filebeat-7.5.0-cisco-ftd-asa-ftd-pipeline-query
#Set up Filebeat 7.5 per the docs at https://www.elastic.co/guide/en/beats/filebeat/7.5/filebeat-getting-started.html | |
#filebeat modules enable cisco | |
#filebeat setup | |
#The behavior results from processing by the filebeat-7.5.0-cisco-ftd-asa-ftd-pipeline ingest pipeline. Bypassing this pipeline eliminates the issue. | |
#Successful query of documents ingested outside of the filebeat-7.5.0-cisco-ftd-asa-ftd-pipeline pipeline | |
GET syslog-000008/_search | |
{ | |
"query": { | |
"match": { | |
"message": { | |
"query": "retrieved" | |
} | |
} | |
} | |
} | |
... | |
"hits" : { | |
"total" : { | |
"value" : 10000, | |
"relation" : "gte" | |
}, | |
... | |
#The same kind of query returns no hits for documents ingested by the filebeat-7.5.0-cisco-ftd-asa-ftd-pipeline pipeline | |
GET filebeat-7.5.0-2019.12.10-000001/_search | |
{ | |
"query": { | |
"match": { | |
"event.original": { | |
"query": "Primary" | |
} | |
} | |
} | |
} | |
... | |
"hits" : { | |
"total" : { | |
"value" : 0, | |
"relation" : "eq" | |
}, | |
... | |
#The filebeat-7.5.0-cisco-ftd-asa-ftd-pipeline pipeline seems to carry message over into log.original and then into event.original? | |
GET _ingest/pipeline/filebeat-7.5.0-cisco-ftd-asa-ftd-pipeline | |
#The issue behaves as if it is caused by a lack of analysis on the fields the pipeline writes: the Filebeat index's strings_as_keyword dynamic template (shown below) maps any string field not listed explicitly as keyword with ignore_above 1024, so a match query only hits when the term equals the whole stored value, and values longer than 1024 characters are presumably not indexed at all — worth confirming for event.original, since long syslog lines would then be unsearchable. | |
#Indexes not processed by the pipeline have what appear to be default dynamic mappings (text with a keyword sub-field) | |
{ | |
"kemp-000014" : { | |
"aliases" : { | |
"kemp" : { | |
"is_write_index" : true | |
} | |
}, | |
"mappings" : { | |
"properties" : { | |
... | |
"host" : { | |
"type" : "text", | |
"fields" : { | |
"keyword" : { | |
"type" : "keyword", | |
"ignore_above" : 256 | |
} | |
} | |
}, | |
#Indexes processed by the pipeline show differences. Sorry, the output is very long. | |
{ | |
"filebeat-7.5.0-2019.12.18-000003" : { | |
"aliases" : { | |
"filebeat-7.5.0" : { | |
"is_write_index" : true | |
} | |
}, | |
"mappings" : { | |
"_meta" : { | |
"beat" : "filebeat", | |
"version" : "7.5.0" | |
}, | |
"dynamic_templates" : [ | |
{ | |
"labels" : { | |
"path_match" : "labels.*", | |
"match_mapping_type" : "string", | |
"mapping" : { | |
"type" : "keyword" | |
} | |
} | |
}, | |
{ | |
"container.labels" : { | |
"path_match" : "container.labels.*", | |
"match_mapping_type" : "string", | |
"mapping" : { | |
"type" : "keyword" | |
} | |
} | |
}, | |
{ | |
"dns.answers" : { | |
"path_match" : "dns.answers.*", | |
"match_mapping_type" : "string", | |
"mapping" : { | |
"type" : "keyword" | |
} | |
} | |
}, | |
{ | |
"fields" : { | |
"path_match" : "fields.*", | |
"match_mapping_type" : "string", | |
"mapping" : { | |
"type" : "keyword" | |
} | |
} | |
}, | |
{ | |
"docker.container.labels" : { | |
"path_match" : "docker.container.labels.*", | |
"match_mapping_type" : "string", | |
"mapping" : { | |
"type" : "keyword" | |
} | |
} | |
}, | |
{ | |
"kubernetes.labels.*" : { | |
"path_match" : "kubernetes.labels.*", | |
"mapping" : { | |
"type" : "keyword" | |
} | |
} | |
}, | |
{ | |
"kubernetes.annotations.*" : { | |
"path_match" : "kubernetes.annotations.*", | |
"mapping" : { | |
"type" : "keyword" | |
} | |
} | |
}, | |
{ | |
"docker.attrs" : { | |
"path_match" : "docker.attrs.*", | |
"match_mapping_type" : "string", | |
"mapping" : { | |
"type" : "keyword" | |
} | |
} | |
}, | |
{ | |
"cef.extensions" : { | |
"path_match" : "cef.extensions.*", | |
"match_mapping_type" : "string", | |
"mapping" : { | |
"type" : "keyword" | |
} | |
} | |
}, | |
{ | |
"kibana.log.meta" : { | |
"path_match" : "kibana.log.meta.*", | |
"match_mapping_type" : "string", | |
"mapping" : { | |
"type" : "keyword" | |
} | |
} | |
}, | |
{ | |
"strings_as_keyword" : { | |
"match_mapping_type" : "string", | |
"mapping" : { | |
"ignore_above" : 1024, | |
"type" : "keyword" | |
} | |
} | |
} | |
], | |
"date_detection" : false, | |
"properties" : { | |
"@timestamp" : { | |
"type" : "date" | |
}, | |
"@version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"_temp_" : { | |
"properties" : { | |
"cisco" : { | |
"properties" : { | |
"message_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"rule_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"security" : { | |
"properties" : { | |
"access_control_rule_action" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"access_control_rule_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"access_control_rule_reason" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"application_protocol" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"client" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"dns_query" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"dns_record_type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"dns_response_type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"dst_ip" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"dst_port" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"egress_zone" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"ingress_zone" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"initiator_bytes" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"initiator_packets" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"ip_reputation_si_category" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"nap_policy" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"prefilter_policy" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"protocol" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"referenced_host" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"responder_bytes" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"responder_packets" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"sec_int_matching_ip" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"src_ip" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"src_port" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"tcp_flags" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"url" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"url_category" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"url_reputation" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"orig_security" : { | |
"properties" : { | |
"AccessControlRuleAction" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"AccessControlRuleName" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"AccessControlRuleReason" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"ApplicationProtocol" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"Client" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"ConnectType" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"DE" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"DNSQuery" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"DNSRecordType" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"DNSResponseType" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"DstIP" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"DstPort" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"EgressZone" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"IPReputationSICategory" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"IngressZone" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"InitiatorBytes" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"InitiatorPackets" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"NAPPolicy" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"OriginalClientIP" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"Policy" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"Prefilter Policy" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"Protocol" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"ReferencedHost" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"ResponderBytes" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"ResponderPackets" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"SecIntMatchingIP" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"Sinkhole" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"SrcIP" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"SrcPort" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"TCPFlags" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"URL" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"URLCategory" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"URLReputation" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"raw_date" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"agent" : { | |
"properties" : { | |
"ephemeral_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"hostname" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"apache" : { | |
"properties" : { | |
"access" : { | |
"properties" : { | |
"ssl" : { | |
"properties" : { | |
"cipher" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"protocol" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"error" : { | |
"properties" : { | |
"module" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"apache2" : { | |
"properties" : { | |
"access" : { | |
"properties" : { | |
"geoip" : { | |
"type" : "object" | |
}, | |
"user_agent" : { | |
"type" : "object" | |
} | |
} | |
}, | |
"error" : { | |
"type" : "object" | |
} | |
} | |
}, | |
"as" : { | |
"properties" : { | |
"number" : { | |
"type" : "long" | |
}, | |
"organization" : { | |
"properties" : { | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"auditd" : { | |
"properties" : { | |
"log" : { | |
"properties" : { | |
"a0" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"addr" : { | |
"type" : "ip" | |
}, | |
"geoip" : { | |
"type" : "object" | |
}, | |
"item" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"items" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"laddr" : { | |
"type" : "ip" | |
}, | |
"lport" : { | |
"type" : "long" | |
}, | |
"new_auid" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"new_ses" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"old_auid" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"old_ses" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"rport" : { | |
"type" : "long" | |
}, | |
"sequence" : { | |
"type" : "long" | |
}, | |
"tty" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"aws" : { | |
"properties" : { | |
"elb" : { | |
"properties" : { | |
"action_executed" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"backend" : { | |
"properties" : { | |
"http" : { | |
"properties" : { | |
"response" : { | |
"properties" : { | |
"status_code" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"ip" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"port" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"backend_processing_time" : { | |
"properties" : { | |
"sec" : { | |
"type" : "float" | |
} | |
} | |
}, | |
"chosen_cert" : { | |
"properties" : { | |
"arn" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"serial" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"connection_time" : { | |
"properties" : { | |
"ms" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"error" : { | |
"properties" : { | |
"reason" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"incoming_tls_alert" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"listener" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"matched_rule_priority" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"protocol" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"redirect_url" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"request_processing_time" : { | |
"properties" : { | |
"sec" : { | |
"type" : "float" | |
} | |
} | |
}, | |
"response_processing_time" : { | |
"properties" : { | |
"sec" : { | |
"type" : "float" | |
} | |
} | |
}, | |
"ssl_cipher" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"ssl_protocol" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"target_group" : { | |
"properties" : { | |
"arn" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"tls_handshake_time" : { | |
"properties" : { | |
"ms" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"tls_named_group" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"trace_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"s3access" : { | |
"properties" : { | |
"authentication_type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"bucket" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"bucket_owner" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"bytes_sent" : { | |
"type" : "long" | |
}, | |
"cipher_suite" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"error_code" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"host_header" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"host_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"http_status" : { | |
"type" : "long" | |
}, | |
"key" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"object_size" : { | |
"type" : "long" | |
}, | |
"operation" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"referrer" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"remote_ip" : { | |
"type" : "ip" | |
}, | |
"request_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"request_uri" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"requester" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"signature_version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"tls_version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"total_time" : { | |
"type" : "long" | |
}, | |
"turn_around_time" : { | |
"type" : "long" | |
}, | |
"user_agent" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"version_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"azure" : { | |
"properties" : { | |
"activitylogs" : { | |
"properties" : { | |
"identity" : { | |
"properties" : { | |
"action" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"authorization" : { | |
"properties" : { | |
"evidence" : { | |
"properties" : { | |
"principal_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"principal_type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"role" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"role_assignment_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"role_assignment_scope" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"role_definition_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"claims_initiated_by_user" : { | |
"properties" : { | |
"fullname" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"givenname" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"schema" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"surname" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"scope" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"operation_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"properties" : { | |
"properties" : { | |
"service_request_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"status_code" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"result_signature" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"auditlogs" : { | |
"properties" : { | |
"operation_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"operation_version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"properties" : { | |
"properties" : { | |
"activityDateTime" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"activity_display_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"category" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"correlation_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"initiated_by" : { | |
"properties" : { | |
"app" : { | |
"properties" : { | |
"appId" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"displayName" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"servicePrincipalId" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"servicePrincipalName" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"user" : { | |
"properties" : { | |
"displayName" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"ipAddress" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"userPrincipalName" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"logged_by_service" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"operation_type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"result" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"result_reason" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"target_resources" : { | |
"properties" : { | |
"display_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"ip_address" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"modified_properties" : { | |
"properties" : { | |
"displayName" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"newValue" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"oldValue" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"user_principal_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"result_signature" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"tenant_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"correlation_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"resource" : { | |
"properties" : { | |
"group" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"namespace" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"provider" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"signinlogs" : { | |
"properties" : { | |
"identity" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"operation_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"operation_version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"properties" : { | |
"properties" : { | |
"app_display_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"app_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"client_app_used" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"conditional_access_status" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"correlation_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"created_at" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"device_detail" : { | |
"properties" : { | |
"browser" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"device_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"display_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"operating_system" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"trust_type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"ip_address" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"is_interactive" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"original_request_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"processing_time_ms" : { | |
"type" : "float" | |
}, | |
"resource_display_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"risk_detail" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"risk_level_aggregated" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"risk_level_during_signin" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"risk_state" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"service_principal_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"status" : { | |
"properties" : { | |
"additional_details" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"error_code" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"token_issuer_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"token_issuer_type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"user_display_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"user_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"user_principal_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"result_signature" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"tenant_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"subscription_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"tenant_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"bucket_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"cef" : { | |
"properties" : { | |
"device" : { | |
"properties" : { | |
"event_class_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"product" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"vendor" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"extensions" : { | |
"type" : "object" | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"severity" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"certificate" : { | |
"properties" : { | |
"common_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"sha256" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"cisco" : { | |
"properties" : { | |
"asa" : { | |
"properties" : { | |
"connection_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"destination_interface" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"destination_username" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"icmp_code" : { | |
"type" : "short" | |
}, | |
"icmp_type" : { | |
"type" : "short" | |
}, | |
"mapped_destination_ip" : { | |
"type" : "ip" | |
}, | |
"mapped_destination_port" : { | |
"type" : "long" | |
}, | |
"mapped_source_ip" : { | |
"type" : "ip" | |
}, | |
"mapped_source_port" : { | |
"type" : "long" | |
}, | |
"message_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"rule_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"source_interface" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"source_username" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"suffix" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"threat_category" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"threat_level" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"ftd" : { | |
"properties" : { | |
"connection_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"destination_interface" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"destination_username" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"icmp_code" : { | |
"type" : "short" | |
}, | |
"icmp_type" : { | |
"type" : "short" | |
}, | |
"mapped_destination_ip" : { | |
"type" : "ip" | |
}, | |
"mapped_destination_port" : { | |
"type" : "long" | |
}, | |
"mapped_source_ip" : { | |
"type" : "ip" | |
}, | |
"mapped_source_port" : { | |
"type" : "long" | |
}, | |
"message_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"rule_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"security" : { | |
"properties" : { | |
"access_control_rule_action" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"access_control_rule_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"access_control_rule_reason" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"application_protocol" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"client" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"client_version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"dns_query" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"dns_record_type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"dns_response_type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"dns_ttl" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"dst_ip" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"dst_port" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"egress_zone" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"endpoint_profile" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"file_count" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"http_referer" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"http_response" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"icmp_code" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"icmp_type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"ingress_zone" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"initiator_bytes" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"initiator_packets" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"ip_reputation_si_category" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"ips_count" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"nap_policy" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"prefilter_policy" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"protocol" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"referenced_host" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"responder_bytes" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"responder_packets" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"sec_int_matching_ip" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"src_ip" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"src_port" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"tcp_flags" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"url" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"url_category" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"url_reputation" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"user_agent" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"web_application" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"source_interface" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"source_username" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"suffix" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"threat_category" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"threat_level" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"ios" : { | |
"properties" : { | |
"access_list" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"facility" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"client" : { | |
"properties" : { | |
"address" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"as" : { | |
"properties" : { | |
"number" : { | |
"type" : "long" | |
}, | |
"organization" : { | |
"properties" : { | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"bytes" : { | |
"type" : "long" | |
}, | |
"domain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"geo" : { | |
"properties" : { | |
"city_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"continent_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"country_iso_code" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"country_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"location" : { | |
"type" : "geo_point" | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"region_iso_code" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"region_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"ip" : { | |
"type" : "ip" | |
}, | |
"mac" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"nat" : { | |
"properties" : { | |
"ip" : { | |
"type" : "ip" | |
}, | |
"port" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"packets" : { | |
"type" : "long" | |
}, | |
"port" : { | |
"type" : "long" | |
}, | |
"user" : { | |
"properties" : { | |
"domain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"email" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"full_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"group" : { | |
"properties" : { | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"hash" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"cloud" : { | |
"properties" : { | |
"account" : { | |
"properties" : { | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"availability_zone" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"image" : { | |
"properties" : { | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"instance" : { | |
"properties" : { | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"machine" : { | |
"properties" : { | |
"type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"project" : { | |
"properties" : { | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"provider" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"region" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"container" : { | |
"properties" : { | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"image" : { | |
"properties" : { | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"tag" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"labels" : { | |
"type" : "object" | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"runtime" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"coredns" : { | |
"properties" : { | |
"dnssec_ok" : { | |
"type" : "boolean" | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"query" : { | |
"properties" : { | |
"class" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"size" : { | |
"type" : "long" | |
}, | |
"type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"response" : { | |
"properties" : { | |
"code" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"flags" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"size" : { | |
"type" : "long" | |
} | |
} | |
} | |
} | |
}, | |
"destination" : { | |
"properties" : { | |
"address" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"as" : { | |
"properties" : { | |
"number" : { | |
"type" : "long" | |
}, | |
"organization" : { | |
"properties" : { | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"bytes" : { | |
"type" : "long" | |
}, | |
"domain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"geo" : { | |
"properties" : { | |
"city_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"continent_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"country_iso_code" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"country_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"location" : { | |
"type" : "geo_point" | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"region_iso_code" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"region_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"ip" : { | |
"type" : "ip" | |
}, | |
"mac" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"nat" : { | |
"properties" : { | |
"ip" : { | |
"type" : "ip" | |
}, | |
"port" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"packets" : { | |
"type" : "long" | |
}, | |
"port" : { | |
"type" : "long" | |
}, | |
"service" : { | |
"properties" : { | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"user" : { | |
"properties" : { | |
"domain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"email" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"full_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"group" : { | |
"properties" : { | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"hash" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"dns" : { | |
"properties" : { | |
"answers" : { | |
"properties" : { | |
"class" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"data" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"ttl" : { | |
"type" : "long" | |
}, | |
"type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"header_flags" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"op_code" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"question" : { | |
"properties" : { | |
"class" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"registered_domain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"resolved_ip" : { | |
"type" : "ip" | |
}, | |
"response_code" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"docker" : { | |
"properties" : { | |
"attrs" : { | |
"type" : "object" | |
}, | |
"container" : { | |
"properties" : { | |
"labels" : { | |
"type" : "object" | |
} | |
} | |
} | |
} | |
}, | |
"ecs" : { | |
"properties" : { | |
"version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"elasticsearch" : { | |
"properties" : { | |
"audit" : { | |
"properties" : { | |
"action" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"event_type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"indices" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"layer" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"message" : { | |
"type" : "text", | |
"norms" : false | |
}, | |
"origin" : { | |
"properties" : { | |
"type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"realm" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"request" : { | |
"properties" : { | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"url" : { | |
"properties" : { | |
"params" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"user" : { | |
"properties" : { | |
"realm" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"roles" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"cluster" : { | |
"properties" : { | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"uuid" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"component" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"deprecation" : { | |
"type" : "object" | |
}, | |
"gc" : { | |
"properties" : { | |
"heap" : { | |
"properties" : { | |
"size_kb" : { | |
"type" : "long" | |
}, | |
"used_kb" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"jvm_runtime_sec" : { | |
"type" : "float" | |
}, | |
"old_gen" : { | |
"properties" : { | |
"size_kb" : { | |
"type" : "long" | |
}, | |
"used_kb" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"phase" : { | |
"properties" : { | |
"class_unload_time_sec" : { | |
"type" : "float" | |
}, | |
"cpu_time" : { | |
"properties" : { | |
"real_sec" : { | |
"type" : "float" | |
}, | |
"sys_sec" : { | |
"type" : "float" | |
}, | |
"user_sec" : { | |
"type" : "float" | |
} | |
} | |
}, | |
"duration_sec" : { | |
"type" : "float" | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"parallel_rescan_time_sec" : { | |
"type" : "float" | |
}, | |
"scrub_string_table_time_sec" : { | |
"type" : "float" | |
}, | |
"scrub_symbol_table_time_sec" : { | |
"type" : "float" | |
}, | |
"weak_refs_processing_time_sec" : { | |
"type" : "float" | |
} | |
} | |
}, | |
"stopping_threads_time_sec" : { | |
"type" : "float" | |
}, | |
"tags" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"threads_total_stop_time_sec" : { | |
"type" : "float" | |
}, | |
"young_gen" : { | |
"properties" : { | |
"size_kb" : { | |
"type" : "long" | |
}, | |
"used_kb" : { | |
"type" : "long" | |
} | |
} | |
} | |
} | |
}, | |
"index" : { | |
"properties" : { | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"node" : { | |
"properties" : { | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"server" : { | |
"properties" : { | |
"gc" : { | |
"properties" : { | |
"collection_duration" : { | |
"properties" : { | |
"ms" : { | |
"type" : "float" | |
} | |
} | |
}, | |
"observation_duration" : { | |
"properties" : { | |
"ms" : { | |
"type" : "float" | |
} | |
} | |
}, | |
"overhead_seq" : { | |
"type" : "long" | |
}, | |
"young" : { | |
"properties" : { | |
"one" : { | |
"type" : "long" | |
}, | |
"two" : { | |
"type" : "long" | |
} | |
} | |
} | |
} | |
}, | |
"stacktrace" : { | |
"type" : "keyword", | |
"index" : false, | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"shard" : { | |
"properties" : { | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"slowlog" : { | |
"properties" : { | |
"extra_source" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"logger" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"routing" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"search_type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"source" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"source_query" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"stats" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"took" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"total_hits" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"total_shards" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"types" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"envoyproxy" : { | |
"properties" : { | |
"authority" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"log_type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"proxy_type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"request_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"response_flags" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"upstream_service_time" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"error" : { | |
"properties" : { | |
"code" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"message" : { | |
"type" : "text", | |
"norms" : false | |
}, | |
"type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"event" : { | |
"properties" : { | |
"action" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"category" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"code" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"created" : { | |
"type" : "date" | |
}, | |
"dataset" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"duration" : { | |
"type" : "long" | |
}, | |
"end" : { | |
"type" : "date" | |
}, | |
"hash" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"kind" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"module" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"original" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"outcome" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"provider" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"risk_score" : { | |
"type" : "float" | |
}, | |
"risk_score_norm" : { | |
"type" : "float" | |
}, | |
"sequence" : { | |
"type" : "long" | |
}, | |
"severity" : { | |
"type" : "long" | |
}, | |
"start" : { | |
"type" : "date" | |
}, | |
"timezone" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"fields" : { | |
"type" : "object" | |
}, | |
"file" : { | |
"properties" : { | |
"accessed" : { | |
"type" : "date" | |
}, | |
"created" : { | |
"type" : "date" | |
}, | |
"ctime" : { | |
"type" : "date" | |
}, | |
"device" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"directory" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"extension" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"gid" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"group" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"hash" : { | |
"properties" : { | |
"md5" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"sha1" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"sha256" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"sha512" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"inode" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"mode" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"mtime" : { | |
"type" : "date" | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"owner" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"path" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"size" : { | |
"type" : "long" | |
}, | |
"target_path" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"uid" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"fileset" : { | |
"properties" : { | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"geo" : { | |
"properties" : { | |
"city_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"continent_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"country_iso_code" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"country_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"location" : { | |
"type" : "geo_point" | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"region_iso_code" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"region_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"googlecloud" : { | |
"properties" : { | |
"vpcflow" : { | |
"properties" : { | |
"destination" : { | |
"properties" : { | |
"instance" : { | |
"properties" : { | |
"project_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"region" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"zone" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"vpc" : { | |
"properties" : { | |
"project_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"subnetwork_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"vpc_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"reporter" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"rtt" : { | |
"properties" : { | |
"ms" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"source" : { | |
"properties" : { | |
"instance" : { | |
"properties" : { | |
"project_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"region" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"zone" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"vpc" : { | |
"properties" : { | |
"project_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"subnetwork_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"vpc_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
} | |
} | |
} | |
} | |
}, | |
"group" : { | |
"properties" : { | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"haproxy" : { | |
"properties" : { | |
"backend_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"backend_queue" : { | |
"type" : "long" | |
}, | |
"bind_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"bytes_read" : { | |
"type" : "long" | |
}, | |
"client" : { | |
"type" : "object" | |
}, | |
"connection_wait_time_ms" : { | |
"type" : "long" | |
}, | |
"connections" : { | |
"properties" : { | |
"active" : { | |
"type" : "long" | |
}, | |
"backend" : { | |
"type" : "long" | |
}, | |
"frontend" : { | |
"type" : "long" | |
}, | |
"retries" : { | |
"type" : "long" | |
}, | |
"server" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"destination" : { | |
"type" : "object" | |
}, | |
"error_message" : { | |
"type" : "text", | |
"norms" : false | |
}, | |
"frontend_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"geoip" : { | |
"type" : "object" | |
}, | |
"http" : { | |
"properties" : { | |
"request" : { | |
"properties" : { | |
"captured_cookie" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"captured_headers" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"raw_request_line" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"time_wait_ms" : { | |
"type" : "long" | |
}, | |
"time_wait_without_data_ms" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"response" : { | |
"properties" : { | |
"captured_cookie" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"captured_headers" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"mode" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"server_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"server_queue" : { | |
"type" : "long" | |
}, | |
"source" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"tcp" : { | |
"properties" : { | |
"connection_waiting_time_ms" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"termination_state" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"time_backend_connect" : { | |
"type" : "long" | |
}, | |
"time_queue" : { | |
"type" : "long" | |
}, | |
"total_waiting_time_ms" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"hash" : { | |
"properties" : { | |
"md5" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"sha1" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"sha256" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"sha512" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"host" : { | |
"properties" : { | |
"architecture" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"containerized" : { | |
"type" : "boolean" | |
}, | |
"geo" : { | |
"properties" : { | |
"city_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"continent_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"country_iso_code" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"country_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"location" : { | |
"type" : "geo_point" | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"region_iso_code" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"region_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"hostname" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"ip" : { | |
"type" : "ip" | |
}, | |
"mac" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"os" : { | |
"properties" : { | |
"build" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"codename" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"family" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"full" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"kernel" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"platform" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"uptime" : { | |
"type" : "long" | |
}, | |
"user" : { | |
"properties" : { | |
"domain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"email" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"full_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"group" : { | |
"properties" : { | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"hash" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"hostname" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"http" : { | |
"properties" : { | |
"request" : { | |
"properties" : { | |
"body" : { | |
"properties" : { | |
"bytes" : { | |
"type" : "long" | |
}, | |
"content" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"bytes" : { | |
"type" : "long" | |
}, | |
"method" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"referrer" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"response" : { | |
"properties" : { | |
"body" : { | |
"properties" : { | |
"bytes" : { | |
"type" : "long" | |
}, | |
"content" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"bytes" : { | |
"type" : "long" | |
}, | |
"status_code" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"ibmmq" : { | |
"properties" : { | |
"errorlog" : { | |
"properties" : { | |
"action" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"arithinsert" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"code" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"commentinsert" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"errordescription" : { | |
"type" : "text", | |
"norms" : false | |
}, | |
"explanation" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"installation" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"qmgr" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"icinga" : { | |
"properties" : { | |
"debug" : { | |
"properties" : { | |
"facility" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"main" : { | |
"properties" : { | |
"facility" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"startup" : { | |
"properties" : { | |
"facility" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"icmp" : { | |
"properties" : { | |
"code" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"igmp" : { | |
"properties" : { | |
"type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"iis" : { | |
"properties" : { | |
"access" : { | |
"properties" : { | |
"cookie" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"geoip" : { | |
"type" : "object" | |
}, | |
"server_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"site_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"sub_status" : { | |
"type" : "long" | |
}, | |
"user_agent" : { | |
"type" : "object" | |
}, | |
"win32_status" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"error" : { | |
"properties" : { | |
"geoip" : { | |
"type" : "object" | |
}, | |
"queue_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"reason_phrase" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"input" : { | |
"properties" : { | |
"type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"iptables" : { | |
"properties" : { | |
"ether_type" : { | |
"type" : "long" | |
}, | |
"flow_label" : { | |
"type" : "long" | |
}, | |
"fragment_flags" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"fragment_offset" : { | |
"type" : "long" | |
}, | |
"icmp" : { | |
"properties" : { | |
"code" : { | |
"type" : "long" | |
}, | |
"id" : { | |
"type" : "long" | |
}, | |
"parameter" : { | |
"type" : "long" | |
}, | |
"redirect" : { | |
"type" : "ip" | |
}, | |
"seq" : { | |
"type" : "long" | |
}, | |
"type" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"id" : { | |
"type" : "long" | |
}, | |
"incomplete_bytes" : { | |
"type" : "long" | |
}, | |
"input_device" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"length" : { | |
"type" : "long" | |
}, | |
"output_device" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"precedence_bits" : { | |
"type" : "short" | |
}, | |
"tcp" : { | |
"properties" : { | |
"ack" : { | |
"type" : "long" | |
}, | |
"flags" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"reserved_bits" : { | |
"type" : "short" | |
}, | |
"seq" : { | |
"type" : "long" | |
}, | |
"window" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"tos" : { | |
"type" : "long" | |
}, | |
"ttl" : { | |
"type" : "long" | |
}, | |
"ubiquiti" : { | |
"properties" : { | |
"input_zone" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"output_zone" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"rule_number" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"rule_set" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"udp" : { | |
"properties" : { | |
"length" : { | |
"type" : "long" | |
} | |
} | |
} | |
} | |
}, | |
"jolokia" : { | |
"properties" : { | |
"agent" : { | |
"properties" : { | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"secured" : { | |
"type" : "boolean" | |
}, | |
"server" : { | |
"properties" : { | |
"product" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"vendor" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"url" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"kafka" : { | |
"properties" : { | |
"block_timestamp" : { | |
"type" : "date" | |
}, | |
"key" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"log" : { | |
"properties" : { | |
"class" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"component" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"trace" : { | |
"properties" : { | |
"class" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"message" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
} | |
} | |
}, | |
"offset" : { | |
"type" : "long" | |
}, | |
"partition" : { | |
"type" : "long" | |
}, | |
"topic" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"kibana" : { | |
"properties" : { | |
"log" : { | |
"properties" : { | |
"meta" : { | |
"type" : "object" | |
}, | |
"state" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"tags" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"kubernetes" : { | |
"properties" : { | |
"annotations" : { | |
"properties" : { | |
"*" : { | |
"type" : "object" | |
} | |
} | |
}, | |
"container" : { | |
"properties" : { | |
"image" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"deployment" : { | |
"properties" : { | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"labels" : { | |
"properties" : { | |
"*" : { | |
"type" : "object" | |
} | |
} | |
}, | |
"namespace" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"node" : { | |
"properties" : { | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"pod" : { | |
"properties" : { | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"uid" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"replicaset" : { | |
"properties" : { | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"statefulset" : { | |
"properties" : { | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"labels" : { | |
"type" : "object" | |
}, | |
"log" : { | |
"properties" : { | |
"file" : { | |
"properties" : { | |
"path" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"flags" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"level" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"logger" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"offset" : { | |
"type" : "long" | |
}, | |
"original" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"source" : { | |
"properties" : { | |
"address" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"logstash" : { | |
"properties" : { | |
"log" : { | |
"properties" : { | |
"log_event" : { | |
"type" : "object" | |
}, | |
"module" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"thread" : { | |
"type" : "keyword", | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
}, | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"slowlog" : { | |
"properties" : { | |
"event" : { | |
"type" : "keyword", | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
}, | |
"ignore_above" : 1024 | |
}, | |
"module" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"plugin_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"plugin_params" : { | |
"type" : "keyword", | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
}, | |
"ignore_above" : 1024 | |
}, | |
"plugin_params_object" : { | |
"type" : "object" | |
}, | |
"plugin_type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"thread" : { | |
"type" : "keyword", | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
}, | |
"ignore_above" : 1024 | |
}, | |
"took_in_millis" : { | |
"type" : "long" | |
} | |
} | |
} | |
} | |
}, | |
"message" : { | |
"type" : "text", | |
"norms" : false | |
}, | |
"misp" : { | |
"properties" : { | |
"attack_pattern" : { | |
"properties" : { | |
"description" : { | |
"type" : "text", | |
"norms" : false | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"kill_chain_phases" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"campaign" : { | |
"properties" : { | |
"aliases" : { | |
"type" : "text", | |
"norms" : false | |
}, | |
"description" : { | |
"type" : "text", | |
"norms" : false | |
}, | |
"first_seen" : { | |
"type" : "date" | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"last_seen" : { | |
"type" : "date" | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"objective" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"course_of_action" : { | |
"properties" : { | |
"description" : { | |
"type" : "text", | |
"norms" : false | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"identity" : { | |
"properties" : { | |
"contact_information" : { | |
"type" : "text", | |
"norms" : false | |
}, | |
"description" : { | |
"type" : "text", | |
"norms" : false | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"identity_class" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"labels" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"sectors" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"intrusion_set" : { | |
"properties" : { | |
"aliases" : { | |
"type" : "text", | |
"norms" : false | |
}, | |
"description" : { | |
"type" : "text", | |
"norms" : false | |
}, | |
"first_seen" : { | |
"type" : "date" | |
}, | |
"goals" : { | |
"type" : "text", | |
"norms" : false | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"last_seen" : { | |
"type" : "date" | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"primary_motivation" : { | |
"type" : "text", | |
"norms" : false | |
}, | |
"resource_level" : { | |
"type" : "text", | |
"norms" : false | |
}, | |
"secondary_motivations" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
}, | |
"malware" : { | |
"properties" : { | |
"description" : { | |
"type" : "text", | |
"norms" : false | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"kill_chain_phases" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"labels" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"note" : { | |
"properties" : { | |
"authors" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"description" : { | |
"type" : "text", | |
"norms" : false | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"object_refs" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"summary" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"observed_data" : { | |
"properties" : { | |
"first_observed" : { | |
"type" : "date" | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"last_observed" : { | |
"type" : "date" | |
}, | |
"number_observed" : { | |
"type" : "long" | |
}, | |
"objects" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"report" : { | |
"properties" : { | |
"description" : { | |
"type" : "text", | |
"norms" : false | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"labels" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"object_refs" : { | |
"type" : "text", | |
"norms" : false | |
}, | |
"published" : { | |
"type" : "date" | |
} | |
} | |
}, | |
"threat_actor" : { | |
"properties" : { | |
"aliases" : { | |
"type" : "text", | |
"norms" : false | |
}, | |
"description" : { | |
"type" : "text", | |
"norms" : false | |
}, | |
"goals" : { | |
"type" : "text", | |
"norms" : false | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"labels" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"personal_motivations" : { | |
"type" : "text", | |
"norms" : false | |
}, | |
"primary_motivation" : { | |
"type" : "text", | |
"norms" : false | |
}, | |
"resource_level" : { | |
"type" : "text", | |
"norms" : false | |
}, | |
"roles" : { | |
"type" : "text", | |
"norms" : false | |
}, | |
"secondary_motivations" : { | |
"type" : "text", | |
"norms" : false | |
}, | |
"sophistication" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
}, | |
"threat_indicator" : { | |
"properties" : { | |
"attack_pattern" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"campaign" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"confidence" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"description" : { | |
"type" : "text", | |
"norms" : false | |
}, | |
"feed" : { | |
"type" : "text", | |
"norms" : false | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"intrusion_set" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"kill_chain_phases" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"labels" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"mitre_tactic" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"mitre_technique" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"negate" : { | |
"type" : "boolean" | |
}, | |
"severity" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"threat_actor" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"valid_from" : { | |
"type" : "date" | |
}, | |
"valid_until" : { | |
"type" : "date" | |
}, | |
"version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"tool" : { | |
"properties" : { | |
"description" : { | |
"type" : "text", | |
"norms" : false | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"kill_chain_phases" : { | |
"type" : "text", | |
"norms" : false | |
}, | |
"labels" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"tool_version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"vulnerability" : { | |
"properties" : { | |
"description" : { | |
"type" : "text", | |
"norms" : false | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"mongodb" : { | |
"properties" : { | |
"log" : { | |
"properties" : { | |
"component" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"context" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"mssql" : { | |
"properties" : { | |
"log" : { | |
"properties" : { | |
"origin" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"mysql" : { | |
"properties" : { | |
"error" : { | |
"type" : "object" | |
}, | |
"slowlog" : { | |
"properties" : { | |
"bytes_received" : { | |
"type" : "long" | |
}, | |
"bytes_sent" : { | |
"type" : "long" | |
}, | |
"current_user" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"filesort" : { | |
"type" : "boolean" | |
}, | |
"filesort_on_disk" : { | |
"type" : "boolean" | |
}, | |
"full_join" : { | |
"type" : "boolean" | |
}, | |
"full_scan" : { | |
"type" : "boolean" | |
}, | |
"innodb" : { | |
"properties" : { | |
"io_r_bytes" : { | |
"type" : "long" | |
}, | |
"io_r_ops" : { | |
"type" : "long" | |
}, | |
"io_r_wait" : { | |
"properties" : { | |
"sec" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"pages_distinct" : { | |
"type" : "long" | |
}, | |
"queue_wait" : { | |
"properties" : { | |
"sec" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"rec_lock_wait" : { | |
"properties" : { | |
"sec" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"trx_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"killed" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"last_errno" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"lock_time" : { | |
"properties" : { | |
"sec" : { | |
"type" : "float" | |
} | |
} | |
}, | |
"log_slow_rate_limit" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"log_slow_rate_type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"merge_passes" : { | |
"type" : "long" | |
}, | |
"priority_queue" : { | |
"type" : "boolean" | |
}, | |
"query" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"query_cache_hit" : { | |
"type" : "boolean" | |
}, | |
"read_first" : { | |
"type" : "long" | |
}, | |
"read_key" : { | |
"type" : "long" | |
}, | |
"read_last" : { | |
"type" : "long" | |
}, | |
"read_next" : { | |
"type" : "long" | |
}, | |
"read_prev" : { | |
"type" : "long" | |
}, | |
"read_rnd" : { | |
"type" : "long" | |
}, | |
"read_rnd_next" : { | |
"type" : "long" | |
}, | |
"rows_affected" : { | |
"type" : "long" | |
}, | |
"rows_examined" : { | |
"type" : "long" | |
}, | |
"rows_sent" : { | |
"type" : "long" | |
}, | |
"schema" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"sort_merge_passes" : { | |
"type" : "long" | |
}, | |
"sort_range_count" : { | |
"type" : "long" | |
}, | |
"sort_rows" : { | |
"type" : "long" | |
}, | |
"sort_scan_count" : { | |
"type" : "long" | |
}, | |
"tmp_disk_tables" : { | |
"type" : "long" | |
}, | |
"tmp_table" : { | |
"type" : "boolean" | |
}, | |
"tmp_table_on_disk" : { | |
"type" : "boolean" | |
}, | |
"tmp_table_sizes" : { | |
"type" : "long" | |
}, | |
"tmp_tables" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"thread_id" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"nats" : { | |
"properties" : { | |
"log" : { | |
"properties" : { | |
"client" : { | |
"properties" : { | |
"id" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"msg" : { | |
"properties" : { | |
"bytes" : { | |
"type" : "long" | |
}, | |
"error" : { | |
"properties" : { | |
"message" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
}, | |
"max_messages" : { | |
"type" : "long" | |
}, | |
"queue_group" : { | |
"type" : "text", | |
"norms" : false | |
}, | |
"reply_to" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"sid" : { | |
"type" : "long" | |
}, | |
"subject" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
} | |
} | |
}, | |
"netflow" : { | |
"properties" : { | |
"absolute_error" : { | |
"type" : "double" | |
}, | |
"address_pool_high_threshold" : { | |
"type" : "long" | |
}, | |
"address_pool_low_threshold" : { | |
"type" : "long" | |
}, | |
"address_port_mapping_high_threshold" : { | |
"type" : "long" | |
}, | |
"address_port_mapping_low_threshold" : { | |
"type" : "long" | |
}, | |
"address_port_mapping_per_user_high_threshold" : { | |
"type" : "long" | |
}, | |
"anonymization_flags" : { | |
"type" : "long" | |
}, | |
"anonymization_technique" : { | |
"type" : "long" | |
}, | |
"application_category_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"application_description" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"application_group_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"application_id" : { | |
"type" : "short" | |
}, | |
"application_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"application_sub_category_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"bgp_destination_as_number" : { | |
"type" : "long" | |
}, | |
"bgp_next_adjacent_as_number" : { | |
"type" : "long" | |
}, | |
"bgp_next_hop_ipv4_address" : { | |
"type" : "ip" | |
}, | |
"bgp_next_hop_ipv6_address" : { | |
"type" : "ip" | |
}, | |
"bgp_prev_adjacent_as_number" : { | |
"type" : "long" | |
}, | |
"bgp_source_as_number" : { | |
"type" : "long" | |
}, | |
"bgp_validity_state" : { | |
"type" : "short" | |
}, | |
"biflow_direction" : { | |
"type" : "short" | |
}, | |
"class_id" : { | |
"type" : "short" | |
}, | |
"class_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"classification_engine_id" : { | |
"type" : "short" | |
}, | |
"collection_time_milliseconds" : { | |
"type" : "date" | |
}, | |
"collector_certificate" : { | |
"type" : "short" | |
}, | |
"collector_ipv4_address" : { | |
"type" : "ip" | |
}, | |
"collector_ipv6_address" : { | |
"type" : "ip" | |
}, | |
"collector_transport_port" : { | |
"type" : "long" | |
}, | |
"common_properties_id" : { | |
"type" : "long" | |
}, | |
"confidence_level" : { | |
"type" : "double" | |
}, | |
"connection_sum_duration_seconds" : { | |
"type" : "long" | |
}, | |
"connection_transaction_id" : { | |
"type" : "long" | |
}, | |
"data_link_frame_section" : { | |
"type" : "short" | |
}, | |
"data_link_frame_size" : { | |
"type" : "long" | |
}, | |
"data_link_frame_type" : { | |
"type" : "long" | |
}, | |
"data_records_reliability" : { | |
"type" : "boolean" | |
}, | |
"delta_flow_count" : { | |
"type" : "long" | |
}, | |
"destination_ipv4_address" : { | |
"type" : "ip" | |
}, | |
"destination_ipv4_prefix" : { | |
"type" : "ip" | |
}, | |
"destination_ipv4_prefix_length" : { | |
"type" : "short" | |
}, | |
"destination_ipv6_address" : { | |
"type" : "ip" | |
}, | |
"destination_ipv6_prefix" : { | |
"type" : "ip" | |
}, | |
"destination_ipv6_prefix_length" : { | |
"type" : "short" | |
}, | |
"destination_mac_address" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"destination_transport_port" : { | |
"type" : "long" | |
}, | |
"digest_hash_value" : { | |
"type" : "long" | |
}, | |
"distinct_count_of_destination_ip_address" : { | |
"type" : "long" | |
}, | |
"distinct_count_of_destination_ipv4_address" : { | |
"type" : "long" | |
}, | |
"distinct_count_of_destination_ipv6_address" : { | |
"type" : "long" | |
}, | |
"distinct_count_of_source_ip_address" : { | |
"type" : "long" | |
}, | |
"distinct_count_of_source_ipv4_address" : { | |
"type" : "long" | |
}, | |
"distinct_count_of_source_ipv6_address" : { | |
"type" : "long" | |
}, | |
"dot1q_customer_dei" : { | |
"type" : "boolean" | |
}, | |
"dot1q_customer_destination_mac_address" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"dot1q_customer_priority" : { | |
"type" : "short" | |
}, | |
"dot1q_customer_source_mac_address" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"dot1q_customer_vlan_id" : { | |
"type" : "long" | |
}, | |
"dot1q_dei" : { | |
"type" : "boolean" | |
}, | |
"dot1q_priority" : { | |
"type" : "short" | |
}, | |
"dot1q_service_instance_id" : { | |
"type" : "long" | |
}, | |
"dot1q_service_instance_priority" : { | |
"type" : "short" | |
}, | |
"dot1q_service_instance_tag" : { | |
"type" : "short" | |
}, | |
"dot1q_vlan_id" : { | |
"type" : "long" | |
}, | |
"dropped_layer2_octet_delta_count" : { | |
"type" : "long" | |
}, | |
"dropped_layer2_octet_total_count" : { | |
"type" : "long" | |
}, | |
"dropped_octet_delta_count" : { | |
"type" : "long" | |
}, | |
"dropped_octet_total_count" : { | |
"type" : "long" | |
}, | |
"dropped_packet_delta_count" : { | |
"type" : "long" | |
}, | |
"dropped_packet_total_count" : { | |
"type" : "long" | |
}, | |
"dst_traffic_index" : { | |
"type" : "long" | |
}, | |
"egress_broadcast_packet_total_count" : { | |
"type" : "long" | |
}, | |
"egress_interface" : { | |
"type" : "long" | |
}, | |
"egress_interface_type" : { | |
"type" : "long" | |
}, | |
"egress_physical_interface" : { | |
"type" : "long" | |
}, | |
"egress_unicast_packet_total_count" : { | |
"type" : "long" | |
}, | |
"egress_vrfid" : { | |
"type" : "long" | |
}, | |
"encrypted_technology" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"engine_id" : { | |
"type" : "short" | |
}, | |
"engine_type" : { | |
"type" : "short" | |
}, | |
"ethernet_header_length" : { | |
"type" : "short" | |
}, | |
"ethernet_payload_length" : { | |
"type" : "long" | |
}, | |
"ethernet_total_length" : { | |
"type" : "long" | |
}, | |
"ethernet_type" : { | |
"type" : "long" | |
}, | |
"export_interface" : { | |
"type" : "long" | |
}, | |
"export_protocol_version" : { | |
"type" : "short" | |
}, | |
"export_sctp_stream_id" : { | |
"type" : "long" | |
}, | |
"export_transport_protocol" : { | |
"type" : "short" | |
}, | |
"exported_flow_record_total_count" : { | |
"type" : "long" | |
}, | |
"exported_message_total_count" : { | |
"type" : "long" | |
}, | |
"exported_octet_total_count" : { | |
"type" : "long" | |
}, | |
"exporter" : { | |
"properties" : { | |
"address" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"source_id" : { | |
"type" : "long" | |
}, | |
"timestamp" : { | |
"type" : "date" | |
}, | |
"uptime_millis" : { | |
"type" : "long" | |
}, | |
"version" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"exporter_certificate" : { | |
"type" : "short" | |
}, | |
"exporter_ipv4_address" : { | |
"type" : "ip" | |
}, | |
"exporter_ipv6_address" : { | |
"type" : "ip" | |
}, | |
"exporter_transport_port" : { | |
"type" : "long" | |
}, | |
"exporting_process_id" : { | |
"type" : "long" | |
}, | |
"external_address_realm" : { | |
"type" : "short" | |
}, | |
"firewall_event" : { | |
"type" : "short" | |
}, | |
"flags_and_sampler_id" : { | |
"type" : "long" | |
}, | |
"flow_active_timeout" : { | |
"type" : "long" | |
}, | |
"flow_direction" : { | |
"type" : "short" | |
}, | |
"flow_duration_microseconds" : { | |
"type" : "long" | |
}, | |
"flow_duration_milliseconds" : { | |
"type" : "long" | |
}, | |
"flow_end_delta_microseconds" : { | |
"type" : "long" | |
}, | |
"flow_end_microseconds" : { | |
"type" : "date" | |
}, | |
"flow_end_milliseconds" : { | |
"type" : "date" | |
}, | |
"flow_end_nanoseconds" : { | |
"type" : "date" | |
}, | |
"flow_end_reason" : { | |
"type" : "short" | |
}, | |
"flow_end_seconds" : { | |
"type" : "date" | |
}, | |
"flow_end_sys_up_time" : { | |
"type" : "long" | |
}, | |
"flow_id" : { | |
"type" : "long" | |
}, | |
"flow_idle_timeout" : { | |
"type" : "long" | |
}, | |
"flow_key_indicator" : { | |
"type" : "long" | |
}, | |
"flow_label_ipv6" : { | |
"type" : "long" | |
}, | |
"flow_sampling_time_interval" : { | |
"type" : "long" | |
}, | |
"flow_sampling_time_spacing" : { | |
"type" : "long" | |
}, | |
"flow_selected_flow_delta_count" : { | |
"type" : "long" | |
}, | |
"flow_selected_octet_delta_count" : { | |
"type" : "long" | |
}, | |
"flow_selected_packet_delta_count" : { | |
"type" : "long" | |
}, | |
"flow_selector_algorithm" : { | |
"type" : "long" | |
}, | |
"flow_start_delta_microseconds" : { | |
"type" : "long" | |
}, | |
"flow_start_microseconds" : { | |
"type" : "date" | |
}, | |
"flow_start_milliseconds" : { | |
"type" : "date" | |
}, | |
"flow_start_nanoseconds" : { | |
"type" : "date" | |
}, | |
"flow_start_seconds" : { | |
"type" : "date" | |
}, | |
"flow_start_sys_up_time" : { | |
"type" : "long" | |
}, | |
"forwarding_status" : { | |
"type" : "short" | |
}, | |
"fragment_flags" : { | |
"type" : "short" | |
}, | |
"fragment_identification" : { | |
"type" : "long" | |
}, | |
"fragment_offset" : { | |
"type" : "long" | |
}, | |
"global_address_mapping_high_threshold" : { | |
"type" : "long" | |
}, | |
"gre_key" : { | |
"type" : "long" | |
}, | |
"hash_digest_output" : { | |
"type" : "boolean" | |
}, | |
"hash_flow_domain" : { | |
"type" : "long" | |
}, | |
"hash_initialiser_value" : { | |
"type" : "long" | |
}, | |
"hash_ip_payload_offset" : { | |
"type" : "long" | |
}, | |
"hash_ip_payload_size" : { | |
"type" : "long" | |
}, | |
"hash_output_range_max" : { | |
"type" : "long" | |
}, | |
"hash_output_range_min" : { | |
"type" : "long" | |
}, | |
"hash_selected_range_max" : { | |
"type" : "long" | |
}, | |
"hash_selected_range_min" : { | |
"type" : "long" | |
}, | |
"http_content_type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"http_message_version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"http_reason_phrase" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"http_request_host" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"http_request_method" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"http_request_target" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"http_status_code" : { | |
"type" : "long" | |
}, | |
"http_user_agent" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"icmp_code_ipv4" : { | |
"type" : "short" | |
}, | |
"icmp_code_ipv6" : { | |
"type" : "short" | |
}, | |
"icmp_type_code_ipv4" : { | |
"type" : "long" | |
}, | |
"icmp_type_code_ipv6" : { | |
"type" : "long" | |
}, | |
"icmp_type_ipv4" : { | |
"type" : "short" | |
}, | |
"icmp_type_ipv6" : { | |
"type" : "short" | |
}, | |
"igmp_type" : { | |
"type" : "short" | |
}, | |
"ignored_data_record_total_count" : { | |
"type" : "long" | |
}, | |
"ignored_layer2_frame_total_count" : { | |
"type" : "long" | |
}, | |
"ignored_layer2_octet_total_count" : { | |
"type" : "long" | |
}, | |
"ignored_octet_total_count" : { | |
"type" : "long" | |
}, | |
"ignored_packet_total_count" : { | |
"type" : "long" | |
}, | |
"information_element_data_type" : { | |
"type" : "short" | |
}, | |
"information_element_description" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"information_element_id" : { | |
"type" : "long" | |
}, | |
"information_element_index" : { | |
"type" : "long" | |
}, | |
"information_element_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"information_element_range_begin" : { | |
"type" : "long" | |
}, | |
"information_element_range_end" : { | |
"type" : "long" | |
}, | |
"information_element_semantics" : { | |
"type" : "short" | |
}, | |
"information_element_units" : { | |
"type" : "long" | |
}, | |
"ingress_broadcast_packet_total_count" : { | |
"type" : "long" | |
}, | |
"ingress_interface" : { | |
"type" : "long" | |
}, | |
"ingress_interface_type" : { | |
"type" : "long" | |
}, | |
"ingress_multicast_packet_total_count" : { | |
"type" : "long" | |
}, | |
"ingress_physical_interface" : { | |
"type" : "long" | |
}, | |
"ingress_unicast_packet_total_count" : { | |
"type" : "long" | |
}, | |
"ingress_vrfid" : { | |
"type" : "long" | |
}, | |
"initiator_octets" : { | |
"type" : "long" | |
}, | |
"initiator_packets" : { | |
"type" : "long" | |
}, | |
"interface_description" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"interface_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"intermediate_process_id" : { | |
"type" : "long" | |
}, | |
"internal_address_realm" : { | |
"type" : "short" | |
}, | |
"ip_class_of_service" : { | |
"type" : "short" | |
}, | |
"ip_diff_serv_code_point" : { | |
"type" : "short" | |
}, | |
"ip_header_length" : { | |
"type" : "short" | |
}, | |
"ip_header_packet_section" : { | |
"type" : "short" | |
}, | |
"ip_next_hop_ipv4_address" : { | |
"type" : "ip" | |
}, | |
"ip_next_hop_ipv6_address" : { | |
"type" : "ip" | |
}, | |
"ip_payload_length" : { | |
"type" : "long" | |
}, | |
"ip_payload_packet_section" : { | |
"type" : "short" | |
}, | |
"ip_precedence" : { | |
"type" : "short" | |
}, | |
"ip_sec_spi" : { | |
"type" : "long" | |
}, | |
"ip_total_length" : { | |
"type" : "long" | |
}, | |
"ip_ttl" : { | |
"type" : "short" | |
}, | |
"ip_version" : { | |
"type" : "short" | |
}, | |
"ipv4_ihl" : { | |
"type" : "short" | |
}, | |
"ipv4_options" : { | |
"type" : "long" | |
}, | |
"ipv4_router_sc" : { | |
"type" : "ip" | |
}, | |
"ipv6_extension_headers" : { | |
"type" : "long" | |
}, | |
"is_multicast" : { | |
"type" : "short" | |
}, | |
"layer2_frame_delta_count" : { | |
"type" : "long" | |
}, | |
"layer2_frame_total_count" : { | |
"type" : "long" | |
}, | |
"layer2_octet_delta_count" : { | |
"type" : "long" | |
}, | |
"layer2_octet_delta_sum_of_squares" : { | |
"type" : "long" | |
}, | |
"layer2_octet_total_count" : { | |
"type" : "long" | |
}, | |
"layer2_octet_total_sum_of_squares" : { | |
"type" : "long" | |
}, | |
"layer2_segment_id" : { | |
"type" : "long" | |
}, | |
"layer2packet_section_data" : { | |
"type" : "short" | |
}, | |
"layer2packet_section_offset" : { | |
"type" : "long" | |
}, | |
"layer2packet_section_size" : { | |
"type" : "long" | |
}, | |
"line_card_id" : { | |
"type" : "long" | |
}, | |
"lower_ci_limit" : { | |
"type" : "double" | |
}, | |
"max_bib_entries" : { | |
"type" : "long" | |
}, | |
"max_entries_per_user" : { | |
"type" : "long" | |
}, | |
"max_export_seconds" : { | |
"type" : "date" | |
}, | |
"max_flow_end_microseconds" : { | |
"type" : "date" | |
}, | |
"max_flow_end_milliseconds" : { | |
"type" : "date" | |
}, | |
"max_flow_end_nanoseconds" : { | |
"type" : "date" | |
}, | |
"max_flow_end_seconds" : { | |
"type" : "date" | |
}, | |
"max_fragments_pending_reassembly" : { | |
"type" : "long" | |
}, | |
"max_session_entries" : { | |
"type" : "long" | |
}, | |
"max_subscribers" : { | |
"type" : "long" | |
}, | |
"maximum_ip_total_length" : { | |
"type" : "long" | |
}, | |
"maximum_layer2_total_length" : { | |
"type" : "long" | |
}, | |
"maximum_ttl" : { | |
"type" : "short" | |
}, | |
"message_md5_checksum" : { | |
"type" : "short" | |
}, | |
"message_scope" : { | |
"type" : "short" | |
}, | |
"metering_process_id" : { | |
"type" : "long" | |
}, | |
"metro_evc_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"metro_evc_type" : { | |
"type" : "short" | |
}, | |
"mib_capture_time_semantics" : { | |
"type" : "short" | |
}, | |
"mib_context_engine_id" : { | |
"type" : "short" | |
}, | |
"mib_context_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"mib_index_indicator" : { | |
"type" : "long" | |
}, | |
"mib_module_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"mib_object_description" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"mib_object_identifier" : { | |
"type" : "short" | |
}, | |
"mib_object_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"mib_object_syntax" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"mib_object_value_bits" : { | |
"type" : "short" | |
}, | |
"mib_object_value_counter" : { | |
"type" : "long" | |
}, | |
"mib_object_value_gauge" : { | |
"type" : "long" | |
}, | |
"mib_object_value_integer" : { | |
"type" : "long" | |
}, | |
"mib_object_value_ip_address" : { | |
"type" : "ip" | |
}, | |
"mib_object_value_octet_string" : { | |
"type" : "short" | |
}, | |
"mib_object_value_oid" : { | |
"type" : "short" | |
}, | |
"mib_object_value_time_ticks" : { | |
"type" : "long" | |
}, | |
"mib_object_value_unsigned" : { | |
"type" : "long" | |
}, | |
"mib_sub_identifier" : { | |
"type" : "long" | |
}, | |
"min_export_seconds" : { | |
"type" : "date" | |
}, | |
"min_flow_start_microseconds" : { | |
"type" : "date" | |
}, | |
"min_flow_start_milliseconds" : { | |
"type" : "date" | |
}, | |
"min_flow_start_nanoseconds" : { | |
"type" : "date" | |
}, | |
"min_flow_start_seconds" : { | |
"type" : "date" | |
}, | |
"minimum_ip_total_length" : { | |
"type" : "long" | |
}, | |
"minimum_layer2_total_length" : { | |
"type" : "long" | |
}, | |
"minimum_ttl" : { | |
"type" : "short" | |
}, | |
"mobile_imsi" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"mobile_msisdn" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"monitoring_interval_end_milli_seconds" : { | |
"type" : "date" | |
}, | |
"monitoring_interval_start_milli_seconds" : { | |
"type" : "date" | |
}, | |
"mpls_label_stack_depth" : { | |
"type" : "long" | |
}, | |
"mpls_label_stack_length" : { | |
"type" : "long" | |
}, | |
"mpls_label_stack_section" : { | |
"type" : "short" | |
}, | |
"mpls_label_stack_section10" : { | |
"type" : "short" | |
}, | |
"mpls_label_stack_section2" : { | |
"type" : "short" | |
}, | |
"mpls_label_stack_section3" : { | |
"type" : "short" | |
}, | |
"mpls_label_stack_section4" : { | |
"type" : "short" | |
}, | |
"mpls_label_stack_section5" : { | |
"type" : "short" | |
}, | |
"mpls_label_stack_section6" : { | |
"type" : "short" | |
}, | |
"mpls_label_stack_section7" : { | |
"type" : "short" | |
}, | |
"mpls_label_stack_section8" : { | |
"type" : "short" | |
}, | |
"mpls_label_stack_section9" : { | |
"type" : "short" | |
}, | |
"mpls_payload_length" : { | |
"type" : "long" | |
}, | |
"mpls_payload_packet_section" : { | |
"type" : "short" | |
}, | |
"mpls_top_label_exp" : { | |
"type" : "short" | |
}, | |
"mpls_top_label_ipv4_address" : { | |
"type" : "ip" | |
}, | |
"mpls_top_label_ipv6_address" : { | |
"type" : "ip" | |
}, | |
"mpls_top_label_prefix_length" : { | |
"type" : "short" | |
}, | |
"mpls_top_label_stack_section" : { | |
"type" : "short" | |
}, | |
"mpls_top_label_ttl" : { | |
"type" : "short" | |
}, | |
"mpls_top_label_type" : { | |
"type" : "short" | |
}, | |
"mpls_vpn_route_distinguisher" : { | |
"type" : "short" | |
}, | |
"multicast_replication_factor" : { | |
"type" : "long" | |
}, | |
"nat_event" : { | |
"type" : "short" | |
}, | |
"nat_instance_id" : { | |
"type" : "long" | |
}, | |
"nat_originating_address_realm" : { | |
"type" : "short" | |
}, | |
"nat_pool_id" : { | |
"type" : "long" | |
}, | |
"nat_pool_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"nat_quota_exceeded_event" : { | |
"type" : "long" | |
}, | |
"nat_threshold_event" : { | |
"type" : "long" | |
}, | |
"nat_type" : { | |
"type" : "short" | |
}, | |
"new_connection_delta_count" : { | |
"type" : "long" | |
}, | |
"next_header_ipv6" : { | |
"type" : "short" | |
}, | |
"not_sent_flow_total_count" : { | |
"type" : "long" | |
}, | |
"not_sent_layer2_octet_total_count" : { | |
"type" : "long" | |
}, | |
"not_sent_octet_total_count" : { | |
"type" : "long" | |
}, | |
"not_sent_packet_total_count" : { | |
"type" : "long" | |
}, | |
"observation_domain_id" : { | |
"type" : "long" | |
}, | |
"observation_domain_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"observation_point_id" : { | |
"type" : "long" | |
}, | |
"observation_point_type" : { | |
"type" : "short" | |
}, | |
"observation_time_microseconds" : { | |
"type" : "date" | |
}, | |
"observation_time_milliseconds" : { | |
"type" : "date" | |
}, | |
"observation_time_nanoseconds" : { | |
"type" : "date" | |
}, | |
"observation_time_seconds" : { | |
"type" : "date" | |
}, | |
"observed_flow_total_count" : { | |
"type" : "long" | |
}, | |
"octet_delta_count" : { | |
"type" : "long" | |
}, | |
"octet_delta_sum_of_squares" : { | |
"type" : "long" | |
}, | |
"octet_total_count" : { | |
"type" : "long" | |
}, | |
"octet_total_sum_of_squares" : { | |
"type" : "long" | |
}, | |
"opaque_octets" : { | |
"type" : "short" | |
}, | |
"original_exporter_ipv4_address" : { | |
"type" : "ip" | |
}, | |
"original_exporter_ipv6_address" : { | |
"type" : "ip" | |
}, | |
"original_flows_completed" : { | |
"type" : "long" | |
}, | |
"original_flows_initiated" : { | |
"type" : "long" | |
}, | |
"original_flows_present" : { | |
"type" : "long" | |
}, | |
"original_observation_domain_id" : { | |
"type" : "long" | |
}, | |
"p2p_technology" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"packet_delta_count" : { | |
"type" : "long" | |
}, | |
"packet_total_count" : { | |
"type" : "long" | |
}, | |
"padding_octets" : { | |
"type" : "short" | |
}, | |
"payload_length_ipv6" : { | |
"type" : "long" | |
}, | |
"port_id" : { | |
"type" : "long" | |
}, | |
"port_range_end" : { | |
"type" : "long" | |
}, | |
"port_range_num_ports" : { | |
"type" : "long" | |
}, | |
"port_range_start" : { | |
"type" : "long" | |
}, | |
"port_range_step_size" : { | |
"type" : "long" | |
}, | |
"post_destination_mac_address" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"post_dot1q_customer_vlan_id" : { | |
"type" : "long" | |
}, | |
"post_dot1q_vlan_id" : { | |
"type" : "long" | |
}, | |
"post_ip_class_of_service" : { | |
"type" : "short" | |
}, | |
"post_ip_diff_serv_code_point" : { | |
"type" : "short" | |
}, | |
"post_ip_precedence" : { | |
"type" : "short" | |
}, | |
"post_layer2_octet_delta_count" : { | |
"type" : "long" | |
}, | |
"post_layer2_octet_total_count" : { | |
"type" : "long" | |
}, | |
"post_mcast_layer2_octet_delta_count" : { | |
"type" : "long" | |
}, | |
"post_mcast_layer2_octet_total_count" : { | |
"type" : "long" | |
}, | |
"post_mcast_octet_delta_count" : { | |
"type" : "long" | |
}, | |
"post_mcast_octet_total_count" : { | |
"type" : "long" | |
}, | |
"post_mcast_packet_delta_count" : { | |
"type" : "long" | |
}, | |
"post_mcast_packet_total_count" : { | |
"type" : "long" | |
}, | |
"post_mpls_top_label_exp" : { | |
"type" : "short" | |
}, | |
"post_napt_destination_transport_port" : { | |
"type" : "long" | |
}, | |
"post_napt_source_transport_port" : { | |
"type" : "long" | |
}, | |
"post_nat_destination_ipv4_address" : { | |
"type" : "ip" | |
}, | |
"post_nat_destination_ipv6_address" : { | |
"type" : "ip" | |
}, | |
"post_nat_source_ipv4_address" : { | |
"type" : "ip" | |
}, | |
"post_nat_source_ipv6_address" : { | |
"type" : "ip" | |
}, | |
"post_octet_delta_count" : { | |
"type" : "long" | |
}, | |
"post_octet_total_count" : { | |
"type" : "long" | |
}, | |
"post_packet_delta_count" : { | |
"type" : "long" | |
}, | |
"post_packet_total_count" : { | |
"type" : "long" | |
}, | |
"post_source_mac_address" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"post_vlan_id" : { | |
"type" : "long" | |
}, | |
"private_enterprise_number" : { | |
"type" : "long" | |
}, | |
"protocol_identifier" : { | |
"type" : "short" | |
}, | |
"pseudo_wire_control_word" : { | |
"type" : "long" | |
}, | |
"pseudo_wire_destination_ipv4_address" : { | |
"type" : "ip" | |
}, | |
"pseudo_wire_id" : { | |
"type" : "long" | |
}, | |
"pseudo_wire_type" : { | |
"type" : "long" | |
}, | |
"relative_error" : { | |
"type" : "double" | |
}, | |
"responder_octets" : { | |
"type" : "long" | |
}, | |
"responder_packets" : { | |
"type" : "long" | |
}, | |
"rfc3550_jitter_microseconds" : { | |
"type" : "long" | |
}, | |
"rfc3550_jitter_milliseconds" : { | |
"type" : "long" | |
}, | |
"rfc3550_jitter_nanoseconds" : { | |
"type" : "long" | |
}, | |
"rtp_sequence_number" : { | |
"type" : "long" | |
}, | |
"sampler_id" : { | |
"type" : "short" | |
}, | |
"sampler_mode" : { | |
"type" : "short" | |
}, | |
"sampler_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"sampler_random_interval" : { | |
"type" : "long" | |
}, | |
"sampling_algorithm" : { | |
"type" : "short" | |
}, | |
"sampling_flow_interval" : { | |
"type" : "long" | |
}, | |
"sampling_flow_spacing" : { | |
"type" : "long" | |
}, | |
"sampling_interval" : { | |
"type" : "long" | |
}, | |
"sampling_packet_interval" : { | |
"type" : "long" | |
}, | |
"sampling_packet_space" : { | |
"type" : "long" | |
}, | |
"sampling_population" : { | |
"type" : "long" | |
}, | |
"sampling_probability" : { | |
"type" : "double" | |
}, | |
"sampling_size" : { | |
"type" : "long" | |
}, | |
"sampling_time_interval" : { | |
"type" : "long" | |
}, | |
"sampling_time_space" : { | |
"type" : "long" | |
}, | |
"section_exported_octets" : { | |
"type" : "long" | |
}, | |
"section_offset" : { | |
"type" : "long" | |
}, | |
"selection_sequence_id" : { | |
"type" : "long" | |
}, | |
"selector_algorithm" : { | |
"type" : "long" | |
}, | |
"selector_id" : { | |
"type" : "long" | |
}, | |
"selector_id_total_flows_observed" : { | |
"type" : "long" | |
}, | |
"selector_id_total_flows_selected" : { | |
"type" : "long" | |
}, | |
"selector_id_total_pkts_observed" : { | |
"type" : "long" | |
}, | |
"selector_id_total_pkts_selected" : { | |
"type" : "long" | |
}, | |
"selector_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"session_scope" : { | |
"type" : "short" | |
}, | |
"source_ipv4_address" : { | |
"type" : "ip" | |
}, | |
"source_ipv4_prefix" : { | |
"type" : "ip" | |
}, | |
"source_ipv4_prefix_length" : { | |
"type" : "short" | |
}, | |
"source_ipv6_address" : { | |
"type" : "ip" | |
}, | |
"source_ipv6_prefix" : { | |
"type" : "ip" | |
}, | |
"source_ipv6_prefix_length" : { | |
"type" : "short" | |
}, | |
"source_mac_address" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"source_transport_port" : { | |
"type" : "long" | |
}, | |
"source_transport_ports_limit" : { | |
"type" : "long" | |
}, | |
"src_traffic_index" : { | |
"type" : "long" | |
}, | |
"sta_ipv4_address" : { | |
"type" : "ip" | |
}, | |
"sta_mac_address" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"system_init_time_milliseconds" : { | |
"type" : "date" | |
}, | |
"tcp_ack_total_count" : { | |
"type" : "long" | |
}, | |
"tcp_acknowledgement_number" : { | |
"type" : "long" | |
}, | |
"tcp_control_bits" : { | |
"type" : "long" | |
}, | |
"tcp_destination_port" : { | |
"type" : "long" | |
}, | |
"tcp_fin_total_count" : { | |
"type" : "long" | |
}, | |
"tcp_header_length" : { | |
"type" : "short" | |
}, | |
"tcp_options" : { | |
"type" : "long" | |
}, | |
"tcp_psh_total_count" : { | |
"type" : "long" | |
}, | |
"tcp_rst_total_count" : { | |
"type" : "long" | |
}, | |
"tcp_sequence_number" : { | |
"type" : "long" | |
}, | |
"tcp_source_port" : { | |
"type" : "long" | |
}, | |
"tcp_syn_total_count" : { | |
"type" : "long" | |
}, | |
"tcp_urg_total_count" : { | |
"type" : "long" | |
}, | |
"tcp_urgent_pointer" : { | |
"type" : "long" | |
}, | |
"tcp_window_scale" : { | |
"type" : "long" | |
}, | |
"tcp_window_size" : { | |
"type" : "long" | |
}, | |
"template_id" : { | |
"type" : "long" | |
}, | |
"total_length_ipv4" : { | |
"type" : "long" | |
}, | |
"transport_octet_delta_count" : { | |
"type" : "long" | |
}, | |
"transport_packet_delta_count" : { | |
"type" : "long" | |
}, | |
"tunnel_technology" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"udp_destination_port" : { | |
"type" : "long" | |
}, | |
"udp_message_length" : { | |
"type" : "long" | |
}, | |
"udp_source_port" : { | |
"type" : "long" | |
}, | |
"upper_ci_limit" : { | |
"type" : "double" | |
}, | |
"user_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"value_distribution_method" : { | |
"type" : "short" | |
}, | |
"virtual_station_interface_id" : { | |
"type" : "short" | |
}, | |
"virtual_station_interface_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"virtual_station_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"virtual_station_uuid" : { | |
"type" : "short" | |
}, | |
"vlan_id" : { | |
"type" : "long" | |
}, | |
"vpn_identifier" : { | |
"type" : "short" | |
}, | |
"vr_fname" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"wlan_channel_id" : { | |
"type" : "short" | |
}, | |
"wlan_ssid" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"wtp_mac_address" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"network" : { | |
"properties" : { | |
"application" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"bytes" : { | |
"type" : "long" | |
}, | |
"community_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"direction" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"forwarded_ip" : { | |
"type" : "ip" | |
}, | |
"iana_number" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"packets" : { | |
"type" : "long" | |
}, | |
"protocol" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"transport" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"nginx" : { | |
"properties" : { | |
"access" : { | |
"properties" : { | |
"geoip" : { | |
"type" : "object" | |
}, | |
"user_agent" : { | |
"type" : "object" | |
} | |
} | |
}, | |
"error" : { | |
"properties" : { | |
"connection_id" : { | |
"type" : "long" | |
} | |
} | |
} | |
} | |
}, | |
"object_key" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"observer" : { | |
"properties" : { | |
"geo" : { | |
"properties" : { | |
"city_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"continent_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"country_iso_code" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"country_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"location" : { | |
"type" : "geo_point" | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"region_iso_code" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"region_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"hostname" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"ip" : { | |
"type" : "ip" | |
}, | |
"mac" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"os" : { | |
"properties" : { | |
"family" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"full" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"kernel" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"platform" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"product" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"serial_number" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"vendor" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"organization" : { | |
"properties" : { | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"os" : { | |
"properties" : { | |
"family" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"full" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"kernel" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"platform" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"osquery" : { | |
"properties" : { | |
"result" : { | |
"properties" : { | |
"action" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"calendar_time" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"host_identifier" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"unix_time" : { | |
"type" : "long" | |
} | |
} | |
} | |
} | |
}, | |
"panw" : { | |
"properties" : { | |
"panos" : { | |
"properties" : { | |
"destination" : { | |
"properties" : { | |
"interface" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"nat" : { | |
"properties" : { | |
"ip" : { | |
"type" : "ip" | |
}, | |
"port" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"zone" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"file" : { | |
"properties" : { | |
"hash" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"flow_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"network" : { | |
"properties" : { | |
"nat" : { | |
"properties" : { | |
"community_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"pcap_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"ruleset" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"sequence_number" : { | |
"type" : "long" | |
}, | |
"source" : { | |
"properties" : { | |
"interface" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"nat" : { | |
"properties" : { | |
"ip" : { | |
"type" : "ip" | |
}, | |
"port" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"zone" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"threat" : { | |
"properties" : { | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"resource" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"url" : { | |
"properties" : { | |
"category" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
} | |
} | |
}, | |
"postgresql" : { | |
"properties" : { | |
"log" : { | |
"properties" : { | |
"core_id" : { | |
"type" : "long" | |
}, | |
"database" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"error" : { | |
"properties" : { | |
"code" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"query" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"query_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"query_step" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"timestamp" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"process" : { | |
"properties" : { | |
"args" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"executable" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"hash" : { | |
"properties" : { | |
"md5" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"sha1" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"sha256" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"sha512" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"pgid" : { | |
"type" : "long" | |
}, | |
"pid" : { | |
"type" : "long" | |
}, | |
"ppid" : { | |
"type" : "long" | |
}, | |
"program" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"start" : { | |
"type" : "date" | |
}, | |
"thread" : { | |
"properties" : { | |
"id" : { | |
"type" : "long" | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"title" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"uptime" : { | |
"type" : "long" | |
}, | |
"working_directory" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"rabbitmq" : { | |
"properties" : { | |
"log" : { | |
"properties" : { | |
"pid" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"redis" : { | |
"properties" : { | |
"log" : { | |
"properties" : { | |
"role" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"slowlog" : { | |
"properties" : { | |
"args" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"cmd" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"duration" : { | |
"properties" : { | |
"us" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"id" : { | |
"type" : "long" | |
}, | |
"key" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"related" : { | |
"properties" : { | |
"ip" : { | |
"type" : "ip" | |
} | |
} | |
}, | |
"santa" : { | |
"properties" : { | |
"action" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"decision" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"disk" : { | |
"properties" : { | |
"bsdname" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"bus" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"fs" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"model" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"mount" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"serial" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"volume" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"mode" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"reason" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"server" : { | |
"properties" : { | |
"address" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"as" : { | |
"properties" : { | |
"number" : { | |
"type" : "long" | |
}, | |
"organization" : { | |
"properties" : { | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"bytes" : { | |
"type" : "long" | |
}, | |
"domain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"geo" : { | |
"properties" : { | |
"city_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"continent_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"country_iso_code" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"country_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"location" : { | |
"type" : "geo_point" | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"region_iso_code" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"region_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"ip" : { | |
"type" : "ip" | |
}, | |
"mac" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"nat" : { | |
"properties" : { | |
"ip" : { | |
"type" : "ip" | |
}, | |
"port" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"packets" : { | |
"type" : "long" | |
}, | |
"port" : { | |
"type" : "long" | |
}, | |
"user" : { | |
"properties" : { | |
"domain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"email" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"full_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"group" : { | |
"properties" : { | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"hash" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"service" : { | |
"properties" : { | |
"ephemeral_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"state" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"source" : { | |
"properties" : { | |
"address" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"as" : { | |
"properties" : { | |
"number" : { | |
"type" : "long" | |
}, | |
"organization" : { | |
"properties" : { | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"bytes" : { | |
"type" : "long" | |
}, | |
"domain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"geo" : { | |
"properties" : { | |
"city_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"continent_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"country_iso_code" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"country_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"location" : { | |
"type" : "geo_point" | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"region_iso_code" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"region_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"ip" : { | |
"type" : "ip" | |
}, | |
"mac" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"nat" : { | |
"properties" : { | |
"ip" : { | |
"type" : "ip" | |
}, | |
"port" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"packets" : { | |
"type" : "long" | |
}, | |
"port" : { | |
"type" : "long" | |
}, | |
"service" : { | |
"properties" : { | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"user" : { | |
"properties" : { | |
"domain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"email" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"full_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"group" : { | |
"properties" : { | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"hash" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"stream" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"suricata" : { | |
"properties" : { | |
"eve" : { | |
"properties" : { | |
"alert" : { | |
"properties" : { | |
"action" : { | |
"type" : "alias", | |
"path" : "event.outcome" | |
}, | |
"category" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"gid" : { | |
"type" : "long" | |
}, | |
"rev" : { | |
"type" : "long" | |
}, | |
"severity" : { | |
"type" : "alias", | |
"path" : "event.severity" | |
}, | |
"signature" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"signature_id" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"app_proto" : { | |
"type" : "alias", | |
"path" : "network.protocol" | |
}, | |
"app_proto_expected" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"app_proto_orig" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"app_proto_tc" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"app_proto_ts" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"dest_ip" : { | |
"type" : "alias", | |
"path" : "destination.ip" | |
}, | |
"dest_port" : { | |
"type" : "alias", | |
"path" : "destination.port" | |
}, | |
"dns" : { | |
"properties" : { | |
"id" : { | |
"type" : "long" | |
}, | |
"rcode" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"rdata" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"rrname" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"rrtype" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"ttl" : { | |
"type" : "long" | |
}, | |
"tx_id" : { | |
"type" : "long" | |
}, | |
"type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"email" : { | |
"properties" : { | |
"status" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"event_type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"fileinfo" : { | |
"properties" : { | |
"filename" : { | |
"type" : "alias", | |
"path" : "file.path" | |
}, | |
"gaps" : { | |
"type" : "boolean" | |
}, | |
"md5" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"sha1" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"sha256" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"size" : { | |
"type" : "alias", | |
"path" : "file.size" | |
}, | |
"state" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"stored" : { | |
"type" : "boolean" | |
}, | |
"tx_id" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"flags" : { | |
"type" : "object" | |
}, | |
"flow" : { | |
"properties" : { | |
"age" : { | |
"type" : "long" | |
}, | |
"alerted" : { | |
"type" : "boolean" | |
}, | |
"bytes_toclient" : { | |
"type" : "alias", | |
"path" : "destination.bytes" | |
}, | |
"bytes_toserver" : { | |
"type" : "alias", | |
"path" : "source.bytes" | |
}, | |
"end" : { | |
"type" : "date" | |
}, | |
"pkts_toclient" : { | |
"type" : "alias", | |
"path" : "destination.packets" | |
}, | |
"pkts_toserver" : { | |
"type" : "alias", | |
"path" : "source.packets" | |
}, | |
"reason" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"start" : { | |
"type" : "alias", | |
"path" : "event.start" | |
}, | |
"state" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"flow_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"http" : { | |
"properties" : { | |
"hostname" : { | |
"type" : "alias", | |
"path" : "url.domain" | |
}, | |
"http_content_type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"http_method" : { | |
"type" : "alias", | |
"path" : "http.request.method" | |
}, | |
"http_refer" : { | |
"type" : "alias", | |
"path" : "http.request.referrer" | |
}, | |
"http_user_agent" : { | |
"type" : "alias", | |
"path" : "user_agent.original" | |
}, | |
"length" : { | |
"type" : "alias", | |
"path" : "http.response.body.bytes" | |
}, | |
"protocol" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"redirect" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"status" : { | |
"type" : "alias", | |
"path" : "http.response.status_code" | |
}, | |
"url" : { | |
"type" : "alias", | |
"path" : "url.original" | |
} | |
} | |
}, | |
"icmp_code" : { | |
"type" : "long" | |
}, | |
"icmp_type" : { | |
"type" : "long" | |
}, | |
"in_iface" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"pcap_cnt" : { | |
"type" : "long" | |
}, | |
"proto" : { | |
"type" : "alias", | |
"path" : "network.transport" | |
}, | |
"smtp" : { | |
"properties" : { | |
"helo" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"mail_from" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"rcpt_to" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"src_ip" : { | |
"type" : "alias", | |
"path" : "source.ip" | |
}, | |
"src_port" : { | |
"type" : "alias", | |
"path" : "source.port" | |
}, | |
"ssh" : { | |
"properties" : { | |
"client" : { | |
"properties" : { | |
"proto_version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"software_version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"server" : { | |
"properties" : { | |
"proto_version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"software_version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"stats" : { | |
"properties" : { | |
"app_layer" : { | |
"properties" : { | |
"flow" : { | |
"properties" : { | |
"dcerpc_tcp" : { | |
"type" : "long" | |
}, | |
"dcerpc_udp" : { | |
"type" : "long" | |
}, | |
"dns_tcp" : { | |
"type" : "long" | |
}, | |
"dns_udp" : { | |
"type" : "long" | |
}, | |
"failed_tcp" : { | |
"type" : "long" | |
}, | |
"failed_udp" : { | |
"type" : "long" | |
}, | |
"ftp" : { | |
"type" : "long" | |
}, | |
"http" : { | |
"type" : "long" | |
}, | |
"imap" : { | |
"type" : "long" | |
}, | |
"msn" : { | |
"type" : "long" | |
}, | |
"smb" : { | |
"type" : "long" | |
}, | |
"smtp" : { | |
"type" : "long" | |
}, | |
"ssh" : { | |
"type" : "long" | |
}, | |
"tls" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"tx" : { | |
"properties" : { | |
"dcerpc_tcp" : { | |
"type" : "long" | |
}, | |
"dcerpc_udp" : { | |
"type" : "long" | |
}, | |
"dns_tcp" : { | |
"type" : "long" | |
}, | |
"dns_udp" : { | |
"type" : "long" | |
}, | |
"ftp" : { | |
"type" : "long" | |
}, | |
"http" : { | |
"type" : "long" | |
}, | |
"smb" : { | |
"type" : "long" | |
}, | |
"smtp" : { | |
"type" : "long" | |
}, | |
"ssh" : { | |
"type" : "long" | |
}, | |
"tls" : { | |
"type" : "long" | |
} | |
} | |
} | |
} | |
}, | |
"capture" : { | |
"properties" : { | |
"kernel_drops" : { | |
"type" : "long" | |
}, | |
"kernel_ifdrops" : { | |
"type" : "long" | |
}, | |
"kernel_packets" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"decoder" : { | |
"properties" : { | |
"avg_pkt_size" : { | |
"type" : "long" | |
}, | |
"bytes" : { | |
"type" : "long" | |
}, | |
"dce" : { | |
"properties" : { | |
"pkt_too_small" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"erspan" : { | |
"type" : "long" | |
}, | |
"ethernet" : { | |
"type" : "long" | |
}, | |
"gre" : { | |
"type" : "long" | |
}, | |
"icmpv4" : { | |
"type" : "long" | |
}, | |
"icmpv6" : { | |
"type" : "long" | |
}, | |
"ieee8021ah" : { | |
"type" : "long" | |
}, | |
"invalid" : { | |
"type" : "long" | |
}, | |
"ipraw" : { | |
"properties" : { | |
"invalid_ip_version" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"ipv4" : { | |
"type" : "long" | |
}, | |
"ipv4_in_ipv6" : { | |
"type" : "long" | |
}, | |
"ipv6" : { | |
"type" : "long" | |
}, | |
"ipv6_in_ipv6" : { | |
"type" : "long" | |
}, | |
"ltnull" : { | |
"properties" : { | |
"pkt_too_small" : { | |
"type" : "long" | |
}, | |
"unsupported_type" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"max_pkt_size" : { | |
"type" : "long" | |
}, | |
"mpls" : { | |
"type" : "long" | |
}, | |
"null" : { | |
"type" : "long" | |
}, | |
"pkts" : { | |
"type" : "long" | |
}, | |
"ppp" : { | |
"type" : "long" | |
}, | |
"pppoe" : { | |
"type" : "long" | |
}, | |
"raw" : { | |
"type" : "long" | |
}, | |
"sctp" : { | |
"type" : "long" | |
}, | |
"sll" : { | |
"type" : "long" | |
}, | |
"tcp" : { | |
"type" : "long" | |
}, | |
"teredo" : { | |
"type" : "long" | |
}, | |
"udp" : { | |
"type" : "long" | |
}, | |
"vlan" : { | |
"type" : "long" | |
}, | |
"vlan_qinq" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"defrag" : { | |
"properties" : { | |
"ipv4" : { | |
"properties" : { | |
"fragments" : { | |
"type" : "long" | |
}, | |
"reassembled" : { | |
"type" : "long" | |
}, | |
"timeouts" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"ipv6" : { | |
"properties" : { | |
"fragments" : { | |
"type" : "long" | |
}, | |
"reassembled" : { | |
"type" : "long" | |
}, | |
"timeouts" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"max_frag_hits" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"detect" : { | |
"properties" : { | |
"alert" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"dns" : { | |
"properties" : { | |
"memcap_global" : { | |
"type" : "long" | |
}, | |
"memcap_state" : { | |
"type" : "long" | |
}, | |
"memuse" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"file_store" : { | |
"properties" : { | |
"open_files" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"flow" : { | |
"properties" : { | |
"emerg_mode_entered" : { | |
"type" : "long" | |
}, | |
"emerg_mode_over" : { | |
"type" : "long" | |
}, | |
"icmpv4" : { | |
"type" : "long" | |
}, | |
"icmpv6" : { | |
"type" : "long" | |
}, | |
"memcap" : { | |
"type" : "long" | |
}, | |
"memuse" : { | |
"type" : "long" | |
}, | |
"spare" : { | |
"type" : "long" | |
}, | |
"tcp" : { | |
"type" : "long" | |
}, | |
"tcp_reuse" : { | |
"type" : "long" | |
}, | |
"udp" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"flow_mgr" : { | |
"properties" : { | |
"bypassed_pruned" : { | |
"type" : "long" | |
}, | |
"closed_pruned" : { | |
"type" : "long" | |
}, | |
"est_pruned" : { | |
"type" : "long" | |
}, | |
"flows_checked" : { | |
"type" : "long" | |
}, | |
"flows_notimeout" : { | |
"type" : "long" | |
}, | |
"flows_removed" : { | |
"type" : "long" | |
}, | |
"flows_timeout" : { | |
"type" : "long" | |
}, | |
"flows_timeout_inuse" : { | |
"type" : "long" | |
}, | |
"new_pruned" : { | |
"type" : "long" | |
}, | |
"rows_busy" : { | |
"type" : "long" | |
}, | |
"rows_checked" : { | |
"type" : "long" | |
}, | |
"rows_empty" : { | |
"type" : "long" | |
}, | |
"rows_maxlen" : { | |
"type" : "long" | |
}, | |
"rows_skipped" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"http" : { | |
"properties" : { | |
"memcap" : { | |
"type" : "long" | |
}, | |
"memuse" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"tcp" : { | |
"properties" : { | |
"insert_data_normal_fail" : { | |
"type" : "long" | |
}, | |
"insert_data_overlap_fail" : { | |
"type" : "long" | |
}, | |
"insert_list_fail" : { | |
"type" : "long" | |
}, | |
"invalid_checksum" : { | |
"type" : "long" | |
}, | |
"memuse" : { | |
"type" : "long" | |
}, | |
"no_flow" : { | |
"type" : "long" | |
}, | |
"overlap" : { | |
"type" : "long" | |
}, | |
"overlap_diff_data" : { | |
"type" : "long" | |
}, | |
"pseudo" : { | |
"type" : "long" | |
}, | |
"pseudo_failed" : { | |
"type" : "long" | |
}, | |
"reassembly_gap" : { | |
"type" : "long" | |
}, | |
"reassembly_memuse" : { | |
"type" : "long" | |
}, | |
"rst" : { | |
"type" : "long" | |
}, | |
"segment_memcap_drop" : { | |
"type" : "long" | |
}, | |
"sessions" : { | |
"type" : "long" | |
}, | |
"ssn_memcap_drop" : { | |
"type" : "long" | |
}, | |
"stream_depth_reached" : { | |
"type" : "long" | |
}, | |
"syn" : { | |
"type" : "long" | |
}, | |
"synack" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"uptime" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"tcp" : { | |
"properties" : { | |
"ack" : { | |
"type" : "boolean" | |
}, | |
"fin" : { | |
"type" : "boolean" | |
}, | |
"psh" : { | |
"type" : "boolean" | |
}, | |
"rst" : { | |
"type" : "boolean" | |
}, | |
"state" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"syn" : { | |
"type" : "boolean" | |
}, | |
"tcp_flags" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"tcp_flags_tc" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"tcp_flags_ts" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"timestamp" : { | |
"type" : "alias", | |
"path" : "@timestamp" | |
}, | |
"tls" : { | |
"properties" : { | |
"fingerprint" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"issuerdn" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"notafter" : { | |
"type" : "date" | |
}, | |
"notbefore" : { | |
"type" : "date" | |
}, | |
"serial" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"session_resumed" : { | |
"type" : "boolean" | |
}, | |
"sni" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"subject" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"tx_id" : { | |
"type" : "long" | |
} | |
} | |
} | |
} | |
}, | |
"syslog" : { | |
"properties" : { | |
"facility" : { | |
"type" : "long" | |
}, | |
"facility_label" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"priority" : { | |
"type" : "long" | |
}, | |
"severity_label" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"system" : { | |
"properties" : { | |
"auth" : { | |
"properties" : { | |
"groupadd" : { | |
"type" : "object" | |
}, | |
"ssh" : { | |
"properties" : { | |
"dropped_ip" : { | |
"type" : "ip" | |
}, | |
"event" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"geoip" : { | |
"type" : "object" | |
}, | |
"method" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"signature" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"sudo" : { | |
"properties" : { | |
"command" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"error" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"pwd" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"tty" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"user" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"useradd" : { | |
"properties" : { | |
"home" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"shell" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"syslog" : { | |
"type" : "object" | |
} | |
} | |
}, | |
"tags" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"timeseries" : { | |
"properties" : { | |
"instance" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"tracing" : { | |
"properties" : { | |
"trace" : { | |
"properties" : { | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"transaction" : { | |
"properties" : { | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"traefik" : { | |
"properties" : { | |
"access" : { | |
"properties" : { | |
"backend_url" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"frontend_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"geoip" : { | |
"properties" : { | |
"city_name" : { | |
"type" : "alias", | |
"path" : "source.geo.city_name" | |
}, | |
"continent_name" : { | |
"type" : "alias", | |
"path" : "source.geo.continent_name" | |
}, | |
"country_iso_code" : { | |
"type" : "alias", | |
"path" : "source.geo.country_iso_code" | |
}, | |
"location" : { | |
"type" : "alias", | |
"path" : "source.geo.location" | |
}, | |
"region_iso_code" : { | |
"type" : "alias", | |
"path" : "source.geo.region_iso_code" | |
}, | |
"region_name" : { | |
"type" : "alias", | |
"path" : "source.geo.region_name" | |
} | |
} | |
}, | |
"request_count" : { | |
"type" : "long" | |
}, | |
"user_agent" : { | |
"properties" : { | |
"device" : { | |
"type" : "alias", | |
"path" : "user_agent.device.name" | |
}, | |
"name" : { | |
"type" : "alias", | |
"path" : "user_agent.name" | |
}, | |
"original" : { | |
"type" : "alias", | |
"path" : "user_agent.original" | |
}, | |
"os" : { | |
"type" : "alias", | |
"path" : "user_agent.os.full_name" | |
}, | |
"os_name" : { | |
"type" : "alias", | |
"path" : "user_agent.os.name" | |
} | |
} | |
}, | |
"user_identifier" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"url" : { | |
"properties" : { | |
"domain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"fragment" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"full" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"original" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"password" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"path" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"port" : { | |
"type" : "long" | |
}, | |
"query" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"scheme" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"username" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"user" : { | |
"properties" : { | |
"audit" : { | |
"properties" : { | |
"group" : { | |
"properties" : { | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"domain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"effective" : { | |
"properties" : { | |
"group" : { | |
"properties" : { | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"email" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"filesystem" : { | |
"properties" : { | |
"group" : { | |
"properties" : { | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"full_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"group" : { | |
"properties" : { | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"hash" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"owner" : { | |
"properties" : { | |
"group" : { | |
"properties" : { | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"saved" : { | |
"properties" : { | |
"group" : { | |
"properties" : { | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"terminal" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"user_agent" : { | |
"properties" : { | |
"device" : { | |
"properties" : { | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"original" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"os" : { | |
"properties" : { | |
"family" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"full" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"full_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"kernel" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"platform" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"zeek" : { | |
"properties" : { | |
"connection" : { | |
"properties" : { | |
"history" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"inner_vlan" : { | |
"type" : "long" | |
}, | |
"local_orig" : { | |
"type" : "boolean" | |
}, | |
"local_resp" : { | |
"type" : "boolean" | |
}, | |
"missed_bytes" : { | |
"type" : "long" | |
}, | |
"orig_l2_addr" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"resp_l2_addr" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"state" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"vlan" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"dns" : { | |
"properties" : { | |
"AA" : { | |
"type" : "boolean" | |
}, | |
"RA" : { | |
"type" : "boolean" | |
}, | |
"RD" : { | |
"type" : "boolean" | |
}, | |
"TC" : { | |
"type" : "boolean" | |
}, | |
"TTLs" : { | |
"type" : "double" | |
}, | |
"answers" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"qclass" : { | |
"type" : "long" | |
}, | |
"qclass_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"qtype" : { | |
"type" : "long" | |
}, | |
"qtype_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"query" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"rcode" : { | |
"type" : "long" | |
}, | |
"rcode_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"rejected" : { | |
"type" : "boolean" | |
}, | |
"rtt" : { | |
"type" : "double" | |
}, | |
"saw_query" : { | |
"type" : "boolean" | |
}, | |
"saw_reply" : { | |
"type" : "boolean" | |
}, | |
"total_answers" : { | |
"type" : "long" | |
}, | |
"total_replies" : { | |
"type" : "long" | |
}, | |
"trans_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"files" : { | |
"properties" : { | |
"analyzers" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"depth" : { | |
"type" : "long" | |
}, | |
"duration" : { | |
"type" : "double" | |
}, | |
"entropy" : { | |
"type" : "double" | |
}, | |
"extracted" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"extracted_cutoff" : { | |
"type" : "boolean" | |
}, | |
"extracted_size" : { | |
"type" : "long" | |
}, | |
"filename" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"fuid" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"is_orig" : { | |
"type" : "boolean" | |
}, | |
"local_orig" : { | |
"type" : "boolean" | |
}, | |
"md5" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"mime_type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"missing_bytes" : { | |
"type" : "long" | |
}, | |
"overflow_bytes" : { | |
"type" : "long" | |
}, | |
"parent_fuid" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"rx_host" : { | |
"type" : "ip" | |
}, | |
"seen_bytes" : { | |
"type" : "long" | |
}, | |
"session_ids" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"sha1" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"sha256" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"source" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"timedout" : { | |
"type" : "boolean" | |
}, | |
"total_bytes" : { | |
"type" : "long" | |
}, | |
"tx_host" : { | |
"type" : "ip" | |
} | |
} | |
}, | |
"fnotice" : { | |
"properties" : { | |
"file" : { | |
"properties" : { | |
"total_bytes" : { | |
"type" : "long" | |
} | |
} | |
} | |
} | |
}, | |
"http" : { | |
"properties" : { | |
"captured_password" : { | |
"type" : "boolean" | |
}, | |
"client_header_names" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"info_code" : { | |
"type" : "long" | |
}, | |
"info_msg" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"orig_filenames" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"orig_fuids" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"orig_mime_depth" : { | |
"type" : "long" | |
}, | |
"orig_mime_types" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"password" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"proxied" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"range_request" : { | |
"type" : "boolean" | |
}, | |
"resp_filenames" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"resp_fuids" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"resp_mime_depth" : { | |
"type" : "long" | |
}, | |
"resp_mime_types" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"server_header_names" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"status_msg" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"tags" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"trans_depth" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"notice" : { | |
"properties" : { | |
"actions" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"connection_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"dropped" : { | |
"type" : "boolean" | |
}, | |
"email_body_sections" : { | |
"type" : "text", | |
"norms" : false | |
}, | |
"email_delay_tokens" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"file" : { | |
"properties" : { | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"is_orig" : { | |
"type" : "boolean" | |
}, | |
"mime_type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"missing_bytes" : { | |
"type" : "long" | |
}, | |
"overflow_bytes" : { | |
"type" : "long" | |
}, | |
"parent_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"seen_bytes" : { | |
"type" : "long" | |
}, | |
"source" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"fuid" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"icmp_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"identifier" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"msg" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"n" : { | |
"type" : "long" | |
}, | |
"note" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"peer_descr" : { | |
"type" : "text", | |
"norms" : false | |
}, | |
"peer_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"sub" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"suppress_for" : { | |
"type" : "double" | |
} | |
} | |
}, | |
"session_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"ssl" : { | |
"properties" : { | |
"cert_chain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"cert_chain_fuids" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"cipher" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"client_cert_chain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"client_cert_chain_fuids" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"client_issuer" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"client_subject" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"curve" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"established" : { | |
"type" : "boolean" | |
}, | |
"issuer" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"last_alert" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"next_protocol" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"resumed" : { | |
"type" : "boolean" | |
}, | |
"server_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"subject" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"validation_code" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"validation_status" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
} | |
} | |
}, | |
"settings" : { | |
"index" : { | |
"lifecycle" : { | |
"name" : "filebeat-7.5.0", | |
"rollover_alias" : "filebeat-7.5.0" | |
}, | |
"mapping" : { | |
"total_fields" : { | |
"limit" : "10000" | |
} | |
}, | |
"refresh_interval" : "5s", | |
"number_of_shards" : "1", | |
"provided_name" : "<filebeat-7.5.0-{now/d}-000003>", | |
"query" : { | |
"default_field" : [ | |
"message", | |
"tags", | |
... | |
"event.original", | |
... | |
"fields.*" | |
] | |
}, | |
"creation_date" : "1576694675699", | |
"number_of_replicas" : "1", | |
"uuid" : "Fhu-EoXqSSiSBlBZL2-geA", | |
"version" : { | |
"created" : "7050099" | |
} | |
} | |
} | |
} | |
} | |