},
"tcp" : {
"properties" : {
"ack" : {
"type" : "boolean"
},
"fin" : {
"type" : "boolean"
},
"psh" : {
"type" : "boolean"
},
"rst" : {
"type" : "boolean"
},
"state" : {
"type" : "keyword",
"ignore_above" : 1024
},
"syn" : {
"type" : "boolean"
},
"tcp_flags" : {
"type" : "keyword",
"ignore_above" : 1024
},
"tcp_flags_tc" : {
"type" : "keyword",
"ignore_above" : 1024
},
"tcp_flags_ts" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"timestamp" : {
"type" : "alias",
"path" : "@timestamp"
},
"tls" : {
"properties" : {
"fingerprint" : {
"type" : "keyword",
"ignore_above" : 1024
},
"issuerdn" : {
"type" : "keyword",
"ignore_above" : 1024
},
"notafter" : {
"type" : "date"
},
"notbefore" : {
"type" : "date"
},
"serial" : {
"type" : "keyword",
"ignore_above" : 1024
},
"session_resumed" : {
"type" : "boolean"
},
"sni" : {
"type" : "keyword",
"ignore_above" : 1024
},
"subject" : {
"type" : "keyword",
"ignore_above" : 1024
},
"version" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"tx_id" : {
"type" : "long"
}
}
}
}
},
"syslog" : {
"properties" : {
"facility" : {
"type" : "long"
},
"facility_label" : {
"type" : "keyword",
"ignore_above" : 1024
},
"priority" : {
"type" : "long"
},
"severity_label" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"system" : {
"properties" : {
"auth" : {
"properties" : {
"groupadd" : {
"type" : "object"
},
"ssh" : {
"properties" : {
"dropped_ip" : {
"type" : "ip"
},
"event" : {
"type" : "keyword",
"ignore_above" : 1024
},
"geoip" : {
"type" : "object"
},
"method" : {
"type" : "keyword",
"ignore_above" : 1024
},
"signature" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"sudo" : {
"properties" : {
"command" : {
"type" : "keyword",
"ignore_above" : 1024
},
"error" : {
"type" : "keyword",
"ignore_above" : 1024
},
"pwd" : {
"type" : "keyword",
"ignore_above" : 1024
},
"tty" : {
"type" : "keyword",
"ignore_above" : 1024
},
"user" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"useradd" : {
"properties" : {
"home" : {
"type" : "keyword",
"ignore_above" : 1024
},
"shell" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
},
"syslog" : {
"type" : "object"
}
}
},
"tags" : {
"type" : "keyword",
"ignore_above" : 1024
},
"timeseries" : {
"properties" : {
"instance" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"tracing" : {
"properties" : {
"trace" : {
"properties" : {
"id" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"transaction" : {
"properties" : {
"id" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
},
"traefik" : {
"properties" : {
"access" : {
"properties" : {
"backend_url" : {
"type" : "keyword",
"ignore_above" : 1024
},
"frontend_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"geoip" : {
"properties" : {
"city_name" : {
"type" : "alias",
"path" : "source.geo.city_name"
},
"continent_name" : {
"type" : "alias",
"path" : "source.geo.continent_name"
},
"country_iso_code" : {
"type" : "alias",
"path" : "source.geo.country_iso_code"
},
"location" : {
"type" : "alias",
"path" : "source.geo.location"
},
"region_iso_code" : {
"type" : "alias",
"path" : "source.geo.region_iso_code"
},
"region_name" : {
"type" : "alias",
"path" : "source.geo.region_name"
}
}
},
"request_count" : {
"type" : "long"
},
"user_agent" : {
"properties" : {
"device" : {
"type" : "alias",
"path" : "user_agent.device.name"
},
"name" : {
"type" : "alias",
"path" : "user_agent.name"
},
"original" : {
"type" : "alias",
"path" : "user_agent.original"
},
"os" : {
"type" : "alias",
"path" : "user_agent.os.full_name"
},
"os_name" : {
"type" : "alias",
"path" : "user_agent.os.name"
}
}
},
"user_identifier" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
},
"url" : {
"properties" : {
"domain" : {
"type" : "keyword",
"ignore_above" : 1024
},
"fragment" : {
"type" : "keyword",
"ignore_above" : 1024
},
"full" : {
"type" : "keyword",
"ignore_above" : 1024
},
"original" : {
"type" : "keyword",
"ignore_above" : 1024
},
"password" : {
"type" : "keyword",
"ignore_above" : 1024
},
"path" : {
"type" : "keyword",
"ignore_above" : 1024
},
"port" : {
"type" : "long"
},
"query" : {
"type" : "keyword",
"ignore_above" : 1024
},
"scheme" : {
"type" : "keyword",
"ignore_above" : 1024
},
"username" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"user" : {
