Skip to content

Instantly share code, notes, and snippets.

@grigorescu

grigorescu/elasticsearch.yml

Last active October 13, 2015 18:27
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save grigorescu/4237360 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save grigorescu/4237360 to your computer and use it in GitHub Desktop.
Download ZIP
ElasticSearch Config
Raw
elasticsearch.yml
cluster.name: logs
# Puppet-ism to put in the hostname and IP
node.name: <%= @hostname %>
network.host: <%= @ipaddress %>
# Turn off multicast autodiscovery
discovery.zen.ping.unicast.hosts: 172.1.1.100:9300, 172.1.1.101:9300
index.number_of_shards: 4
index.routing.allocation.total_shards_per_node: 1
index.number_of_replicas: 0
bootstrap.mlockall: true
http.max_content_length: 256mb
index.translog.flush_threshold_period: 15s
index.merge.policy.use_compound_file: false
index.refresh_interval: 15s
indices.memory.index_buffer_size: 25%
index.cache.field.type: soft
index.gateway.snapshot_interval: 1m
Raw
elasticsearch_defaults.config
# This is a Puppet-ism to set the heap size to 75% of the RAM.
ES_HEAP_SIZE=<%= (@memorysize.sub(/[ A-Z]+/, "").to_f*0.75).to_i %>g
# Important!
#
# "We cannot stress enough how crucial it is to run ElasticSearch through Oracle’s official Java 7 distribution (no OpenJDK or Java 6).
# The performance is orders of magnitude better!" Source: <http://blog.bugsense.com/post/35580279634/indexing-bigdata-with-elasticsearch>
JAVA_HOME=/usr/java/jre1.7.0_09
ES_JAVA_OPTS="-XX:+UseTLAB -XX:+CMSClassUnloadingEnabled -XX:+CMSPermGenSweepingEnabled"
Raw
limits.conf
# Add the following to /etc/security/limits.conf
elasticsearch - nofile 65535
elasticsearch - memlock unlimited
Raw
limits_pam.conf
# Add the following to /etc/pam.d/common-session
session required pam_limits.so
Raw
template_bro_logs.json
{
"bro_logs": {
"template": "bro-*",
"settings": {
"number_of_shards": 4,
"number_of_replicas": 0,
"index.cache.field.type": "soft",
"index.refresh_interval": "30s",
"index.analysis": {
"analyzer": {
"HostnameAnalyzer": {
"type": "custom",
"tokenizer": "ReverseDotPath"
},
"IPAnalyzer": {
"type": "custom",
"char_filter" : ["ColonsToPeriods"],
"tokenizer" : "DotPath"
},
"PercentAnalyzer": {
"type": "custom",
"char_filter" : ["StripPercent"],
"tokenizer" : "whitespace"
}
},
"tokenizer": {
"ReverseDotPath": {
"type": "path_hierarchy",
"delimiter": ".",
"reverse": "true"
},
"DotPath": {
"type": "path_hierarchy",
"delimiter": "."
}
},
"char_filter": {
"ColonsToPeriods": {
"type": "mapping",
"mappings" : [":=>."]
