ElasticSearch Config
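cluster.name: logs
# Puppet-ism to put in the hostname and IP
node.name: <%= @hostname %>
# NOTE(review): network.host makes both the HTTP (9200) and transport (9300)
# listeners reachable on the node's routed address. Elasticsearch of this
# vintage has no built-in authentication, so any host that can reach 9200 can
# read, modify or delete every index, and with dynamic scripting enabled (the
# default before upstream turned it off) a request can run code on the node.
# Restrict both ports to the log-shipping hosts and the other cluster members,
# and set script.disable_dynamic: true if the installed version still defaults
# it on.
network.host: <%= @ipaddress %>
# Turn off multicast autodiscovery
# A unicast seed list by itself does not stop the multicast ping, so an unknown
# node on the same segment could still discover and join this cluster; the
# explicit switch below is what actually disables it.
discovery.zen.ping.multicast.enabled: false
discovery.zen.ping.unicast.hosts: 172.1.1.100:9300, 172.1.1.101:9300
# Four primaries, at most one shard of an index per node, and no replicas:
# every index needs four data nodes before all its shards are assigned, and
# losing any one node loses the data it held. The seed list above names only
# two hosts -- confirm the real node count matches.
index.number_of_shards: 4
index.routing.allocation.total_shards_per_node: 1
index.number_of_replicas: 0
# Pin the heap in RAM; only takes effect if the elasticsearch user is allowed
# to lock memory (memlock limit), otherwise the node warns and carries on.
bootstrap.mlockall: true
# Largest HTTP request body accepted (bulk payloads from the log shipper).
http.max_content_length: 256mb
# Write-path tuning for append-only log indices: flush the translog and make
# new documents searchable every 15s, and keep segments as separate files
# rather than compound files.
index.translog.flush_threshold_period: 15s
index.merge.policy.use_compound_file: false
index.refresh_interval: 15s
# Share of the heap reserved for in-memory indexing buffers across all shards.
indices.memory.index_buffer_size: 25%
# Field-data cache held via soft references, so the JVM may drop entries under
# memory pressure instead of running out of heap.
index.cache.field.type: soft
# Interval for the gateway's snapshot of index state -- presumably the shared
# gateway of this ES generation; verify it is still meaningful for the version
# deployed.
index.gateway.snapshot_interval: 1m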
# This is a Puppet-ism to set the heap size to 75% of the RAM.
# NOTE(review): the substitution strips the unit from @memorysize and then
# appends "g", so the result is only right when facter reports the value in GB;
# a host reported in MB would get an absurd heap size -- confirm the unit on
# the target hosts. 75% also leaves little RAM for the OS page cache that
# Lucene relies on; the usual guidance is at most half of RAM, and below ~32g
# so compressed object pointers stay in effect.
ES_HEAP_SIZE=<%= (@memorysize.sub(/[ A-Z]+/, "").to_f*0.75).to_i %>g
# Important!
#
# "We cannot stress enough how crucial it is to run ElasticSearch through Oracle’s official Java 7 distribution (no OpenJDK or Java 6).
# The performance is orders of magnitude better!" Source: <http://blog.bugsense.com/post/35580279634/indexing-bigdata-with-elasticsearch>
# NOTE(review): a fixed, versioned path pins the node to this exact JRE build.
# A newer JRE installed alongside it (into its own versioned directory, as the
# path here suggests) is not picked up, so Java security updates silently do
# not apply to the node. Point this at a stable symlink that the update
# process moves, and re-check it as part of patching.
JAVA_HOME=/usr/java/jre1.7.0_09
# Extra JVM flags: TLAB is already on by default on HotSpot; the two CMS flags
# let the collector unload classes and sweep PermGen (PermGen no longer exists
# from Java 8 onward, so these would need revisiting on a newer JVM).
ES_JAVA_OPTS="-XX:+UseTLAB -XX:+CMSClassUnloadingEnabled -XX:+CMSPermGenSweepingEnabled"
# Add the following to /etc/security/limits.conf
# Domain "elasticsearch" is the service account; "-" sets both the soft and the
# hard limit in one line.
# nofile: the node keeps many index files and client/transport sockets open at
# once, so the default descriptor limit is far too low.
elasticsearch - nofile 65535
# memlock: bootstrap.mlockall in elasticsearch.yml can only pin the heap if the
# user may lock memory; without this the lock fails and the setting does nothing.
elasticsearch - memlock unlimited
# Add the following to /etc/pam.d/common-session
# pam_limits applies the /etc/security/limits.conf entries when a session is
# opened through PAM.
# NOTE(review): a daemon started from an init script does not necessarily pass
# through this stack, so confirm the running process's limits (e.g. from
# /proc/<pid>/limits) after a restart rather than assuming they took effect.
session required pam_limits.so
{ | |
"bro_logs": { | |
"template": "bro-*", | |
"settings": { | |
"number_of_shards": 4, | |
"number_of_replicas": 0, | |
"index.cache.field.type": "soft", | |
"index.refresh_interval": "30s", | |
"index.analysis": { | |
"analyzer": { | |
"HostnameAnalyzer": { | |
"type": "custom", | |
"tokenizer": "ReverseDotPath" | |
}, | |
"IPAnalyzer": { | |
"type": "custom", | |
"char_filter" : ["ColonsToPeriods"], | |
"tokenizer" : "DotPath" | |
}, | |
"PercentAnalyzer": { | |
"type": "custom", | |
"char_filter" : ["StripPercent"], | |
"tokenizer" : "whitespace" | |
} | |
}, | |
"tokenizer": { | |
"ReverseDotPath": { | |
"type": "path_hierarchy", | |
"delimiter": ".", | |
"reverse": "true" | |
}, | |
"DotPath": { | |
"type": "path_hierarchy", | |
"delimiter": "." | |
} | |
}, | |
"char_filter": { | |
"ColonsToPeriods": { | |
"type": "mapping", | |
"mappings" : [":=>."] | |
}, | |
"StripPercent": { | |
"type": "mapping", | |
"mappings": ["%=>0"] | |
} | |
} | |
} | |
}, | |
"mappings": { | |
"_default_": { | |
"_all": {"enabled": false} | |
}, | |
"capture_loss": { | |
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"}, | |
"properties": { | |
"ts": {"type": "date", "format": "basic_date_time"}, | |
"ts_delta": {"type": "float", "index": "no"}, | |
"peer": {"type": "string", "index": "not_analyzed"}, | |
"gaps": {"type": "long", "index": "not_analyzed"}, | |
"acks": {"type": "long", "index": "not_analyzed"}, | |
"percent_lost": {"type": "string", "analyzer": "PercentAnalyzer"} | |
} | |
}, | |
"cluster": { | |
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"}, | |
"properties": { | |
"ts": {"type": "date", "format": "basic_date_time"}, | |
"message": {"type": "float", "index": "no"} | |
} | |
}, | |
"communication": { | |
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"}, | |
"properties": { | |
"ts": {"type": "date", "format": "basic_date_time"}, | |
"peer": {"type": "string", "index": "not_analyzed"}, | |
"src_name": {"type": "string", "index": "not_analyzed"}, | |
"connected_peer_desc": {"type": "string", "index": "not_analyzed"}, | |
"connected_peer_addr": {"type": "string", "index": "not_analyzed"}, | |
"connected_peer_port": {"type": "integer", "index": "not_analyzed"}, | |
"level": {"type": "string", "index": "not_analyzed"}, | |
"message": {"type": "string", "analyzer": "whitespace"} | |
} | |
}, | |
"conn": { | |
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"}, | |
"properties": { | |
"ts": {"type": "date", "format": "basic_date_time"}, | |
"uid": {"type": "string", "index": "not_analyzed"}, | |
"id.orig_h": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"id.orig_p": {"type": "integer", "index": "not_analyzed"}, | |
"id.resp_h": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"id.resp_p": {"type": "integer", "index": "not_analyzed"}, | |
"proto": {"type": "string", "index": "not_analyzed"}, | |
"service": {"type": "string", "index": "not_analyzed"}, | |
"duration": {"type": "double", "index": "not_analyzed"}, | |
"orig_bytes": {"type": "long", "index": "not_analyzed"}, | |
"resp_bytes": {"type": "long", "index": "not_analyzed"}, | |
"conn_state": {"type": "string", "index": "not_analyzed"}, | |
"local_orig": {"type": "boolean", "index": "not_analyzed"}, | |
"missed_bytes": {"type": "long", "index": "not_analyzed"}, | |
"history": {"type": "string", "index": "not_analyzed"}, | |
"orig_pkts": {"type": "long", "index": "not_analyzed"}, | |
"orig_ip_bytes": {"type": "long", "index": "not_analyzed"}, | |
"resp_pkts": {"type": "long", "index": "not_analyzed"}, | |
"resp_ip_bytes": {"type": "long", "index": "not_analyzed"}, | |
"orig_cc": {"type": "string", "index": "not_analyzed"}, | |
"resp_cc": {"type": "string", "index": "not_analyzed"} | |
} | |
}, | |
"dhcp": { | |
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"}, | |
"properties": { | |
"ts": {"type": "date", "format": "basic_date_time"}, | |
"uid": {"type": "string", "index": "not_analyzed"}, | |
"id.orig_h": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"id.orig_p": {"type": "integer", "index": "not_analyzed"}, | |
"id.resp_h": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"id.resp_p": {"type": "integer", "index": "not_analyzed"}, | |
"mac": {"type": "string", "index": "not_analyzed"}, | |
"assigned_ip": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"lease_time": {"type": "float", "index": "not_analyzed"}, | |
"trans_id": {"type": "long", "index": "not_analyzed"} | |
} | |
}, | |
"dns": { | |
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"}, | |
"properties": { | |
"ts": {"type": "date", "format": "basic_date_time"}, | |
"uid": {"type": "string", "index": "not_analyzed"}, | |
"id.orig_h": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"id.orig_p": {"type": "integer", "index": "not_analyzed"}, | |
"id.resp_h": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"id.resp_p": {"type": "integer", "index": "not_analyzed"}, | |
"proto": {"type": "string", "index": "not_analyzed"}, | |
"trans_id": {"type": "long", "index": "not_analyzed"}, | |
"query": {"type": "string", "analyzer": "HostnameAnalyzer"}, | |
"qclass": {"type": "integer", "index": "not_analyzed"}, | |
"qclass_name": {"type": "string", "index": "not_analyzed"}, | |
"qtype": {"type": "integer", "index": "not_analyzed"}, | |
"qtype_name": {"type": "string", "index": "not_analyzed"}, | |
"rcode": {"type": "integer", "index": "not_analyzed"}, | |
"rcode_name": {"type": "string", "index": "not_analyzed"}, | |
"AA": {"type": "boolean", "index": "not_analyzed"}, | |
"TC": {"type": "boolean", "index": "not_analyzed"}, | |
"RD": {"type": "boolean", "index": "not_analyzed"}, | |
"RA": {"type": "boolean", "index": "not_analyzed"}, | |
"Z": {"type": "boolean", "index": "not_analyzed"}, | |
"answers": {"type": "string", "analyzer": "HostnameAnalyzer"}, | |
"TTLs": {"type": "long", "index": "not_analyzed"} | |
} | |
}, | |
"dpd": { | |
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"}, | |
"properties": { | |
"ts": {"type": "date", "format": "basic_date_time"}, | |
"uid": {"type": "string", "index": "not_analyzed"}, | |
"id.orig_h": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"id.orig_p": {"type": "integer", "index": "not_analyzed"}, | |
"id.resp_h": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"id.resp_p": {"type": "integer", "index": "not_analyzed"}, | |
"proto": {"type": "string", "index": "not_analyzed"}, | |
"analyzer": {"type": "string", "index": "not_analyzed"}, | |
"failure_reason": {"type": "string", "index": "no"} | |
} | |
}, | |
"ftp": { | |
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"}, | |
"properties": { | |
"ts": {"type": "date", "format": "basic_date_time"}, | |
"uid": {"type": "string", "index": "not_analyzed"}, | |
"id.orig_h": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"id.orig_p": {"type": "integer", "index": "not_analyzed"}, | |
"id.resp_h": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"id.resp_p": {"type": "integer", "index": "not_analyzed"}, | |
"user": {"type": "string", "index": "not_analyzed"}, | |
"password": {"type": "string", "index": "not_analyzed"}, | |
"command": {"type": "string", "index": "not_analyzed"}, | |
"arg": {"type": "string", "analyzer": "simple"}, | |
"mime_type": {"type": "string", "analyzer": "simple"}, | |
"mime_desc": {"type": "string", "index": "not_analyzed"}, | |
"file_size": {"type": "long", "index": "not_analyzed"}, | |
"reply_code": {"type": "integer", "index": "not_analyzed"}, | |
"reply_msg": {"type": "string", "index": "not_analyzed"}, | |
"tags": {"type": "string", "index": "not_analyzed"}, | |
"cwd": {"type": "string", "analyzer": "simple"}, | |
"cmdarg": {"type": "string", "index": "not_analyzed"}, | |
"passive": {"type": "boolean", "index": "not_analyzed"} | |
} | |
}, | |
"http": { | |
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"}, | |
"properties": { | |
"ts": {"type": "date", "format": "basic_date_time"}, | |
"uid": {"type": "string", "index": "not_analyzed"}, | |
"id.orig_h": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"id.orig_p": {"type": "integer", "index": "not_analyzed"}, | |
"id.resp_h": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"id.resp_p": {"type": "integer", "index": "not_analyzed"}, | |
"trans_depth": {"type": "integer", "index": "not_analyzed"}, | |
"method": {"type": "string", "index": "not_analyzed"}, | |
"host": {"type": "string", "analyzer": "HostnameAnalyzer"}, | |
"uri": {"type": "string", "analyzer": "simple"}, | |
"referrer": {"type": "string", "analyzer": "simple"}, | |
"user_agent": {"type": "string", "analyzer": "simple"}, | |
"request_body_len": {"type": "long", "index": "not_analyzed"}, | |
"response_body_len": {"type": "long", "index": "not_analyzed"}, | |
"status_code": {"type": "integer", "index": "not_analyzed"}, | |
"status_msg": {"type": "string", "index": "not_analyzed"}, | |
"info_code": {"type": "integer", "index": "not_analyzed"}, | |
"info_msg": {"type": "string", "index": "not_analyzed"}, | |
"filename": {"type": "string", "index": "not_analyzed"}, | |
"tags": {"type": "string", "index": "not_analyzed"}, | |
"username": {"type": "string", "index": "not_analyzed"}, | |
"password": {"type": "string", "index": "not_analyzed"}, | |
"proxied": {"type": "boolean", "index": "not_analyzed"} | |
} | |
}, | |
"irc": { | |
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"}, | |
"properties": { | |
"ts": {"type": "date", "format": "basic_date_time"}, | |
"uid": {"type": "string", "index": "not_analyzed"}, | |
"id.orig_h": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"id.orig_p": {"type": "integer", "index": "not_analyzed"}, | |
"id.resp_h": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"id.resp_p": {"type": "integer", "index": "not_analyzed"}, | |
"nick": {"type": "string", "index": "not_analyzed"}, | |
"user": {"type": "string", "index": "not_analyzed"}, | |
"command": {"type": "string", "index": "not_analyzed"}, | |
"value": {"type": "string", "analyzer": "simple"}, | |
"addl": {"type": "string", "analyzer": "simple"} | |
} | |
}, | |
"known_certs": { | |
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"}, | |
"properties": { | |
"ts": {"type": "date", "format": "basic_date_time"}, | |
"host": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"port_num": {"type": "integer", "index": "not_analyzed"}, | |
"subject": {"type": "string", "analyzer": "simple"}, | |
"issuer_subject": {"type": "string", "analyzer": "simple"}, | |
"serial": {"type": "string", "index": "not_analyzed"} | |
} | |
}, | |
"known_hosts": { | |
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"}, | |
"properties": { | |
"ts": {"type": "date", "format": "basic_date_time"}, | |
"host": {"type": "string", "analyzer": "IPAnalyzer"} | |
} | |
}, | |
"known_services": { | |
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"}, | |
"properties": { | |
"ts": {"type": "date", "format": "basic_date_time"}, | |
"host": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"port_num": {"type": "integer", "index": "not_analyzed"}, | |
"port_proto": {"type": "string", "index": "not_analyzed"}, | |
"service": {"type": "string", "index": "not_analyzed"} | |
} | |
}, | |
"intel": { | |
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"}, | |
"properties": { | |
"ts": {"type": "date", "format": "basic_date_time"}, | |
"uid": {"type": "string", "index": "not_analyzed"}, | |
"id.orig_h": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"id.orig_p": {"type": "integer", "index": "not_analyzed"}, | |
"id.resp_h": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"id.resp_p": {"type": "integer", "index": "not_analyzed"}, | |
"seen.host": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"seen.where": {"type": "string", "analyzer": "simple"}, | |
"sources": {"type": "string", "index": "not_analyzed"} | |
} | |
}, | |
"loaded_scripts": { | |
"properties": { | |
"name": {"type": "string", "index": "not_analyzed"} | |
} | |
}, | |
"modbus": { | |
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"}, | |
"properties": { | |
"ts": {"type": "date", "format": "basic_date_time"}, | |
"uid": {"type": "string", "index": "not_analyzed"}, | |
"id.orig_h": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"id.orig_p": {"type": "integer", "index": "not_analyzed"}, | |
"id.resp_h": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"id.resp_p": {"type": "integer", "index": "not_analyzed"}, | |
"func": {"type": "string", "index": "not_analyzed"}, | |
"exception": {"type": "string", "index": "not_analyzed"} | |
} | |
}, | |
"notice": { | |
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"}, | |
"properties": { | |
"ts": {"type": "date", "format": "basic_date_time"}, | |
"uid": {"type": "string", "index": "not_analyzed"}, | |
"id.orig_h": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"id.orig_p": {"type": "integer", "index": "not_analyzed"}, | |
"id.resp_h": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"id.resp_p": {"type": "integer", "index": "not_analyzed"}, | |
"proto": {"type": "string", "index": "not_analyzed"}, | |
"note": {"type": "string", "analyzer": "simple"}, | |
"msg": {"type": "string", "analyzer": "simple"}, | |
"sub": {"type": "string", "analyzer": "simple"}, | |
"src": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"dst": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"p": {"type": "integer", "index": "not_analyzed"}, | |
"n": {"type": "integer", "index": "not_analyzed"}, | |
"src_peer": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"peer_descr": {"type": "string", "index": "not_analyzed"}, | |
"actions": {"type": "string", "analyzer": "simple"}, | |
"suppress_for": {"type": "double", "index": "not_analyzed"} | |
} | |
}, | |
"notice_alarm": { | |
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"}, | |
"properties": { | |
"ts": {"type": "date", "format": "basic_date_time"}, | |
"uid": {"type": "string", "index": "not_analyzed"}, | |
"id.orig_h": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"id.orig_p": {"type": "integer", "index": "not_analyzed"}, | |
"id.resp_h": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"id.resp_p": {"type": "integer", "index": "not_analyzed"}, | |
"proto": {"type": "string", "index": "not_analyzed"}, | |
"note": {"type": "string", "analyzer": "simple"}, | |
"msg": {"type": "string", "analyzer": "simple"}, | |
"sub": {"type": "string", "analyzer": "simple"}, | |
"src": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"dst": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"p": {"type": "integer", "index": "not_analyzed"}, | |
"n": {"type": "integer", "index": "not_analyzed"}, | |
"src_peer": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"peer_descr": {"type": "string", "index": "not_analyzed"}, | |
"actions": {"type": "string", "analyzer": "simple"}, | |
"suppress_for": {"type": "double", "index": "not_analyzed"} | |
} | |
}, | |
"packet_filter": { | |
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"}, | |
"properties": { | |
"ts": {"type": "date", "format": "basic_date_time"}, | |
"node": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"filter": {"type": "string", "analyzer": "simple"}, | |
"init": {"type": "boolean", "index": "not_analyzed"}, | |
"success": {"type": "boolean", "index": "not_analyzed"} | |
} | |
}, | |
"reporter": { | |
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"}, | |
"properties": { | |
"ts": {"type": "date", "format": "basic_date_time"}, | |
"level": {"type": "string", "analyzer": "simple"}, | |
"message": {"type": "string", "analyzer": "simple"}, | |
"location": {"type": "string", "analyzer": "simple"} | |
} | |
}, | |
"signatures": { | |
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"}, | |
"properties": { | |
"ts": {"type": "date", "format": "basic_date_time"}, | |
"src_addr": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"src_port": {"type": "integer", "index": "not_analyzed"}, | |
"dst_addr": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"dst_port": {"type": "integer", "index": "not_analyzed"}, | |
"note": {"type": "string", "analyzer": "simple"}, | |
"sig_id": {"type": "string", "index": "not_analyzed"}, | |
"event_msg": {"type": "string", "analyzer": "simple"}, | |
"sub_msg": {"type": "string", "analyzer": "simple"}, | |
"sig_count": {"type": "long", "index": "not_analyzed"}, | |
"host_count": {"type": "long", "index": "not_analyzed"} | |
} | |
}, | |
"smtp": { | |
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"}, | |
"properties": { | |
"ts": {"type": "date", "format": "basic_date_time"}, | |
"uid": {"type": "string", "index": "not_analyzed"}, | |
"id.orig_h": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"id.orig_p": {"type": "integer", "index": "not_analyzed"}, | |
"id.resp_h": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"id.resp_p": {"type": "integer", "index": "not_analyzed"}, | |
"trans_depth": {"type": "integer", "index": "not_analyzed"}, | |
"helo": {"type": "string", "analyzer": "HostnameAnalyzer"}, | |
"mailfrom": {"type": "string", "analyzer": "simple"}, | |
"rcptto": {"type": "string", "analyzer": "simple"}, | |
"date": {"type": "string", "index": "not_analyzed"}, | |
"from": {"type": "string", "analyzer": "simple"}, | |
"to": {"type": "string", "analyzer": "simple"}, | |
"reply_to": {"type": "string", "analyzer": "simple"}, | |
"msg_id": {"type": "string", "index": "not_analyzed"}, | |
"in_reply_to": {"type": "string", "index": "not_analyzed"}, | |
"subject": {"type": "string", "analyzer": "simple"}, | |
"x_originating_ip": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"first_received": {"type": "string", "index": "not_analyzed"}, | |
"second_received": {"type": "string", "analyzer": "simple"}, | |
"last_reply": {"type": "string", "analyzer": "simple"}, | |
"path": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"user_agent": {"type": "string", "index": "not_analyzed"} | |
} | |
}, | |
"smtp_entities": { | |
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"}, | |
"properties": { | |
"ts": {"type": "date", "format": "basic_date_time"}, | |
"uid": {"type": "string", "index": "not_analyzed"}, | |
"id.orig_h": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"id.orig_p": {"type": "integer", "index": "not_analyzed"}, | |
"id.resp_h": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"id.resp_p": {"type": "integer", "index": "not_analyzed"}, | |
"trans_depth": {"type": "integer", "index": "not_analyzed"}, | |
"filename": {"type": "string", "index": "not_analyzed"}, | |
"content_len": {"type": "long", "index": "not_analyzed"}, | |
"mime_type": {"type": "string", "analyzer": "simple"}, | |
"md5": {"type": "string", "index": "not_analyzed"}, | |
"calc_md5": {"type": "boolean", "index": "not_analyzed"}, | |
"extract_file": {"type": "boolean", "index": "not_analyzed"}, | |
"file": {"type": "string", "index": "not_analyzed"} | |
} | |
}, | |
"sip" : { | |
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"}, | |
"properties": { | |
"ts": {"type": "date", "format": "basic_date_time"}, | |
"uid": {"type": "string", "index": "not_analyzed"}, | |
"id.orig_h": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"id.orig_p": {"type": "integer", "index": "not_analyzed"}, | |
"id.resp_h": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"id.resp_p": {"type": "integer", "index": "not_analyzed"}, | |
"trans_depth": {"type": "integer", "index": "not_analyzed"}, | |
"method": {"type": "string", "index": "not_analyzed"}, | |
"from": {"type": "string", "analyzer": "simple"}, | |
"to": {"type": "string", "analyzer": "simple"}, | |
"call_id": {"type": "string", "index": "not_analyzed"}, | |
"seq": {"type": "string", "index": "not_analyzed"}, | |
"path": {"type": "string", "analyzer": "simple"}, | |
"user_agent": {"type": "string", "index": "not_analyzed"}, | |
"request_body_len": {"type": "long", "index": "not_analyzed"}, | |
"response_body_len": {"type": "long", "index": "not_analyzed"} | |
}
},
"socks": { | |
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"}, | |
"properties": { | |
"ts": {"type": "date", "format": "basic_date_time"}, | |
"uid": {"type": "string", "index": "not_analyzed"}, | |
"id.orig_h": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"id.orig_p": {"type": "integer", "index": "not_analyzed"}, | |
"id.resp_h": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"id.resp_p": {"type": "integer", "index": "not_analyzed"}, | |
"version": {"type": "integer", "index": "not_analyzed"}, | |
"user": {"type": "string", "index": "not_analyzed"}, | |
"status": {"type": "string", "index": "not_analyzed"}, | |
"request": {"type": "string", "index": "not_analyzed"}, | |
"request_p": {"type": "integer", "index": "not_analyzed"}, | |
"bound": {"type": "string", "index": "not_analyzed"}, | |
"bound_p": {"type": "integer", "index": "not_analyzed"} | |
} | |
}, | |
"software": { | |
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"}, | |
"properties": { | |
"ts": {"type": "date", "format": "basic_date_time"}, | |
"uid": {"type": "string", "index": "not_analyzed"}, | |
"host": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"host_p": {"type": "integer", "index": "not_analyzed"}, | |
"software_type": {"type": "string", "analyzer": "simple"}, | |
"name": {"type": "string", "analyzer": "simple"}, | |
"version": {"type": "string", "index": "not_analyzed"}, | |
"version.major": {"type": "string", "index": "not_analyzed"}, | |
"version.minor": {"type": "string", "index": "not_analyzed"}, | |
"version.minor2": {"type": "string", "index": "not_analyzed"}, | |
"unparsed_version": {"type": "string", "analyzer": "simple"}, | |
"url": {"type": "string", "analyzer": "simple"} | |
} | |
}, | |
"ssh": { | |
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"}, | |
"properties": { | |
"ts": {"type": "date", "format": "basic_date_time"}, | |
"uid": {"type": "string", "index": "not_analyzed"}, | |
"id.orig_h": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"id.orig_p": {"type": "integer", "index": "not_analyzed"}, | |
"id.resp_h": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"id.resp_p": {"type": "integer", "index": "not_analyzed"}, | |
"status": {"type": "string", "index": "not_analyzed"}, | |
"direction": {"type": "string", "index": "not_analyzed"}, | |
"client": {"type": "string", "analyzer": "simple"}, | |
"server": {"type": "string", "analyzer": "simple"}, | |
"resp_size": {"type": "long", "index": "not_analyzed"} | |
} | |
}, | |
"ssl": { | |
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"}, | |
"properties": { | |
"ts": {"type": "date", "format": "basic_date_time"}, | |
"uid": {"type": "string", "index": "not_analyzed"}, | |
"id.orig_h": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"id.orig_p": {"type": "integer", "index": "not_analyzed"}, | |
"id.resp_h": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"id.resp_p": {"type": "integer", "index": "not_analyzed"}, | |
"version": {"type": "string", "index": "not_analyzed"}, | |
"cipher": {"type": "string", "index": "not_analyzed"}, | |
"server_name": {"type": "string", "index": "not_analyzed"}, | |
"session_id": {"type": "string", "index": "not_analyzed"}, | |
"subject": {"type": "string", "analyzer": "simple"}, | |
"issuer_subject": {"type": "string", "analyzer": "simple"}, | |
"not_valid_before": {"type": "date", "format": "basic_date_time"}, | |
"not_valid_after": {"type": "date", "format": "basic_date_time"}, | |
"cert_hash": {"type": "string", "index": "not_analyzed"}, | |
"validation_status": {"type": "string", "index": "not_analyzed"} | |
} | |
}, | |
"stats": { | |
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"}, | |
"properties": { | |
"ts": {"type": "date", "format": "basic_date_time"}, | |
"peer": {"type": "string", "index": "not_analyzed"},
"mem": {"type": "long", "index": "not_analyzed"}, | |
"pkts_proc": {"type": "long", "index": "not_analyzed"}, | |
"events_proc": {"type": "long", "index": "not_analyzed"}, | |
"events_queued": {"type": "long", "index": "not_analyzed"}, | |
"lag": {"type": "float", "index": "not_analyzed"}, | |
"pkts_recv": {"type": "long", "index": "not_analyzed"}, | |
"pkts_dropped": {"type": "long", "index": "not_analyzed"}, | |
"pkts_link": {"type": "long", "index": "not_analyzed"} | |
} | |
}, | |
"syslog": { | |
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"}, | |
"properties": { | |
"ts": {"type": "date", "format": "basic_date_time"}, | |
"uid": {"type": "string", "index": "not_analyzed"}, | |
"id.orig_h": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"id.orig_p": {"type": "integer", "index": "not_analyzed"}, | |
"id.resp_h": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"id.resp_p": {"type": "integer", "index": "not_analyzed"}, | |
"proto": {"type": "string", "index": "not_analyzed"}, | |
"facility": {"type": "string", "index": "not_analyzed"}, | |
"severity": {"type": "string", "index": "not_analyzed"}, | |
"message": {"type": "string", "analyzer": "simple"} | |
} | |
}, | |
"tunnel": { | |
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"}, | |
"properties": { | |
"ts": {"type": "date", "format": "basic_date_time"}, | |
"uid": {"type": "string", "index": "not_analyzed"}, | |
"id.orig_h": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"id.orig_p": {"type": "integer", "index": "not_analyzed"}, | |
"id.resp_h": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"id.resp_p": {"type": "integer", "index": "not_analyzed"}, | |
"tunnel_type": {"type": "string", "analyzer": "simple"}, | |
"action": {"type": "string", "analyzer": "simple"} | |
} | |
}, | |
"weird": { | |
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"}, | |
"properties": { | |
"ts": {"type": "date", "format": "basic_date_time"}, | |
"uid": {"type": "string", "index": "not_analyzed"}, | |
"id.orig_h": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"id.orig_p": {"type": "integer", "index": "not_analyzed"}, | |
"id.resp_h": {"type": "string", "analyzer": "IPAnalyzer"}, | |
"id.resp_p": {"type": "integer", "index": "not_analyzed"}, | |
"name": {"type": "string", "index": "not_analyzed"}, | |
"addl": {"type": "string", "index": "not_analyzed"}, | |
"notice": {"type": "boolean", "index": "not_analyzed"}, | |
"peer": {"type": "string", "index": "not_analyzed"} | |
} | |
} | |
} | |
} | |
} |
# REMOVE THIS LINE before use (JSON allows no comments, so the template is rejected while it is present) - This file is to be stored in /etc/elasticsearch/templates
{ | |
"bro_meta": { | |
"template": "@bro-meta", | |
"settings": { | |
"index.number_of_shards": 1, | |
"index.auto_expand_replicas": "0-all"
},
"mappings": { | |
"index": { | |
"properties": { | |
"name": {"type": "string", "index": "no"}, | |
"start": {"type": "float", "index": "not_analyzed"}, | |
"end": {"type": "float", "index": "not_analyzed"} | |
} | |
} | |
} | |
} | |
} |