"properties" : {
"audit" : {
"properties" : {
"group" : {
"properties" : {
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"domain" : {
"type" : "keyword",
"ignore_above" : 1024
},
"effective" : {
"properties" : {
"group" : {
"properties" : {
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"email" : {
"type" : "keyword",
"ignore_above" : 1024
},
"filesystem" : {
"properties" : {
"group" : {
"properties" : {
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"full_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"group" : {
"properties" : {
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"hash" : {
"type" : "keyword",
"ignore_above" : 1024
},
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"owner" : {
"properties" : {
"group" : {
"properties" : {
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"saved" : {
"properties" : {
"group" : {
"properties" : {
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"terminal" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"user_agent" : {
"properties" : {
"device" : {
"properties" : {
"name" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"original" : {
"type" : "keyword",
"ignore_above" : 1024
},
"os" : {
"properties" : {
"family" : {
"type" : "keyword",
"ignore_above" : 1024
},
"full" : {
"type" : "keyword",
"ignore_above" : 1024
},
"full_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"kernel" : {
"type" : "keyword",
"ignore_above" : 1024
},
"name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"platform" : {
"type" : "keyword",
"ignore_above" : 1024
},
"version" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"version" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"zeek" : {
"properties" : {
"connection" : {
"properties" : {
"history" : {
"type" : "keyword",
"ignore_above" : 1024
},
"inner_vlan" : {
"type" : "long"
},
"local_orig" : {
"type" : "boolean"
},
"local_resp" : {
"type" : "boolean"
},
"missed_bytes" : {
"type" : "long"
},
"orig_l2_addr" : {
"type" : "keyword",
"ignore_above" : 1024
},
"resp_l2_addr" : {
"type" : "keyword",
"ignore_above" : 1024
},
"state" : {
"type" : "keyword",
"ignore_above" : 1024
},
"vlan" : {
"type" : "long"
}
}
},
"dns" : {
"properties" : {
"AA" : {
"type" : "boolean"
},
"RA" : {
"type" : "boolean"
},
"RD" : {
"type" : "boolean"
},
"TC" : {
"type" : "boolean"
},
"TTLs" : {
"type" : "double"
},
"answers" : {
"type" : "keyword",
"ignore_above" : 1024
},
"qclass" : {
"type" : "long"
},
"qclass_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"qtype" : {
"type" : "long"
},
"qtype_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"query" : {
"type" : "keyword",
"ignore_above" : 1024
},
"rcode" : {
"type" : "long"
},
"rcode_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"rejected" : {
"type" : "boolean"
},
"rtt" : {
"type" : "double"
},
"saw_query" : {
"type" : "boolean"
},
"saw_reply" : {
"type" : "boolean"
},
"total_answers" : {
"type" : "long"
},
"total_replies" : {
"type" : "long"
},
"trans_id" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"files" : {
"properties" : {
"analyzers" : {
"type" : "keyword",
"ignore_above" : 1024
},
"depth" : {
"type" : "long"
},
"duration" : {
"type" : "double"
},
"entropy" : {
"type" : "double"
},
"extracted" : {
"type" : "keyword",
"ignore_above" : 1024
},
"extracted_cutoff" : {
"type" : "boolean"
},
"extracted_size" : {
"type" : "long"
},
"filename" : {
"type" : "keyword",
"ignore_above" : 1024
},
"fuid" : {
"type" : "keyword",
"ignore_above" : 1024
},
"is_orig" : {
"type" : "boolean"
},
"local_orig" : {
"type" : "boolean"
},
"md5" : {
"type" : "keyword",
"ignore_above" : 1024
},
"mime_type" : {
"type" : "keyword",
"ignore_above" : 1024
},
"missing_bytes" : {
"type" : "long"
},
"overflow_bytes" : {
"type" : "long"
},
"parent_fuid" : {
"type" : "keyword",
"ignore_above" : 1024
},
"rx_host" : {
"type" : "ip"
},
"seen_bytes" : {
"type" : "long"
},
"session_ids" : {
"type" : "keyword",
"ignore_above" : 1024
},
"sha1" : {
"type" : "keyword",
"ignore_above" : 1024
},
"sha256" : {
"type" : "keyword",
"ignore_above" : 1024
},
"source" : {
"type" : "keyword",
"ignore_above" : 1024
},
"timedout" : {
"type" : "boolean"
},
"total_bytes" : {
"type" : "long"
},
"tx_host" : {
"type" : "ip"
}
}
},
"fnotice" : {
"properties" : {
"file" : {
"properties" : {
"total_bytes" : {
"type" : "long"
}
}
}
}
},
"http" : {
"properties" : {
"captured_password" : {
"type" : "boolean"
},
"client_header_names" : {
"type" : "keyword",
"ignore_above" : 1024
},
"info_code" : {
"type" : "long"
},
"info_msg" : {
"type" : "keyword",
"ignore_above" : 1024
},
"orig_filenames" : {
"type" : "keyword",
"ignore_above" : 1024
},
"orig_fuids" : {
"type" : "keyword",
"ignore_above" : 1024
},
"orig_mime_depth" : {
"type" : "long"
},
"orig_mime_types" : {
"type" : "keyword",
"ignore_above" : 1024
},
"password" : {
"type" : "keyword",
"ignore_above" : 1024
},
"proxied" : {
"type" : "keyword",
"ignore_above" : 1024
},
"range_request" : {
"type" : "boolean"
},
"resp_filenames" : {
"type" : "keyword",
"ignore_above" : 1024
},
"resp_fuids" : {
"type" : "keyword",
"ignore_above" : 1024
},
"resp_mime_depth" : {
"type" : "long"
},
"resp_mime_types" : {
"type" : "keyword",
"ignore_above" : 1024
},
"server_header_names" : {
"type" : "keyword",
"ignore_above" : 1024
},
"status_msg" : {
"type" : "keyword",
"ignore_above" : 1024
},
"tags" : {
"type" : "keyword",
"ignore_above" : 1024
},
"trans_depth" : {
"type" : "long"
}
}
},
"notice" : {
"properties" : {
"actions" : {
"type" : "keyword",
"ignore_above" : 1024
},
"connection_id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"dropped" : {
"type" : "boolean"
},
"email_body_sections" : {
"type" : "text",
"norms" : false
},
"email_delay_tokens" : {
"type" : "keyword",
"ignore_above" : 1024
},
"file" : {
"properties" : {
"id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"is_orig" : {
"type" : "boolean"
},
"mime_type" : {
"type" : "keyword",
"ignore_above" : 1024
},
"missing_bytes" : {
"type" : "long"
},
"overflow_bytes" : {
"type" : "long"
},
"parent_id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"seen_bytes" : {
"type" : "long"
},
"source" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
},
"fuid" : {
"type" : "keyword",
"ignore_above" : 1024
},
"icmp_id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"identifier" : {
"type" : "keyword",
"ignore_above" : 1024
},
"msg" : {
"type" : "keyword",
"ignore_above" : 1024
},
"n" : {
"type" : "long"
},
"note" : {
"type" : "keyword",
"ignore_above" : 1024
},
"peer_descr" : {
"type" : "text",
"norms" : false
},
"peer_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"sub" : {
"type" : "keyword",
"ignore_above" : 1024
},
"suppress_for" : {
"type" : "double"
}
}
},
"session_id" : {
"type" : "keyword",
"ignore_above" : 1024
},
"ssl" : {
"properties" : {
"cert_chain" : {
"type" : "keyword",
"ignore_above" : 1024
},
"cert_chain_fuids" : {
"type" : "keyword",
"ignore_above" : 1024
},
"cipher" : {
"type" : "keyword",
"ignore_above" : 1024
},
"client_cert_chain" : {
"type" : "keyword",
"ignore_above" : 1024
},
"client_cert_chain_fuids" : {
"type" : "keyword",
"ignore_above" : 1024
},
"client_issuer" : {
"type" : "keyword",
"ignore_above" : 1024
},
"client_subject" : {
"type" : "keyword",
"ignore_above" : 1024
},
"curve" : {
"type" : "keyword",
"ignore_above" : 1024
},
"established" : {
"type" : "boolean"
},
"issuer" : {
"type" : "keyword",
"ignore_above" : 1024
},
"last_alert" : {
"type" : "keyword",
"ignore_above" : 1024
},
"next_protocol" : {
"type" : "keyword",
"ignore_above" : 1024
},
"resumed" : {
"type" : "boolean"
},
"server_name" : {
"type" : "keyword",
"ignore_above" : 1024
},
"subject" : {
"type" : "keyword",
"ignore_above" : 1024
},
"validation_code" : {
"type" : "keyword",
"ignore_above" : 1024
},
"validation_status" : {
"type" : "keyword",
"ignore_above" : 1024
},
"version" : {
"type" : "keyword",
"ignore_above" : 1024
}
}
}
}
}
}
},
"settings" : {
"index" : {
"lifecycle" : {
"name" : "filebeat-7.5.0",
"rollover_alias" : "filebeat-7.5.0"
},
"mapping" : {
"total_fields" : {
"limit" : "10000"
}
},
"refresh_interval" : "5s",
"number_of_shards" : "1",
"provided_name" : "<filebeat-7.5.0-{now/d}-000003>",
"query" : {
"default_field" : [
"message",
"tags",
...
"event.original",
...
"fields.*"
]
},
"creation_date" : "1576694675699",
"number_of_replicas" : "1",
"uuid" : "Fhu-EoXqSSiSBlBZL2-geA",
"version" : {
"created" : "7050099"
}
}
}
}
}