},
"StripPercent": {
"type": "mapping",
"mappings": ["%=>0"]
}
}
}
},
"mappings": {
"_default_": {
"_all": {"enabled": false}
},
"capture_loss": {
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"},
"properties": {
"ts": {"type": "date", "format": "basic_date_time"},
"ts_delta": {"type": "float", "index": "no"},
"peer": {"type": "string", "index": "not_analyzed"},
"gaps": {"type": "long", "index": "not_analyzed"},
"acks": {"type": "long", "index": "not_analyzed"},
"percent_lost": {"type": "string", "analyzer": "PercentAnalyzer"}
}
},
"cluster": {
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"},
"properties": {
"ts": {"type": "date", "format": "basic_date_time"},
"message": {"type": "float", "index": "no"}
}
},
"communication": {
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"},
"properties": {
"ts": {"type": "date", "format": "basic_date_time"},
"peer": {"type": "string", "index": "not_analyzed"},
"src_name": {"type": "string", "index": "not_analyzed"},
"connected_peer_desc": {"type": "string", "index": "not_analyzed"},
"connected_peer_addr": {"type": "string", "index": "not_analyzed"},
"connected_peer_port": {"type": "integer", "index": "not_analyzed"},
"level": {"type": "string", "index": "not_analyzed"},
"message": {"type": "string", "analyzer": "whitespace"}
}
},
"conn": {
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"},
"properties": {
"ts": {"type": "date", "format": "basic_date_time"},
"uid": {"type": "string", "index": "not_analyzed"},
"id.orig_h": {"type": "string", "analyzer": "IPAnalyzer"},
"id.orig_p": {"type": "integer", "index": "not_analyzed"},
"id.resp_h": {"type": "string", "analyzer": "IPAnalyzer"},
"id.resp_p": {"type": "integer", "index": "not_analyzed"},
"proto": {"type": "string", "index": "not_analyzed"},
"service": {"type": "string", "index": "not_analyzed"},
"duration": {"type": "double", "index": "not_analyzed"},
"orig_bytes": {"type": "long", "index": "not_analyzed"},
"resp_bytes": {"type": "long", "index": "not_analyzed"},
"conn_state": {"type": "string", "index": "not_analyzed"},
"local_orig": {"type": "boolean", "index": "not_analyzed"},
"missed_bytes": {"type": "long", "index": "not_analyzed"},
"history": {"type": "string", "index": "not_analyzed"},
"orig_pkts": {"type": "long", "index": "not_analyzed"},
"orig_ip_bytes": {"type": "long", "index": "not_analyzed"},
"resp_pkts": {"type": "long", "index": "not_analyzed"},
"resp_ip_bytes": {"type": "long", "index": "not_analyzed"},
"orig_cc": {"type": "string", "index": "not_analyzed"},
"resp_cc": {"type": "string", "index": "not_analyzed"}
}
},
"dhcp": {
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"},
"properties": {
"ts": {"type": "date", "format": "basic_date_time"},
"uid": {"type": "string", "index": "not_analyzed"},
"id.orig_h": {"type": "string", "analyzer": "IPAnalyzer"},
"id.orig_p": {"type": "integer", "index": "not_analyzed"},
"id.resp_h": {"type": "string", "analyzer": "IPAnalyzer"},
"id.resp_p": {"type": "integer", "index": "not_analyzed"},
"mac": {"type": "string", "index": "not_analyzed"},
"assigned_ip": {"type": "string", "analyzer": "IPAnalyzer"},
"lease_time": {"type": "float", "index": "not_analyzed"},
"trans_id": {"type": "long", "index": "not_analyzed"}
}
},
"dns": {
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"},
"properties": {
"ts": {"type": "date", "format": "basic_date_time"},
"uid": {"type": "string", "index": "not_analyzed"},
"id.orig_h": {"type": "string", "analyzer": "IPAnalyzer"},
"id.orig_p": {"type": "integer", "index": "not_analyzed"},
"id.resp_h": {"type": "string", "analyzer": "IPAnalyzer"},
"id.resp_p": {"type": "integer", "index": "not_analyzed"},
"proto": {"type": "string", "index": "not_analyzed"},
"trans_id": {"type": "long", "index": "not_analyzed"},
"query": {"type": "string", "analyzer": "HostnameAnalyzer"},
"qclass": {"type": "integer", "index": "not_analyzed"},
"qclass_name": {"type": "string", "index": "not_analyzed"},
"qtype": {"type": "integer", "index": "not_analyzed"},
"qtype_name": {"type": "string", "index": "not_analyzed"},
"rcode": {"type": "integer", "index": "not_analyzed"},
"rcode_name": {"type": "string", "index": "not_analyzed"},
"AA": {"type": "boolean", "index": "not_analyzed"},
"TC": {"type": "boolean", "index": "not_analyzed"},
"RD": {"type": "boolean", "index": "not_analyzed"},
"RA": {"type": "boolean", "index": "not_analyzed"},
"Z": {"type": "boolean", "index": "not_analyzed"},
"answers": {"type": "string", "analyzer": "HostnameAnalyzer"},
"TTLs": {"type": "long", "index": "not_analyzed"}
}
},
"dpd": {
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"},
"properties": {
"ts": {"type": "date", "format": "basic_date_time"},
"uid": {"type": "string", "index": "not_analyzed"},
"id.orig_h": {"type": "string", "analyzer": "IPAnalyzer"},
"id.orig_p": {"type": "integer", "index": "not_analyzed"},
"id.resp_h": {"type": "string", "analyzer": "IPAnalyzer"},
"id.resp_p": {"type": "integer", "index": "not_analyzed"},
"proto": {"type": "string", "index": "not_analyzed"},
"analyzer": {"type": "string", "index": "not_analyzed"},
"failure_reason": {"type": "string", "index": "no"}
}
},
"ftp": {
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"},
"properties": {
"ts": {"type": "date", "format": "basic_date_time"},
"uid": {"type": "string", "index": "not_analyzed"},
"id.orig_h": {"type": "string", "analyzer": "IPAnalyzer"},
"id.orig_p": {"type": "integer", "index": "not_analyzed"},
"id.resp_h": {"type": "string", "analyzer": "IPAnalyzer"},
"id.resp_p": {"type": "integer", "index": "not_analyzed"},
"user": {"type": "string", "index": "not_analyzed"},
"password": {"type": "string", "index": "not_analyzed"},
"command": {"type": "string", "index": "not_analyzed"},
"arg": {"type": "string", "analyzer": "simple"},
"mime_type": {"type": "string", "analyzer": "simple"},
"mime_desc": {"type": "string", "index": "not_analyzed"},
"file_size": {"type": "long", "index": "not_analyzed"},
"reply_code": {"type": "integer", "index": "not_analyzed"},
"reply_msg": {"type": "string", "index": "not_analyzed"},
"tags": {"type": "string", "index": "not_analyzed"},
"cwd": {"type": "string", "analyzer": "simple"},
"cmdarg": {"type": "string", "index": "not_analyzed"},
"passive": {"type": "boolean", "index": "not_analyzed"}
}
},
"http": {
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"},
"properties": {
"ts": {"type": "date", "format": "basic_date_time"},
"uid": {"type": "string", "index": "not_analyzed"},
"id.orig_h": {"type": "string", "analyzer": "IPAnalyzer"},
"id.orig_p": {"type": "integer", "index": "not_analyzed"},
"id.resp_h": {"type": "string", "analyzer": "IPAnalyzer"},
"id.resp_p": {"type": "integer", "index": "not_analyzed"},
"trans_depth": {"type": "integer", "index": "not_analyzed"},
"method": {"type": "string", "index": "not_analyzed"},
"host": {"type": "string", "analyzer": "HostnameAnalyzer"},
"uri": {"type": "string", "analyzer": "simple"},
"referrer": {"type": "string", "analyzer": "simple"},
"user_agent": {"type": "string", "analyzer": "simple"},
"request_body_len": {"type": "long", "index": "not_analyzed"},
"response_body_len": {"type": "long", "index": "not_analyzed"},
"status_code": {"type": "integer", "index": "not_analyzed"},
"status_msg": {"type": "string", "index": "not_analyzed"},
"info_code": {"type": "integer", "index": "not_analyzed"},
"info_msg": {"type": "string", "index": "not_analyzed"},
"filename": {"type": "string", "index": "not_analyzed"},
"tags": {"type": "string", "index": "not_analyzed"},
"username": {"type": "string", "index": "not_analyzed"},
"password": {"type": "string", "index": "not_analyzed"},
"proxied": {"type": "boolean", "index": "not_analyzed"}
}
},
"irc": {
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"},
"properties": {
"ts": {"type": "date", "format": "basic_date_time"},
"uid": {"type": "string", "index": "not_analyzed"},
"id.orig_h": {"type": "string", "analyzer": "IPAnalyzer"},
"id.orig_p": {"type": "integer", "index": "not_analyzed"},
"id.resp_h": {"type": "string", "analyzer": "IPAnalyzer"},
"id.resp_p": {"type": "integer", "index": "not_analyzed"},
"nick": {"type": "string", "index": "not_analyzed"},
"user": {"type": "string", "index": "not_analyzed"},
"command": {"type": "string", "index": "not_analyzed"},
"value": {"type": "string", "analyzer": "simple"},
"addl": {"type": "string", "analyzer": "simple"}
}
},
"known_certs": {
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"},
"properties": {
"ts": {"type": "date", "format": "basic_date_time"},
"host": {"type": "string", "analyzer": "IPAnalyzer"},
"port_num": {"type": "integer", "index": "not_analyzed"},
"subject": {"type": "string", "analyzer": "simple"},
"issuer_subject": {"type": "string", "analyzer": "simple"},
"serial": {"type": "string", "index": "not_analyzed"}
}
},
"known_hosts": {
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"},
"properties": {
"ts": {"type": "date", "format": "basic_date_time"},
"host": {"type": "string", "analyzer": "IPAnalyzer"}
}
},
"known_services": {
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"},
"properties": {
"ts": {"type": "date", "format": "basic_date_time"},
"host": {"type": "string", "analyzer": "IPAnalyzer"},
"port_num": {"type": "integer", "index": "not_analyzed"},
"port_proto": {"type": "string", "index": "not_analyzed"},
"service": {"type": "string", "index": "not_analyzed"}
}
},
"intel": {
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"},
"properties": {
"ts": {"type": "date", "format": "basic_date_time"},
"uid": {"type": "string", "index": "not_analyzed"},
"id.orig_h": {"type": "string", "analyzer": "IPAnalyzer"},
"id.orig_p": {"type": "integer", "index": "not_analyzed"},
"id.resp_h": {"type": "string", "analyzer": "IPAnalyzer"},
"id.resp_p": {"type": "integer", "index": "not_analyzed"},
"seen.host": {"type": "string", "analyzer": "IPAnalyzer"},
"seen.where": {"type": "string", "analyzer": "simple"},
"sources": {"type": "string", "index": "not_analyzed"}
}
},
"loaded_scripts": {
"properties": {
"name": {"type": "string", "index": "not_analyzed"}
}
},
"modbus": {
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"},
"properties": {
"ts": {"type": "date", "format": "basic_date_time"},
"uid": {"type": "string", "index": "not_analyzed"},
"id.orig_h": {"type": "string", "analyzer": "IPAnalyzer"},
"id.orig_p": {"type": "integer", "index": "not_analyzed"},
"id.resp_h": {"type": "string", "analyzer": "IPAnalyzer"},
"id.resp_p": {"type": "integer", "index": "not_analyzed"},
"func": {"type": "string", "index": "not_analyzed"},
"exception": {"type": "string", "index": "not_analyzed"}
}
},
"notice": {
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"},
"properties": {
"ts": {"type": "date", "format": "basic_date_time"},
"uid": {"type": "string", "index": "not_analyzed"},
"id.orig_h": {"type": "string", "analyzer": "IPAnalyzer"},
"id.orig_p": {"type": "integer", "index": "not_analyzed"},
"id.resp_h": {"type": "string", "analyzer": "IPAnalyzer"},
"id.resp_p": {"type": "integer", "index": "not_analyzed"},
"proto": {"type": "string", "index": "not_analyzed"},
"note": {"type": "string", "analyzer": "simple"},
"msg": {"type": "string", "analyzer": "simple"},
"sub": {"type": "string", "analyzer": "simple"},
"src": {"type": "string", "analyzer": "IPAnalyzer"},
"dst": {"type": "string", "analyzer": "IPAnalyzer"},
"p": {"type": "integer", "index": "not_analyzed"},
"n": {"type": "integer", "index": "not_analyzed"},
"src_peer": {"type": "string", "analyzer": "IPAnalyzer"},
"peer_descr": {"type": "string", "index": "not_analyzed"},
"actions": {"type": "string", "analyzer": "simple"},
"suppress_for": {"type": "double", "index": "not_analyzed"}
}
},
"notice_alarm": {
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"},
"properties": {
"ts": {"type": "date", "format": "basic_date_time"},
