From 50de0fd03c01d4aef2197fb02f6710285f44fb0f Mon Sep 17 00:00:00 2001 From: Elastic Machine Date: Mon, 17 Jul 2023 07:50:42 -0500 Subject: [PATCH] [automation] Publish kubernetes templates for elastic-agent (#3089) Co-authored-by: apmmachine --- .../templates.d/apache.yml | 38 +++-- .../templates.d/cef.yml | 20 +++ .../templates.d/checkpoint.yml | 3 +- .../templates.d/cockroachdb.yml | 4 +- .../templates.d/cyberarkpas.yml | 35 ++-- .../templates.d/elasticsearch.yml | 128 +++++++------- .../templates.d/iis.yml | 3 +- .../templates.d/infoblox_nios.yml | 37 +++-- .../templates.d/iptables.yml | 2 + .../templates.d/kafka.yml | 60 +++---- .../templates.d/kibana.yml | 112 ++++++++----- .../templates.d/log.yml | 12 +- .../templates.d/logstash.yml | 50 +++--- .../templates.d/mattermost.yml | 3 +- .../templates.d/microsoft_sqlserver.yml | 58 +++---- .../templates.d/mimecast.yml | 32 ++-- .../templates.d/modsecurity.yml | 3 +- .../templates.d/mongodb.yml | 22 ++- .../templates.d/netflow.yml | 1 + .../templates.d/nginx.yml | 8 +- .../templates.d/panw.yml | 1 + .../templates.d/pfsense.yml | 42 ++--- .../templates.d/postgresql.yml | 8 + .../templates.d/prometheus.yml | 5 +- .../templates.d/rabbitmq.yml | 56 +++---- .../templates.d/redis.yml | 72 ++++---- .../templates.d/snort.yml | 32 ++-- .../templates.d/symantec_endpoint.yml | 44 ++--- .../templates.d/synthetics.yml | 42 +++-- .../templates.d/tcp.yml | 1 + .../templates.d/tomcat.yml | 44 ++--- .../templates.d/udp.yml | 1 + .../templates.d/zeek.yml | 156 +++++++++++++----- 33 files changed, 661 insertions(+), 474 deletions(-) diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/apache.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/apache.yml index f99e78d36f7..42ae66a4d2e 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/apache.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/apache.yml 
@@ -1,19 +1,4 @@ inputs: - - name: apache/metrics-apache - type: apache/metrics - use_output: default - streams: - - condition: ${kubernetes.hints.apache.status.enabled} == true or ${kubernetes.hints.apache.enabled} == true - data_stream: - dataset: apache.status - type: metrics - hosts: - - ${kubernetes.hints.apache.status.host|kubernetes.hints.apache.host|'http://127.0.0.1'} - metricsets: - - status - period: ${kubernetes.hints.apache.status.period|kubernetes.hints.apache.period|'30s'} - server_status_path: /server-status - data_stream.namespace: default - name: filestream-apache type: filestream use_output: default @@ -59,7 +44,9 @@ inputs: type: httpjson use_output: default streams: - - condition: ${kubernetes.hints.apache.access.enabled} == true and ${kubernetes.hints.apache.enabled} == true + - auth.basic.password: ${kubernetes.hints.apache.access.password|kubernetes.hints.apache.password|''} + auth.basic.user: ${kubernetes.hints.apache.access.username|kubernetes.hints.apache.username|''} + condition: ${kubernetes.hints.apache.access.enabled} == true and ${kubernetes.hints.apache.enabled} == true config_version: "2" cursor: index_earliest: @@ -95,7 +82,9 @@ inputs: tags: - forwarded - apache-access - - condition: ${kubernetes.hints.apache.error.enabled} == true and ${kubernetes.hints.apache.enabled} == true + - auth.basic.password: ${kubernetes.hints.apache.error.password|kubernetes.hints.apache.password|''} + auth.basic.user: ${kubernetes.hints.apache.error.username|kubernetes.hints.apache.username|''} + condition: ${kubernetes.hints.apache.error.enabled} == true and ${kubernetes.hints.apache.enabled} == true config_version: 2 cursor: index_earliest: 
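Review bot: The `auth.basic.password` / `auth.basic.user` values added at @@ -59 and @@ -95 are resolved from pod hints, so the credential is carried as a plaintext pod annotation, readable by anyone with read access to the Pod object and captured wherever the pod spec is logged. The same pattern is introduced in the cockroachdb, elasticsearch, kafka, kibana and logstash hunks below. Since these templates are published by automation, the fix belongs upstream, but a leading comment would help operators, e.g. `# username/password hints are pod annotations (plaintext); prefer a kubernetes_secrets provider reference over a literal value` where that provider is available. The empty-string default presumably disables basic auth silently rather than failing; worth confirming that is the intended fallback.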
@@ -132,3 +121,18 @@ inputs: - forwarded - apache-error data_stream.namespace: default + - name: apache/metrics-apache + type: apache/metrics + use_output: default + streams: + - condition: ${kubernetes.hints.apache.status.enabled} == true or ${kubernetes.hints.apache.enabled} == true + data_stream: + dataset: apache.status + type: metrics + hosts: + - ${kubernetes.hints.apache.status.host|kubernetes.hints.apache.host|'http://127.0.0.1'} + metricsets: + - status + period: ${kubernetes.hints.apache.status.period|kubernetes.hints.apache.period|'30s'} + server_status_path: /server-status + data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/cef.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/cef.yml index 524cb6159f3..7cfc79e1ea9 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/cef.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/cef.yml @@ -49,3 +49,23 @@ inputs: - cef - forwarded data_stream.namespace: default + - name: tcp-cef + type: tcp + use_output: default + streams: + - condition: ${kubernetes.hints.cef.log.enabled} == true or ${kubernetes.hints.cef.enabled} == true + data_stream: + dataset: cef.log + type: logs + host: localhost:9004 + processors: + - rename: + fields: + - from: message + to: event.original + - decode_cef: + field: event.original + tags: + - cef + - forwarded + data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/checkpoint.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/checkpoint.yml index c8d49475fb3..c46ce17f6b2 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/checkpoint.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/checkpoint.yml 
@@ -13,7 +13,8 @@ inputs: - container: format: auto stream: ${kubernetes.hints.checkpoint.firewall.stream|'all'} - paths: null + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log processors: - add_locale: null - add_fields: diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/cockroachdb.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/cockroachdb.yml index ef637384ddc..2810a327a8e 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/cockroachdb.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/cockroachdb.yml @@ -15,11 +15,11 @@ inputs: metrics_path: /_status/vars metricsets: - collector - password: null + password: ${kubernetes.hints.cockroachdb.status.password|kubernetes.hints.cockroachdb.password|''} period: ${kubernetes.hints.cockroachdb.status.period|kubernetes.hints.cockroachdb.period|'10s'} ssl.certificate_authorities: null use_types: true - username: null + username: ${kubernetes.hints.cockroachdb.status.username|kubernetes.hints.cockroachdb.username|''} data_stream.namespace: default - name: filestream-cockroachdb type: filestream diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/cyberarkpas.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/cyberarkpas.yml index 481f33da6d6..efd5f7211d7 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/cyberarkpas.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/cyberarkpas.yml @@ -1,4 +1,20 @@ inputs: + - name: tcp-cyberarkpas + type: tcp + use_output: default + streams: + - condition: ${kubernetes.hints.cyberarkpas.audit.enabled} == true or ${kubernetes.hints.cyberarkpas.enabled} == true + data_stream: + dataset: cyberarkpas.audit + type: logs + host: localhost:9301 + processors: + - add_locale: null + tags: + - cyberarkpas-audit + - forwarded + tcp: null + data_stream.namespace: default - name: udp-cyberarkpas type: udp use_output: default 
@@ -29,7 +45,8 @@ inputs: - container: format: auto stream: ${kubernetes.hints.cyberarkpas.audit.stream|'all'} - paths: null + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log processors: - add_locale: null prospector: @@ -39,19 +56,3 @@ inputs: - forwarded - cyberarkpas-audit data_stream.namespace: default - - name: tcp-cyberarkpas - type: tcp - use_output: default - streams: - - condition: ${kubernetes.hints.cyberarkpas.audit.enabled} == true or ${kubernetes.hints.cyberarkpas.enabled} == true - data_stream: - dataset: cyberarkpas.audit - type: logs - host: localhost:9301 - processors: - - add_locale: null - tags: - - cyberarkpas-audit - - forwarded - tcp: null - data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/elasticsearch.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/elasticsearch.yml index 82060c4d961..ed5aae8dcc6 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/elasticsearch.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/elasticsearch.yml @@ -21,36 +21,18 @@ inputs: fields: ecs.version: 1.10.0 target: "" - - else: - - script: - id: elasticsearch_audit - lang: javascript - source: | - var requestRegex = new RegExp("request_body=\\\[(.*)\\\]$"); function process(event) { - var message = event.Get("message"); - if (message !== null) { - var matches = message.match(requestRegex); - if (matches && matches.length > 1) { - event.Put("_request", matches[1]); - } - } - } - if: - regexp: - message: ^{ - then: - - decode_json_fields: - fields: - - message - target: _json - - rename: - fields: - - from: _json.request.body - to: _request - ignore_missing: true - - drop_fields: - fields: - - _json + - decode_json_fields: + fields: + - message + target: _json + - rename: + fields: + - from: _json.request.body + to: _request + ignore_missing: true + - drop_fields: + fields: + - _json - detect_mime_type: field: _request target: http.request.mime_type 
@@ -69,22 +51,12 @@ inputs: - .gz$ - _slowlog.log$ - _access.log$ - multiline: - match: after - negate: true - pattern: ^(\[[0-9]{4}-[0-9]{2}-[0-9]{2}|{) parsers: - container: format: auto stream: ${kubernetes.hints.elasticsearch.deprecation.stream|'all'} paths: - /var/log/containers/*${kubernetes.hints.container_id}.log - processors: - - add_locale.when.not.regexp.message: ^{ - - add_fields: - fields: - ecs.version: 1.10.0 - target: "" prospector: scanner: symlinks: true @@ -126,22 +98,12 @@ inputs: - _slowlog.log$ - _access.log$ - _deprecation.log$ - multiline: - match: after - negate: true - pattern: ^(\[[0-9]{4}-[0-9]{2}-[0-9]{2}|{) parsers: - container: format: auto stream: ${kubernetes.hints.elasticsearch.server.stream|'all'} paths: - /var/log/containers/*${kubernetes.hints.container_id}.log - processors: - - add_locale.when.not.regexp.message: ^{ - - add_fields: - fields: - ecs.version: 1.10.0 - target: "" prospector: scanner: symlinks: true @@ -151,22 +113,12 @@ inputs: type: logs exclude_files: - .gz$ - multiline: - match: after - negate: true - pattern: ^(\[?[0-9]{4}-[0-9]{2}-[0-9]{2}|{) parsers: - container: format: auto stream: ${kubernetes.hints.elasticsearch.slowlog.stream|'all'} paths: - /var/log/containers/*${kubernetes.hints.container_id}.log - processors: - - add_locale.when.not.regexp.message: ^{ - - add_fields: - fields: - ecs.version: 1.10.0 - target: "" prospector: scanner: symlinks: true 
@@ -183,8 +135,10 @@ inputs: - ${kubernetes.hints.elasticsearch.ccr.host|kubernetes.hints.elasticsearch.host|'http://localhost:9200'} metricsets: - ccr - period: null + password: ${kubernetes.hints.elasticsearch.ccr.password|kubernetes.hints.elasticsearch.password|''} + period: ${kubernetes.hints.elasticsearch.ccr.period|kubernetes.hints.elasticsearch.period|'10s'} scope: node + username: ${kubernetes.hints.elasticsearch.ccr.username|kubernetes.hints.elasticsearch.username|''} - condition: ${kubernetes.hints.elasticsearch.cluster_stats.enabled} == true or ${kubernetes.hints.elasticsearch.enabled} == true data_stream: dataset: elasticsearch.stack_monitoring.cluster_stats @@ -193,8 +147,10 @@ inputs: - ${kubernetes.hints.elasticsearch.cluster_stats.host|kubernetes.hints.elasticsearch.host|'http://localhost:9200'} metricsets: - cluster_stats - period: null + password: ${kubernetes.hints.elasticsearch.cluster_stats.password|kubernetes.hints.elasticsearch.password|''} + period: ${kubernetes.hints.elasticsearch.cluster_stats.period|kubernetes.hints.elasticsearch.period|'10s'} scope: node + username: ${kubernetes.hints.elasticsearch.cluster_stats.username|kubernetes.hints.elasticsearch.username|''} - condition: ${kubernetes.hints.elasticsearch.enrich.enabled} == true or ${kubernetes.hints.elasticsearch.enabled} == true data_stream: dataset: elasticsearch.stack_monitoring.enrich 
@@ -203,8 +159,10 @@ inputs: - ${kubernetes.hints.elasticsearch.enrich.host|kubernetes.hints.elasticsearch.host|'http://localhost:9200'} metricsets: - enrich - period: null + password: ${kubernetes.hints.elasticsearch.enrich.password|kubernetes.hints.elasticsearch.password|''} + period: ${kubernetes.hints.elasticsearch.enrich.period|kubernetes.hints.elasticsearch.period|'10s'} scope: node + username: ${kubernetes.hints.elasticsearch.enrich.username|kubernetes.hints.elasticsearch.username|''} - condition: ${kubernetes.hints.elasticsearch.index.enabled} == true or ${kubernetes.hints.elasticsearch.enabled} == true data_stream: dataset: elasticsearch.stack_monitoring.index 
@@ -213,18 +171,23 @@ inputs: - ${kubernetes.hints.elasticsearch.index.host|kubernetes.hints.elasticsearch.host|'http://localhost:9200'} metricsets: - index - period: null + password: ${kubernetes.hints.elasticsearch.index.password|kubernetes.hints.elasticsearch.password|''} + period: ${kubernetes.hints.elasticsearch.index.period|kubernetes.hints.elasticsearch.period|'10s'} scope: node + username: ${kubernetes.hints.elasticsearch.index.username|kubernetes.hints.elasticsearch.username|''} - condition: ${kubernetes.hints.elasticsearch.index_recovery.enabled} == true or ${kubernetes.hints.elasticsearch.enabled} == true data_stream: dataset: elasticsearch.stack_monitoring.index_recovery type: metrics hosts: - ${kubernetes.hints.elasticsearch.index_recovery.host|kubernetes.hints.elasticsearch.host|'http://localhost:9200'} + index_recovery.active_only: true metricsets: - index_recovery - period: null + password: ${kubernetes.hints.elasticsearch.index_recovery.password|kubernetes.hints.elasticsearch.password|''} + period: ${kubernetes.hints.elasticsearch.index_recovery.period|kubernetes.hints.elasticsearch.period|'10s'} scope: node + username: ${kubernetes.hints.elasticsearch.index_recovery.username|kubernetes.hints.elasticsearch.username|''} - condition: ${kubernetes.hints.elasticsearch.index_summary.enabled} == true or ${kubernetes.hints.elasticsearch.enabled} == true data_stream: dataset: elasticsearch.stack_monitoring.index_summary 
@@ -233,8 +196,23 @@ inputs: - ${kubernetes.hints.elasticsearch.index_summary.host|kubernetes.hints.elasticsearch.host|'http://localhost:9200'} metricsets: - index_summary + password: ${kubernetes.hints.elasticsearch.index_summary.password|kubernetes.hints.elasticsearch.password|''} + period: ${kubernetes.hints.elasticsearch.index_summary.period|kubernetes.hints.elasticsearch.period|'10s'} + scope: node + username: ${kubernetes.hints.elasticsearch.index_summary.username|kubernetes.hints.elasticsearch.username|''} + - condition: ${kubernetes.hints.elasticsearch.ingest_pipeline.enabled} == true or ${kubernetes.hints.elasticsearch.enabled} == true + data_stream: + dataset: elasticsearch.ingest_pipeline + type: metrics + hosts: + - ${kubernetes.hints.elasticsearch.ingest_pipeline.host|kubernetes.hints.elasticsearch.host|'http://localhost:9200'} + ingest_pipeline.processor_sample_rate: 0.25 + metricsets: + - ingest_pipeline + password: ${kubernetes.hints.elasticsearch.ingest_pipeline.password|kubernetes.hints.elasticsearch.password|''} period: null scope: node + username: ${kubernetes.hints.elasticsearch.ingest_pipeline.username|kubernetes.hints.elasticsearch.username|''} - condition: ${kubernetes.hints.elasticsearch.ml_job.enabled} == true or ${kubernetes.hints.elasticsearch.enabled} == true data_stream: dataset: elasticsearch.stack_monitoring.ml_job 
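Review bot: The new `ingest_pipeline` stream keeps `period: null` while every sibling stream in this file is switched to a hint-driven period with a `'10s'` default, so this one stream ignores the `kubernetes.hints.elasticsearch.period` hint. For consistency: `period: ${kubernetes.hints.elasticsearch.ingest_pipeline.period|kubernetes.hints.elasticsearch.period|'10s'}`. `ingest_pipeline.processor_sample_rate: 0.25` is a bare magic value in the template; a one-line comment stating what is sampled at that rate would help the next maintainer.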
@@ -243,8 +221,10 @@ inputs: - ${kubernetes.hints.elasticsearch.ml_job.host|kubernetes.hints.elasticsearch.host|'http://localhost:9200'} metricsets: - ml_job - period: null + password: ${kubernetes.hints.elasticsearch.ml_job.password|kubernetes.hints.elasticsearch.password|''} + period: ${kubernetes.hints.elasticsearch.ml_job.period|kubernetes.hints.elasticsearch.period|'10s'} scope: node + username: ${kubernetes.hints.elasticsearch.ml_job.username|kubernetes.hints.elasticsearch.username|''} - condition: ${kubernetes.hints.elasticsearch.node.enabled} == true or ${kubernetes.hints.elasticsearch.enabled} == true data_stream: dataset: elasticsearch.stack_monitoring.node @@ -253,8 +233,10 @@ inputs: - ${kubernetes.hints.elasticsearch.node.host|kubernetes.hints.elasticsearch.host|'http://localhost:9200'} metricsets: - node - period: null + password: ${kubernetes.hints.elasticsearch.node.password|kubernetes.hints.elasticsearch.password|''} + period: ${kubernetes.hints.elasticsearch.node.period|kubernetes.hints.elasticsearch.period|'10s'} scope: node + username: ${kubernetes.hints.elasticsearch.node.username|kubernetes.hints.elasticsearch.username|''} - condition: ${kubernetes.hints.elasticsearch.node_stats.enabled} == true or ${kubernetes.hints.elasticsearch.enabled} == true data_stream: dataset: elasticsearch.stack_monitoring.node_stats 
@@ -263,8 +245,10 @@ inputs: - ${kubernetes.hints.elasticsearch.node_stats.host|kubernetes.hints.elasticsearch.host|'http://localhost:9200'} metricsets: - node_stats - period: null + password: ${kubernetes.hints.elasticsearch.node_stats.password|kubernetes.hints.elasticsearch.password|''} + period: ${kubernetes.hints.elasticsearch.node_stats.period|kubernetes.hints.elasticsearch.period|'10s'} scope: node + username: ${kubernetes.hints.elasticsearch.node_stats.username|kubernetes.hints.elasticsearch.username|''} - condition: ${kubernetes.hints.elasticsearch.pending_tasks.enabled} == true or ${kubernetes.hints.elasticsearch.enabled} == true data_stream: dataset: elasticsearch.stack_monitoring.pending_tasks @@ -273,8 +257,10 @@ inputs: - ${kubernetes.hints.elasticsearch.pending_tasks.host|kubernetes.hints.elasticsearch.host|'http://localhost:9200'} metricsets: - pending_tasks - period: null + password: ${kubernetes.hints.elasticsearch.pending_tasks.password|kubernetes.hints.elasticsearch.password|''} + period: ${kubernetes.hints.elasticsearch.pending_tasks.period|kubernetes.hints.elasticsearch.period|'10s'} scope: node + username: ${kubernetes.hints.elasticsearch.pending_tasks.username|kubernetes.hints.elasticsearch.username|''} - condition: ${kubernetes.hints.elasticsearch.shard.enabled} == true or ${kubernetes.hints.elasticsearch.enabled} == true data_stream: dataset: elasticsearch.stack_monitoring.shard @@ -283,6 +269,8 @@ inputs: - ${kubernetes.hints.elasticsearch.shard.host|kubernetes.hints.elasticsearch.host|'http://localhost:9200'} metricsets: - shard - period: null + password: ${kubernetes.hints.elasticsearch.shard.password|kubernetes.hints.elasticsearch.password|''} + period: ${kubernetes.hints.elasticsearch.shard.period|kubernetes.hints.elasticsearch.period|'10s'} scope: node + username: ${kubernetes.hints.elasticsearch.shard.username|kubernetes.hints.elasticsearch.username|''} data_stream.namespace: default 
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/iis.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/iis.yml index 8ff2f64baf7..53b68610de2 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/iis.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/iis.yml @@ -48,8 +48,7 @@ inputs: type: iis/metrics use_output: default streams: - - application_pool.name: null - condition: ${kubernetes.hints.iis.application_pool.enabled} == true or ${kubernetes.hints.iis.enabled} == true + - condition: ${kubernetes.hints.iis.application_pool.enabled} == true or ${kubernetes.hints.iis.enabled} == true data_stream: dataset: iis.application_pool type: metrics diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/infoblox_nios.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/infoblox_nios.yml index 5fbbf3aca51..ae91786e742 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/infoblox_nios.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/infoblox_nios.yml @@ -1,4 +1,21 @@ inputs: + - name: tcp-infoblox_nios + type: tcp + use_output: default + streams: + - condition: ${kubernetes.hints.infoblox_nios.log.enabled} == true or ${kubernetes.hints.infoblox_nios.enabled} == true + data_stream: + dataset: infoblox_nios.log + type: logs + fields: + _conf: + tz_offset: local + fields_under_root: true + host: localhost:9027 + tags: + - forwarded + - infoblox_nios-log + data_stream.namespace: default - name: udp-infoblox_nios type: udp use_output: default @@ -34,7 +51,8 @@ inputs: - container: format: auto stream: ${kubernetes.hints.infoblox_nios.log.stream|'all'} - paths: null + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log processors: - add_locale: null prospector: 
@@ -44,20 +62,3 @@ inputs: - forwarded - infoblox_nios-log data_stream.namespace: default - - name: tcp-infoblox_nios - type: tcp - use_output: default - streams: - - condition: ${kubernetes.hints.infoblox_nios.log.enabled} == true or ${kubernetes.hints.infoblox_nios.enabled} == true - data_stream: - dataset: infoblox_nios.log - type: logs - fields: - _conf: - tz_offset: local - fields_under_root: true - host: localhost:9027 - tags: - - forwarded - - infoblox_nios-log - data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/iptables.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/iptables.yml index 02d1d8330d3..662f0a4bf18 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/iptables.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/iptables.yml @@ -49,6 +49,8 @@ inputs: type: logs include_matches: - _TRANSPORT=kernel + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log tags: - iptables-log data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/kafka.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/kafka.yml index f8e3de9e81a..c403b902c23 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/kafka.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/kafka.yml 
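Review bot: The `paths:` glob added to the iptables stream sits under `include_matches: - _TRANSPORT=kernel`, which is a journald option; if this stream belongs to a journald input (the input's `type:` line is above the hunk), `paths` names journal files, and a container-log glob there will presumably be rejected or read as a journal rather than as text. The container-log path likely belongs on a filestream stream instead. Worth confirming against the input definition before this template is consumed.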
@@ -1,32 +1,4 @@ inputs: - - name: filestream-kafka - type: filestream - use_output: default - streams: - - condition: ${kubernetes.hints.kafka.log.enabled} == true or ${kubernetes.hints.kafka.enabled} == true - data_stream: - dataset: kafka.log - type: logs - exclude_files: - - .gz$ - multiline: - match: after - negate: true - pattern: ^\[ - parsers: - - container: - format: auto - stream: ${kubernetes.hints.kafka.log.stream|'all'} - paths: - - /opt/kafka*/var/log/containers/*${kubernetes.hints.container_id}.log - processors: - - add_locale: null - prospector: - scanner: - symlinks: true - tags: - - kafka-log - data_stream.namespace: default - name: kafka/metrics-kafka type: kafka/metrics use_output: default @@ -48,7 +20,9 @@ inputs: - ${kubernetes.hints.kafka.consumergroup.host|kubernetes.hints.kafka.host|'localhost:9092'} metricsets: - consumergroup + password: ${kubernetes.hints.kafka.consumergroup.password|kubernetes.hints.kafka.password|''} period: ${kubernetes.hints.kafka.consumergroup.period|kubernetes.hints.kafka.period|'10s'} + username: ${kubernetes.hints.kafka.consumergroup.username|kubernetes.hints.kafka.username|''} - condition: ${kubernetes.hints.kafka.partition.enabled} == true or ${kubernetes.hints.kafka.enabled} == true data_stream: dataset: kafka.partition 
@@ -57,5 +31,35 @@ inputs: - ${kubernetes.hints.kafka.partition.host|kubernetes.hints.kafka.host|'localhost:9092'} metricsets: - partition + password: ${kubernetes.hints.kafka.partition.password|kubernetes.hints.kafka.password|''} period: ${kubernetes.hints.kafka.partition.period|kubernetes.hints.kafka.period|'10s'} + username: ${kubernetes.hints.kafka.partition.username|kubernetes.hints.kafka.username|''} + data_stream.namespace: default + - name: filestream-kafka + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.kafka.log.enabled} == true or ${kubernetes.hints.kafka.enabled} == true + data_stream: + dataset: kafka.log + type: logs + exclude_files: + - .gz$ + multiline: + match: after + negate: true + pattern: ^\[ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.kafka.log.stream|'all'} + paths: + - /opt/kafka*/var/log/containers/*${kubernetes.hints.container_id}.log + processors: + - add_locale: null + prospector: + scanner: + symlinks: true + tags: + - kafka-log data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/kibana.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/kibana.yml index 78ab5f35128..5f33f274c14 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/kibana.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/kibana.yml 
@@ -1,38 +1,29 @@ inputs: - - name: filestream-kibana - type: filestream + - name: http/metrics-kibana + type: http/metrics use_output: default streams: - - condition: ${kubernetes.hints.kibana.audit.enabled} == true or ${kubernetes.hints.kibana.enabled} == true - data_stream: - dataset: kibana.audit - type: logs - exclude_files: - - .gz$ - parsers: - - container: - format: auto - stream: ${kubernetes.hints.kibana.audit.stream|'all'} - paths: - - /var/log/containers/*${kubernetes.hints.container_id}.log - prospector: - scanner: - symlinks: true - - condition: ${kubernetes.hints.kibana.log.enabled} == true or ${kubernetes.hints.kibana.enabled} == true + - condition: ${kubernetes.hints.kibana.background_task_utilization.enabled} == true or ${kubernetes.hints.kibana.enabled} == true data_stream: - dataset: kibana.log - type: logs - exclude_files: - - .gz$ - parsers: - - container: - format: auto - stream: ${kubernetes.hints.kibana.log.stream|'all'} - paths: - - /var/log/containers/*${kubernetes.hints.container_id}.log - prospector: - scanner: - symlinks: true + dataset: kibana.background_task_utilization + type: metrics + hosts: + - ${kubernetes.hints.kibana.background_task_utilization.host|kubernetes.hints.kibana.host|'http://localhost:5601'} + method: GET + metricsets: + - json + namespace: background_task_utilization + password: ${kubernetes.hints.kibana.background_task_utilization.password|kubernetes.hints.kibana.password|''} + path: /api/task_manager/_background_task_utilization + period: ${kubernetes.hints.kibana.background_task_utilization.period|kubernetes.hints.kibana.period|'10s'} + processors: + - rename: + fail_on_error: false + fields: + - from: http.background_task_utilization + to: kibana.background_task_utilization + ignore_missing: true + username: ${kubernetes.hints.kibana.background_task_utilization.username|kubernetes.hints.kibana.username|''} data_stream.namespace: default - name: kibana/metrics-kibana type: kibana/metrics 
@@ -46,7 +37,9 @@ inputs: - ${kubernetes.hints.kibana.cluster_actions.host|kubernetes.hints.kibana.host|'http://localhost:5601'} metricsets: - cluster_actions - period: null + password: ${kubernetes.hints.kibana.cluster_actions.password|kubernetes.hints.kibana.password|''} + period: ${kubernetes.hints.kibana.cluster_actions.period|kubernetes.hints.kibana.period|'10s'} + username: ${kubernetes.hints.kibana.cluster_actions.username|kubernetes.hints.kibana.username|''} - condition: ${kubernetes.hints.kibana.cluster_rules.enabled} == true or ${kubernetes.hints.kibana.enabled} == true data_stream: dataset: kibana.stack_monitoring.cluster_rules @@ -55,7 +48,9 @@ inputs: - ${kubernetes.hints.kibana.cluster_rules.host|kubernetes.hints.kibana.host|'http://localhost:5601'} metricsets: - cluster_rules - period: null + password: ${kubernetes.hints.kibana.cluster_rules.password|kubernetes.hints.kibana.password|''} + period: ${kubernetes.hints.kibana.cluster_rules.period|kubernetes.hints.kibana.period|'10s'} + username: ${kubernetes.hints.kibana.cluster_rules.username|kubernetes.hints.kibana.username|''} - condition: ${kubernetes.hints.kibana.node_actions.enabled} == true or ${kubernetes.hints.kibana.enabled} == true data_stream: dataset: kibana.stack_monitoring.node_actions @@ -64,7 +59,9 @@ inputs: - ${kubernetes.hints.kibana.node_actions.host|kubernetes.hints.kibana.host|'http://localhost:5601'} metricsets: - node_actions - period: null + password: ${kubernetes.hints.kibana.node_actions.password|kubernetes.hints.kibana.password|''} + period: ${kubernetes.hints.kibana.node_actions.period|kubernetes.hints.kibana.period|'10s'} + username: ${kubernetes.hints.kibana.node_actions.username|kubernetes.hints.kibana.username|''} - condition: ${kubernetes.hints.kibana.node_rules.enabled} == true or ${kubernetes.hints.kibana.enabled} == true data_stream: dataset: kibana.stack_monitoring.node_rules 
@@ -73,7 +70,9 @@ inputs: - ${kubernetes.hints.kibana.node_rules.host|kubernetes.hints.kibana.host|'http://localhost:5601'} metricsets: - node_rules - period: null + password: ${kubernetes.hints.kibana.node_rules.password|kubernetes.hints.kibana.password|''} + period: ${kubernetes.hints.kibana.node_rules.period|kubernetes.hints.kibana.period|'10s'} + username: ${kubernetes.hints.kibana.node_rules.username|kubernetes.hints.kibana.username|''} - condition: ${kubernetes.hints.kibana.stats.enabled} == true or ${kubernetes.hints.kibana.enabled} == true data_stream: dataset: kibana.stack_monitoring.stats @@ -82,7 +81,9 @@ inputs: - ${kubernetes.hints.kibana.stats.host|kubernetes.hints.kibana.host|'http://localhost:5601'} metricsets: - stats - period: null + password: ${kubernetes.hints.kibana.stats.password|kubernetes.hints.kibana.password|''} + period: ${kubernetes.hints.kibana.stats.period|kubernetes.hints.kibana.period|'10s'} + username: ${kubernetes.hints.kibana.stats.username|kubernetes.hints.kibana.username|''} - condition: ${kubernetes.hints.kibana.status.enabled} == true or ${kubernetes.hints.kibana.enabled} == true data_stream: dataset: kibana.stack_monitoring.status 
@@ -91,5 +92,42 @@ inputs: - ${kubernetes.hints.kibana.status.host|kubernetes.hints.kibana.host|'http://localhost:5601'} metricsets: - status - period: null + password: ${kubernetes.hints.kibana.status.password|kubernetes.hints.kibana.password|''} + period: ${kubernetes.hints.kibana.status.period|kubernetes.hints.kibana.period|'10s'} + username: ${kubernetes.hints.kibana.status.username|kubernetes.hints.kibana.username|''} + data_stream.namespace: default + - name: filestream-kibana + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.kibana.audit.enabled} == true or ${kubernetes.hints.kibana.enabled} == true + data_stream: + dataset: kibana.audit + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.kibana.audit.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + prospector: + scanner: + symlinks: true + - condition: ${kubernetes.hints.kibana.log.enabled} == true or ${kubernetes.hints.kibana.enabled} == true + data_stream: + dataset: kibana.log + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.kibana.log.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + prospector: + scanner: + symlinks: true data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/log.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/log.yml index b4627a13814..284ffe589ee 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/log.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/log.yml 
@@ -3,16 +3,20 @@ inputs: type: filestream use_output: default streams: - - condition: ${kubernetes.hints.log.log.enabled} == true or ${kubernetes.hints.log.enabled} == true + - condition: ${kubernetes.hints.log.container_logs.enabled} == true data_stream: - dataset: log.log + dataset: log.container_logs type: logs + exclude_files: [] + exclude_lines: [] parsers: - container: format: auto - stream: ${kubernetes.hints.log.log.stream|'all'} - paths: null + stream: all + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log prospector: scanner: symlinks: true + tags: [] data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/logstash.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/logstash.yml index f4b3c2a23b3..fbe4bb2f0b6 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/logstash.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/logstash.yml 
@@ -1,4 +1,31 @@ inputs: + - name: logstash/metrics-logstash + type: logstash/metrics + use_output: default + streams: + - condition: ${kubernetes.hints.logstash.node.enabled} == true or ${kubernetes.hints.logstash.enabled} == true + data_stream: + dataset: logstash.stack_monitoring.node + type: metrics + hosts: + - ${kubernetes.hints.logstash.node.host|kubernetes.hints.logstash.host|'http://localhost:9600'} + metricsets: + - node + password: ${kubernetes.hints.logstash.node.password|kubernetes.hints.logstash.password|''} + period: ${kubernetes.hints.logstash.node.period|kubernetes.hints.logstash.period|'10s'} + username: ${kubernetes.hints.logstash.node.username|kubernetes.hints.logstash.username|''} + - condition: ${kubernetes.hints.logstash.node_stats.enabled} == true or ${kubernetes.hints.logstash.enabled} == true + data_stream: + dataset: logstash.stack_monitoring.node_stats + type: metrics + hosts: + - ${kubernetes.hints.logstash.node_stats.host|kubernetes.hints.logstash.host|'http://localhost:9600'} + metricsets: + - node_stats + password: ${kubernetes.hints.logstash.node_stats.password|kubernetes.hints.logstash.password|''} + period: ${kubernetes.hints.logstash.node_stats.period|kubernetes.hints.logstash.period|'10s'} + username: ${kubernetes.hints.logstash.node_stats.username|kubernetes.hints.logstash.username|''} + data_stream.namespace: default - name: filestream-logstash type: filestream use_output: default 
@@ -50,26 +77,3 @@ inputs: scanner: symlinks: true data_stream.namespace: default - - name: logstash/metrics-logstash - type: logstash/metrics - use_output: default - streams: - - condition: ${kubernetes.hints.logstash.node.enabled} == true or ${kubernetes.hints.logstash.enabled} == true - data_stream: - dataset: logstash.stack_monitoring.node - type: metrics - hosts: - - ${kubernetes.hints.logstash.node.host|kubernetes.hints.logstash.host|'http://localhost:9600'} - metricsets: - - node - period: ${kubernetes.hints.logstash.node.period|kubernetes.hints.logstash.period|'10s'} - - condition: ${kubernetes.hints.logstash.node_stats.enabled} == true or ${kubernetes.hints.logstash.enabled} == true - data_stream: - dataset: logstash.stack_monitoring.node_stats - type: metrics - hosts: - - ${kubernetes.hints.logstash.node_stats.host|kubernetes.hints.logstash.host|'http://localhost:9600'} - metricsets: - - node_stats - period: ${kubernetes.hints.logstash.node_stats.period|kubernetes.hints.logstash.period|'10s'} - data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/mattermost.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/mattermost.yml index de5c8932af1..3f4144bd41e 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/mattermost.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/mattermost.yml @@ -13,7 +13,8 @@ inputs: - container: format: auto stream: ${kubernetes.hints.mattermost.audit.stream|'all'} - paths: null + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log prospector: scanner: symlinks: true diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/microsoft_sqlserver.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/microsoft_sqlserver.yml index f34a2d0423a..d3885086fc3 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/microsoft_sqlserver.yml 
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/microsoft_sqlserver.yml @@ -1,21 +1,9 @@ inputs: - - name: winlog-microsoft_sqlserver - type: winlog - use_output: default - streams: - - condition: ${kubernetes.hints.microsoft_sqlserver.audit.enabled} == true or ${kubernetes.hints.microsoft_sqlserver.enabled} == true - data_stream: - dataset: microsoft_sqlserver.audit - type: logs - event_id: 33205 - ignore_older: 72h - name: Security - data_stream.namespace: default - name: filestream-microsoft_sqlserver type: filestream use_output: default streams: - - condition: ${kubernetes.hints.microsoft_sqlserver.log.enabled} == true and ${kubernetes.hints.microsoft_sqlserver.enabled} == true + - condition: ${kubernetes.hints.microsoft_sqlserver.log.enabled} == true or ${kubernetes.hints.microsoft_sqlserver.enabled} == true data_stream: dataset: microsoft_sqlserver.log type: logs @@ -41,7 +29,7 @@ inputs: type: sql/metrics use_output: default streams: - - condition: ${kubernetes.hints.microsoft_sqlserver.performance.enabled} == true and ${kubernetes.hints.microsoft_sqlserver.enabled} == true + - condition: ${kubernetes.hints.microsoft_sqlserver.performance.enabled} == true or ${kubernetes.hints.microsoft_sqlserver.enabled} == true data_stream: dataset: microsoft_sqlserver.performance type: metrics @@ -55,6 +43,8 @@ inputs: period: ${kubernetes.hints.microsoft_sqlserver.performance.period|kubernetes.hints.microsoft_sqlserver.period|'60s'} raw_data.enabled: true sql_queries: + - query: SELECT @@servername AS server_name, @@servicename AS instance_name; + response_format: table - query: SELECT cntr_value As 'user_connections' FROM sys.dm_os_performance_counters WHERE counter_name= 'User Connections' response_format: table - query: SELECT cntr_value As 'active_temp_tables' FROM sys.dm_os_performance_counters WHERE counter_name = 'Active Temp Tables' AND object_name like '%General Statistics%' 
@@ -77,7 +67,7 @@ inputs: response_format: table - query: SELECT cntr_value As 'buffer_target_pages' FROM sys.dm_os_performance_counters WHERE counter_name = 'Target pages' AND object_name like '%Buffer Manager%' response_format: table - - query: SELECT cntr_value As 'connection_reset_per_sec' FROM sys.dm_os_performance_counters WHERE counter_name = 'Connection Reset/sec' AND object_name like '%Buffer Manager%' + - query: SELECT cntr_value As 'connection_reset_per_sec' FROM sys.dm_os_performance_counters WHERE counter_name = 'Connection Reset/sec' AND object_name like '%General Statistics%' response_format: table - query: SELECT cntr_value As 'logins_per_sec' FROM sys.dm_os_performance_counters WHERE counter_name = 'Logins/sec' AND object_name like '%General Statistics%' response_format: table @@ -89,7 +79,7 @@ inputs: response_format: table - query: SELECT counter_name, cntr_value FROM sys.dm_os_performance_counters WHERE counter_name like 'Memory Grants Pend%' response_format: variables - - condition: ${kubernetes.hints.microsoft_sqlserver.transaction_log.enabled} == true and ${kubernetes.hints.microsoft_sqlserver.enabled} == true + - condition: ${kubernetes.hints.microsoft_sqlserver.transaction_log.enabled} == true or ${kubernetes.hints.microsoft_sqlserver.enabled} == true data_stream: dataset: microsoft_sqlserver.transaction_log type: metrics 
@@ -101,28 +91,40 @@ inputs: period: ${kubernetes.hints.microsoft_sqlserver.transaction_log.period|kubernetes.hints.microsoft_sqlserver.period|'60s'} raw_data.enabled: true sql_queries: - - query: SELECT name As 'database_name', database_id FROM sys.databases WHERE database_id=1; + - query: SELECT @@servername AS server_name, @@servicename AS instance_name, name As 'database_name', database_id FROM sys.databases WHERE name='master'; response_format: table - - query: SELECT 'master' As database_name, database_id,total_log_size_mb,active_log_size_mb,log_backup_time,log_since_last_log_backup_mb,log_since_last_checkpoint_mb,log_recovery_size_mb FROM sys.dm_db_log_stats(1) master + - query: SELECT @@servername AS server_name, @@servicename AS instance_name, name As 'database_name', l.database_id, l.total_log_size_mb, l.active_log_size_mb,l.log_backup_time,l.log_since_last_log_backup_mb,l.log_since_last_checkpoint_mb,l.log_recovery_size_mb from sys.dm_db_log_stats(DB_ID('master')) l INNER JOIN sys.databases s ON l.database_id = s.database_id WHERE s.database_id = DB_ID('master') ; response_format: table - - query: SELECT 'master' As 'database_name', total_log_size_in_bytes As total_log_size_bytes, used_log_space_in_bytes As used_log_space_bytes, used_log_space_in_percent As used_log_space_pct, log_space_in_bytes_since_last_backup FROM sys.dm_db_log_space_usage master + - query: USE [master] ; SELECT @@servername AS server_name, @@servicename AS instance_name, name As 'database_name', l.database_id, l.total_log_size_in_bytes As total_log_size_bytes, l.used_log_space_in_bytes As used_log_space_bytes, l.used_log_space_in_percent As used_log_space_pct, l.log_space_in_bytes_since_last_backup from sys.dm_db_log_space_usage l INNER JOIN sys.databases s ON l.database_id = s.database_id WHERE s.database_id = DB_ID('master') ; response_format: table - - query: SELECT name As 'database_name', database_id FROM sys.databases WHERE database_id=2; + - query: SELECT @@servername AS 
server_name, @@servicename AS instance_name, name As 'database_name', database_id FROM sys.databases WHERE name='model'; response_format: table - - query: SELECT 'tempdb' As 'database_name', database_id,total_log_size_mb,active_log_size_mb As active_log_size,log_backup_time,log_since_last_log_backup_mb, log_since_last_checkpoint_mb,log_recovery_size_mb FROM sys.dm_db_log_stats(2) tempdb + - query: SELECT @@servername AS server_name, @@servicename AS instance_name, name As 'database_name', l.database_id, l.total_log_size_mb, l.active_log_size_mb,l.log_backup_time,l.log_since_last_log_backup_mb,l.log_since_last_checkpoint_mb,l.log_recovery_size_mb from sys.dm_db_log_stats(DB_ID('model')) l INNER JOIN sys.databases s ON l.database_id = s.database_id WHERE s.database_id = DB_ID('model') ; response_format: table - - query: SELECT 'tempdb' As 'database_name', total_log_size_in_bytes As total_log_size_bytes, used_log_space_in_bytes As used_log_space_bytes, used_log_space_in_percent As used_log_space_pct, log_space_in_bytes_since_last_backup FROM sys.dm_db_log_space_usage tempdb + - query: USE [model] ; SELECT @@servername AS server_name, @@servicename AS instance_name, name As 'database_name', l.database_id, l.total_log_size_in_bytes As total_log_size_bytes, l.used_log_space_in_bytes As used_log_space_bytes, l.used_log_space_in_percent As used_log_space_pct, l.log_space_in_bytes_since_last_backup from sys.dm_db_log_space_usage l INNER JOIN sys.databases s ON l.database_id = s.database_id WHERE s.database_id = DB_ID('model') ; response_format: table - - query: SELECT name As 'database_name', database_id FROM sys.databases WHERE database_id=3; + - query: SELECT @@servername AS server_name, @@servicename AS instance_name, name As 'database_name', database_id FROM sys.databases WHERE name='tempdb'; response_format: table - - query: SELECT 'model' As 'database_name', database_id,total_log_size_mb,active_log_size_mb As 
active_log_size,log_backup_time,log_since_last_log_backup_mb, log_since_last_checkpoint_mb,log_recovery_size_mb FROM sys.dm_db_log_stats(3) model + - query: SELECT @@servername AS server_name, @@servicename AS instance_name, name As 'database_name', l.database_id, l.total_log_size_mb, l.active_log_size_mb,l.log_backup_time,l.log_since_last_log_backup_mb,l.log_since_last_checkpoint_mb,l.log_recovery_size_mb from sys.dm_db_log_stats(DB_ID('tempdb')) l INNER JOIN sys.databases s ON l.database_id = s.database_id WHERE s.database_id = DB_ID('tempdb') ; response_format: table - - query: SELECT 'model' As 'database_name', total_log_size_in_bytes As total_log_size_bytes, used_log_space_in_bytes As used_log_space_bytes, used_log_space_in_percent As used_log_space_pct, log_space_in_bytes_since_last_backup FROM sys.dm_db_log_space_usage model + - query: USE [tempdb] ; SELECT @@servername AS server_name, @@servicename AS instance_name, name As 'database_name', l.database_id, l.total_log_size_in_bytes As total_log_size_bytes, l.used_log_space_in_bytes As used_log_space_bytes, l.used_log_space_in_percent As used_log_space_pct, l.log_space_in_bytes_since_last_backup from sys.dm_db_log_space_usage l INNER JOIN sys.databases s ON l.database_id = s.database_id WHERE s.database_id = DB_ID('tempdb') ; response_format: table - - query: SELECT name As 'database_name', database_id FROM sys.databases WHERE database_id=4; + - query: SELECT @@servername AS server_name, @@servicename AS instance_name, name As 'database_name', database_id FROM sys.databases WHERE name='msdb'; response_format: table - - query: SELECT 'msdb' As 'database_name', database_id,total_log_size_mb,active_log_size_mb As active_log_size,log_backup_time,log_since_last_log_backup_mb, log_since_last_checkpoint_mb,log_recovery_size_mb FROM sys.dm_db_log_stats(4) msdb + - query: SELECT @@servername AS server_name, @@servicename AS instance_name, name As 'database_name', l.database_id, l.total_log_size_mb, 
l.active_log_size_mb,l.log_backup_time,l.log_since_last_log_backup_mb,l.log_since_last_checkpoint_mb,l.log_recovery_size_mb from sys.dm_db_log_stats(DB_ID('msdb')) l INNER JOIN sys.databases s ON l.database_id = s.database_id WHERE s.database_id = DB_ID('msdb') ; response_format: table - - query: SELECT 'msdb' As 'database_name', total_log_size_in_bytes As total_log_size_bytes, used_log_space_in_bytes As used_log_space_bytes, used_log_space_in_percent As used_log_space_pct, log_space_in_bytes_since_last_backup FROM sys.dm_db_log_space_usage msdb + - query: USE [msdb] ; SELECT @@servername AS server_name, @@servicename AS instance_name, name As 'database_name', l.database_id, l.total_log_size_in_bytes As total_log_size_bytes, l.used_log_space_in_bytes As used_log_space_bytes, l.used_log_space_in_percent As used_log_space_pct, l.log_space_in_bytes_since_last_backup from sys.dm_db_log_space_usage l INNER JOIN sys.databases s ON l.database_id = s.database_id WHERE s.database_id = DB_ID('msdb') ; response_format: table data_stream.namespace: default + - name: winlog-microsoft_sqlserver + type: winlog + use_output: default + streams: + - condition: ${kubernetes.hints.microsoft_sqlserver.audit.enabled} == true or ${kubernetes.hints.microsoft_sqlserver.enabled} == true + data_stream: + dataset: microsoft_sqlserver.audit + type: logs + event_id: 33205 + ignore_older: 72h + name: Security + data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/mimecast.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/mimecast.yml index 7cf3de85c20..58841855549 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/mimecast.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/mimecast.yml 
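Review bot: The rewritten transaction_log queries now execute `USE [master]`, `USE [model]`, `USE [tempdb]` and `USE [msdb]` before `sys.dm_db_log_space_usage`, so the monitoring login must be able to change context into each of those databases, not only hold the server-level permission the previous `sys.dm_db_log_stats(<id>)` form needed; as far as I recall, guest access is disabled in `model` by default, so a least-privilege login with no user mapped there will fail that query. A comment above `sql_queries:` would save the next operator a debugging session, e.g. `# requires VIEW SERVER STATE plus the ability to USE master, model, tempdb and msdb (context switches are executed per query)`. The queries remain static literals, so the change adds no injection surface; the stream's `hosts` and credential keys are outside this hunk.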
@@ -43,27 +43,31 @@ inputs: - set: fail_on_template_error: true target: body.meta.pagination.pageToken - value: '[[.last_response.body.meta.pagination.next]]' + value: |- + [[- if index .last_response.body.meta.pagination "next" -]] + [[- .last_response.body.meta.pagination.next -]] + [[- end -]] response.split: + ignore_empty_value: true target: body.data tags: - forwarded - mimecast-audit-events - condition: ${kubernetes.hints.mimecast.dlp_logs.enabled} == true or ${kubernetes.hints.mimecast.enabled} == true config_version: "2" - cursor: null + cursor: + next_date: + value: '[[.first_event.eventTime]]' data_stream: dataset: mimecast.dlp_logs type: logs interval: 5m - next_date: - value: '[[.first_event.eventTime]]' request.method: POST request.transforms: - set: default: '[{"to": "[[formatDate (now) "2006-01-02T15:04:05-0700"]]", "from":"[[formatDate (now (parseDuration "-5m")) "2006-01-02T15:04:05-0700"]]"}]' target: body.data - value: '[{"to": "[[formatDate (now) "2006-01-02T15:04:05-0700"]]", "from":"[[.cursor.eventTime]]"}]' + value: '[{"to": "[[formatDate (now) "2006-01-02T15:04:05-0700"]]", "from":"[[.cursor.next_date]]"}]' value_type: json - set: target: header.x-mc-app-id @@ -88,6 +92,7 @@ inputs: target: body.meta.pagination.pageToken value: '[[.last_response.body.meta.pagination.next]]' response.split: + ignore_empty_value: true split: target: body.dlpLogs target: body.data @@ -169,6 +174,7 @@ inputs: request.url: https://eu-api.mimecast.com/api/ttp/threat-intel/get-feed response.decode_as: application/json response.split: + ignore_empty_value: true target: body.objects transforms: - set: @@ -209,6 +215,7 @@ inputs: request.url: https://eu-api.mimecast.com/api/ttp/threat-intel/get-feed response.decode_as: application/json response.split: + ignore_empty_value: true target: body.objects transforms: - set: 
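Review bot: Only the audit_events stream gets the guarded pageToken template (`[[- if index .last_response.body.meta.pagination "next" -]] … [[- end -]]`); the dlp_logs hunk here (-88) and the hunks at -256, -301 and -346 on the next line still set `value: '[[.last_response.body.meta.pagination.next]]'`, which is exactly the form the audit stream moved away from, presumably because it errors or emits a bogus token when `next` is absent on the last page. If those streams share the same pagination shape they should take the same guarded template; if they do not, a one-line comment on the audit stream saying why it alone needs the guard would prevent the question. Moving `next_date` under `cursor:` (previously `cursor: null` with a dead top-level `next_date`) looks like a genuine fix.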
@@ -219,13 +226,13 @@ inputs: - mimecast-threat-intel-feed-malware-grid - condition: ${kubernetes.hints.mimecast.ttp_ap_logs.enabled} == true or ${kubernetes.hints.mimecast.enabled} == true config_version: "2" - cursor: null + cursor: + next_date: + value: '[[.first_event.date]]' data_stream: dataset: mimecast.ttp_ap_logs type: logs interval: 5m - next_date: - value: '[[.first_event.date]]' request.method: POST request.transforms: - set: @@ -256,6 +263,7 @@ inputs: target: body.meta.pagination.pageToken value: '[[.last_response.body.meta.pagination.next]]' response.split: + ignore_empty_value: true split: target: body.attachmentLogs target: body.data @@ -264,13 +272,13 @@ inputs: - mimecast-ttp-ap - condition: ${kubernetes.hints.mimecast.ttp_ip_logs.enabled} == true or ${kubernetes.hints.mimecast.enabled} == true config_version: "2" - cursor: null + cursor: + next_date: + value: '[[.first_event.eventTime]]' data_stream: dataset: mimecast.ttp_ip_logs type: logs interval: 5m - next_date: - value: '[[.first_event.eventTime]]' request.method: POST request.transforms: - set: @@ -301,6 +309,7 @@ inputs: target: body.meta.pagination.pageToken value: '[[.last_response.body.meta.pagination.next]]' response.split: + ignore_empty_value: true split: target: body.impersonationLogs target: body.data @@ -346,6 +355,7 @@ inputs: target: body.meta.pagination.pageToken value: '[[.last_response.body.meta.pagination.next]]' response.split: + ignore_empty_value: true split: target: body.clickLogs target: body.data diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/modsecurity.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/modsecurity.yml index cc9e109d5ed..511ebeb16d9 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/modsecurity.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/modsecurity.yml 
@@ -10,7 +10,8 @@ inputs: exclude_files: - .gz$ fields: - tz_offset: null + _conf: + tz_offset: local fields_under_root: true parsers: - container: diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/mongodb.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/mongodb.yml index 63793c98636..79ea7a4de93 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/mongodb.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/mongodb.yml @@ -33,11 +33,13 @@ inputs: - ${kubernetes.hints.mongodb.collstats.host|kubernetes.hints.mongodb.host|'localhost:27017'} metricsets: - collstats + password: ${kubernetes.hints.mongodb.collstats.password|kubernetes.hints.mongodb.password|''} period: ${kubernetes.hints.mongodb.collstats.period|kubernetes.hints.mongodb.period|'10s'} ssl.certificate: null - ssl.enabled: false + ssl.enabled: null ssl.key: null ssl.verification_mode: null + username: ${kubernetes.hints.mongodb.collstats.username|kubernetes.hints.mongodb.username|''} - condition: ${kubernetes.hints.mongodb.dbstats.enabled} == true or ${kubernetes.hints.mongodb.enabled} == true data_stream: dataset: mongodb.dbstats @@ -46,11 +48,13 @@ inputs: - ${kubernetes.hints.mongodb.dbstats.host|kubernetes.hints.mongodb.host|'localhost:27017'} metricsets: - dbstats + password: ${kubernetes.hints.mongodb.dbstats.password|kubernetes.hints.mongodb.password|''} period: ${kubernetes.hints.mongodb.dbstats.period|kubernetes.hints.mongodb.period|'10s'} ssl.certificate: null - ssl.enabled: false + ssl.enabled: null ssl.key: null ssl.verification_mode: null + username: ${kubernetes.hints.mongodb.dbstats.username|kubernetes.hints.mongodb.username|''} - condition: ${kubernetes.hints.mongodb.metrics.enabled} == true or ${kubernetes.hints.mongodb.enabled} == true data_stream: dataset: mongodb.metrics 
@@ -59,7 +63,13 @@ inputs: - ${kubernetes.hints.mongodb.metrics.host|kubernetes.hints.mongodb.host|'localhost:27017'} metricsets: - metrics + password: ${kubernetes.hints.mongodb.metrics.password|kubernetes.hints.mongodb.password|''} period: ${kubernetes.hints.mongodb.metrics.period|kubernetes.hints.mongodb.period|'10s'} + ssl.certificate: null + ssl.enabled: false + ssl.key: null + ssl.verification_mode: null + username: ${kubernetes.hints.mongodb.metrics.username|kubernetes.hints.mongodb.username|''} - condition: ${kubernetes.hints.mongodb.replstatus.enabled} == true or ${kubernetes.hints.mongodb.enabled} == true data_stream: dataset: mongodb.replstatus @@ -68,11 +78,13 @@ inputs: - ${kubernetes.hints.mongodb.replstatus.host|kubernetes.hints.mongodb.host|'localhost:27017'} metricsets: - replstatus + password: ${kubernetes.hints.mongodb.replstatus.password|kubernetes.hints.mongodb.password|''} period: ${kubernetes.hints.mongodb.replstatus.period|kubernetes.hints.mongodb.period|'10s'} ssl.certificate: null - ssl.enabled: false + ssl.enabled: null ssl.key: null ssl.verification_mode: null + username: ${kubernetes.hints.mongodb.replstatus.username|kubernetes.hints.mongodb.username|''} - condition: ${kubernetes.hints.mongodb.status.enabled} == true or ${kubernetes.hints.mongodb.enabled} == true data_stream: dataset: mongodb.status @@ -81,9 +93,11 @@ inputs: - ${kubernetes.hints.mongodb.status.host|kubernetes.hints.mongodb.host|'localhost:27017'} metricsets: - status + password: ${kubernetes.hints.mongodb.status.password|kubernetes.hints.mongodb.password|''} period: ${kubernetes.hints.mongodb.status.period|kubernetes.hints.mongodb.period|'10s'} ssl.certificate: null - ssl.enabled: false + ssl.enabled: null ssl.key: null ssl.verification_mode: null + username: ${kubernetes.hints.mongodb.status.username|kubernetes.hints.mongodb.username|''} data_stream.namespace: default 
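Review bot: The metrics stream now carries a literal `ssl.enabled: false` while the sibling collstats, dbstats (on the previous line, -33 and -46), replstatus and status hunks (-68, -81) change the same key from `false` to `null`, so one stream pins TLS off and the others presumably leave it to the input default. With hint-sourced `username`/`password` added to every stream in the same commit, that asymmetry is what decides whether the credentials cross the wire in clear, and it reads like generator drift rather than intent. Either make all five streams agree, or add above the metrics stream's `ssl.enabled:` a comment such as `# TLS is not hint-configurable here; credentials are sent in clear unless this is changed` so the exposure is explicit.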
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/netflow.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/netflow.yml index 7976c094a38..bbb1f92261d 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/netflow.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/netflow.yml @@ -23,6 +23,7 @@ inputs: tags: - netflow - forwarded + timeout: ${kubernetes.hints.netflow.log.timeout|kubernetes.hints.netflow.timeout|'} data_stream.namespace: default - name: filestream-netflow type: filestream diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/nginx.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/nginx.yml index c42fff19dd3..098fecf78af 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/nginx.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/nginx.yml @@ -52,7 +52,9 @@ inputs: type: httpjson use_output: default streams: - - condition: ${kubernetes.hints.nginx.access.enabled} == true and ${kubernetes.hints.nginx.enabled} == true + - auth.basic.password: ${kubernetes.hints.nginx.access.password|kubernetes.hints.nginx.password|''} + auth.basic.user: ${kubernetes.hints.nginx.access.username|kubernetes.hints.nginx.username|''} + condition: ${kubernetes.hints.nginx.access.enabled} == true and ${kubernetes.hints.nginx.enabled} == true config_version: 2 cursor: index_earliest: @@ -88,7 +90,9 @@ inputs: tags: - forwarded - nginx-access - - condition: ${kubernetes.hints.nginx.error.enabled} == true and ${kubernetes.hints.nginx.enabled} == true + - auth.basic.password: ${kubernetes.hints.nginx.error.password|kubernetes.hints.nginx.password|''} + auth.basic.user: ${kubernetes.hints.nginx.error.username|kubernetes.hints.nginx.username|''} + condition: ${kubernetes.hints.nginx.error.enabled} == true and ${kubernetes.hints.nginx.enabled} == true config_version: 2 cursor: index_earliest: 
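Review bot: The added `timeout:` expression in the netflow hunk ends in `|'}` — the single quote opens a string literal that is never closed, so the default branch is malformed; the parallel line in the prometheus hunk further down (-17) uses `|''}`, which is what this should read: `timeout: ${kubernetes.hints.netflow.log.timeout|kubernetes.hints.netflow.timeout|''}`. As I read the hint syntax, an unparseable expression is more likely to make the whole netflow input fail to render than to fall back silently, so this is worth fixing at the generator's source rather than by hand here, since the file is machine-published.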
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/panw.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/panw.yml index 93c07883f03..ad50f49f29c 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/panw.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/panw.yml @@ -7,6 +7,7 @@ inputs: data_stream: dataset: panw.panos type: logs + framing: rfc6587 host: localhost:9001 max_message_size: 50KiB processors: diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/pfsense.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/pfsense.yml index 3a52d749ed7..814bd0dc2ce 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/pfsense.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/pfsense.yml @@ -1,25 +1,4 @@ inputs: - - name: udp-pfsense - type: udp - use_output: default - streams: - - condition: ${kubernetes.hints.pfsense.log.enabled} == true or ${kubernetes.hints.pfsense.enabled} == true - data_stream: - dataset: pfsense.log - type: logs - host: localhost:9001 - processors: - - add_locale: null - - add_fields: - fields: - internal_networks: - - private - tz_offset: local - target: _tmp - tags: - - pfsense - - forwarded - data_stream.namespace: default - name: tcp-pfsense type: tcp use_output: default @@ -60,3 +39,24 @@ inputs: symlinks: true tags: [] data_stream.namespace: default + - name: udp-pfsense + type: udp + use_output: default + streams: + - condition: ${kubernetes.hints.pfsense.log.enabled} == true or ${kubernetes.hints.pfsense.enabled} == true + data_stream: + dataset: pfsense.log + type: logs + host: localhost:9001 + processors: + - add_locale: null + - add_fields: + fields: + internal_networks: + - private + tz_offset: local + target: _tmp + tags: + - pfsense + - forwarded + data_stream.namespace: default 
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/postgresql.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/postgresql.yml index 8b40d2524d2..c6ba715606c 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/postgresql.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/postgresql.yml @@ -37,7 +37,9 @@ inputs: - ${kubernetes.hints.postgresql.activity.host|kubernetes.hints.postgresql.host|'postgres://localhost:5432'} metricsets: - activity + password: ${kubernetes.hints.postgresql.activity.password|kubernetes.hints.postgresql.password|''} period: ${kubernetes.hints.postgresql.activity.period|kubernetes.hints.postgresql.period|'10s'} + username: ${kubernetes.hints.postgresql.activity.username|kubernetes.hints.postgresql.username|''} - condition: ${kubernetes.hints.postgresql.bgwriter.enabled} == true or ${kubernetes.hints.postgresql.enabled} == true data_stream: dataset: postgresql.bgwriter @@ -46,7 +48,9 @@ inputs: - ${kubernetes.hints.postgresql.bgwriter.host|kubernetes.hints.postgresql.host|'postgres://localhost:5432'} metricsets: - bgwriter + password: ${kubernetes.hints.postgresql.bgwriter.password|kubernetes.hints.postgresql.password|''} period: ${kubernetes.hints.postgresql.bgwriter.period|kubernetes.hints.postgresql.period|'10s'} + username: ${kubernetes.hints.postgresql.bgwriter.username|kubernetes.hints.postgresql.username|''} - condition: ${kubernetes.hints.postgresql.database.enabled} == true or ${kubernetes.hints.postgresql.enabled} == true data_stream: dataset: postgresql.database 
@@ -55,7 +59,9 @@ inputs: - ${kubernetes.hints.postgresql.database.host|kubernetes.hints.postgresql.host|'postgres://localhost:5432'} metricsets: - database + password: ${kubernetes.hints.postgresql.database.password|kubernetes.hints.postgresql.password|''} period: ${kubernetes.hints.postgresql.database.period|kubernetes.hints.postgresql.period|'10s'} + username: ${kubernetes.hints.postgresql.database.username|kubernetes.hints.postgresql.username|''} - condition: ${kubernetes.hints.postgresql.statement.enabled} == true or ${kubernetes.hints.postgresql.enabled} == true data_stream: dataset: postgresql.statement @@ -64,5 +70,7 @@ inputs: - ${kubernetes.hints.postgresql.statement.host|kubernetes.hints.postgresql.host|'postgres://localhost:5432'} metricsets: - statement + password: ${kubernetes.hints.postgresql.statement.password|kubernetes.hints.postgresql.password|''} period: ${kubernetes.hints.postgresql.statement.period|kubernetes.hints.postgresql.period|'10s'} + username: ${kubernetes.hints.postgresql.statement.username|kubernetes.hints.postgresql.username|''} data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/prometheus.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/prometheus.yml index 1bb26ac4da2..0d1783f7741 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/prometheus.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/prometheus.yml 
@@ -17,6 +17,7 @@ inputs: password: ${kubernetes.hints.prometheus.collector.password|kubernetes.hints.prometheus.password|'secret'} period: ${kubernetes.hints.prometheus.collector.period|kubernetes.hints.prometheus.period|'10s'} rate_counters: true + timeout: ${kubernetes.hints.prometheus.collector.timeout|kubernetes.hints.prometheus.timeout|''} use_types: true username: ${kubernetes.hints.prometheus.collector.username|kubernetes.hints.prometheus.username|'user'} - condition: ${kubernetes.hints.prometheus.query.enabled} == true and ${kubernetes.hints.prometheus.enabled} == true @@ -57,9 +58,9 @@ inputs: - remote_write port: 9201 rate_counters: true - ssl.certificate: /etc/pki/server/cert.pem + ssl.certificate: null ssl.enabled: null - ssl.key: null + ssl.key: /etc/pki/server/cert.key types_patterns.exclude: null types_patterns.include: null use_types: true diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/rabbitmq.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/rabbitmq.yml index 53701dfa769..7117fd1d369 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/rabbitmq.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/rabbitmq.yml @@ -1,32 +1,4 @@ inputs: - - name: filestream-rabbitmq - type: filestream - use_output: default - streams: - - condition: ${kubernetes.hints.rabbitmq.log.enabled} == true or ${kubernetes.hints.rabbitmq.enabled} == true - data_stream: - dataset: rabbitmq.log - type: logs - exclude_files: - - .gz$ - multiline: - match: after - negate: true - pattern: '[0-9]{4}-[0-9]{2}-[0-9]{2}' - parsers: - - container: - format: auto - stream: ${kubernetes.hints.rabbitmq.log.stream|'all'} - paths: - - /var/log/containers/*${kubernetes.hints.container_id}.log - processors: - - add_locale: null - prospector: - scanner: - symlinks: true - tags: - - forwarded - data_stream.namespace: default - name: rabbitmq/metrics-rabbitmq type: rabbitmq/metrics use_output: default 
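Review bot: The remote_write hunk (-57) now ends with `ssl.certificate: null` and `ssl.key: /etc/pki/server/cert.key`, a private-key path with no matching certificate, where before it was the reverse; a TLS listener needs both, so this looks like the generator swapped which of the two keys carries the sample path rather than a deliberate change, and the pair should either both be set or both be `null`. Separately, the context lines show the collector stream defaulting to `username: 'user'` and `password: 'secret'`, so basic auth with placeholder credentials is sent to every scrape target whenever no hint overrides them. A comment above `password:` such as `# placeholder defaults, override via hints; these are sent on every request` would at least make that visible to whoever deploys the template.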
@@ -77,3 +49,31 @@ inputs: period: ${kubernetes.hints.rabbitmq.queue.period|kubernetes.hints.rabbitmq.period|'10s'} username: ${kubernetes.hints.rabbitmq.queue.username|kubernetes.hints.rabbitmq.username|''} data_stream.namespace: default + - name: filestream-rabbitmq + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.rabbitmq.log.enabled} == true or ${kubernetes.hints.rabbitmq.enabled} == true + data_stream: + dataset: rabbitmq.log + type: logs + exclude_files: + - .gz$ + multiline: + match: after + negate: true + pattern: '[0-9]{4}-[0-9]{2}-[0-9]{2}' + parsers: + - container: + format: auto + stream: ${kubernetes.hints.rabbitmq.log.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + processors: + - add_locale: null + prospector: + scanner: + symlinks: true + tags: + - forwarded + data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/redis.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/redis.yml index d8db78aee6d..00e548b50f5 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/redis.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/redis.yml 
@@ -1,40 +1,4 @@ inputs: - - name: filestream-redis - type: filestream - use_output: default - streams: - - condition: ${kubernetes.hints.redis.log.enabled} == true or ${kubernetes.hints.redis.enabled} == true - data_stream: - dataset: redis.log - type: logs - exclude_files: - - .gz$ - exclude_lines: - - ^\s+[\-`('.|_] - parsers: - - container: - format: auto - stream: ${kubernetes.hints.redis.log.stream|'all'} - paths: - - /var/log/containers/*${kubernetes.hints.container_id}.log - prospector: - scanner: - symlinks: true - tags: - - redis-log - data_stream.namespace: default - - name: redis-redis - type: redis - use_output: default - streams: - - condition: ${kubernetes.hints.redis.slowlog.enabled} == true or ${kubernetes.hints.redis.enabled} == true - data_stream: - dataset: redis.slowlog - type: logs - hosts: - - ${kubernetes.hints.redis.slowlog.host|kubernetes.hints.redis.host|'127.0.0.1:6379'} - password: ${kubernetes.hints.redis.slowlog.password|kubernetes.hints.redis.password|''} - data_stream.namespace: default - name: redis/metrics-redis type: redis/metrics use_output: default 
@@ -82,3 +46,39 @@ inputs: password: ${kubernetes.hints.redis.keyspace.password|kubernetes.hints.redis.password|''} period: ${kubernetes.hints.redis.keyspace.period|kubernetes.hints.redis.period|'10s'} data_stream.namespace: default + - name: filestream-redis + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.redis.log.enabled} == true or ${kubernetes.hints.redis.enabled} == true + data_stream: + dataset: redis.log + type: logs + exclude_files: + - .gz$ + exclude_lines: + - ^\s+[\-`('.|_] + parsers: + - container: + format: auto + stream: ${kubernetes.hints.redis.log.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + prospector: + scanner: + symlinks: true + tags: + - redis-log + data_stream.namespace: default + - name: redis-redis + type: redis + use_output: default + streams: + - condition: ${kubernetes.hints.redis.slowlog.enabled} == true or ${kubernetes.hints.redis.enabled} == true + data_stream: + dataset: redis.slowlog + type: logs + hosts: + - ${kubernetes.hints.redis.slowlog.host|kubernetes.hints.redis.host|'127.0.0.1:6379'} + password: ${kubernetes.hints.redis.slowlog.password|kubernetes.hints.redis.password|''} + data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/snort.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/snort.yml index 3c95adb5be5..80ed6df384a 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/snort.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/snort.yml 
@@ -1,13 +1,20 @@ inputs: - - name: udp-snort - type: udp + - name: filestream-snort + type: filestream use_output: default streams: - condition: ${kubernetes.hints.snort.log.enabled} == true or ${kubernetes.hints.snort.enabled} == true data_stream: dataset: snort.log type: logs - host: localhost:9514 + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.snort.log.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log processors: - add_locale: null - add_fields: @@ -16,26 +23,22 @@ inputs: - private tz_offset: local target: _tmp + prospector: + scanner: + symlinks: true tags: - forwarded - snort.log data_stream.namespace: default - - name: filestream-snort - type: filestream + - name: udp-snort + type: udp use_output: default streams: - condition: ${kubernetes.hints.snort.log.enabled} == true or ${kubernetes.hints.snort.enabled} == true data_stream: dataset: snort.log type: logs - exclude_files: - - .gz$ - parsers: - - container: - format: auto - stream: ${kubernetes.hints.snort.log.stream|'all'} - paths: - - /var/log/containers/*${kubernetes.hints.container_id}.log + host: localhost:9514 processors: - add_locale: null - add_fields: @@ -44,9 +47,6 @@ inputs: - private tz_offset: local target: _tmp - prospector: - scanner: - symlinks: true tags: - forwarded - snort.log diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/symantec_endpoint.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/symantec_endpoint.yml index 91412c6b0ee..006729bc60f 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/symantec_endpoint.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/symantec_endpoint.yml 
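Review bot: After the reorder both the filestream input and the udp input are gated on the same `${kubernetes.hints.snort.log.enabled} == true or ${kubernetes.hints.snort.enabled} == true`, so a pod that sets only the package-level hint activates the `host: localhost:9514` UDP listener as well as the container-log tail, with no way to choose one transport. If the generator supports a per-input condition, gating the udp stream on a transport-specific hint would keep the default to the container-log path only. The same coupling of several transports to one condition appears in the symantec_endpoint and tomcat sections below; since these files are published from the integration packages, the change most likely belongs in the source template.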
@@ -1,28 +1,37 @@ inputs: - - name: tcp-symantec_endpoint - type: tcp + - name: filestream-symantec_endpoint + type: filestream use_output: default streams: - condition: ${kubernetes.hints.symantec_endpoint.log.enabled} == true and ${kubernetes.hints.symantec_endpoint.enabled} == true data_stream: dataset: symantec_endpoint.log type: logs + exclude_files: + - .gz$ fields: _conf: remove_mapped_fields: false tz_offset: UTC fields_under_root: true - host: localhost:9008 - max_message_size: 1 MiB + parsers: + - container: + format: auto + stream: ${kubernetes.hints.symantec_endpoint.log.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + prospector: + scanner: + symlinks: true tags: - symantec-endpoint-log - forwarded data_stream.namespace: default - - name: udp-symantec_endpoint - type: udp + - name: tcp-symantec_endpoint + type: tcp use_output: default streams: - - condition: ${kubernetes.hints.symantec_endpoint.log.enabled} == true or ${kubernetes.hints.symantec_endpoint.enabled} == true + - condition: ${kubernetes.hints.symantec_endpoint.log.enabled} == true and ${kubernetes.hints.symantec_endpoint.enabled} == true data_stream: dataset: symantec_endpoint.log type: logs 
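Review bot: The tcp input added here is gated on `${kubernetes.hints.symantec_endpoint.log.enabled} == true and ${kubernetes.hints.symantec_endpoint.enabled} == true`, while the udp input re-added in the next hunk keeps `... or ...`, so setting only `kubernetes.hints.symantec_endpoint.enabled` opens the UDP listener but not the TCP one; the filestream input (context line at the top of this hunk) also uses `and`. Unless that asymmetry is intentional the three conditions should agree, most plausibly all `and`, so that the package-level hint alone does not enable a listener. The same and/or split between the filestream input and the udp/tcp inputs exists in the tomcat section further down. The udp stream continues past the end of the next hunk.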
@@ -32,35 +41,26 @@ inputs: tz_offset: UTC fields_under_root: true host: localhost:9008 - max_message_size: 1MiB + max_message_size: 1 MiB tags: - symantec-endpoint-log - forwarded data_stream.namespace: default - - name: filestream-symantec_endpoint - type: filestream + - name: udp-symantec_endpoint + type: udp use_output: default streams: - - condition: ${kubernetes.hints.symantec_endpoint.log.enabled} == true and ${kubernetes.hints.symantec_endpoint.enabled} == true + - condition: ${kubernetes.hints.symantec_endpoint.log.enabled} == true or ${kubernetes.hints.symantec_endpoint.enabled} == true data_stream: dataset: symantec_endpoint.log type: logs - exclude_files: - - .gz$ fields: _conf: remove_mapped_fields: false tz_offset: UTC fields_under_root: true - parsers: - - container: - format: auto - stream: ${kubernetes.hints.symantec_endpoint.log.stream|'all'} - paths: - - /var/log/containers/*${kubernetes.hints.container_id}.log - prospector: - scanner: - symlinks: true + host: localhost:9008 + max_message_size: 1MiB tags: - symantec-endpoint-log - forwarded diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/synthetics.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/synthetics.yml index 53b1ab17f99..78bbf49a5c6 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/synthetics.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/synthetics.yml 
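Review bot: `max_message_size: 1 MiB` on the tcp input and `max_message_size: 1MiB` on the udp input spell the same limit two ways in one file; pick one form, e.g. `max_message_size: 1MiB` for both streams. Both forms presumably resolve to the same value if the consumer tolerates a space before the unit, but the mismatch suggests the two inputs were edited independently and is easy to misread as a real difference. The udp stream continues beyond the end of this hunk.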
@@ -10,22 +10,25 @@ inputs: dataset: http type: synthetics enabled: true + ipv4: true + ipv6: true max_redirects: null name: null + password: ${kubernetes.hints.synthetics.http.password|kubernetes.hints.synthetics.password|''} processors: - - add_observer_metadata: - geo: - name: Fleet managed - add_fields: fields: monitor.fleet_managed: true target: "" response.include_body: null response.include_headers: null + run_from.geo.name: Fleet managed + run_from.id: fleet_managed schedule: '@every 3m' - timeout: null + timeout: ${kubernetes.hints.synthetics.http.timeout|kubernetes.hints.synthetics.timeout|''} type: http urls: null + username: ${kubernetes.hints.synthetics.http.username|kubernetes.hints.synthetics.username|''} data_stream.namespace: default - name: synthetics/tcp-synthetics type: synthetics/tcp @@ -38,18 +41,19 @@ inputs: type: synthetics enabled: true hosts: ${kubernetes.hints.synthetics.tcp.host|kubernetes.hints.synthetics.host|''} + ipv4: true + ipv6: true name: null processors: - - add_observer_metadata: - geo: - name: Fleet managed - add_fields: fields: monitor.fleet_managed: true target: "" proxy_use_local_resolver: false + run_from.geo.name: Fleet managed + run_from.id: fleet_managed schedule: '@every 3m' - timeout: null + timeout: ${kubernetes.hints.synthetics.tcp.timeout|kubernetes.hints.synthetics.timeout|''} type: tcp data_stream.namespace: default - name: synthetics/icmp-synthetics @@ -63,17 +67,18 @@ inputs: type: synthetics enabled: true hosts: ${kubernetes.hints.synthetics.icmp.host|kubernetes.hints.synthetics.host|''} + ipv4: true + ipv6: true name: null processors: - - add_observer_metadata: - geo: - name: Fleet managed - add_fields: fields: monitor.fleet_managed: true target: "" + run_from.geo.name: Fleet managed + run_from.id: fleet_managed schedule: '@every 3m' - timeout: null + timeout: ${kubernetes.hints.synthetics.icmp.timeout|kubernetes.hints.synthetics.timeout|''} type: icmp wait: 1s data_stream.namespace: default 
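Review bot: `timeout: ${kubernetes.hints.synthetics.http.timeout|kubernetes.hints.synthetics.timeout|''}` replaces `timeout: null` with an empty-string default; if the monitor parses `timeout` as a duration, `''` may be rejected where `null` was tolerated, so it is worth confirming that a pod with no timeout hint still yields a valid monitor (the same substitution is made for the tcp, icmp and browser monitors and in the tcp.yml and udp.yml hunks below). The new `username`/`password` pair is resolved from hints, which are ordinarily supplied as pod annotations and are readable by anyone with read access to the pod; a comment such as `# password hint: prefer a reference through the agent's kubernetes_secrets provider over a literal annotation` above the `password` line would steer operators away from plaintext credentials. The same consideration applies to the `auth.basic.password` hints added throughout the zeek section.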
@@ -89,25 +94,21 @@ inputs: enabled: true name: null processors: - - add_observer_metadata: - geo: - name: Fleet managed - add_fields: fields: monitor.fleet_managed: true target: "" + run_from.geo.name: Fleet managed + run_from.id: fleet_managed schedule: '@every 3m' throttling: null - timeout: null + timeout: ${kubernetes.hints.synthetics.browser.timeout|kubernetes.hints.synthetics.timeout|''} type: browser - condition: ${kubernetes.hints.synthetics.browser_network.enabled} == true or ${kubernetes.hints.synthetics.enabled} == true data_stream: dataset: browser.network type: synthetics processors: - - add_observer_metadata: - geo: - name: Fleet managed - add_fields: fields: monitor.fleet_managed: true @@ -117,9 +118,6 @@ inputs: dataset: browser.screenshot type: synthetics processors: - - add_observer_metadata: - geo: - name: Fleet managed - add_fields: fields: monitor.fleet_managed: true diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/tcp.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/tcp.yml index 0f20d16dfd1..678e905e473 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/tcp.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/tcp.yml @@ -8,6 +8,7 @@ inputs: dataset: tcp.generic type: logs host: localhost:8080 + timeout: ${kubernetes.hints.tcp.generic.timeout|kubernetes.hints.tcp.timeout|''} data_stream.namespace: default - name: filestream-tcp type: filestream diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/tomcat.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/tomcat.yml index 1355b57befa..e31b69fcbf1 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/tomcat.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/tomcat.yml 
@@ -1,19 +1,26 @@ inputs: - - name: udp-tomcat - type: udp + - name: filestream-tomcat + type: filestream use_output: default streams: - - condition: ${kubernetes.hints.tomcat.log.enabled} == true or ${kubernetes.hints.tomcat.enabled} == true + - condition: ${kubernetes.hints.tomcat.log.enabled} == true and ${kubernetes.hints.tomcat.enabled} == true data_stream: dataset: tomcat.log type: logs + exclude_files: + - .gz$ fields: observer: product: TomCat type: Web vendor: Apache fields_under_root: true - host: localhost:9523 + parsers: + - container: + format: auto + stream: ${kubernetes.hints.tomcat.log.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log processors: - script: lang: javascript @@ -2756,13 +2763,15 @@ inputs: target_field: url.registered_domain target_subdomain_field: url.subdomain - add_locale: null + prospector: + scanner: + symlinks: true tags: - tomcat-log - forwarded - udp: null data_stream.namespace: default - - name: tcp-tomcat - type: tcp + - name: udp-tomcat + type: udp use_output: default streams: - condition: ${kubernetes.hints.tomcat.log.enabled} == true or ${kubernetes.hints.tomcat.enabled} == true @@ -5521,30 +5530,23 @@ inputs: tags: - tomcat-log - forwarded - tcp: null + udp: null data_stream.namespace: default - - name: filestream-tomcat - type: filestream + - name: tcp-tomcat + type: tcp use_output: default streams: - - condition: ${kubernetes.hints.tomcat.log.enabled} == true and ${kubernetes.hints.tomcat.enabled} == true + - condition: ${kubernetes.hints.tomcat.log.enabled} == true or ${kubernetes.hints.tomcat.enabled} == true data_stream: dataset: tomcat.log type: logs - exclude_files: - - .gz$ fields: observer: product: TomCat type: Web vendor: Apache fields_under_root: true - parsers: - - container: - format: auto - stream: ${kubernetes.hints.tomcat.log.stream|'all'} - paths: - - /var/log/containers/*${kubernetes.hints.container_id}.log + host: localhost:9523 processors: - script: lang: javascript 
@@ -8287,10 +8289,8 @@ inputs: target_field: url.registered_domain target_subdomain_field: url.subdomain - add_locale: null - prospector: - scanner: - symlinks: true tags: - tomcat-log - forwarded + tcp: null data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/udp.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/udp.yml index 5bc223fdb2f..48e547ede3b 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/udp.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/udp.yml @@ -9,6 +9,7 @@ inputs: type: logs host: localhost:8080 max_message_size: 10KiB + timeout: ${kubernetes.hints.udp.generic.timeout|kubernetes.hints.udp.timeout|''} data_stream.namespace: default - name: filestream-udp type: filestream diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/zeek.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/zeek.yml index 22bcc875894..0bd6c14afb4 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/zeek.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/zeek.yml @@ -865,7 +865,9 @@ inputs: type: httpjson use_output: default streams: - - condition: ${kubernetes.hints.zeek.capture_loss.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + - auth.basic.password: ${kubernetes.hints.zeek.capture_loss.password|kubernetes.hints.zeek.password|''} + auth.basic.user: ${kubernetes.hints.zeek.capture_loss.username|kubernetes.hints.zeek.username|''} + condition: ${kubernetes.hints.zeek.capture_loss.enabled} == true and ${kubernetes.hints.zeek.enabled} == true config_version: 2 cursor: index_earliest: 
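Review bot: `tcp: null` (and `udp: null` in the preceding tomcat hunk) sits inside the stream next to `tags`, where a null most likely comes from a bare `tcp:`/`udp:` key in the source template; if an empty settings mapping is intended, `tcp: {}` is unambiguous, and if nothing is intended the key should be dropped rather than published as null. The enclosing stream begins far outside this hunk, so the intended role of the key is not visible here.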
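Review bot: `auth.basic.user` and `auth.basic.password` are now always present on the capture_loss stream with a default of `''`; if the httpjson basic-auth settings require both values to be non-empty once the `auth.basic` block exists, a pod that sets only `kubernetes.hints.zeek.enabled` would produce an input that fails validation instead of one without authentication. Confirm that empty resolved values are dropped before the input is validated, or emit the `auth.basic` keys only when a username hint is present. The same pattern is repeated verbatim in every zeek hunk that follows (`connection` through `x509`), so whichever fix is chosen applies to all of them.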
@@ -901,7 +903,9 @@ inputs: tags: - forwarded - zeek-capture-loss - - condition: ${kubernetes.hints.zeek.connection.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + - auth.basic.password: ${kubernetes.hints.zeek.connection.password|kubernetes.hints.zeek.password|''} + auth.basic.user: ${kubernetes.hints.zeek.connection.username|kubernetes.hints.zeek.username|''} + condition: ${kubernetes.hints.zeek.connection.enabled} == true and ${kubernetes.hints.zeek.enabled} == true config_version: 2 cursor: index_earliest: @@ -937,7 +941,9 @@ inputs: tags: - forwarded - zeek-connection - - condition: ${kubernetes.hints.zeek.dce_rpc.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + - auth.basic.password: ${kubernetes.hints.zeek.dce_rpc.password|kubernetes.hints.zeek.password|''} + auth.basic.user: ${kubernetes.hints.zeek.dce_rpc.username|kubernetes.hints.zeek.username|''} + condition: ${kubernetes.hints.zeek.dce_rpc.enabled} == true and ${kubernetes.hints.zeek.enabled} == true config_version: 2 cursor: index_earliest: @@ -973,7 +979,9 @@ inputs: tags: - forwarded - zeek-dce-rpc - - condition: ${kubernetes.hints.zeek.dhcp.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + - auth.basic.password: ${kubernetes.hints.zeek.dhcp.password|kubernetes.hints.zeek.password|''} + auth.basic.user: ${kubernetes.hints.zeek.dhcp.username|kubernetes.hints.zeek.username|''} + condition: ${kubernetes.hints.zeek.dhcp.enabled} == true and ${kubernetes.hints.zeek.enabled} == true config_version: 2 cursor: index_earliest: 
@@ -1009,7 +1017,9 @@ inputs: tags: - forwarded - zeek-dhcp - - condition: ${kubernetes.hints.zeek.dnp3.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + - auth.basic.password: ${kubernetes.hints.zeek.dnp3.password|kubernetes.hints.zeek.password|''} + auth.basic.user: ${kubernetes.hints.zeek.dnp3.username|kubernetes.hints.zeek.username|''} + condition: ${kubernetes.hints.zeek.dnp3.enabled} == true and ${kubernetes.hints.zeek.enabled} == true config_version: 2 cursor: index_earliest: @@ -1045,7 +1055,9 @@ inputs: tags: - forwarded - zeek-dnp3 - - condition: ${kubernetes.hints.zeek.dns.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + - auth.basic.password: ${kubernetes.hints.zeek.dns.password|kubernetes.hints.zeek.password|''} + auth.basic.user: ${kubernetes.hints.zeek.dns.username|kubernetes.hints.zeek.username|''} + condition: ${kubernetes.hints.zeek.dns.enabled} == true and ${kubernetes.hints.zeek.enabled} == true config_version: 2 cursor: index_earliest: @@ -1081,7 +1093,9 @@ inputs: tags: - forwarded - zeek-dns - - condition: ${kubernetes.hints.zeek.dpd.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + - auth.basic.password: ${kubernetes.hints.zeek.dpd.password|kubernetes.hints.zeek.password|''} + auth.basic.user: ${kubernetes.hints.zeek.dpd.username|kubernetes.hints.zeek.username|''} + condition: ${kubernetes.hints.zeek.dpd.enabled} == true and ${kubernetes.hints.zeek.enabled} == true config_version: 2 cursor: index_earliest: 
@@ -1117,7 +1131,9 @@ inputs: tags: - forwarded - zeek-dpd - - condition: ${kubernetes.hints.zeek.files.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + - auth.basic.password: ${kubernetes.hints.zeek.files.password|kubernetes.hints.zeek.password|''} + auth.basic.user: ${kubernetes.hints.zeek.files.username|kubernetes.hints.zeek.username|''} + condition: ${kubernetes.hints.zeek.files.enabled} == true and ${kubernetes.hints.zeek.enabled} == true config_version: 2 cursor: index_earliest: @@ -1153,7 +1169,9 @@ inputs: tags: - forwarded - zeek-files - - condition: ${kubernetes.hints.zeek.ftp.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + - auth.basic.password: ${kubernetes.hints.zeek.ftp.password|kubernetes.hints.zeek.password|''} + auth.basic.user: ${kubernetes.hints.zeek.ftp.username|kubernetes.hints.zeek.username|''} + condition: ${kubernetes.hints.zeek.ftp.enabled} == true and ${kubernetes.hints.zeek.enabled} == true config_version: 2 cursor: index_earliest: @@ -1189,7 +1207,9 @@ inputs: tags: - forwarded - zeek-ftp - - condition: ${kubernetes.hints.zeek.http.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + - auth.basic.password: ${kubernetes.hints.zeek.http.password|kubernetes.hints.zeek.password|''} + auth.basic.user: ${kubernetes.hints.zeek.http.username|kubernetes.hints.zeek.username|''} + condition: ${kubernetes.hints.zeek.http.enabled} == true and ${kubernetes.hints.zeek.enabled} == true config_version: 2 cursor: index_earliest: 
@@ -1225,7 +1245,9 @@ inputs: tags: - forwarded - zeek-http - - condition: ${kubernetes.hints.zeek.intel.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + - auth.basic.password: ${kubernetes.hints.zeek.intel.password|kubernetes.hints.zeek.password|''} + auth.basic.user: ${kubernetes.hints.zeek.intel.username|kubernetes.hints.zeek.username|''} + condition: ${kubernetes.hints.zeek.intel.enabled} == true and ${kubernetes.hints.zeek.enabled} == true config_version: 2 cursor: index_earliest: @@ -1261,7 +1283,9 @@ inputs: tags: - forwarded - zeek-intel - - condition: ${kubernetes.hints.zeek.irc.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + - auth.basic.password: ${kubernetes.hints.zeek.irc.password|kubernetes.hints.zeek.password|''} + auth.basic.user: ${kubernetes.hints.zeek.irc.username|kubernetes.hints.zeek.username|''} + condition: ${kubernetes.hints.zeek.irc.enabled} == true and ${kubernetes.hints.zeek.enabled} == true config_version: 2 cursor: index_earliest: @@ -1297,7 +1321,9 @@ inputs: tags: - forwarded - zeek-irc - - condition: ${kubernetes.hints.zeek.kerberos.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + - auth.basic.password: ${kubernetes.hints.zeek.kerberos.password|kubernetes.hints.zeek.password|''} + auth.basic.user: ${kubernetes.hints.zeek.kerberos.username|kubernetes.hints.zeek.username|''} + condition: ${kubernetes.hints.zeek.kerberos.enabled} == true and ${kubernetes.hints.zeek.enabled} == true config_version: 2 cursor: index_earliest: 
@@ -1333,7 +1359,9 @@ inputs: tags: - forwarded - zeek-kerberos - - condition: ${kubernetes.hints.zeek.modbus.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + - auth.basic.password: ${kubernetes.hints.zeek.modbus.password|kubernetes.hints.zeek.password|''} + auth.basic.user: ${kubernetes.hints.zeek.modbus.username|kubernetes.hints.zeek.username|''} + condition: ${kubernetes.hints.zeek.modbus.enabled} == true and ${kubernetes.hints.zeek.enabled} == true config_version: 2 cursor: index_earliest: @@ -1369,7 +1397,9 @@ inputs: tags: - forwarded - zeek-modbus - - condition: ${kubernetes.hints.zeek.mysql.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + - auth.basic.password: ${kubernetes.hints.zeek.mysql.password|kubernetes.hints.zeek.password|''} + auth.basic.user: ${kubernetes.hints.zeek.mysql.username|kubernetes.hints.zeek.username|''} + condition: ${kubernetes.hints.zeek.mysql.enabled} == true and ${kubernetes.hints.zeek.enabled} == true config_version: 2 cursor: index_earliest: @@ -1405,7 +1435,9 @@ inputs: tags: - forwarded - zeek-mysql - - condition: ${kubernetes.hints.zeek.notice.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + - auth.basic.password: ${kubernetes.hints.zeek.notice.password|kubernetes.hints.zeek.password|''} + auth.basic.user: ${kubernetes.hints.zeek.notice.username|kubernetes.hints.zeek.username|''} + condition: ${kubernetes.hints.zeek.notice.enabled} == true and ${kubernetes.hints.zeek.enabled} == true config_version: 2 cursor: index_earliest: 
@@ -1441,7 +1473,9 @@ inputs: tags: - forwarded - zeek-notice - - condition: ${kubernetes.hints.zeek.ntlm.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + - auth.basic.password: ${kubernetes.hints.zeek.ntlm.password|kubernetes.hints.zeek.password|''} + auth.basic.user: ${kubernetes.hints.zeek.ntlm.username|kubernetes.hints.zeek.username|''} + condition: ${kubernetes.hints.zeek.ntlm.enabled} == true and ${kubernetes.hints.zeek.enabled} == true config_version: 2 cursor: index_earliest: @@ -1477,7 +1511,9 @@ inputs: tags: - forwarded - zeek-ntlm - - condition: ${kubernetes.hints.zeek.ntp.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + - auth.basic.password: ${kubernetes.hints.zeek.ntp.password|kubernetes.hints.zeek.password|''} + auth.basic.user: ${kubernetes.hints.zeek.ntp.username|kubernetes.hints.zeek.username|''} + condition: ${kubernetes.hints.zeek.ntp.enabled} == true and ${kubernetes.hints.zeek.enabled} == true config_version: 2 cursor: index_earliest: @@ -1513,7 +1549,9 @@ inputs: tags: - forwarded - zeek-ntp - - condition: ${kubernetes.hints.zeek.ocsp.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + - auth.basic.password: ${kubernetes.hints.zeek.ocsp.password|kubernetes.hints.zeek.password|''} + auth.basic.user: ${kubernetes.hints.zeek.ocsp.username|kubernetes.hints.zeek.username|''} + condition: ${kubernetes.hints.zeek.ocsp.enabled} == true and ${kubernetes.hints.zeek.enabled} == true config_version: 2 cursor: index_earliest: @@ -1549,7 +1587,9 @@ inputs: tags: - forwarded - zeek-ocsp - - condition: ${kubernetes.hints.zeek.pe.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + - auth.basic.password: ${kubernetes.hints.zeek.pe.password|kubernetes.hints.zeek.password|''} + auth.basic.user: ${kubernetes.hints.zeek.pe.username|kubernetes.hints.zeek.username|''} + condition: ${kubernetes.hints.zeek.pe.enabled} == true and ${kubernetes.hints.zeek.enabled} == true config_version: 2 cursor: index_earliest: 
@@ -1585,7 +1625,9 @@ inputs: tags: - forwarded - zeek-pe - - condition: ${kubernetes.hints.zeek.radius.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + - auth.basic.password: ${kubernetes.hints.zeek.radius.password|kubernetes.hints.zeek.password|''} + auth.basic.user: ${kubernetes.hints.zeek.radius.username|kubernetes.hints.zeek.username|''} + condition: ${kubernetes.hints.zeek.radius.enabled} == true and ${kubernetes.hints.zeek.enabled} == true config_version: 2 cursor: index_earliest: @@ -1621,7 +1663,9 @@ inputs: tags: - forwarded - zeek-radius - - condition: ${kubernetes.hints.zeek.rdp.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + - auth.basic.password: ${kubernetes.hints.zeek.rdp.password|kubernetes.hints.zeek.password|''} + auth.basic.user: ${kubernetes.hints.zeek.rdp.username|kubernetes.hints.zeek.username|''} + condition: ${kubernetes.hints.zeek.rdp.enabled} == true and ${kubernetes.hints.zeek.enabled} == true config_version: 2 cursor: index_earliest: @@ -1657,7 +1701,9 @@ inputs: tags: - forwarded - zeek-rdp - - condition: ${kubernetes.hints.zeek.rfb.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + - auth.basic.password: ${kubernetes.hints.zeek.rfb.password|kubernetes.hints.zeek.password|''} + auth.basic.user: ${kubernetes.hints.zeek.rfb.username|kubernetes.hints.zeek.username|''} + condition: ${kubernetes.hints.zeek.rfb.enabled} == true and ${kubernetes.hints.zeek.enabled} == true config_version: 2 cursor: index_earliest: 
@@ -1693,7 +1739,9 @@ inputs: tags: - forwarded - zeek-rfb - - condition: ${kubernetes.hints.zeek.signature.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + - auth.basic.password: ${kubernetes.hints.zeek.signature.password|kubernetes.hints.zeek.password|''} + auth.basic.user: ${kubernetes.hints.zeek.signature.username|kubernetes.hints.zeek.username|''} + condition: ${kubernetes.hints.zeek.signature.enabled} == true and ${kubernetes.hints.zeek.enabled} == true config_version: 2 cursor: index_earliest: @@ -1729,7 +1777,9 @@ inputs: tags: - forwarded - zeek-signature - - condition: ${kubernetes.hints.zeek.sip.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + - auth.basic.password: ${kubernetes.hints.zeek.sip.password|kubernetes.hints.zeek.password|''} + auth.basic.user: ${kubernetes.hints.zeek.sip.username|kubernetes.hints.zeek.username|''} + condition: ${kubernetes.hints.zeek.sip.enabled} == true and ${kubernetes.hints.zeek.enabled} == true config_version: 2 cursor: index_earliest: @@ -1765,7 +1815,9 @@ inputs: tags: - forwarded - zeek-sip - - condition: ${kubernetes.hints.zeek.smb_cmd.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + - auth.basic.password: ${kubernetes.hints.zeek.smb_cmd.password|kubernetes.hints.zeek.password|''} + auth.basic.user: ${kubernetes.hints.zeek.smb_cmd.username|kubernetes.hints.zeek.username|''} + condition: ${kubernetes.hints.zeek.smb_cmd.enabled} == true and ${kubernetes.hints.zeek.enabled} == true config_version: 2 cursor: index_earliest: 
@@ -1801,7 +1853,9 @@ inputs: tags: - forwarded - zeek-smb-cmd - - condition: ${kubernetes.hints.zeek.smb_files.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + - auth.basic.password: ${kubernetes.hints.zeek.smb_files.password|kubernetes.hints.zeek.password|''} + auth.basic.user: ${kubernetes.hints.zeek.smb_files.username|kubernetes.hints.zeek.username|''} + condition: ${kubernetes.hints.zeek.smb_files.enabled} == true and ${kubernetes.hints.zeek.enabled} == true config_version: 2 cursor: index_earliest: @@ -1837,7 +1891,9 @@ inputs: tags: - forwarded - zeek-smb-files - - condition: ${kubernetes.hints.zeek.smb_mapping.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + - auth.basic.password: ${kubernetes.hints.zeek.smb_mapping.password|kubernetes.hints.zeek.password|''} + auth.basic.user: ${kubernetes.hints.zeek.smb_mapping.username|kubernetes.hints.zeek.username|''} + condition: ${kubernetes.hints.zeek.smb_mapping.enabled} == true and ${kubernetes.hints.zeek.enabled} == true config_version: 2 cursor: index_earliest: @@ -1872,7 +1928,9 @@ inputs: type: string tags: - forwarded - - condition: ${kubernetes.hints.zeek.smtp.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + - auth.basic.password: ${kubernetes.hints.zeek.smtp.password|kubernetes.hints.zeek.password|''} + auth.basic.user: ${kubernetes.hints.zeek.smtp.username|kubernetes.hints.zeek.username|''} + condition: ${kubernetes.hints.zeek.smtp.enabled} == true and ${kubernetes.hints.zeek.enabled} == true config_version: 2 cursor: index_earliest: 
@@ -1908,7 +1966,9 @@ inputs: tags: - forwarded - zeek-smtp - - condition: ${kubernetes.hints.zeek.snmp.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + - auth.basic.password: ${kubernetes.hints.zeek.snmp.password|kubernetes.hints.zeek.password|''} + auth.basic.user: ${kubernetes.hints.zeek.snmp.username|kubernetes.hints.zeek.username|''} + condition: ${kubernetes.hints.zeek.snmp.enabled} == true and ${kubernetes.hints.zeek.enabled} == true config_version: 2 cursor: index_earliest: @@ -1944,7 +2004,9 @@ inputs: tags: - forwarded - zeek-snmp - - condition: ${kubernetes.hints.zeek.socks.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + - auth.basic.password: ${kubernetes.hints.zeek.socks.password|kubernetes.hints.zeek.password|''} + auth.basic.user: ${kubernetes.hints.zeek.socks.username|kubernetes.hints.zeek.username|''} + condition: ${kubernetes.hints.zeek.socks.enabled} == true and ${kubernetes.hints.zeek.enabled} == true config_version: 2 cursor: index_earliest: @@ -1980,7 +2042,9 @@ inputs: tags: - forwarded - zeek-socks - - condition: ${kubernetes.hints.zeek.ssh.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + - auth.basic.password: ${kubernetes.hints.zeek.ssh.password|kubernetes.hints.zeek.password|''} + auth.basic.user: ${kubernetes.hints.zeek.ssh.username|kubernetes.hints.zeek.username|''} + condition: ${kubernetes.hints.zeek.ssh.enabled} == true and ${kubernetes.hints.zeek.enabled} == true config_version: 2 cursor: index_earliest: 
@@ -2016,7 +2080,9 @@ inputs: tags: - forwarded - zeek-ssh - - condition: ${kubernetes.hints.zeek.ssl.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + - auth.basic.password: ${kubernetes.hints.zeek.ssl.password|kubernetes.hints.zeek.password|''} + auth.basic.user: ${kubernetes.hints.zeek.ssl.username|kubernetes.hints.zeek.username|''} + condition: ${kubernetes.hints.zeek.ssl.enabled} == true and ${kubernetes.hints.zeek.enabled} == true config_version: 2 cursor: index_earliest: @@ -2052,7 +2118,9 @@ inputs: tags: - forwarded - zeek-ssl - - condition: ${kubernetes.hints.zeek.stats.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + - auth.basic.password: ${kubernetes.hints.zeek.stats.password|kubernetes.hints.zeek.password|''} + auth.basic.user: ${kubernetes.hints.zeek.stats.username|kubernetes.hints.zeek.username|''} + condition: ${kubernetes.hints.zeek.stats.enabled} == true and ${kubernetes.hints.zeek.enabled} == true config_version: 2 cursor: index_earliest: @@ -2088,7 +2156,9 @@ inputs: tags: - forwarded - zeek-stats - - condition: ${kubernetes.hints.zeek.syslog.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + - auth.basic.password: ${kubernetes.hints.zeek.syslog.password|kubernetes.hints.zeek.password|''} + auth.basic.user: ${kubernetes.hints.zeek.syslog.username|kubernetes.hints.zeek.username|''} + condition: ${kubernetes.hints.zeek.syslog.enabled} == true and ${kubernetes.hints.zeek.enabled} == true config_version: 2 cursor: index_earliest: 
@@ -2124,7 +2194,9 @@ inputs: tags: - forwarded - zeek-syslog - - condition: ${kubernetes.hints.zeek.traceroute.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + - auth.basic.password: ${kubernetes.hints.zeek.traceroute.password|kubernetes.hints.zeek.password|''} + auth.basic.user: ${kubernetes.hints.zeek.traceroute.username|kubernetes.hints.zeek.username|''} + condition: ${kubernetes.hints.zeek.traceroute.enabled} == true and ${kubernetes.hints.zeek.enabled} == true config_version: 2 cursor: index_earliest: @@ -2160,7 +2232,9 @@ inputs: tags: - forwarded - zeek-traceroute - - condition: ${kubernetes.hints.zeek.tunnel.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + - auth.basic.password: ${kubernetes.hints.zeek.tunnel.password|kubernetes.hints.zeek.password|''} + auth.basic.user: ${kubernetes.hints.zeek.tunnel.username|kubernetes.hints.zeek.username|''} + condition: ${kubernetes.hints.zeek.tunnel.enabled} == true and ${kubernetes.hints.zeek.enabled} == true config_version: 2 cursor: index_earliest: @@ -2196,7 +2270,9 @@ inputs: tags: - forwarded - zeek-tunnel - - condition: ${kubernetes.hints.zeek.weird.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + - auth.basic.password: ${kubernetes.hints.zeek.weird.password|kubernetes.hints.zeek.password|''} + auth.basic.user: ${kubernetes.hints.zeek.weird.username|kubernetes.hints.zeek.username|''} + condition: ${kubernetes.hints.zeek.weird.enabled} == true and ${kubernetes.hints.zeek.enabled} == true config_version: 2 cursor: index_earliest: 
@@ -2232,7 +2308,9 @@ inputs: tags: - forwarded - zeek-weird - - condition: ${kubernetes.hints.zeek.x509.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + - auth.basic.password: ${kubernetes.hints.zeek.x509.password|kubernetes.hints.zeek.password|''} + auth.basic.user: ${kubernetes.hints.zeek.x509.username|kubernetes.hints.zeek.username|''} + condition: ${kubernetes.hints.zeek.x509.enabled} == true and ${kubernetes.hints.zeek.enabled} == true config_version: 2 cursor: index_earliest: