index/stream template mapping


it is important to map a few fields explicitly as type ip and some others as geo_point: left to dynamic mapping they end up as text/keyword, and IP-range and geo queries (Kibana maps included) will not work on them

here’s our sample: https://pub.nethence.com/bin/logging/logs-template-mapping.json

suricata fields

dest_ip
dest_port
flow.age
flow.bytes_toclient
flow.bytes_toserver
flow.dest_ip
flow.dest_port
flow.pkts_toclient
flow.pkts_toserver
flow.src_ip
flow.src_port
src_ip
src_port

ECS fields

destination.geo.location
destination.geo.name
destination.ip
geo.location
source.geo.location
source.geo.name
source.ip

peers & brutes fields

destination.bytes
source.bytes

acceptance

check the index template

echo $endpoint
echo $user
echo $passwd

template=logs-template

curl -sk "$endpoint/_index_template/$template?pretty" -u "$user:$passwd"
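as an added example (not the template file linked above), this builds the nested mapping tree for the ip and geo_point fields listed on this page from their dotted names, and runs an acceptance check over the JSON the GET above returns; the field names are the page's, the body shape is the ES 7.x _index_template API, and BAD_RESPONSE is a constructed sample

```python
import json

# Field names are the ones listed on this page; the nested 'properties' tree is
# built from the dotted names.  Added example, not the page's own template file.
IP_FIELDS = ["src_ip", "dest_ip", "flow.src_ip", "flow.dest_ip", "source.ip", "destination.ip"]
GEO_FIELDS = ["geo.location", "source.geo.location", "destination.geo.location"]
REQUIRED = {**{f: "ip" for f in IP_FIELDS}, **{f: "geo_point" for f in GEO_FIELDS}}

def set_field(props, dotted, es_type):
    """Insert a dotted field name into a nested 'properties' tree."""
    *parents, leaf = dotted.split(".")
    for part in parents:
        props = props.setdefault(part, {}).setdefault("properties", {})
    props[leaf] = {"type": es_type}

def build_template(pattern="logs-*"):
    """Body for PUT /_index_template/<name> (ES 7.x shape) carrying the typed fields."""
    props = {}
    for field, es_type in REQUIRED.items():
        set_field(props, field, es_type)
    return {"index_patterns": [pattern], "template": {"mappings": {"properties": props}}}

def flatten(props, prefix=""):
    """Yield (dotted name, type) for every typed leaf in a 'properties' tree."""
    for name, spec in props.items():
        if "properties" in spec:
            yield from flatten(spec["properties"], prefix + name + ".")
        if "type" in spec:
            yield prefix + name, spec["type"]

def check_template(get_response):
    """Acceptance check on the JSON from GET /_index_template/<name>: returns
    (field, wanted type, actual type or None) for each required field mapped wrongly."""
    problems = []
    for entry in get_response.get("index_templates", []):
        mappings = entry["index_template"].get("template", {}).get("mappings", {})
        found = dict(flatten(mappings.get("properties", {})))
        for field, want in REQUIRED.items():
            if found.get(field) != want:
                problems.append((field, want, found.get(field)))
    return problems

# Constructed sample: src_ip was left to dynamic mapping and became a keyword.
BAD_RESPONSE = {"index_templates": [{"name": "logs-template", "index_template": {
    "index_patterns": ["logs-*"], "template": {"mappings": {"properties": {
        "src_ip": {"type": "keyword"}, "dest_ip": {"type": "ip"}}}}}}]}

if __name__ == "__main__":
    print(json.dumps(build_template(), indent=2))  # body for the PUT
    print(check_template(BAD_RESPONSE))            # lists the 8 problems
```

feed the real GET output to check_template (json.load on the curl result) to confirm the deployed template still carries the ip and geo_point types after an upgrade or a re-push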

resources

https://www.elastic.co/guide/en/elasticsearch/reference/7.17/indices-get-template.html

https://www.elastic.co/guide/en/elasticsearch/reference/7.17/index-templates.html

https://www.elastic.co/guide/en/elasticsearch/reference/7.17/indices-get-settings.html

total fields limit

https://www.elastic.co/guide/en/elasticsearch/reference/7.17/mapping-settings-limit.html

https://stackoverflow.com/questions/55372330/what-does-limit-of-total-fields-1000-in-index-has-been-exceeded-means-in


Copyright © 2024 Pierre-Philipp Braun