"uid": {"type": "string", "index": "not_analyzed"},
"id.orig_h": {"type": "string", "analyzer": "IPAnalyzer"},
"id.orig_p": {"type": "integer", "index": "not_analyzed"},
"id.resp_h": {"type": "string", "analyzer": "IPAnalyzer"},
"id.resp_p": {"type": "integer", "index": "not_analyzed"},
"proto": {"type": "string", "index": "not_analyzed"},
"note": {"type": "string", "analyzer": "simple"},
"msg": {"type": "string", "analyzer": "simple"},
"sub": {"type": "string", "analyzer": "simple"},
"src": {"type": "string", "analyzer": "IPAnalyzer"},
"dst": {"type": "string", "analyzer": "IPAnalyzer"},
"p": {"type": "integer", "index": "not_analyzed"},
"n": {"type": "integer", "index": "not_analyzed"},
"src_peer": {"type": "string", "analyzer": "IPAnalyzer"},
"peer_descr": {"type": "string", "index": "not_analyzed"},
"actions": {"type": "string", "analyzer": "simple"},
"suppress_for": {"type": "double", "index": "not_analyzed"}
}
},
"packet_filter": {
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"},
"properties": {
"ts": {"type": "date", "format": "basic_date_time"},
"node": {"type": "string", "analyzer": "IPAnalyzer"},
"filter": {"type": "string", "analyzer": "simple"},
"init": {"type": "boolean", "index": "not_analyzed"},
"success": {"type": "boolean", "index": "not_analyzed"}
}
},
"reporter": {
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"},
"properties": {
"ts": {"type": "date", "format": "basic_date_time"},
"level": {"type": "string", "analyzer": "simple"},
"message": {"type": "string", "analyzer": "simple"},
"location": {"type": "string", "analyzer": "simple"}
}
},
"signatures": {
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"},
"properties": {
"ts": {"type": "date", "format": "basic_date_time"},
"src_addr": {"type": "string", "analyzer": "IPAnalyzer"},
"src_port": {"type": "integer", "index": "not_analyzed"},
"dst_addr": {"type": "string", "analyzer": "IPAnalyzer"},
"dst_port": {"type": "integer", "index": "not_analyzed"},
"note": {"type": "string", "analyzer": "simple"},
"sig_id": {"type": "string", "index": "not_analyzed"},
"event_msg": {"type": "string", "analyzer": "simple"},
"sub_msg": {"type": "string", "analyzer": "simple"},
"sig_count": {"type": "long", "index": "not_analyzed"},
"host_count": {"type": "long", "index": "not_analyzed"}
}
},
"smtp": {
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"},
"properties": {
"ts": {"type": "date", "format": "basic_date_time"},
"uid": {"type": "string", "index": "not_analyzed"},
"id.orig_h": {"type": "string", "analyzer": "IPAnalyzer"},
"id.orig_p": {"type": "integer", "index": "not_analyzed"},
"id.resp_h": {"type": "string", "analyzer": "IPAnalyzer"},
"id.resp_p": {"type": "integer", "index": "not_analyzed"},
"trans_depth": {"type": "integer", "index": "not_analyzed"},
"helo": {"type": "string", "analyzer": "HostnameAnalyzer"},
"mailfrom": {"type": "string", "analyzer": "simple"},
"rcptto": {"type": "string", "analyzer": "simple"},
"date": {"type": "string", "index": "not_analyzed"},
"from": {"type": "string", "analyzer": "simple"},
"to": {"type": "string", "analyzer": "simple"},
"reply_to": {"type": "string", "analyzer": "simple"},
"msg_id": {"type": "string", "index": "not_analyzed"},
"in_reply_to": {"type": "string", "index": "not_analyzed"},
"subject": {"type": "string", "analyzer": "simple"},
"x_originating_ip": {"type": "string", "analyzer": "IPAnalyzer"},
"first_received": {"type": "string", "index": "not_analyzed"},
"second_received": {"type": "string", "analyzer": "simple"},
"last_reply": {"type": "string", "analyzer": "simple"},
"path": {"type": "string", "analyzer": "IPAnalyzer"},
"user_agent": {"type": "string", "index": "not_analyzed"}
}
},
"smtp_entities": {
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"},
"properties": {
"ts": {"type": "date", "format": "basic_date_time"},
"uid": {"type": "string", "index": "not_analyzed"},
"id.orig_h": {"type": "string", "analyzer": "IPAnalyzer"},
"id.orig_p": {"type": "integer", "index": "not_analyzed"},
"id.resp_h": {"type": "string", "analyzer": "IPAnalyzer"},
"id.resp_p": {"type": "integer", "index": "not_analyzed"},
"trans_depth": {"type": "integer", "index": "not_analyzed"},
"filename": {"type": "string", "index": "not_analyzed"},
"content_len": {"type": "long", "index": "not_analyzed"},
"mime_type": {"type": "string", "analyzer": "simple"},
"md5": {"type": "string", "index": "not_analyzed"},
"calc_md5": {"type": "boolean", "index": "not_analyzed"},
"extract_file": {"type": "boolean", "index": "not_analyzed"},
"file": {"type": "string", "index": "not_analyzed"}
}
},
"sip" : {
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"},
"properties": {
"ts": {"type": "date", "format": "basic_date_time"},
"uid": {"type": "string", "index": "not_analyzed"},
"id.orig_h": {"type": "string", "analyzer": "IPAnalyzer"},
"id.orig_p": {"type": "integer", "index": "not_analyzed"},
"id.resp_h": {"type": "string", "analyzer": "IPAnalyzer"},
"id.resp_p": {"type": "integer", "index": "not_analyzed"},
"trans_depth": {"type": "integer", "index": "not_analyzed"},
"method": {"type": "string", "index": "not_analyzed"},
"from": {"type": "string", "analyzer": "simple"},
"to": {"type": "string", "analyzer": "simple"},
"call_id": {"type": "string", "index": "not_analyzed"},
"seq": {"type": "string", "index": "not_analyzed"},
"path": {"type": "string", "analyzer": "simple"},
"user_agent": {"type": "string", "index": "not_analyzed"},
"request_body_len": {"type": "long", "index": "not_analyzed"},
"response_body_len": {"type": "long", "index": "not_analyzed"}
},
"socks": {
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"},
"properties": {
"ts": {"type": "date", "format": "basic_date_time"},
"uid": {"type": "string", "index": "not_analyzed"},
"id.orig_h": {"type": "string", "analyzer": "IPAnalyzer"},
"id.orig_p": {"type": "integer", "index": "not_analyzed"},
"id.resp_h": {"type": "string", "analyzer": "IPAnalyzer"},
"id.resp_p": {"type": "integer", "index": "not_analyzed"},
"version": {"type": "integer", "index": "not_analyzed"},
"user": {"type": "string", "index": "not_analyzed"},
"status": {"type": "string", "index": "not_analyzed"},
"request": {"type": "string", "index": "not_analyzed"},
"request_p": {"type": "integer", "index": "not_analyzed"},
"bound": {"type": "string", "index": "not_analyzed"},
"bound_p": {"type": "integer", "index": "not_analyzed"}
}
},
"software": {
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"},
"properties": {
"ts": {"type": "date", "format": "basic_date_time"},
"uid": {"type": "string", "index": "not_analyzed"},
"host": {"type": "string", "analyzer": "IPAnalyzer"},
"host_p": {"type": "integer", "index": "not_analyzed"},
"software_type": {"type": "string", "analyzer": "simple"},
"name": {"type": "string", "analyzer": "simple"},
"version": {"type": "string", "index": "not_analyzed"},
"version.major": {"type": "string", "index": "not_analyzed"},
"version.minor": {"type": "string", "index": "not_analyzed"},
"version.minor2": {"type": "string", "index": "not_analyzed"},
"unparsed_version": {"type": "string", "analyzer": "simple"},
"url": {"type": "string", "analyzer": "simple"}
}
},
"ssh": {
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"},
"properties": {
"ts": {"type": "date", "format": "basic_date_time"},
"uid": {"type": "string", "index": "not_analyzed"},
"id.orig_h": {"type": "string", "analyzer": "IPAnalyzer"},
"id.orig_p": {"type": "integer", "index": "not_analyzed"},
"id.resp_h": {"type": "string", "analyzer": "IPAnalyzer"},
"id.resp_p": {"type": "integer", "index": "not_analyzed"},
"status": {"type": "string", "index": "not_analyzed"},
"direction": {"type": "string", "index": "not_analyzed"},
"client": {"type": "string", "analyzer": "simple"},
"server": {"type": "string", "analyzer": "simple"},
"resp_size": {"type": "long", "index": "not_analyzed"}
}
},
"ssl": {
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"},
"properties": {
"ts": {"type": "date", "format": "basic_date_time"},
"uid": {"type": "string", "index": "not_analyzed"},
"id.orig_h": {"type": "string", "analyzer": "IPAnalyzer"},
"id.orig_p": {"type": "integer", "index": "not_analyzed"},
"id.resp_h": {"type": "string", "analyzer": "IPAnalyzer"},
"id.resp_p": {"type": "integer", "index": "not_analyzed"},
"version": {"type": "string", "index": "not_analyzed"},
"cipher": {"type": "string", "index": "not_analyzed"},
"server_name": {"type": "string", "index": "not_analyzed"},
"session_id": {"type": "string", "index": "not_analyzed"},
"subject": {"type": "string", "analyzer": "simple"},
"issuer_subject": {"type": "string", "analyzer": "simple"},
"not_valid_before": {"type": "date", "format": "basic_date_time"},
"not_valid_after": {"type": "date", "format": "basic_date_time"},
"cert_hash": {"type": "string", "index": "not_analyzed"},
"validation_status": {"type": "string", "index": "not_analyzed"}
}
},
"stats": {
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"},
"properties": {
"ts": {"type": "date", "format": "basic_date_time"},
"peer": {"type": "string", "index": "not_analzyed"},
"mem": {"type": "long", "index": "not_analyzed"},
"pkts_proc": {"type": "long", "index": "not_analyzed"},
"events_proc": {"type": "long", "index": "not_analyzed"},
"events_queued": {"type": "long", "index": "not_analyzed"},
"lag": {"type": "float", "index": "not_analyzed"},
"pkts_recv": {"type": "long", "index": "not_analyzed"},
"pkts_dropped": {"type": "long", "index": "not_analyzed"},
"pkts_link": {"type": "long", "index": "not_analyzed"}
}
},
"syslog": {
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"},
"properties": {
"ts": {"type": "date", "format": "basic_date_time"},
"uid": {"type": "string", "index": "not_analyzed"},
"id.orig_h": {"type": "string", "analyzer": "IPAnalyzer"},
"id.orig_p": {"type": "integer", "index": "not_analyzed"},
"id.resp_h": {"type": "string", "analyzer": "IPAnalyzer"},
"id.resp_p": {"type": "integer", "index": "not_analyzed"},
"proto": {"type": "string", "index": "not_analyzed"},
"facility": {"type": "string", "index": "not_analyzed"},
"severity": {"type": "string", "index": "not_analyzed"},
"message": {"type": "string", "analyzer": "simple"}
}
},
"tunnel": {
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"},
"properties": {
"ts": {"type": "date", "format": "basic_date_time"},
"uid": {"type": "string", "index": "not_analyzed"},
"id.orig_h": {"type": "string", "analyzer": "IPAnalyzer"},
"id.orig_p": {"type": "integer", "index": "not_analyzed"},
"id.resp_h": {"type": "string", "analyzer": "IPAnalyzer"},
"id.resp_p": {"type": "integer", "index": "not_analyzed"},
"tunnel_type": {"type": "string", "analyzer": "simple"},
"action": {"type": "string", "analyzer": "simple"}
}
},
"weird": {
"_timestamp": {"type": "date", "enabled": "true", "path": "ts"},
"properties": {
"ts": {"type": "date", "format": "basic_date_time"},
"uid": {"type": "string", "index": "not_analyzed"},
"id.orig_h": {"type": "string", "analyzer": "IPAnalyzer"},
"id.orig_p": {"type": "integer", "index": "not_analyzed"},
"id.resp_h": {"type": "string", "analyzer": "IPAnalyzer"},
"id.resp_p": {"type": "integer", "index": "not_analyzed"},
"name": {"type": "string", "index": "not_analyzed"},
"addl": {"type": "string", "index": "not_analyzed"},
"notice": {"type": "boolean", "index": "not_analyzed"},
"peer": {"type": "string", "index": "not_analyzed"}
}
}
}
}
}
Raw
template_bro_meta.json
# REMOVE THIS LINE - This file is to be stored in /etc/elasticsearch/templates
{
"bro_meta": {
"template": "@bro-meta",
"settings": {
"index.number_of_shards": 1,
"index.auto_expand_replicas": "0-all",
"mappings": {
"index": {
"properties": {
"name": {"type": "string", "index": "no"},
"start": {"type": "float", "index": "not_analyzed"},
"end": {"type": "float", "index": "not_analyzed"}
}
}
}
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment