From 8a248b15cbf58cf4ceea06c7c6d7bcd318a01cc6 Mon Sep 17 00:00:00 2001 
From: elasticmachine Date: Thu, 9 Jan 2025 12:54:22 +0000 Subject: [PATCH] [automation] Publish kubernetes templates for elastic-agent --- .../templates.d/activemq.yml | 100 +++--- .../templates.d/apache.yml | 136 ++++---- .../templates.d/cassandra.yml | 2 +- .../templates.d/cef.yml | 44 +-- .../templates.d/checkpoint.yml | 2 +- .../templates.d/cockroachdb.yml | 46 +-- .../templates.d/crowdstrike.yml | 66 ++-- .../templates.d/cyberarkpas.yml | 62 ++-- .../templates.d/elasticsearch.yml | 300 +++++++++--------- .../templates.d/endpoint.yml | 4 +- .../templates.d/fireeye.yml | 18 +- .../templates.d/haproxy.yml | 36 +-- .../templates.d/hashicorp_vault.yml | 34 +- .../templates.d/hid_bravura_monitor.yml | 1 - .../templates.d/iis.yml | 58 ++-- .../templates.d/infoblox_nios.yml | 2 +- .../templates.d/iptables.yml | 34 +- .../templates.d/kafka.yml | 2 +- .../templates.d/keycloak.yml | 1 - .../templates.d/kibana.yml | 4 +- .../templates.d/log.yml | 4 +- .../templates.d/logstash.yml | 180 +++++------ .../templates.d/mattermost.yml | 2 +- .../templates.d/microsoft_sqlserver.yml | 28 +- .../templates.d/mimecast.yml | 4 +- .../templates.d/modsecurity.yml | 2 +- .../templates.d/mongodb.yml | 10 +- .../templates.d/mysql.yml | 4 +- .../templates.d/mysql_enterprise.yml | 1 - .../templates.d/nats.yml | 2 +- .../templates.d/netflow.yml | 46 +-- .../templates.d/nginx.yml | 4 +- .../templates.d/nginx_ingress_controller.yml | 2 - .../templates.d/oracle.yml | 1 - .../templates.d/panw.yml | 86 ++--- .../templates.d/panw_cortex_xdr.yml | 46 +-- .../templates.d/pfsense.yml | 24 +- .../templates.d/postgresql.yml | 2 +- .../templates.d/prometheus.yml | 46 +-- .../templates.d/qnap_nas.yml | 46 +-- .../templates.d/rabbitmq.yml | 2 +- .../templates.d/redis.yml | 60 ++-- .../templates.d/santa.yml | 2 +- .../templates.d/security_detection_engine.yml | 4 +- .../templates.d/sentinel_one.yml | 4 +- .../templates.d/snort.yml | 2 +- .../templates.d/snyk.yml | 46 +-- .../templates.d/stan.yml | 2 +- 
.../templates.d/suricata.yml | 2 +- .../templates.d/symantec_endpoint.yml | 2 +- .../templates.d/synthetics.yml | 144 ++++----- .../templates.d/tcp.yml | 28 +- .../templates.d/tomcat.yml | 52 +-- .../templates.d/traefik.yml | 2 +- .../templates.d/udp.yml | 4 +- .../templates.d/zeek.yml | 44 ++- .../templates.d/zookeeper.yml | 46 +-- 57 files changed, 987 insertions(+), 951 deletions(-)
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/activemq.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/activemq.yml
index 705f3370e7b..0a298892a31 100644
--- a/deploy/kubernetes/elastic-agent-standalone/templates.d/activemq.yml
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/activemq.yml
@@ -1,11 +1,58 @@ inputs: + - name: activemq/metrics-activemq + id: activemq/metrics-activemq-${kubernetes.hints.container_id} + type: activemq/metrics + use_output: default + streams: + - condition: ${kubernetes.hints.activemq.broker.enabled} == true or ${kubernetes.hints.activemq.enabled} == true + data_stream: + dataset: activemq.broker + type: metrics + hosts: + - ${kubernetes.hints.activemq.broker.host|kubernetes.hints.activemq.host|'localhost:8161'} + metricsets: + - broker + password: ${kubernetes.hints.activemq.broker.password|kubernetes.hints.activemq.password|'admin'} + path: /api/jolokia/?ignoreErrors=true&canonicalNaming=false + period: ${kubernetes.hints.activemq.broker.period|kubernetes.hints.activemq.period|'10s'} + tags: + - activemq-broker + username: ${kubernetes.hints.activemq.broker.username|kubernetes.hints.activemq.username|'admin'} + - condition: ${kubernetes.hints.activemq.queue.enabled} == true or ${kubernetes.hints.activemq.enabled} == true + data_stream: + dataset: activemq.queue + type: metrics + hosts: + - ${kubernetes.hints.activemq.queue.host|kubernetes.hints.activemq.host|'localhost:8161'} + metricsets: + - queue + password: ${kubernetes.hints.activemq.queue.password|kubernetes.hints.activemq.password|'admin'} + path: /api/jolokia/?ignoreErrors=true&canonicalNaming=false + period: ${kubernetes.hints.activemq.queue.period|kubernetes.hints.activemq.period|'10s'} + tags: + - activemq-queue + username: ${kubernetes.hints.activemq.queue.username|kubernetes.hints.activemq.username|'admin'} + - condition: ${kubernetes.hints.activemq.topic.enabled} == true or ${kubernetes.hints.activemq.enabled} == true + data_stream: + dataset: activemq.topic + type: metrics + hosts: + - ${kubernetes.hints.activemq.topic.host|kubernetes.hints.activemq.host|'localhost:8161'} + metricsets: + - topic + password: ${kubernetes.hints.activemq.topic.password|kubernetes.hints.activemq.password|'admin'} + path: /api/jolokia/?ignoreErrors=true&canonicalNaming=false + 
period: ${kubernetes.hints.activemq.topic.period|kubernetes.hints.activemq.period|'10s'} + tags: + - activemq-topic + username: ${kubernetes.hints.activemq.topic.username|kubernetes.hints.activemq.username|'admin'} + data_stream.namespace: default - name: filestream-activemq id: filestream-activemq-${kubernetes.hints.container_id} type: filestream use_output: default streams: - condition: ${kubernetes.hints.activemq.audit.enabled} == true or ${kubernetes.hints.activemq.enabled} == true - id: filestream-activemq-audit-${kubernetes.hints.container_id} data_stream: dataset: activemq.audit type: logs @@ -13,6 +60,7 @@ inputs: - .gz$ file_identity: fingerprint: null + id: filestream-activemq-activemq-audit-${kubernetes.hints.container_id} parsers: - container: format: auto @@ -28,7 +76,6 @@ inputs: - forwarded - activemq-audit - condition: ${kubernetes.hints.activemq.log.enabled} == true or ${kubernetes.hints.activemq.enabled} == true - id: filestream-activemq-log-${kubernetes.hints.container_id} data_stream: dataset: activemq.log type: logs @@ -36,6 +83,7 @@ inputs: - .gz$ file_identity: fingerprint: null + id: filestream-activemq-activemq-log-${kubernetes.hints.container_id} multiline: match: after negate: true 
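Review bot: The `password:` fallbacks on the new side of this hunk default the Jolokia credentials to `'admin'`/`'admin'` whenever no `activemq.password` hint is present, so a pod annotated only with `activemq.enabled` makes the agent authenticate with a well-known default against `localhost:8161`, and the broker, queue and topic streams all repeat it. Hint values are read from pod annotations, so a real password supplied this way is readable by anyone who can get the Pod object, which is worth a caveat in the template. An empty fallback, `password: ${kubernetes.hints.activemq.broker.password|kubernetes.hints.activemq.password|''}`, would make a missing credential fail visibly rather than silently trying `admin`. Since this file is generated, the change belongs in the integration template it is published from.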
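Review bot: The stream `id` is renamed from `filestream-activemq-audit-${kubernetes.hints.container_id}` to `filestream-activemq-activemq-audit-${kubernetes.hints.container_id}` and moved below `file_identity`; the filestream documentation warns that changing an input id discards the registry state kept under the old id, so an agent that picks up this template re-reads the matching `/var/log/containers/*.log` files from the start and duplicates events it has already shipped. That one-off cost should be called out in the release notes of whichever agent version ships these templates, or the old id kept, e.g. `id: filestream-activemq-audit-${kubernetes.hints.container_id}`. The same rename is applied to every filestream stream in this patch, so the impact is not limited to ActiveMQ.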
@@ -55,51 +103,3 @@ inputs: - forwarded - activemq-log data_stream.namespace: default - - name: activemq/metrics-activemq - id: activemq/metrics-activemq-${kubernetes.hints.container_id} - type: activemq/metrics - use_output: default - streams: - - condition: ${kubernetes.hints.activemq.broker.enabled} == true or ${kubernetes.hints.activemq.enabled} == true - data_stream: - dataset: activemq.broker - type: metrics - hosts: - - ${kubernetes.hints.activemq.broker.host|kubernetes.hints.activemq.host|'localhost:8161'} - metricsets: - - broker - password: ${kubernetes.hints.activemq.broker.password|kubernetes.hints.activemq.password|'admin'} - path: /api/jolokia/?ignoreErrors=true&canonicalNaming=false - period: ${kubernetes.hints.activemq.broker.period|kubernetes.hints.activemq.period|'10s'} - tags: - - activemq-broker - username: ${kubernetes.hints.activemq.broker.username|kubernetes.hints.activemq.username|'admin'} - - condition: ${kubernetes.hints.activemq.queue.enabled} == true or ${kubernetes.hints.activemq.enabled} == true - data_stream: - dataset: activemq.queue - type: metrics - hosts: - - ${kubernetes.hints.activemq.queue.host|kubernetes.hints.activemq.host|'localhost:8161'} - metricsets: - - queue - password: ${kubernetes.hints.activemq.queue.password|kubernetes.hints.activemq.password|'admin'} - path: /api/jolokia/?ignoreErrors=true&canonicalNaming=false - period: ${kubernetes.hints.activemq.queue.period|kubernetes.hints.activemq.period|'10s'} - tags: - - activemq-queue - username: ${kubernetes.hints.activemq.queue.username|kubernetes.hints.activemq.username|'admin'} - - condition: ${kubernetes.hints.activemq.topic.enabled} == true or ${kubernetes.hints.activemq.enabled} == true - data_stream: - dataset: activemq.topic - type: metrics - hosts: - - ${kubernetes.hints.activemq.topic.host|kubernetes.hints.activemq.host|'localhost:8161'} - metricsets: - - topic - password: ${kubernetes.hints.activemq.topic.password|kubernetes.hints.activemq.password|'admin'} - 
path: /api/jolokia/?ignoreErrors=true&canonicalNaming=false
- period: ${kubernetes.hints.activemq.topic.period|kubernetes.hints.activemq.period|'10s'}
- tags:
- - activemq-topic
- username: ${kubernetes.hints.activemq.topic.username|kubernetes.hints.activemq.username|'admin'}
- data_stream.namespace: default
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/apache.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/apache.yml
index 26de98f64c5..e37f8b55ee8 100644
--- a/deploy/kubernetes/elastic-agent-standalone/templates.d/apache.yml
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/apache.yml
@@ -1,4 +1,72 @@ inputs: + - name: apache/metrics-apache + id: apache/metrics-apache-${kubernetes.hints.container_id} + type: apache/metrics + use_output: default + streams: + - condition: ${kubernetes.hints.apache.status.enabled} == true or ${kubernetes.hints.apache.enabled} == true + data_stream: + dataset: apache.status + type: metrics + hosts: + - ${kubernetes.hints.apache.status.host|kubernetes.hints.apache.host|'http://127.0.0.1'} + metricsets: + - status + period: ${kubernetes.hints.apache.status.period|kubernetes.hints.apache.period|'30s'} + server_status_path: /server-status + data_stream.namespace: default + - name: filestream-apache + id: filestream-apache-${kubernetes.hints.container_id} + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.apache.access.enabled} == true or ${kubernetes.hints.apache.enabled} == true + data_stream: + dataset: apache.access + type: logs + exclude_files: + - .gz$ + file_identity: + fingerprint: null + id: filestream-apache-apache-access-${kubernetes.hints.container_id} + parsers: + - container: + format: auto + stream: ${kubernetes.hints.apache.access.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + prospector: + scanner: + fingerprint: + enabled: true + symlinks: true + tags: + - apache-access + - condition: ${kubernetes.hints.apache.error.enabled} == true or ${kubernetes.hints.apache.enabled} == true + data_stream: + dataset: apache.error + type: logs + exclude_files: + - .gz$ + file_identity: + fingerprint: null + id: filestream-apache-apache-error-${kubernetes.hints.container_id} + parsers: + - container: + format: auto + stream: ${kubernetes.hints.apache.error.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + processors: + - add_locale: null + prospector: + scanner: + fingerprint: + enabled: true + symlinks: true + tags: + - apache-error + data_stream.namespace: default - name: httpjson-apache id: 
httpjson-apache-${kubernetes.hints.container_id} type: httpjson 
@@ -81,71 +149,3 @@ inputs: - forwarded - apache-error data_stream.namespace: default - - name: apache/metrics-apache - id: apache/metrics-apache-${kubernetes.hints.container_id} - type: apache/metrics - use_output: default - streams: - - condition: ${kubernetes.hints.apache.status.enabled} == true or ${kubernetes.hints.apache.enabled} == true - data_stream: - dataset: apache.status - type: metrics - hosts: - - ${kubernetes.hints.apache.status.host|kubernetes.hints.apache.host|'http://127.0.0.1'} - metricsets: - - status - period: ${kubernetes.hints.apache.status.period|kubernetes.hints.apache.period|'30s'} - server_status_path: /server-status - data_stream.namespace: default - - name: filestream-apache - id: filestream-apache-${kubernetes.hints.container_id} - type: filestream - use_output: default - streams: - - condition: ${kubernetes.hints.apache.access.enabled} == true or ${kubernetes.hints.apache.enabled} == true - id: filestream-apache-access-${kubernetes.hints.container_id} - data_stream: - dataset: apache.access - type: logs - exclude_files: - - .gz$ - file_identity: - fingerprint: null - parsers: - - container: - format: auto - stream: ${kubernetes.hints.apache.access.stream|'all'} - paths: - - /var/log/containers/*${kubernetes.hints.container_id}.log - prospector: - scanner: - fingerprint: - enabled: true - symlinks: true - tags: - - apache-access - - condition: ${kubernetes.hints.apache.error.enabled} == true or ${kubernetes.hints.apache.enabled} == true - id: filestream-apache-error-${kubernetes.hints.container_id} - data_stream: - dataset: apache.error - type: logs - exclude_files: - - .gz$ - file_identity: - fingerprint: null - parsers: - - container: - format: auto - stream: ${kubernetes.hints.apache.error.stream|'all'} - paths: - - /var/log/containers/*${kubernetes.hints.container_id}.log - processors: - - add_locale: null - prospector: - scanner: - fingerprint: - enabled: true - symlinks: true - tags: - - apache-error - data_stream.namespace: 
default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/cassandra.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/cassandra.yml index 8eef2d1978c..ce413b16cbb 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/cassandra.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/cassandra.yml @@ -5,7 +5,6 @@ inputs: use_output: default streams: - condition: ${kubernetes.hints.cassandra.log.enabled} == true or ${kubernetes.hints.cassandra.enabled} == true - id: filestream-cassandra-log-${kubernetes.hints.container_id} data_stream: dataset: cassandra.log type: logs @@ -13,6 +12,7 @@ inputs: - .gz$ file_identity: fingerprint: null + id: filestream-cassandra-cassandra-log-${kubernetes.hints.container_id} multiline: match: after negate: true diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/cef.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/cef.yml index 4f02183a9a3..3aa2907fc28 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/cef.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/cef.yml @@ -1,32 +1,10 @@ inputs: - - name: tcp-cef - id: tcp-cef-${kubernetes.hints.container_id} - type: tcp - use_output: default - streams: - - condition: ${kubernetes.hints.cef.log.enabled} == true or ${kubernetes.hints.cef.enabled} == true - data_stream: - dataset: cef.log - type: logs - host: localhost:9004 - processors: - - rename: - fields: - - from: message - to: event.original - - decode_cef: - field: event.original - tags: - - cef - - forwarded - data_stream.namespace: default - name: filestream-cef id: filestream-cef-${kubernetes.hints.container_id} type: filestream use_output: default streams: - condition: ${kubernetes.hints.cef.log.enabled} == true or ${kubernetes.hints.cef.enabled} == true - id: filestream-cef-log-${kubernetes.hints.container_id} data_stream: dataset: cef.log type: logs 
@@ -34,6 +12,7 @@ inputs: - .gz$ file_identity: fingerprint: null + id: filestream-cef-cef-log-${kubernetes.hints.container_id} parsers: - container: format: auto @@ -56,6 +35,27 @@ inputs: - cef - forwarded data_stream.namespace: default + - name: tcp-cef + id: tcp-cef-${kubernetes.hints.container_id} + type: tcp + use_output: default + streams: + - condition: ${kubernetes.hints.cef.log.enabled} == true or ${kubernetes.hints.cef.enabled} == true + data_stream: + dataset: cef.log + type: logs + host: localhost:9004 + processors: + - rename: + fields: + - from: message + to: event.original + - decode_cef: + field: event.original + tags: + - cef + - forwarded + data_stream.namespace: default - name: udp-cef id: udp-cef-${kubernetes.hints.container_id} type: udp diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/checkpoint.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/checkpoint.yml index 3685cdc69e6..eaf71e2c1f2 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/checkpoint.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/checkpoint.yml @@ -5,7 +5,6 @@ inputs: use_output: default streams: - condition: ${kubernetes.hints.checkpoint.firewall.enabled} == true or ${kubernetes.hints.checkpoint.enabled} == true - id: filestream-checkpoint-firewall-${kubernetes.hints.container_id} data_stream: dataset: checkpoint.firewall type: logs @@ -13,6 +12,7 @@ inputs: - .gz$ file_identity: fingerprint: null + id: filestream-checkpoint-checkpoint-firewall-${kubernetes.hints.container_id} parsers: - container: format: auto diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/cockroachdb.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/cockroachdb.yml index e9dfc83eb06..1e32955b655 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/cockroachdb.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/cockroachdb.yml 
@@ -1,4 +1,27 @@ inputs: + - name: filestream-cockroachdb + id: filestream-cockroachdb-${kubernetes.hints.container_id} + type: filestream + use_output: default + streams: + - id: cockroachdb-container-logs-${kubernetes.hints.container_id} + condition: ${kubernetes.hints.cockroachdb.container_logs.enabled} == true + data_stream: + dataset: cockroachdb.container_logs + type: logs + exclude_files: [] + exclude_lines: [] + parsers: + - container: + format: auto + stream: all + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + prospector: + scanner: + symlinks: true + tags: [] + data_stream.namespace: default - name: prometheus/metrics-cockroachdb id: prometheus/metrics-cockroachdb-${kubernetes.hints.container_id} type: prometheus/metrics @@ -22,26 +45,3 @@ inputs: use_types: true username: ${kubernetes.hints.cockroachdb.status.username|kubernetes.hints.cockroachdb.username|''} data_stream.namespace: default - - name: filestream-cockroachdb - id: filestream-cockroachdb-${kubernetes.hints.container_id} - type: filestream - use_output: default - streams: - - condition: ${kubernetes.hints.cockroachdb.container_logs.enabled} == true - id: filestream-cockroachdb-logs-${kubernetes.hints.container_id} - data_stream: - dataset: cockroachdb.container_logs - type: logs - exclude_files: [] - exclude_lines: [] - parsers: - - container: - format: auto - stream: all - paths: - - /var/log/containers/*${kubernetes.hints.container_id}.log - prospector: - scanner: - symlinks: true - tags: [] - data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/crowdstrike.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/crowdstrike.yml index 8699b4d6366..dc29e6bd906 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/crowdstrike.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/crowdstrike.yml 
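Review bot: The container_logs stream's `id` is written as `cockroachdb-container-logs-${kubernetes.hints.container_id}` and placed before `condition`, whereas every other filestream stream in this patch gets an id of the form `filestream-<package>-<package>-<dataset>-…` placed after `file_identity`, so the generator apparently has two code paths for container_logs streams (the endpoint.yml hunk shows the same shape). Because filestream keys its registry state by stream id, two naming conventions make it harder to predict which streams lose their offsets on an upgrade. This stream also lacks the `file_identity: fingerprint` / `prospector.scanner.fingerprint.enabled: true` settings its siblings carry; if that is deliberate for container_logs it deserves a comment, otherwise the two paths should be unified so the id and identity settings match the rest of the file.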
@@ -1,11 +1,41 @@ inputs: + - name: aws-s3-crowdstrike + id: aws-s3-crowdstrike-${kubernetes.hints.container_id} + type: aws-s3 + use_output: default + streams: + - condition: ${kubernetes.hints.crowdstrike.fdr.enabled} == true or ${kubernetes.hints.crowdstrike.enabled} == true + data_stream: + dataset: crowdstrike.fdr + type: logs + queue_url: null + sqs.notification_parsing_script.source: | + function parse(n) { + var m = JSON.parse(n); + var evts = []; + var files = m.files; + var bucket = m.bucket; + if (!Array.isArray(files) || (files.length == 0) || bucket == null || bucket == "") { + return evts; + } + files.forEach(function(f){ + var evt = new S3EventV2(); + evt.SetS3BucketName(bucket); + evt.SetS3ObjectKey(f.path); + evts.push(evt); + }); + return evts; + } + tags: + - forwarded + - crowdstrike-fdr + data_stream.namespace: default - name: filestream-crowdstrike id: filestream-crowdstrike-${kubernetes.hints.container_id} type: filestream use_output: default streams: - condition: ${kubernetes.hints.crowdstrike.falcon.enabled} == true or ${kubernetes.hints.crowdstrike.enabled} == true - id: filestream-crowdstrike-falcon-${kubernetes.hints.container_id} data_stream: dataset: crowdstrike.falcon type: logs @@ -13,6 +43,7 @@ inputs: - .gz$ file_identity: fingerprint: null + id: filestream-crowdstrike-crowdstrike-falcon-${kubernetes.hints.container_id} multiline.match: after multiline.max_lines: 5000 multiline.negate: true @@ -33,7 +64,6 @@ inputs: - forwarded - crowdstrike-falcon - condition: ${kubernetes.hints.crowdstrike.fdr.enabled} == true or ${kubernetes.hints.crowdstrike.enabled} == true - id: filestream-crowdstrike-fdr-${kubernetes.hints.container_id} data_stream: dataset: crowdstrike.fdr type: logs @@ -41,6 +71,7 @@ inputs: - .gz$ file_identity: fingerprint: null + id: filestream-crowdstrike-crowdstrike-fdr-${kubernetes.hints.container_id} parsers: - container: format: auto 
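Review bot: The aws-s3 stream is gated on `${kubernetes.hints.crowdstrike.fdr.enabled} == true or ${kubernetes.hints.crowdstrike.enabled} == true`, the same condition as the filestream `crowdstrike.fdr` stream, yet nothing in this template can populate `queue_url: null` from a hint, so a pod annotated with `crowdstrike.enabled` also starts an SQS/S3 input that has no queue to poll and will presumably only emit errors. Either the key needs a hint the way `hosts`/`password` do elsewhere in this patch, e.g. `queue_url: ${kubernetes.hints.crowdstrike.fdr.queue_url|''}`, or the stream should be left out of the hints template. The notification parsing script also trusts `bucket` and every `files[].path` from the SQS body verbatim; the agent's AWS credentials bound what it can read, but the queue's access policy is what stops other principals from steering the input at objects of their choosing, and a one-line comment above the script saying so would help operators.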
@@ -58,34 +89,3 @@ inputs: - forwarded - crowdstrike-fdr data_stream.namespace: default - - name: aws-s3-crowdstrike - id: aws-s3-crowdstrike-${kubernetes.hints.container_id} - type: aws-s3 - use_output: default - streams: - - condition: ${kubernetes.hints.crowdstrike.fdr.enabled} == true or ${kubernetes.hints.crowdstrike.enabled} == true - data_stream: - dataset: crowdstrike.fdr - type: logs - queue_url: null - sqs.notification_parsing_script.source: | - function parse(n) { - var m = JSON.parse(n); - var evts = []; - var files = m.files; - var bucket = m.bucket; - if (!Array.isArray(files) || (files.length == 0) || bucket == null || bucket == "") { - return evts; - } - files.forEach(function(f){ - var evt = new S3EventV2(); - evt.SetS3BucketName(bucket); - evt.SetS3ObjectKey(f.path); - evts.push(evt); - }); - return evts; - } - tags: - - forwarded - - crowdstrike-fdr - data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/cyberarkpas.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/cyberarkpas.yml index 3363ddf1cd5..53ff481892c 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/cyberarkpas.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/cyberarkpas.yml 
@@ -1,4 +1,35 @@ inputs: + - name: filestream-cyberarkpas + id: filestream-cyberarkpas-${kubernetes.hints.container_id} + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.cyberarkpas.audit.enabled} == true and ${kubernetes.hints.cyberarkpas.enabled} == true + data_stream: + dataset: cyberarkpas.audit + type: logs + exclude_files: + - .gz$ + file_identity: + fingerprint: null + id: filestream-cyberarkpas-cyberarkpas-audit-${kubernetes.hints.container_id} + parsers: + - container: + format: auto + stream: ${kubernetes.hints.cyberarkpas.audit.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + processors: + - add_locale: null + prospector: + scanner: + fingerprint: + enabled: true + symlinks: true + tags: + - forwarded + - cyberarkpas-audit + data_stream.namespace: default - name: tcp-cyberarkpas id: tcp-cyberarkpas-${kubernetes.hints.container_id} type: tcp @@ -33,34 +64,3 @@ inputs: - forwarded udp: null data_stream.namespace: default - - name: filestream-cyberarkpas - id: filestream-cyberarkpas-${kubernetes.hints.container_id} - type: filestream - use_output: default - streams: - - condition: ${kubernetes.hints.cyberarkpas.audit.enabled} == true and ${kubernetes.hints.cyberarkpas.enabled} == true - id: filestream-cyberarkpas-audit-${kubernetes.hints.container_id} - data_stream: - dataset: cyberarkpas.audit - type: logs - exclude_files: - - .gz$ - file_identity: - fingerprint: null - parsers: - - container: - format: auto - stream: ${kubernetes.hints.cyberarkpas.audit.stream|'all'} - paths: - - /var/log/containers/*${kubernetes.hints.container_id}.log - processors: - - add_locale: null - prospector: - scanner: - fingerprint: - enabled: true - symlinks: true - tags: - - forwarded - - cyberarkpas-audit - data_stream.namespace: default 
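Review bot: The audit stream's condition uses `and`, `${kubernetes.hints.cyberarkpas.audit.enabled} == true and ${kubernetes.hints.cyberarkpas.enabled} == true`, while every other filestream stream in this patch combines the dataset and package hints with `or`; as written, a pod annotated with only `cyberarkpas.enabled` (or only `cyberarkpas.audit.enabled`) never enables the stream. Unless CyberArk audit ingestion is meant to require both annotations, the line should read `- condition: ${kubernetes.hints.cyberarkpas.audit.enabled} == true or ${kubernetes.hints.cyberarkpas.enabled} == true`. The commit only moves this block, so the fix belongs in the source template the file is generated from.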
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/elasticsearch.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/elasticsearch.yml
index 7f4cab7fd21..cf86231c352 100644
--- a/deploy/kubernetes/elastic-agent-standalone/templates.d/elasticsearch.yml
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/elasticsearch.yml
@@ -1,154 +1,4 @@ inputs: - - name: filestream-elasticsearch - id: filestream-elasticsearch-${kubernetes.hints.container_id} - type: filestream - use_output: default - streams: - - condition: ${kubernetes.hints.elasticsearch.audit.enabled} == true or ${kubernetes.hints.elasticsearch.enabled} == true - id: filestream-elasticsearch-audit-${kubernetes.hints.container_id} - data_stream: - dataset: elasticsearch.audit - type: logs - exclude_files: - - .gz$ - file_identity: - fingerprint: null - parsers: - - container: - format: auto - stream: ${kubernetes.hints.elasticsearch.audit.stream|'all'} - paths: - - /var/log/containers/*${kubernetes.hints.container_id}.log - processors: - - add_locale: null - - add_fields: - fields: - ecs.version: 1.10.0 - target: "" - - decode_json_fields: - fields: - - message - target: _json - - rename: - fields: - - from: _json.request.body - to: _request - ignore_missing: true - - drop_fields: - fields: - - _json - - detect_mime_type: - field: _request - target: http.request.mime_type - - drop_fields: - fields: - - _request - ignore_missing: true - prospector: - scanner: - fingerprint: - enabled: true - symlinks: true - - condition: ${kubernetes.hints.elasticsearch.deprecation.enabled} == true or ${kubernetes.hints.elasticsearch.enabled} == true - id: filestream-elasticsearch-deprecation-${kubernetes.hints.container_id} - data_stream: - dataset: elasticsearch.deprecation - type: logs - exclude_files: - - .gz$ - - _slowlog.log$ - - _access.log$ - file_identity: - fingerprint: null - parsers: - - container: - format: auto - stream: ${kubernetes.hints.elasticsearch.deprecation.stream|'all'} - paths: - - /var/log/containers/*${kubernetes.hints.container_id}.log - prospector: - scanner: - fingerprint: - enabled: true - symlinks: true - - condition: ${kubernetes.hints.elasticsearch.gc.enabled} == true or ${kubernetes.hints.elasticsearch.enabled} == true - id: filestream-elasticsearch-gc-${kubernetes.hints.container_id} - data_stream: - dataset: 
elasticsearch.gc - type: logs - exclude_files: - - .gz$ - exclude_lines: - - '^(OpenJDK|Java HotSpot).* Server VM ' - - '^CommandLine flags: ' - - '^Memory: ' - - ^{ - file_identity: - fingerprint: null - multiline: - match: after - negate: true - pattern: ^(\[?[0-9]{4}-[0-9]{2}-[0-9]{2}|{) - parsers: - - container: - format: auto - stream: ${kubernetes.hints.elasticsearch.gc.stream|'all'} - paths: - - /var/log/containers/*${kubernetes.hints.container_id}.log - processors: - - add_fields: - fields: - ecs.version: 1.10.0 - target: "" - prospector: - scanner: - fingerprint: - enabled: true - symlinks: true - - condition: ${kubernetes.hints.elasticsearch.server.enabled} == true or ${kubernetes.hints.elasticsearch.enabled} == true - id: filestream-elasticsearch-server-${kubernetes.hints.container_id} - data_stream: - dataset: elasticsearch.server - type: logs - exclude_files: - - .gz$ - - _slowlog.log$ - - _access.log$ - - _deprecation.log$ - file_identity: - fingerprint: null - parsers: - - container: - format: auto - stream: ${kubernetes.hints.elasticsearch.server.stream|'all'} - paths: - - /var/log/containers/*${kubernetes.hints.container_id}.log - prospector: - scanner: - fingerprint: - enabled: true - symlinks: true - - condition: ${kubernetes.hints.elasticsearch.slowlog.enabled} == true or ${kubernetes.hints.elasticsearch.enabled} == true - id: filestream-elasticsearch-slowlog-${kubernetes.hints.container_id} - data_stream: - dataset: elasticsearch.slowlog - type: logs - exclude_files: - - .gz$ - file_identity: - fingerprint: null - parsers: - - container: - format: auto - stream: ${kubernetes.hints.elasticsearch.slowlog.stream|'all'} - paths: - - /var/log/containers/*${kubernetes.hints.container_id}.log - prospector: - scanner: - fingerprint: - enabled: true - symlinks: true - data_stream.namespace: default - name: elasticsearch/metrics-elasticsearch id: elasticsearch/metrics-elasticsearch-${kubernetes.hints.container_id} type: elasticsearch/metrics 
@@ -301,3 +151,153 @@ inputs: scope: node username: ${kubernetes.hints.elasticsearch.shard.username|kubernetes.hints.elasticsearch.username|''} data_stream.namespace: default + - name: filestream-elasticsearch + id: filestream-elasticsearch-${kubernetes.hints.container_id} + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.elasticsearch.audit.enabled} == true or ${kubernetes.hints.elasticsearch.enabled} == true + data_stream: + dataset: elasticsearch.audit + type: logs + exclude_files: + - .gz$ + file_identity: + fingerprint: null + id: filestream-elasticsearch-elasticsearch-audit-${kubernetes.hints.container_id} + parsers: + - container: + format: auto + stream: ${kubernetes.hints.elasticsearch.audit.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + processors: + - add_locale: null + - add_fields: + fields: + ecs.version: 1.10.0 + target: "" + - decode_json_fields: + fields: + - message + target: _json + - rename: + fields: + - from: _json.request.body + to: _request + ignore_missing: true + - drop_fields: + fields: + - _json + - detect_mime_type: + field: _request + target: http.request.mime_type + - drop_fields: + fields: + - _request + ignore_missing: true + prospector: + scanner: + fingerprint: + enabled: true + symlinks: true + - condition: ${kubernetes.hints.elasticsearch.deprecation.enabled} == true or ${kubernetes.hints.elasticsearch.enabled} == true + data_stream: + dataset: elasticsearch.deprecation + type: logs + exclude_files: + - .gz$ + - _slowlog.log$ + - _access.log$ + file_identity: + fingerprint: null + id: filestream-elasticsearch-elasticsearch-deprecation-${kubernetes.hints.container_id} + parsers: + - container: + format: auto + stream: ${kubernetes.hints.elasticsearch.deprecation.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + prospector: + scanner: + fingerprint: + enabled: true + symlinks: true + - condition: 
${kubernetes.hints.elasticsearch.gc.enabled} == true or ${kubernetes.hints.elasticsearch.enabled} == true + data_stream: + dataset: elasticsearch.gc + type: logs + exclude_files: + - .gz$ + exclude_lines: + - '^(OpenJDK|Java HotSpot).* Server VM ' + - '^CommandLine flags: ' + - '^Memory: ' + - ^{ + file_identity: + fingerprint: null + id: filestream-elasticsearch-elasticsearch-gc-${kubernetes.hints.container_id} + multiline: + match: after + negate: true + pattern: ^(\[?[0-9]{4}-[0-9]{2}-[0-9]{2}|{) + parsers: + - container: + format: auto + stream: ${kubernetes.hints.elasticsearch.gc.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + processors: + - add_fields: + fields: + ecs.version: 1.10.0 + target: "" + prospector: + scanner: + fingerprint: + enabled: true + symlinks: true + - condition: ${kubernetes.hints.elasticsearch.server.enabled} == true or ${kubernetes.hints.elasticsearch.enabled} == true + data_stream: + dataset: elasticsearch.server + type: logs + exclude_files: + - .gz$ + - _slowlog.log$ + - _access.log$ + - _deprecation.log$ + file_identity: + fingerprint: null + id: filestream-elasticsearch-elasticsearch-server-${kubernetes.hints.container_id} + parsers: + - container: + format: auto + stream: ${kubernetes.hints.elasticsearch.server.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + prospector: + scanner: + fingerprint: + enabled: true + symlinks: true + - condition: ${kubernetes.hints.elasticsearch.slowlog.enabled} == true or ${kubernetes.hints.elasticsearch.enabled} == true + data_stream: + dataset: elasticsearch.slowlog + type: logs + exclude_files: + - .gz$ + file_identity: + fingerprint: null + id: filestream-elasticsearch-elasticsearch-slowlog-${kubernetes.hints.container_id} + parsers: + - container: + format: auto + stream: ${kubernetes.hints.elasticsearch.slowlog.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + prospector: + 
scanner: + fingerprint: + enabled: true + symlinks: true + data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/endpoint.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/endpoint.yml index 23f5ae65dcb..6702bd35807 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/endpoint.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/endpoint.yml @@ -4,8 +4,8 @@ inputs: type: filestream use_output: default streams: - - condition: ${kubernetes.hints.endpoint.container_logs.enabled} == true - id: filestream-endpoint-logs-${kubernetes.hints.container_id} + - id: endpoint-container-logs-${kubernetes.hints.container_id} + condition: ${kubernetes.hints.endpoint.container_logs.enabled} == true data_stream: dataset: endpoint.container_logs type: logs diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/fireeye.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/fireeye.yml index 68084abfc7c..6a0cbc619fe 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/fireeye.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/fireeye.yml @@ -5,7 +5,6 @@ inputs: use_output: default streams: - condition: ${kubernetes.hints.fireeye.nx.enabled} == true or ${kubernetes.hints.fireeye.enabled} == true - id: filestream-fireeye-nx-${kubernetes.hints.container_id} data_stream: dataset: fireeye.nx type: logs @@ -13,6 +12,7 @@ inputs: - .gz$ file_identity: fingerprint: null + id: filestream-fireeye-fireeye-nx-${kubernetes.hints.container_id} parsers: - container: format: auto @@ -29,9 +29,9 @@ inputs: tags: - fireeye-nx data_stream.namespace: default - - name: udp-fireeye - id: udp-fireeye-${kubernetes.hints.container_id} - type: udp + - name: tcp-fireeye + id: tcp-fireeye-${kubernetes.hints.container_id} + type: tcp use_output: default streams: - condition: ${kubernetes.hints.fireeye.nx.enabled} == true or ${kubernetes.hints.fireeye.enabled} == true 
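Review bot: In the audit stream's processor chain the first `drop_fields` (for `_json`) has no `ignore_missing: true`, while the second one (for `_request`) does; when a line is not valid JSON, `decode_json_fields` leaves `_json` unset and, if libbeat's drop_fields behaves as I recall, the chain reports a missing-field error for every such event — worth confirming. Adding `ignore_missing: true` to the `_json` drop, mirroring the `_request` one, makes the chain tolerant of non-JSON lines, which matters here because all five streams read the same `/var/log/containers/*${kubernetes.hints.container_id}.log` when `elasticsearch.enabled` is set. That shared path also means the `exclude_files` entries `_slowlog.log$`, `_access.log$` and `_deprecation.log$` are unlikely to ever match a container log name; a short comment noting they are carried over from the host-log template would save the next reader a puzzle.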
@@ -45,11 +45,11 @@ inputs:
tags: - fireeye-nx - forwarded - udp: null + tcp: null data_stream.namespace: default - - name: tcp-fireeye - id: tcp-fireeye-${kubernetes.hints.container_id} - type: tcp + - name: udp-fireeye + id: udp-fireeye-${kubernetes.hints.container_id} + type: udp use_output: default streams: - condition: ${kubernetes.hints.fireeye.nx.enabled} == true or ${kubernetes.hints.fireeye.enabled} == true
@@ -63,5 +63,5 @@ inputs:
tags: - fireeye-nx - forwarded - tcp: null + udp: null data_stream.namespace: default
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/haproxy.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/haproxy.yml
index 07cee4332df..b661c494544 100644
--- a/deploy/kubernetes/elastic-agent-standalone/templates.d/haproxy.yml
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/haproxy.yml
@@ -5,7 +5,6 @@ inputs:
use_output: default streams: - condition: ${kubernetes.hints.haproxy.log.enabled} == true or ${kubernetes.hints.haproxy.enabled} == true - id: filestream-haproxy-log-${kubernetes.hints.container_id} data_stream: dataset: haproxy.log type: logs
@@ -13,6 +12,7 @@ inputs:
- .gz$ file_identity: fingerprint: null + id: filestream-haproxy-haproxy-log-${kubernetes.hints.container_id} parsers: - container: format: auto
@@ -29,23 +29,6 @@ inputs:
tags: - haproxy-log data_stream.namespace: default - - name: syslog-haproxy - id: syslog-haproxy-${kubernetes.hints.container_id} - type: syslog - use_output: default - streams: - - condition: ${kubernetes.hints.haproxy.log.enabled} == true or ${kubernetes.hints.haproxy.enabled} == true - data_stream: - dataset: haproxy.log - type: logs - processors: - - add_locale: null - protocol.udp: - host: localhost:9001 - tags: - - forwarded - - haproxy-log - data_stream.namespace: default - name: haproxy/metrics-haproxy id: haproxy/metrics-haproxy-${kubernetes.hints.container_id} type: haproxy/metrics
@@ -74,3 +57,20 @@ inputs:
period: ${kubernetes.hints.haproxy.stat.period|kubernetes.hints.haproxy.period|'10s'} username: ${kubernetes.hints.haproxy.stat.username|kubernetes.hints.haproxy.username|'admin'} data_stream.namespace: default + - name: syslog-haproxy + id: syslog-haproxy-${kubernetes.hints.container_id} + type: syslog + use_output: default + streams: + - condition: ${kubernetes.hints.haproxy.log.enabled} == true or ${kubernetes.hints.haproxy.enabled} == true + data_stream: + dataset: haproxy.log + type: logs + processors: + - add_locale: null + protocol.udp: + host: localhost:9001 + tags: + - forwarded + - haproxy-log + data_stream.namespace: default
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/hashicorp_vault.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/hashicorp_vault.yml
index 508250817fc..e0cd2bb2d5d 100644
--- a/deploy/kubernetes/elastic-agent-standalone/templates.d/hashicorp_vault.yml
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/hashicorp_vault.yml
@@ -5,7 +5,6 @@ inputs:
use_output: default streams: - condition: ${kubernetes.hints.hashicorp_vault.audit.enabled} == true or ${kubernetes.hints.hashicorp_vault.enabled} == true - id: filestream-hashicorp_vault-audit-${kubernetes.hints.container_id} data_stream: dataset: hashicorp_vault.audit type: logs
@@ -13,6 +12,7 @@ inputs:
- .gz$ file_identity: fingerprint: null + id: filestream-hashicorp_vault-hashicorp_vault-audit-${kubernetes.hints.container_id} parsers: - container: format: auto
@@ -27,7 +27,6 @@ inputs:
tags: - hashicorp-vault-audit - condition: ${kubernetes.hints.hashicorp_vault.log.enabled} == true or ${kubernetes.hints.hashicorp_vault.enabled} == true - id: filestream-hashicorp_vault-log-${kubernetes.hints.container_id} data_stream: dataset: hashicorp_vault.log type: logs
@@ -35,6 +34,7 @@ inputs:
- .gz$ file_identity: fingerprint: null + id: filestream-hashicorp_vault-hashicorp_vault-log-${kubernetes.hints.container_id} parsers: - container: format: auto
@@ -49,21 +49,6 @@ inputs:
tags: - hashicorp-vault-log data_stream.namespace: default - - name: tcp-hashicorp_vault - id: tcp-hashicorp_vault-${kubernetes.hints.container_id} - type: tcp - use_output: default - streams: - - condition: ${kubernetes.hints.hashicorp_vault.audit.enabled} == true and ${kubernetes.hints.hashicorp_vault.enabled} == true - data_stream: - dataset: hashicorp_vault.audit - type: logs - host: localhost:9007 - max_message_size: 1 MiB - tags: - - hashicorp-vault-audit - - forwarded - data_stream.namespace: default - name: prometheus/metrics-hashicorp_vault id: prometheus/metrics-hashicorp_vault-${kubernetes.hints.container_id} type: prometheus/metrics
@@ -84,3 +69,18 @@ inputs:
rate_counters: true use_types: true data_stream.namespace: default + - name: tcp-hashicorp_vault + id: tcp-hashicorp_vault-${kubernetes.hints.container_id} + type: tcp + use_output: default + streams: + - condition: ${kubernetes.hints.hashicorp_vault.audit.enabled} == true and ${kubernetes.hints.hashicorp_vault.enabled} == true + data_stream: + dataset: hashicorp_vault.audit + type: logs + host: localhost:9007 + max_message_size: 1 MiB + tags: + - hashicorp-vault-audit + - forwarded + data_stream.namespace: default
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/hid_bravura_monitor.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/hid_bravura_monitor.yml
index baa241dc5be..92907934bce 100644
--- a/deploy/kubernetes/elastic-agent-standalone/templates.d/hid_bravura_monitor.yml
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/hid_bravura_monitor.yml
@@ -5,7 +5,6 @@ inputs:
use_output: default streams: - condition: ${kubernetes.hints.hid_bravura_monitor.log.enabled} == true or ${kubernetes.hints.hid_bravura_monitor.enabled} == true - id: filestream-hid_bravura_monitor-log-${kubernetes.hints.container_id} data_stream: dataset: hid_bravura_monitor.log type: logs
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/iis.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/iis.yml
index 7e5998e836e..1a882759e2a 100644
--- a/deploy/kubernetes/elastic-agent-standalone/templates.d/iis.yml
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/iis.yml
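Review bot: The `id` line of the hid_bravura_monitor.log stream is removed here and this file's only hunk in the commit adds nothing back, so the stream is left without an id, unlike the sibling templates where the id is re-added under `file_identity`. A filestream stream without an id gives the agent no stable key for that input's read state, and if several such id-less streams are active on one agent their state can collide and produce duplicated or skipped log lines; that is an inference from the other templates' behaviour, so please confirm against the generator. The same removal-without-replacement occurs in keycloak.yml, mysql_enterprise.yml, nginx_ingress_controller.yml (both of its hunks) and oracle.yml. Following the pattern used elsewhere in this commit, the line to add under `file_identity` would be `id: filestream-hid_bravura_monitor-hid_bravura_monitor-log-${kubernetes.hints.container_id}`. The stream mapping continues beyond the hunk.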
@@ -1,38 +1,10 @@ inputs:
- - name: iis/metrics-iis - id: iis/metrics-iis-${kubernetes.hints.container_id} - type: iis/metrics - use_output: default - streams: - - condition: ${kubernetes.hints.iis.application_pool.enabled} == true or ${kubernetes.hints.iis.enabled} == true - data_stream: - dataset: iis.application_pool - type: metrics - metricsets: - - application_pool - period: ${kubernetes.hints.iis.application_pool.period|kubernetes.hints.iis.period|'10s'} - - condition: ${kubernetes.hints.iis.webserver.enabled} == true or ${kubernetes.hints.iis.enabled} == true - data_stream: - dataset: iis.webserver - type: metrics - metricsets: - - webserver - period: ${kubernetes.hints.iis.webserver.period|kubernetes.hints.iis.period|'10s'} - - condition: ${kubernetes.hints.iis.website.enabled} == true or ${kubernetes.hints.iis.enabled} == true - data_stream: - dataset: iis.website - type: metrics - metricsets: - - website - period: ${kubernetes.hints.iis.website.period|kubernetes.hints.iis.period|'10s'} - data_stream.namespace: default - name: filestream-iis id: filestream-iis-${kubernetes.hints.container_id} type: filestream use_output: default streams: - condition: ${kubernetes.hints.iis.access.enabled} == true or ${kubernetes.hints.iis.enabled} == true - id: filestream-iis-access-${kubernetes.hints.container_id} data_stream: dataset: iis.access type: logs
@@ -42,6 +14,7 @@ inputs:
- ^# file_identity: fingerprint: null + id: filestream-iis-iis-access-${kubernetes.hints.container_id} ignore_older: 72h parsers: - container:
@@ -57,7 +30,6 @@ inputs:
tags: - iis-access - condition: ${kubernetes.hints.iis.error.enabled} == true or ${kubernetes.hints.iis.enabled} == true - id: filestream-iis-error-${kubernetes.hints.container_id} data_stream: dataset: iis.error type: logs
@@ -67,6 +39,7 @@ inputs:
- ^# file_identity: fingerprint: null + id: filestream-iis-iis-error-${kubernetes.hints.container_id} ignore_older: 72h parsers: - container:
@@ -82,3 +55,30 @@ inputs:
tags: - iis-error data_stream.namespace: default + - name: iis/metrics-iis + id: iis/metrics-iis-${kubernetes.hints.container_id} + type: iis/metrics + use_output: default + streams: + - condition: ${kubernetes.hints.iis.application_pool.enabled} == true or ${kubernetes.hints.iis.enabled} == true + data_stream: + dataset: iis.application_pool + type: metrics + metricsets: + - application_pool + period: ${kubernetes.hints.iis.application_pool.period|kubernetes.hints.iis.period|'10s'} + - condition: ${kubernetes.hints.iis.webserver.enabled} == true or ${kubernetes.hints.iis.enabled} == true + data_stream: + dataset: iis.webserver + type: metrics + metricsets: + - webserver + period: ${kubernetes.hints.iis.webserver.period|kubernetes.hints.iis.period|'10s'} + - condition: ${kubernetes.hints.iis.website.enabled} == true or ${kubernetes.hints.iis.enabled} == true + data_stream: + dataset: iis.website + type: metrics + metricsets: + - website + period: ${kubernetes.hints.iis.website.period|kubernetes.hints.iis.period|'10s'} + data_stream.namespace: default
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/infoblox_nios.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/infoblox_nios.yml
index e1091058ced..2b80ca18c45 100644
--- a/deploy/kubernetes/elastic-agent-standalone/templates.d/infoblox_nios.yml
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/infoblox_nios.yml
@@ -5,7 +5,6 @@ inputs:
use_output: default streams: - condition: ${kubernetes.hints.infoblox_nios.log.enabled} == true or ${kubernetes.hints.infoblox_nios.enabled} == true - id: filestream-infoblox_nios-log-${kubernetes.hints.container_id} data_stream: dataset: infoblox_nios.log type: logs
@@ -17,6 +16,7 @@ inputs:
fields_under_root: true file_identity: fingerprint: null + id: filestream-infoblox_nios-infoblox_nios-log-${kubernetes.hints.container_id} parsers: - container: format: auto
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/iptables.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/iptables.yml
index bbc5d7f6079..e4be3291bbf 100644
--- a/deploy/kubernetes/elastic-agent-standalone/templates.d/iptables.yml
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/iptables.yml
@@ -1,27 +1,10 @@ inputs:
- - name: udp-iptables - id: udp-iptables-${kubernetes.hints.container_id} - type: udp - use_output: default - streams: - - condition: ${kubernetes.hints.iptables.log.enabled} == true or ${kubernetes.hints.iptables.enabled} == true - data_stream: - dataset: iptables.log - type: logs - host: localhost:9001 - processors: - - add_locale: null - tags: - - iptables-log - - forwarded - data_stream.namespace: default - name: filestream-iptables id: filestream-iptables-${kubernetes.hints.container_id} type: filestream use_output: default streams: - condition: ${kubernetes.hints.iptables.log.enabled} == true and ${kubernetes.hints.iptables.enabled} == true - id: filestream-iptables-log-${kubernetes.hints.container_id} data_stream: dataset: iptables.log type: logs
@@ -29,6 +12,7 @@ inputs:
- .gz$ file_identity: fingerprint: null + id: filestream-iptables-iptables-log-${kubernetes.hints.container_id} parsers: - container: format: auto
@@ -62,3 +46,19 @@ inputs:
tags: - iptables-log data_stream.namespace: default + - name: udp-iptables + id: udp-iptables-${kubernetes.hints.container_id} + type: udp + use_output: default + streams: + - condition: ${kubernetes.hints.iptables.log.enabled} == true or ${kubernetes.hints.iptables.enabled} == true + data_stream: + dataset: iptables.log + type: logs + host: localhost:9001 + processors: + - add_locale: null + tags: + - iptables-log + - forwarded + data_stream.namespace: default
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/kafka.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/kafka.yml
index 57ab4d3d522..c7e6a050dd7 100644
--- a/deploy/kubernetes/elastic-agent-standalone/templates.d/kafka.yml
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/kafka.yml
@@ -5,7 +5,6 @@ inputs:
use_output: default streams: - condition: ${kubernetes.hints.kafka.log.enabled} == true or ${kubernetes.hints.kafka.enabled} == true - id: filestream-kafka-log-${kubernetes.hints.container_id} data_stream: dataset: kafka.log type: logs
@@ -13,6 +12,7 @@ inputs:
- .gz$ file_identity: fingerprint: null + id: filestream-kafka-kafka-log-${kubernetes.hints.container_id} multiline: match: after negate: true
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/keycloak.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/keycloak.yml
index b0e434c6a71..b9b37780589 100644
--- a/deploy/kubernetes/elastic-agent-standalone/templates.d/keycloak.yml
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/keycloak.yml
@@ -5,7 +5,6 @@ inputs:
use_output: default streams: - condition: ${kubernetes.hints.keycloak.log.enabled} == true or ${kubernetes.hints.keycloak.enabled} == true - id: filestream-keycloak-log-${kubernetes.hints.container_id} data_stream: dataset: keycloak.log type: logs
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/kibana.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/kibana.yml
index a2c61085f76..2c1b5842d30 100644
--- a/deploy/kubernetes/elastic-agent-standalone/templates.d/kibana.yml
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/kibana.yml
@@ -5,7 +5,6 @@ inputs:
use_output: default streams: - condition: ${kubernetes.hints.kibana.audit.enabled} == true or ${kubernetes.hints.kibana.enabled} == true - id: filestream-kibana-audit-${kubernetes.hints.container_id} data_stream: dataset: kibana.audit type: logs
@@ -13,6 +12,7 @@ inputs:
- .gz$ file_identity: fingerprint: null + id: filestream-kibana-kibana-audit-${kubernetes.hints.container_id} parsers: - container: format: auto
@@ -25,7 +25,6 @@ inputs:
enabled: true symlinks: true - condition: ${kubernetes.hints.kibana.log.enabled} == true or ${kubernetes.hints.kibana.enabled} == true - id: filestream-kibana-log-${kubernetes.hints.container_id} data_stream: dataset: kibana.log type: logs
@@ -33,6 +32,7 @@ inputs:
- .gz$ file_identity: fingerprint: null + id: filestream-kibana-kibana-log-${kubernetes.hints.container_id} parsers: - container: format: auto
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/log.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/log.yml
index 308a8ef5f66..4f5044e7235 100644
--- a/deploy/kubernetes/elastic-agent-standalone/templates.d/log.yml
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/log.yml
@@ -4,8 +4,8 @@ inputs:
type: filestream use_output: default streams: - - condition: ${kubernetes.hints.log.container_logs.enabled} == true - id: filestream-log-${kubernetes.hints.container_id} + - id: log-container-logs-${kubernetes.hints.container_id} + condition: ${kubernetes.hints.log.container_logs.enabled} == true data_stream: dataset: log.container_logs type: logs
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/logstash.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/logstash.yml
index 71eb8daa365..333c5623ce7 100644
--- a/deploy/kubernetes/elastic-agent-standalone/templates.d/logstash.yml
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/logstash.yml
@@ -1,94 +1,4 @@ inputs: - - name: filestream-logstash - id: filestream-logstash-${kubernetes.hints.container_id} - type: filestream - use_output: default - streams: - - condition: ${kubernetes.hints.logstash.log.enabled} == true or ${kubernetes.hints.logstash.enabled} == true - id: filestream-logstash-log-${kubernetes.hints.container_id} - data_stream: - dataset: logstash.log - type: logs - exclude_files: - - .gz$ - file_identity: - fingerprint: null - multiline: - match: after - negate: true - pattern: ^((\[[0-9]{4}-[0-9]{2}-[0-9]{2}[^\]]+\])|({.+})) - parsers: - - container: - format: auto - stream: ${kubernetes.hints.logstash.log.stream|'all'} - paths: - - /var/log/containers/*${kubernetes.hints.container_id}.log - processors: - - add_locale.when.not.regexp.message: ^{ - - add_fields: - fields: - ecs.version: 1.10.0 - target: "" - prospector: - scanner: - fingerprint: - enabled: true - symlinks: true - - condition: ${kubernetes.hints.logstash.slowlog.enabled} == true or ${kubernetes.hints.logstash.enabled} == true - id: filestream-logstash-slowlog-${kubernetes.hints.container_id} - data_stream: - dataset: logstash.slowlog - type: logs - exclude_files: - - .gz$ - file_identity: - fingerprint: null - parsers: - - container: - format: auto - stream: ${kubernetes.hints.logstash.slowlog.stream|'all'} - paths: - - /var/log/containers/*${kubernetes.hints.container_id}.log - processors: - - add_locale.when.not.regexp.message: ^{ - - add_fields: - fields: - ecs.version: 1.10.0 - target: "" - prospector: - scanner: - fingerprint: - enabled: true - symlinks: true - data_stream.namespace: default - - name: logstash/metrics-logstash - id: logstash/metrics-logstash-${kubernetes.hints.container_id} - type: logstash/metrics - use_output: default - streams: - - condition: ${kubernetes.hints.logstash.node.enabled} == true or ${kubernetes.hints.logstash.enabled} == true - data_stream: - dataset: logstash.stack_monitoring.node - type: metrics - hosts: - - 
${kubernetes.hints.logstash.node.host|kubernetes.hints.logstash.host|'http://localhost:9600'} - metricsets: - - node - password: ${kubernetes.hints.logstash.node.password|kubernetes.hints.logstash.password|''} - period: ${kubernetes.hints.logstash.node.period|kubernetes.hints.logstash.period|'10s'} - username: ${kubernetes.hints.logstash.node.username|kubernetes.hints.logstash.username|''} - - condition: ${kubernetes.hints.logstash.node_stats.enabled} == true or ${kubernetes.hints.logstash.enabled} == true - data_stream: - dataset: logstash.stack_monitoring.node_stats - type: metrics - hosts: - - ${kubernetes.hints.logstash.node_stats.host|kubernetes.hints.logstash.host|'http://localhost:9600'} - metricsets: - - node_stats - password: ${kubernetes.hints.logstash.node_stats.password|kubernetes.hints.logstash.password|''} - period: ${kubernetes.hints.logstash.node_stats.period|kubernetes.hints.logstash.period|'10s'} - username: ${kubernetes.hints.logstash.node_stats.username|kubernetes.hints.logstash.username|''} - data_stream.namespace: default - name: cel-logstash id: cel-logstash-${kubernetes.hints.container_id} type: cel 
@@ -383,3 +293,93 @@ inputs: fields: null resource.url: http://localhost:9600/_node data_stream.namespace: default + - name: filestream-logstash + id: filestream-logstash-${kubernetes.hints.container_id} + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.logstash.log.enabled} == true or ${kubernetes.hints.logstash.enabled} == true + data_stream: + dataset: logstash.log + type: logs + exclude_files: + - .gz$ + file_identity: + fingerprint: null + id: filestream-logstash-logstash-log-${kubernetes.hints.container_id} + multiline: + match: after + negate: true + pattern: ^((\[[0-9]{4}-[0-9]{2}-[0-9]{2}[^\]]+\])|({.+})) + parsers: + - container: + format: auto + stream: ${kubernetes.hints.logstash.log.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + processors: + - add_locale.when.not.regexp.message: ^{ + - add_fields: + fields: + ecs.version: 1.10.0 + target: "" + prospector: + scanner: + fingerprint: + enabled: true + symlinks: true + - condition: ${kubernetes.hints.logstash.slowlog.enabled} == true or ${kubernetes.hints.logstash.enabled} == true + data_stream: + dataset: logstash.slowlog + type: logs + exclude_files: + - .gz$ + file_identity: + fingerprint: null + id: filestream-logstash-logstash-slowlog-${kubernetes.hints.container_id} + parsers: + - container: + format: auto + stream: ${kubernetes.hints.logstash.slowlog.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + processors: + - add_locale.when.not.regexp.message: ^{ + - add_fields: + fields: + ecs.version: 1.10.0 + target: "" + prospector: + scanner: + fingerprint: + enabled: true + symlinks: true + data_stream.namespace: default + - name: logstash/metrics-logstash + id: logstash/metrics-logstash-${kubernetes.hints.container_id} + type: logstash/metrics + use_output: default + streams: + - condition: ${kubernetes.hints.logstash.node.enabled} == true or ${kubernetes.hints.logstash.enabled} == true + 
data_stream: + dataset: logstash.stack_monitoring.node + type: metrics + hosts: + - ${kubernetes.hints.logstash.node.host|kubernetes.hints.logstash.host|'http://localhost:9600'} + metricsets: + - node + password: ${kubernetes.hints.logstash.node.password|kubernetes.hints.logstash.password|''} + period: ${kubernetes.hints.logstash.node.period|kubernetes.hints.logstash.period|'10s'} + username: ${kubernetes.hints.logstash.node.username|kubernetes.hints.logstash.username|''} + - condition: ${kubernetes.hints.logstash.node_stats.enabled} == true or ${kubernetes.hints.logstash.enabled} == true + data_stream: + dataset: logstash.stack_monitoring.node_stats + type: metrics + hosts: + - ${kubernetes.hints.logstash.node_stats.host|kubernetes.hints.logstash.host|'http://localhost:9600'} + metricsets: + - node_stats + password: ${kubernetes.hints.logstash.node_stats.password|kubernetes.hints.logstash.password|''} + period: ${kubernetes.hints.logstash.node_stats.period|kubernetes.hints.logstash.period|'10s'} + username: ${kubernetes.hints.logstash.node_stats.username|kubernetes.hints.logstash.username|''} + data_stream.namespace: default
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/mattermost.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/mattermost.yml
index 47c9deac4f7..e8f7f0e9f06 100644
--- a/deploy/kubernetes/elastic-agent-standalone/templates.d/mattermost.yml
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/mattermost.yml
@@ -5,7 +5,6 @@ inputs:
use_output: default streams: - condition: ${kubernetes.hints.mattermost.audit.enabled} == true or ${kubernetes.hints.mattermost.enabled} == true - id: filestream-mattermost-audit-${kubernetes.hints.container_id} data_stream: dataset: mattermost.audit type: logs
@@ -13,6 +12,7 @@ inputs:
- \.gz$ file_identity: fingerprint: null + id: filestream-mattermost-mattermost-audit-${kubernetes.hints.container_id} parsers: - container: format: auto
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/microsoft_sqlserver.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/microsoft_sqlserver.yml
index 533288fabf2..be9cf8c585a 100644
--- a/deploy/kubernetes/elastic-agent-standalone/templates.d/microsoft_sqlserver.yml
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/microsoft_sqlserver.yml
@@ -1,24 +1,10 @@ inputs:
- - name: winlog-microsoft_sqlserver - id: winlog-microsoft_sqlserver-${kubernetes.hints.container_id} - type: winlog - use_output: default - streams: - - condition: ${kubernetes.hints.microsoft_sqlserver.audit.enabled} == true or ${kubernetes.hints.microsoft_sqlserver.enabled} == true - data_stream: - dataset: microsoft_sqlserver.audit - type: logs - event_id: 33205 - ignore_older: 72h - name: Security - data_stream.namespace: default - name: filestream-microsoft_sqlserver id: filestream-microsoft_sqlserver-${kubernetes.hints.container_id} type: filestream use_output: default streams: - condition: ${kubernetes.hints.microsoft_sqlserver.log.enabled} == true or ${kubernetes.hints.microsoft_sqlserver.enabled} == true - id: filestream-microsoft_sqlserver-log-${kubernetes.hints.container_id} data_stream: dataset: microsoft_sqlserver.log type: logs
@@ -26,6 +12,7 @@ inputs:
- .gz$ file_identity: fingerprint: null + id: filestream-microsoft_sqlserver-microsoft_sqlserver-log-${kubernetes.hints.container_id} multiline: match: after negate: true
@@ -137,3 +124,16 @@ inputs:
- query: USE [msdb]; SELECT @@servername AS server_name, @@servicename AS instance_name, name As 'database_name', l.database_id, l.total_log_size_in_bytes As total_log_size_bytes, l.used_log_space_in_bytes As used_log_space_bytes, l.used_log_space_in_percent As used_log_space_pct, l.log_space_in_bytes_since_last_backup from sys.dm_db_log_space_usage l INNER JOIN sys.databases s ON l.database_id = s.database_id WHERE s.database_id = DB_ID('msdb') ; response_format: table data_stream.namespace: default + - name: winlog-microsoft_sqlserver + id: winlog-microsoft_sqlserver-${kubernetes.hints.container_id} + type: winlog + use_output: default + streams: + - condition: ${kubernetes.hints.microsoft_sqlserver.audit.enabled} == true or ${kubernetes.hints.microsoft_sqlserver.enabled} == true + data_stream: + dataset: microsoft_sqlserver.audit + type: logs + event_id: 33205 + ignore_older: 72h + name: Security + data_stream.namespace: default
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/mimecast.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/mimecast.yml
index cfac8191fcd..9ed108ffd6a 100644
--- a/deploy/kubernetes/elastic-agent-standalone/templates.d/mimecast.yml
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/mimecast.yml
@@ -1072,8 +1072,8 @@ inputs:
type: filestream use_output: default streams: - - condition: ${kubernetes.hints.mimecast.container_logs.enabled} == true - id: filestream-mimecast-logs-${kubernetes.hints.container_id} + - id: mimecast-container-logs-${kubernetes.hints.container_id} + condition: ${kubernetes.hints.mimecast.container_logs.enabled} == true data_stream: dataset: mimecast.container_logs type: logs
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/modsecurity.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/modsecurity.yml
index ea42ac05348..0af1b6699b4 100644
--- a/deploy/kubernetes/elastic-agent-standalone/templates.d/modsecurity.yml
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/modsecurity.yml
@@ -5,7 +5,6 @@ inputs:
use_output: default streams: - condition: ${kubernetes.hints.modsecurity.auditlog.enabled} == true or ${kubernetes.hints.modsecurity.enabled} == true - id: filestream-modsecurity-auditlog-${kubernetes.hints.container_id} data_stream: dataset: modsecurity.auditlog type: logs
@@ -17,6 +16,7 @@ inputs:
fields_under_root: true file_identity: fingerprint: null + id: filestream-modsecurity-modsecurity-auditlog-${kubernetes.hints.container_id} parsers: - container: format: auto
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/mongodb.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/mongodb.yml
index 81f765e08a5..3065bf3e42f 100644
--- a/deploy/kubernetes/elastic-agent-standalone/templates.d/mongodb.yml
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/mongodb.yml
@@ -5,7 +5,6 @@ inputs:
use_output: default streams: - condition: ${kubernetes.hints.mongodb.log.enabled} == true or ${kubernetes.hints.mongodb.enabled} == true - id: filestream-mongodb-log-${kubernetes.hints.container_id} data_stream: dataset: mongodb.log type: logs
@@ -13,6 +12,7 @@ inputs:
- .gz$ file_identity: fingerprint: null + id: filestream-mongodb-mongodb-log-${kubernetes.hints.container_id} parsers: - container: format: auto
@@ -43,7 +43,7 @@ inputs:
password: ${kubernetes.hints.mongodb.collstats.password|kubernetes.hints.mongodb.password|''} period: ${kubernetes.hints.mongodb.collstats.period|kubernetes.hints.mongodb.period|'10s'} ssl.certificate: null - ssl.enabled: false + ssl.enabled: null ssl.key: null ssl.verification_mode: null username: ${kubernetes.hints.mongodb.collstats.username|kubernetes.hints.mongodb.username|''}
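Review bot: `ssl.enabled` flips from `false` to `null` for the mongodb collstats stream in the last hunk here and for dbstats and metrics in the next two hunks, while the replstatus hunk after them goes the other way, from `null` to `false`, so the four metric streams of one input end up with different TLS settings for no reason visible in the diff. `false` is an explicit "no TLS" whereas `null` defers to whatever default the agent or module applies, and the two may not agree; if the intent is "TLS off unless a hint says otherwise", all four should carry the same value, e.g. `ssl.enabled: false` in every stream. This reads like the generator applying a stale template to replstatus only, so the fix belongs in the source package rather than in these published files. Each of these stream mappings starts before its hunk.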
@@ -58,7 +58,7 @@ inputs:
password: ${kubernetes.hints.mongodb.dbstats.password|kubernetes.hints.mongodb.password|''} period: ${kubernetes.hints.mongodb.dbstats.period|kubernetes.hints.mongodb.period|'10s'} ssl.certificate: null - ssl.enabled: false + ssl.enabled: null ssl.key: null ssl.verification_mode: null username: ${kubernetes.hints.mongodb.dbstats.username|kubernetes.hints.mongodb.username|''}
@@ -73,7 +73,7 @@ inputs:
password: ${kubernetes.hints.mongodb.metrics.password|kubernetes.hints.mongodb.password|''} period: ${kubernetes.hints.mongodb.metrics.period|kubernetes.hints.mongodb.period|'10s'} ssl.certificate: null - ssl.enabled: false + ssl.enabled: null ssl.key: null ssl.verification_mode: null username: ${kubernetes.hints.mongodb.metrics.username|kubernetes.hints.mongodb.username|''}
@@ -88,7 +88,7 @@ inputs:
password: ${kubernetes.hints.mongodb.replstatus.password|kubernetes.hints.mongodb.password|''} period: ${kubernetes.hints.mongodb.replstatus.period|kubernetes.hints.mongodb.period|'10s'} ssl.certificate: null - ssl.enabled: null + ssl.enabled: false ssl.key: null ssl.verification_mode: null username: ${kubernetes.hints.mongodb.replstatus.username|kubernetes.hints.mongodb.username|''}
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/mysql.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/mysql.yml
index f4694996e70..6bcd2ca9c92 100644
--- a/deploy/kubernetes/elastic-agent-standalone/templates.d/mysql.yml
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/mysql.yml
@@ -5,7 +5,6 @@ inputs:
use_output: default streams: - condition: ${kubernetes.hints.mysql.error.enabled} == true or ${kubernetes.hints.mysql.enabled} == true - id: filestream-mysql-error-${kubernetes.hints.container_id} data_stream: dataset: mysql.error type: logs
@@ -13,6 +12,7 @@ inputs:
- .gz$ file_identity: fingerprint: null + id: filestream-mysql-mysql-error-${kubernetes.hints.container_id} multiline: match: after negate: true
@@ -31,7 +31,6 @@ inputs:
enabled: true symlinks: true - condition: ${kubernetes.hints.mysql.slowlog.enabled} == true or ${kubernetes.hints.mysql.enabled} == true - id: filestream-mysql-slowlog-${kubernetes.hints.container_id} data_stream: dataset: mysql.slowlog type: logs
@@ -42,6 +41,7 @@ inputs:
- ^# Time:.* file_identity: fingerprint: null + id: filestream-mysql-mysql-slowlog-${kubernetes.hints.container_id} multiline: match: after negate: true
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/mysql_enterprise.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/mysql_enterprise.yml
index 474a22d7551..e3aca3b5b7c 100644
--- a/deploy/kubernetes/elastic-agent-standalone/templates.d/mysql_enterprise.yml
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/mysql_enterprise.yml
@@ -5,7 +5,6 @@ inputs:
use_output: default streams: - condition: ${kubernetes.hints.mysql_enterprise.audit.enabled} == true or ${kubernetes.hints.mysql_enterprise.enabled} == true - id: filestream-mysql_enterprise-audit-${kubernetes.hints.container_id} data_stream: dataset: mysql_enterprise.audit type: logs
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/nats.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/nats.yml
index fb5ed78e744..8f8b24e8f4c 100644
--- a/deploy/kubernetes/elastic-agent-standalone/templates.d/nats.yml
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/nats.yml
@@ -5,7 +5,6 @@ inputs:
use_output: default streams: - condition: ${kubernetes.hints.nats.log.enabled} == true or ${kubernetes.hints.nats.enabled} == true - id: filestream-nats-log-${kubernetes.hints.container_id} data_stream: dataset: nats.log type: logs
@@ -13,6 +12,7 @@ inputs:
- .gz$ file_identity: fingerprint: null + id: filestream-nats-nats-log-${kubernetes.hints.container_id} parsers: - container: format: auto
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/netflow.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/netflow.yml
index e3b8d52c520..2c854967fdb 100644
--- a/deploy/kubernetes/elastic-agent-standalone/templates.d/netflow.yml
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/netflow.yml
@@ -1,4 +1,27 @@ inputs:
+ - name: filestream-netflow + id: filestream-netflow-${kubernetes.hints.container_id} + type: filestream + use_output: default + streams: + - id: netflow-container-logs-${kubernetes.hints.container_id} + condition: ${kubernetes.hints.netflow.container_logs.enabled} == true + data_stream: + dataset: netflow.container_logs + type: logs + exclude_files: [] + exclude_lines: [] + parsers: + - container: + format: auto + stream: all + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + prospector: + scanner: + symlinks: true + tags: [] + data_stream.namespace: default - name: netflow-netflow id: netflow-netflow-${kubernetes.hints.container_id} type: netflow
@@ -26,26 +49,3 @@ inputs:
- forwarded timeout: ${kubernetes.hints.netflow.log.timeout|kubernetes.hints.netflow.timeout|'} data_stream.namespace: default - - name: filestream-netflow - id: filestream-netflow-${kubernetes.hints.container_id} - type: filestream - use_output: default - streams: - - condition: ${kubernetes.hints.netflow.container_logs.enabled} == true - id: filestream-netflow-logs-${kubernetes.hints.container_id} - data_stream: - dataset: netflow.container_logs - type: logs - exclude_files: [] - exclude_lines: [] - parsers: - - container: - format: auto - stream: all - paths: - - /var/log/containers/*${kubernetes.hints.container_id}.log - prospector: - scanner: - symlinks: true - tags: [] - data_stream.namespace: default
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/nginx.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/nginx.yml
index 302b90fe4f2..454b951deaa 100644
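Review bot: The context line `timeout: ${kubernetes.hints.netflow.log.timeout|kubernetes.hints.netflow.timeout|'}` in the second netflow hunk carries an unbalanced quote in its default, where every other default in these templates is written as `|''}` or `|'10s'}`, and the commit moves the surrounding block without correcting it. Whether the agent's variable expansion rejects the whole expression or hands a lone `'` to the netflow input as its timeout I cannot tell from the diff, but neither gives the stream a usable default when no hint is set. Suggest `timeout: ${kubernetes.hints.netflow.log.timeout|kubernetes.hints.netflow.timeout|''}`, or the integration's real default if there is one. The netflow-netflow stream this line belongs to starts before the hunk.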
--- a/deploy/kubernetes/elastic-agent-standalone/templates.d/nginx.yml
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/nginx.yml
@@ -5,7 +5,6 @@ inputs:
use_output: default streams: - condition: ${kubernetes.hints.nginx.access.enabled} == true or ${kubernetes.hints.nginx.enabled} == true - id: filestream-nginx-access-${kubernetes.hints.container_id} data_stream: dataset: nginx.access type: logs
@@ -13,6 +12,7 @@ inputs:
- .gz$ file_identity: fingerprint: null + id: filestream-nginx-nginx-access-${kubernetes.hints.container_id} ignore_older: 72h parsers: - container:
@@ -30,7 +30,6 @@ inputs:
tags: - nginx-access - condition: ${kubernetes.hints.nginx.error.enabled} == true or ${kubernetes.hints.nginx.enabled} == true - id: filestream-nginx-error-${kubernetes.hints.container_id} data_stream: dataset: nginx.error type: logs
@@ -38,6 +37,7 @@ inputs:
- .gz$ file_identity: fingerprint: null + id: filestream-nginx-nginx-error-${kubernetes.hints.container_id} ignore_older: 72h multiline: match: after
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/nginx_ingress_controller.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/nginx_ingress_controller.yml
index d09cb07c4be..f3f3941190c 100644
--- a/deploy/kubernetes/elastic-agent-standalone/templates.d/nginx_ingress_controller.yml
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/nginx_ingress_controller.yml
@@ -5,7 +5,6 @@ inputs:
use_output: default streams: - condition: ${kubernetes.hints.nginx_ingress_controller.access.enabled} == true or ${kubernetes.hints.nginx_ingress_controller.enabled} == true - id: filestream-nginx_ingress_controller-access-${kubernetes.hints.container_id} data_stream: dataset: nginx_ingress_controller.access type: logs
@@ -23,7 +22,6 @@ inputs: tags: - nginx-ingress-controller-access - condition: ${kubernetes.hints.nginx_ingress_controller.error.enabled} == true or ${kubernetes.hints.nginx_ingress_controller.enabled} == true - id: filestream-nginx_ingress_controller-error-${kubernetes.hints.container_id} data_stream: dataset: nginx_ingress_controller.error type: logs diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/oracle.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/oracle.yml index f4f78a64c89..e5dac21fdf8 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/oracle.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/oracle.yml @@ -5,7 +5,6 @@ inputs: use_output: default streams: - condition: ${kubernetes.hints.oracle.database_audit.enabled} == true or ${kubernetes.hints.oracle.enabled} == true - id: filestream-oracle-audit-${kubernetes.hints.container_id} data_stream: dataset: oracle.database_audit type: logs diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/panw.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/panw.yml index 9f7fab75039..eba49ba0bb8 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/panw.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/panw.yml 
@@ -1,4 +1,47 @@ inputs: + - name: filestream-panw + id: filestream-panw-${kubernetes.hints.container_id} + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.panw.panos.enabled} == true or ${kubernetes.hints.panw.enabled} == true + data_stream: + dataset: panw.panos + type: logs + exclude_files: + - \.gz$ + fields: + _conf: + external_zones: + - untrust + internal_zones: + - trust + tz_offset: local + fields_under_root: true + file_identity: + fingerprint: null + id: filestream-panw-panw-panos-${kubernetes.hints.container_id} + parsers: + - container: + format: auto + stream: ${kubernetes.hints.panw.panos.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + processors: + - add_locale: null + - copy_fields: + fields: + - from: '@timestamp' + to: event.created + prospector: + scanner: + fingerprint: + enabled: true + symlinks: true + tags: + - panw-panos + - forwarded + data_stream.namespace: default - name: tcp-panw id: tcp-panw-${kubernetes.hints.container_id} type: tcp 
@@ -72,46 +115,3 @@ inputs: - panw-panos - forwarded data_stream.namespace: default - - name: filestream-panw - id: filestream-panw-${kubernetes.hints.container_id} - type: filestream - use_output: default - streams: - - condition: ${kubernetes.hints.panw.panos.enabled} == true or ${kubernetes.hints.panw.enabled} == true - id: filestream-panw-panos-${kubernetes.hints.container_id} - data_stream: - dataset: panw.panos - type: logs - exclude_files: - - \.gz$ - fields: - _conf: - external_zones: - - untrust - internal_zones: - - trust - tz_offset: local - fields_under_root: true - file_identity: - fingerprint: null - parsers: - - container: - format: auto - stream: ${kubernetes.hints.panw.panos.stream|'all'} - paths: - - /var/log/containers/*${kubernetes.hints.container_id}.log - processors: - - add_locale: null - - copy_fields: - fields: - - from: '@timestamp' - to: event.created - prospector: - scanner: - fingerprint: - enabled: true - symlinks: true - tags: - - panw-panos - - forwarded - data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/panw_cortex_xdr.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/panw_cortex_xdr.yml index 5ef73bbc1c1..ab6dbff21f6 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/panw_cortex_xdr.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/panw_cortex_xdr.yml 
@@ -1,4 +1,27 @@ inputs: + - name: filestream-panw_cortex_xdr + id: filestream-panw_cortex_xdr-${kubernetes.hints.container_id} + type: filestream + use_output: default + streams: + - id: panw_cortex_xdr-container-logs-${kubernetes.hints.container_id} + condition: ${kubernetes.hints.panw_cortex_xdr.container_logs.enabled} == true + data_stream: + dataset: panw_cortex_xdr.container_logs + type: logs + exclude_files: [] + exclude_lines: [] + parsers: + - container: + format: auto + stream: all + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + prospector: + scanner: + symlinks: true + tags: [] + data_stream.namespace: default - name: httpjson-panw_cortex_xdr id: httpjson-panw_cortex_xdr-${kubernetes.hints.container_id} type: httpjson @@ -68,26 +91,3 @@ inputs: - forwarded - panw_cortex_xdr data_stream.namespace: default - - name: filestream-panw_cortex_xdr - id: filestream-panw_cortex_xdr-${kubernetes.hints.container_id} - type: filestream - use_output: default - streams: - - condition: ${kubernetes.hints.panw_cortex_xdr.container_logs.enabled} == true - id: filestream-panw_cortex_xdr-logs-${kubernetes.hints.container_id} - data_stream: - dataset: panw_cortex_xdr.container_logs - type: logs - exclude_files: [] - exclude_lines: [] - parsers: - - container: - format: auto - stream: all - paths: - - /var/log/containers/*${kubernetes.hints.container_id}.log - prospector: - scanner: - symlinks: true - tags: [] - data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/pfsense.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/pfsense.yml index ff46d3658d3..7002308d9ca 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/pfsense.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/pfsense.yml 
@@ -4,8 +4,8 @@ inputs: type: filestream use_output: default streams: - - condition: ${kubernetes.hints.pfsense.container_logs.enabled} == true - id: filestream-pfsense-logs-${kubernetes.hints.container_id} + - id: pfsense-container-logs-${kubernetes.hints.container_id} + condition: ${kubernetes.hints.pfsense.container_logs.enabled} == true data_stream: dataset: pfsense.container_logs type: logs @@ -22,12 +22,12 @@ inputs: symlinks: true tags: [] data_stream.namespace: default - - name: udp-pfsense - id: udp-pfsense-${kubernetes.hints.container_id} - type: udp + - name: tcp-pfsense + id: tcp-pfsense-${kubernetes.hints.container_id} + type: tcp use_output: default streams: - - condition: ${kubernetes.hints.pfsense.log.enabled} == true or ${kubernetes.hints.pfsense.enabled} == true + - condition: ${kubernetes.hints.pfsense.log.enabled} == true and ${kubernetes.hints.pfsense.enabled} == true data_stream: dataset: pfsense.log type: logs @@ -36,20 +36,18 @@ inputs: - add_locale: null - add_fields: fields: - internal_networks: - - private tz_offset: local target: _tmp tags: - pfsense - forwarded data_stream.namespace: default - - name: tcp-pfsense - id: tcp-pfsense-${kubernetes.hints.container_id} - type: tcp + - name: udp-pfsense + id: udp-pfsense-${kubernetes.hints.container_id} + type: udp use_output: default streams: - - condition: ${kubernetes.hints.pfsense.log.enabled} == true and ${kubernetes.hints.pfsense.enabled} == true + - condition: ${kubernetes.hints.pfsense.log.enabled} == true or ${kubernetes.hints.pfsense.enabled} == true data_stream: dataset: pfsense.log type: logs @@ -58,6 +56,8 @@ inputs: - add_locale: null - add_fields: fields: + internal_networks: + - private tz_offset: local target: _tmp tags: diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/postgresql.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/postgresql.yml index 444a71aa78a..7daea0e609d 100644 
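Review bot: After the swap the first-listed listener, `tcp-pfsense`, is the one whose condition requires both hints (`… == true and ${kubernetes.hints.pfsense.enabled} == true`) while the now second-listed `udp-pfsense` is enabled by either (`… or …`), and nothing in the file says why; this is carried over unchanged, as is the `internal_networks: - private` block that moves with the udp stream, so the net effect looks like a pure reorder. If the intent is that a bare `pfsense.enabled` hint turns on only the UDP listener, that convention is worth a one-line note in the template source, since the same `and`/`or` split appears in the tomcat and synthetics hunks further down. The stream `host` lines that say where these listeners bind are outside the hunks, so I can't tell whether they are also affected by the reorder.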
--- a/deploy/kubernetes/elastic-agent-standalone/templates.d/postgresql.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/postgresql.yml @@ -5,7 +5,6 @@ inputs: use_output: default streams: - condition: ${kubernetes.hints.postgresql.log.enabled} == true or ${kubernetes.hints.postgresql.enabled} == true - id: filestream-postgresql-log-${kubernetes.hints.container_id} data_stream: dataset: postgresql.log type: logs @@ -13,6 +12,7 @@ inputs: - .gz$ file_identity: fingerprint: null + id: filestream-postgresql-postgresql-log-${kubernetes.hints.container_id} multiline: match: after negate: true diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/prometheus.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/prometheus.yml index 8b146c45e88..ff09a0a0432 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/prometheus.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/prometheus.yml @@ -1,4 +1,27 @@ inputs: + - name: filestream-prometheus + id: filestream-prometheus-${kubernetes.hints.container_id} + type: filestream + use_output: default + streams: + - id: prometheus-container-logs-${kubernetes.hints.container_id} + condition: ${kubernetes.hints.prometheus.container_logs.enabled} == true + data_stream: + dataset: prometheus.container_logs + type: logs + exclude_files: [] + exclude_lines: [] + parsers: + - container: + format: auto + stream: all + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + prospector: + scanner: + symlinks: true + tags: [] + data_stream.namespace: default - name: prometheus/metrics-prometheus id: prometheus/metrics-prometheus-${kubernetes.hints.container_id} type: prometheus/metrics 
@@ -66,26 +89,3 @@ inputs: types_patterns.include: null use_types: true data_stream.namespace: default - - name: filestream-prometheus - id: filestream-prometheus-${kubernetes.hints.container_id} - type: filestream - use_output: default - streams: - - condition: ${kubernetes.hints.prometheus.container_logs.enabled} == true - id: filestream-prometheus-logs-${kubernetes.hints.container_id} - data_stream: - dataset: prometheus.container_logs - type: logs - exclude_files: [] - exclude_lines: [] - parsers: - - container: - format: auto - stream: all - paths: - - /var/log/containers/*${kubernetes.hints.container_id}.log - prospector: - scanner: - symlinks: true - tags: [] - data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/qnap_nas.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/qnap_nas.yml index 26f6815ae98..906ab8d8deb 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/qnap_nas.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/qnap_nas.yml @@ -1,4 +1,27 @@ inputs: + - name: filestream-qnap_nas + id: filestream-qnap_nas-${kubernetes.hints.container_id} + type: filestream + use_output: default + streams: + - id: qnap_nas-container-logs-${kubernetes.hints.container_id} + condition: ${kubernetes.hints.qnap_nas.container_logs.enabled} == true + data_stream: + dataset: qnap_nas.container_logs + type: logs + exclude_files: [] + exclude_lines: [] + parsers: + - container: + format: auto + stream: all + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + prospector: + scanner: + symlinks: true + tags: [] + data_stream.namespace: default - name: tcp-qnap_nas id: tcp-qnap_nas-${kubernetes.hints.container_id} type: tcp 
@@ -39,26 +62,3 @@ inputs: - qnap-nas - forwarded data_stream.namespace: default - - name: filestream-qnap_nas - id: filestream-qnap_nas-${kubernetes.hints.container_id} - type: filestream - use_output: default - streams: - - condition: ${kubernetes.hints.qnap_nas.container_logs.enabled} == true - id: filestream-qnap_nas-logs-${kubernetes.hints.container_id} - data_stream: - dataset: qnap_nas.container_logs - type: logs - exclude_files: [] - exclude_lines: [] - parsers: - - container: - format: auto - stream: all - paths: - - /var/log/containers/*${kubernetes.hints.container_id}.log - prospector: - scanner: - symlinks: true - tags: [] - data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/rabbitmq.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/rabbitmq.yml index 57781776de2..a4364ecc157 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/rabbitmq.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/rabbitmq.yml @@ -5,7 +5,6 @@ inputs: use_output: default streams: - condition: ${kubernetes.hints.rabbitmq.log.enabled} == true or ${kubernetes.hints.rabbitmq.enabled} == true - id: filestream-rabbitmq-log-${kubernetes.hints.container_id} data_stream: dataset: rabbitmq.log type: logs @@ -13,6 +12,7 @@ inputs: - .gz$ file_identity: fingerprint: null + id: filestream-rabbitmq-rabbitmq-log-${kubernetes.hints.container_id} multiline: match: after negate: true diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/redis.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/redis.yml index be47c78ebd6..409b00d8bae 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/redis.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/redis.yml 
@@ -1,4 +1,34 @@ inputs: + - name: filestream-redis + id: filestream-redis-${kubernetes.hints.container_id} + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.redis.log.enabled} == true or ${kubernetes.hints.redis.enabled} == true + data_stream: + dataset: redis.log + type: logs + exclude_files: + - .gz$ + exclude_lines: + - ^\s+[\-`('.|_] + file_identity: + fingerprint: null + id: filestream-redis-redis-log-${kubernetes.hints.container_id} + parsers: + - container: + format: auto + stream: ${kubernetes.hints.redis.log.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + prospector: + scanner: + fingerprint: + enabled: true + symlinks: true + tags: + - redis-log + data_stream.namespace: default - name: redis-redis id: redis-redis-${kubernetes.hints.container_id} type: redis @@ -60,33 +90,3 @@ inputs: password: ${kubernetes.hints.redis.keyspace.password|kubernetes.hints.redis.password|''} period: ${kubernetes.hints.redis.keyspace.period|kubernetes.hints.redis.period|'10s'} data_stream.namespace: default - - name: filestream-redis - id: filestream-redis-${kubernetes.hints.container_id} - type: filestream - use_output: default - streams: - - condition: ${kubernetes.hints.redis.log.enabled} == true or ${kubernetes.hints.redis.enabled} == true - id: filestream-redis-log-${kubernetes.hints.container_id} - data_stream: - dataset: redis.log - type: logs - exclude_files: - - .gz$ - exclude_lines: - - ^\s+[\-`('.|_] - file_identity: - fingerprint: null - parsers: - - container: - format: auto - stream: ${kubernetes.hints.redis.log.stream|'all'} - paths: - - /var/log/containers/*${kubernetes.hints.container_id}.log - prospector: - scanner: - fingerprint: - enabled: true - symlinks: true - tags: - - redis-log - data_stream.namespace: default 
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/santa.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/santa.yml index 50073bc9d0b..902f0d9f4a2 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/santa.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/santa.yml @@ -5,7 +5,6 @@ inputs: use_output: default streams: - condition: ${kubernetes.hints.santa.log.enabled} == true or ${kubernetes.hints.santa.enabled} == true - id: filestream-santa-log-${kubernetes.hints.container_id} data_stream: dataset: santa.log type: logs @@ -13,6 +12,7 @@ inputs: - .gz$ file_identity: fingerprint: null + id: filestream-santa-santa-log-${kubernetes.hints.container_id} parsers: - container: format: auto diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/security_detection_engine.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/security_detection_engine.yml index d7093d67945..ae85858bdb9 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/security_detection_engine.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/security_detection_engine.yml @@ -4,8 +4,8 @@ inputs: type: filestream use_output: default streams: - - condition: ${kubernetes.hints.security_detection_engine.container_logs.enabled} == true - id: filestream-security_detection_engine-logs-${kubernetes.hints.container_id} + - id: security_detection_engine-container-logs-${kubernetes.hints.container_id} + condition: ${kubernetes.hints.security_detection_engine.container_logs.enabled} == true data_stream: dataset: security_detection_engine.container_logs type: logs diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/sentinel_one.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/sentinel_one.yml index 665f98dfada..fa4160efd16 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/sentinel_one.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/sentinel_one.yml 
@@ -4,8 +4,8 @@ inputs: type: filestream use_output: default streams: - - condition: ${kubernetes.hints.sentinel_one.container_logs.enabled} == true - id: filestream-sentinel_one-logs-${kubernetes.hints.container_id} + - id: sentinel_one-container-logs-${kubernetes.hints.container_id} + condition: ${kubernetes.hints.sentinel_one.container_logs.enabled} == true data_stream: dataset: sentinel_one.container_logs type: logs diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/snort.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/snort.yml index a0356ad68a0..dcefc95c878 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/snort.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/snort.yml @@ -5,7 +5,6 @@ inputs: use_output: default streams: - condition: ${kubernetes.hints.snort.log.enabled} == true or ${kubernetes.hints.snort.enabled} == true - id: filestream-snort-log-${kubernetes.hints.container_id} data_stream: dataset: snort.log type: logs @@ -13,6 +12,7 @@ inputs: - .gz$ file_identity: fingerprint: null + id: filestream-snort-snort-log-${kubernetes.hints.container_id} parsers: - container: format: auto diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/snyk.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/snyk.yml index 6b177c3f010..dd07be52ca2 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/snyk.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/snyk.yml 
@@ -1,4 +1,27 @@ inputs: + - name: filestream-snyk + id: filestream-snyk-${kubernetes.hints.container_id} + type: filestream + use_output: default + streams: + - id: snyk-container-logs-${kubernetes.hints.container_id} + condition: ${kubernetes.hints.snyk.container_logs.enabled} == true + data_stream: + dataset: snyk.container_logs + type: logs + exclude_files: [] + exclude_lines: [] + parsers: + - container: + format: auto + stream: all + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + prospector: + scanner: + symlinks: true + tags: [] + data_stream.namespace: default - name: httpjson-snyk id: httpjson-snyk-${kubernetes.hints.container_id} type: httpjson @@ -117,26 +140,3 @@ inputs: - forwarded - snyk-vulnerabilities data_stream.namespace: default - - name: filestream-snyk - id: filestream-snyk-${kubernetes.hints.container_id} - type: filestream - use_output: default - streams: - - condition: ${kubernetes.hints.snyk.container_logs.enabled} == true - id: filestream-snyk-logs-${kubernetes.hints.container_id} - data_stream: - dataset: snyk.container_logs - type: logs - exclude_files: [] - exclude_lines: [] - parsers: - - container: - format: auto - stream: all - paths: - - /var/log/containers/*${kubernetes.hints.container_id}.log - prospector: - scanner: - symlinks: true - tags: [] - data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/stan.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/stan.yml index 73d7d36a088..80ff89fde08 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/stan.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/stan.yml @@ -5,7 +5,6 @@ inputs: use_output: default streams: - condition: ${kubernetes.hints.stan.log.enabled} == true or ${kubernetes.hints.stan.enabled} == true - id: filestream-stan-log-${kubernetes.hints.container_id} data_stream: dataset: stan.log type: logs 
@@ -13,6 +12,7 @@ inputs: - .gz$ file_identity: fingerprint: null + id: filestream-stan-stan-log-${kubernetes.hints.container_id} parsers: - container: format: auto diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/suricata.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/suricata.yml index 7aa83d832f2..b10cbee0923 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/suricata.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/suricata.yml @@ -5,7 +5,6 @@ inputs: use_output: default streams: - condition: ${kubernetes.hints.suricata.eve.enabled} == true or ${kubernetes.hints.suricata.enabled} == true - id: filestream-suricata-eve-${kubernetes.hints.container_id} data_stream: dataset: suricata.eve type: logs @@ -13,6 +12,7 @@ inputs: - .gz$ file_identity: fingerprint: null + id: filestream-suricata-suricata-eve-${kubernetes.hints.container_id} parsers: - container: format: auto diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/symantec_endpoint.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/symantec_endpoint.yml index e63c9dd5a23..88ee6ee6e05 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/symantec_endpoint.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/symantec_endpoint.yml @@ -5,7 +5,6 @@ inputs: use_output: default streams: - condition: ${kubernetes.hints.symantec_endpoint.log.enabled} == true and ${kubernetes.hints.symantec_endpoint.enabled} == true - id: filestream-symantec_endpoint-log-${kubernetes.hints.container_id} data_stream: dataset: symantec_endpoint.log type: logs @@ -18,6 +17,7 @@ inputs: fields_under_root: true file_identity: fingerprint: null + id: filestream-symantec_endpoint-symantec_endpoint-log-${kubernetes.hints.container_id} parsers: - container: format: auto 
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/synthetics.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/synthetics.yml
index a55075a4b96..2df9ca96dfe 100644
--- a/deploy/kubernetes/elastic-agent-standalone/templates.d/synthetics.yml
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/synthetics.yml
@@ -1,4 +1,65 @@ inputs: + - name: filestream-synthetics + id: filestream-synthetics-${kubernetes.hints.container_id} + type: filestream + use_output: default + streams: + - id: synthetics-container-logs-${kubernetes.hints.container_id} + condition: ${kubernetes.hints.synthetics.container_logs.enabled} == true + data_stream: + dataset: synthetics.container_logs + type: logs + exclude_files: [] + exclude_lines: [] + parsers: + - container: + format: auto + stream: all + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + prospector: + scanner: + symlinks: true + tags: [] + data_stream.namespace: default + - name: synthetics/browser-synthetics + id: synthetics/browser-synthetics-${kubernetes.hints.container_id} + type: synthetics/browser + use_output: default + streams: + - __ui: null + condition: ${kubernetes.hints.synthetics.browser.enabled} == true or ${kubernetes.hints.synthetics.enabled} == true + data_stream: + dataset: browser + type: synthetics + enabled: true + max_attempts: 2 + name: null + run_from.geo.name: Fleet managed + run_from.id: fleet_managed + schedule: '@every 3m' + throttling: null + timeout: ${kubernetes.hints.synthetics.browser.timeout|kubernetes.hints.synthetics.timeout|''} + type: browser + - condition: ${kubernetes.hints.synthetics.browser_network.enabled} == true or ${kubernetes.hints.synthetics.enabled} == true + data_stream: + dataset: browser.network + type: synthetics + processors: + - add_fields: + fields: + monitor.fleet_managed: true + target: "" + - condition: ${kubernetes.hints.synthetics.browser_screenshot.enabled} == true or ${kubernetes.hints.synthetics.enabled} == true + data_stream: + dataset: browser.screenshot + type: synthetics + processors: + - add_fields: + fields: + monitor.fleet_managed: true + target: "" + data_stream.namespace: default - name: synthetics/http-synthetics id: synthetics/http-synthetics-${kubernetes.hints.container_id} type: synthetics/http 
@@ -27,29 +88,6 @@ inputs: urls: null username: ${kubernetes.hints.synthetics.http.username|kubernetes.hints.synthetics.username|''} data_stream.namespace: default - - name: synthetics/tcp-synthetics - id: synthetics/tcp-synthetics-${kubernetes.hints.container_id} - type: synthetics/tcp - use_output: default - streams: - - __ui: null - condition: ${kubernetes.hints.synthetics.tcp.enabled} == true and ${kubernetes.hints.synthetics.enabled} == true - data_stream: - dataset: tcp - type: synthetics - enabled: true - hosts: ${kubernetes.hints.synthetics.tcp.host|kubernetes.hints.synthetics.host|''} - ipv4: true - ipv6: true - max_attempts: 2 - name: null - proxy_use_local_resolver: false - run_from.geo.name: Fleet managed - run_from.id: fleet_managed - schedule: '@every 3m' - timeout: ${kubernetes.hints.synthetics.tcp.timeout|kubernetes.hints.synthetics.timeout|''} - type: tcp - data_stream.namespace: default - name: synthetics/icmp-synthetics id: synthetics/icmp-synthetics-${kubernetes.hints.container_id} type: synthetics/icmp 
@@ -73,64 +111,26 @@ inputs: type: icmp wait: 1s data_stream.namespace: default - - name: synthetics/browser-synthetics - id: synthetics/browser-synthetics-${kubernetes.hints.container_id} - type: synthetics/browser + - name: synthetics/tcp-synthetics + id: synthetics/tcp-synthetics-${kubernetes.hints.container_id} + type: synthetics/tcp use_output: default streams: - __ui: null - condition: ${kubernetes.hints.synthetics.browser.enabled} == true or ${kubernetes.hints.synthetics.enabled} == true + condition: ${kubernetes.hints.synthetics.tcp.enabled} == true and ${kubernetes.hints.synthetics.enabled} == true data_stream: - dataset: browser + dataset: tcp type: synthetics enabled: true + hosts: ${kubernetes.hints.synthetics.tcp.host|kubernetes.hints.synthetics.host|''} + ipv4: true + ipv6: true max_attempts: 2 name: null + proxy_use_local_resolver: false run_from.geo.name: Fleet managed run_from.id: fleet_managed schedule: '@every 3m' - throttling: null - timeout: ${kubernetes.hints.synthetics.browser.timeout|kubernetes.hints.synthetics.timeout|''} - type: browser - - condition: ${kubernetes.hints.synthetics.browser_network.enabled} == true or ${kubernetes.hints.synthetics.enabled} == true - data_stream: - dataset: browser.network - type: synthetics - processors: - - add_fields: - fields: - monitor.fleet_managed: true - target: "" - - condition: ${kubernetes.hints.synthetics.browser_screenshot.enabled} == true or ${kubernetes.hints.synthetics.enabled} == true - data_stream: - dataset: browser.screenshot - type: synthetics - processors: - - add_fields: - fields: - monitor.fleet_managed: true - target: "" - data_stream.namespace: default - - name: filestream-synthetics - id: filestream-synthetics-${kubernetes.hints.container_id} - type: filestream - use_output: default - streams: - - condition: ${kubernetes.hints.synthetics.container_logs.enabled} == true - id: filestream-synthetics-logs-${kubernetes.hints.container_id} - data_stream: - dataset: 
synthetics.container_logs - type: logs - exclude_files: [] - exclude_lines: [] - parsers: - - container: - format: auto - stream: all - paths: - - /var/log/containers/*${kubernetes.hints.container_id}.log - prospector: - scanner: - symlinks: true - tags: [] + timeout: ${kubernetes.hints.synthetics.tcp.timeout|kubernetes.hints.synthetics.timeout|''} + type: tcp data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/tcp.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/tcp.yml index 17cfec417ae..15aa9359dbf 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/tcp.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/tcp.yml @@ -1,23 +1,11 @@ inputs: - - name: tcp-tcp - id: tcp-tcp-${kubernetes.hints.container_id} - type: tcp - use_output: default - streams: - - condition: ${kubernetes.hints.tcp.generic.enabled} == true or ${kubernetes.hints.tcp.enabled} == true - data_stream: - dataset: tcp.generic - type: logs - host: localhost:8080 - timeout: ${kubernetes.hints.tcp.generic.timeout|kubernetes.hints.tcp.timeout|''} - data_stream.namespace: default - name: filestream-tcp id: filestream-tcp-${kubernetes.hints.container_id} type: filestream use_output: default streams: - - condition: ${kubernetes.hints.tcp.container_logs.enabled} == true - id: filestream-tcp-${kubernetes.hints.container_id} + - id: tcp-container-logs-${kubernetes.hints.container_id} + condition: ${kubernetes.hints.tcp.container_logs.enabled} == true data_stream: dataset: tcp.container_logs type: logs 
@@ -34,3 +22,15 @@ inputs: symlinks: true tags: [] data_stream.namespace: default + - name: tcp-tcp + id: tcp-tcp-${kubernetes.hints.container_id} + type: tcp + use_output: default + streams: + - condition: ${kubernetes.hints.tcp.generic.enabled} == true or ${kubernetes.hints.tcp.enabled} == true + data_stream: + dataset: tcp.generic + type: logs + host: localhost:8080 + timeout: ${kubernetes.hints.tcp.generic.timeout|kubernetes.hints.tcp.timeout|''} + data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/tomcat.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/tomcat.yml index bff621cec9c..a48f3fa9387 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/tomcat.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/tomcat.yml @@ -1,20 +1,30 @@ inputs: - - name: udp-tomcat - id: udp-tomcat-${kubernetes.hints.container_id} - type: udp + - name: filestream-tomcat + id: filestream-tomcat-${kubernetes.hints.container_id} + type: filestream use_output: default streams: - - condition: ${kubernetes.hints.tomcat.log.enabled} == true or ${kubernetes.hints.tomcat.enabled} == true + - condition: ${kubernetes.hints.tomcat.log.enabled} == true and ${kubernetes.hints.tomcat.enabled} == true data_stream: dataset: tomcat.log type: logs + exclude_files: + - .gz$ fields: observer: product: TomCat type: Web vendor: Apache fields_under_root: true - host: localhost:9523 + file_identity: + fingerprint: null + id: filestream-tomcat-tomcat-log-${kubernetes.hints.container_id} + parsers: + - container: + format: auto + stream: ${kubernetes.hints.tomcat.log.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log processors: - script: lang: javascript 
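Review bot: The re-added `tcp-tcp` input still hard-codes `host: localhost:8080`, while the `timeout` on the next line is hint-driven (`${kubernetes.hints.tcp.generic.timeout|kubernetes.hints.tcp.timeout|''}`), so the listener is pinned to the agent's own loopback address and an operator cannot move it from the hints annotation. Following the pattern already used in this file, `host: ${kubernetes.hints.tcp.generic.host|kubernetes.hints.tcp.host|'localhost:8080'}` keeps today's default while making it configurable (the `|'…'` default form is constructed from the existing timeout line and should be checked against the hints syntax). The `udp-tomcat` stream moved in the tomcat hunk that begins on this line has the same fixed `host: localhost:9523`. Since these templates are published by automation, the change belongs in the upstream template source rather than in this commit.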
@@ -2757,10 +2767,14 @@ inputs: target_field: url.registered_domain target_subdomain_field: url.subdomain - add_locale: null + prospector: + scanner: + fingerprint: + enabled: true + symlinks: true tags: - tomcat-log - forwarded - udp: null data_stream.namespace: default - name: tcp-tomcat id: tcp-tomcat-${kubernetes.hints.container_id} @@ -5525,32 +5539,22 @@ inputs: - forwarded tcp: null data_stream.namespace: default - - name: filestream-tomcat - id: filestream-tomcat-${kubernetes.hints.container_id} - type: filestream + - name: udp-tomcat + id: udp-tomcat-${kubernetes.hints.container_id} + type: udp use_output: default streams: - - condition: ${kubernetes.hints.tomcat.log.enabled} == true and ${kubernetes.hints.tomcat.enabled} == true - id: filestream-tomcat-log-${kubernetes.hints.container_id} + - condition: ${kubernetes.hints.tomcat.log.enabled} == true or ${kubernetes.hints.tomcat.enabled} == true data_stream: dataset: tomcat.log type: logs - exclude_files: - - .gz$ fields: observer: product: TomCat type: Web vendor: Apache fields_under_root: true - file_identity: - fingerprint: null - parsers: - - container: - format: auto - stream: ${kubernetes.hints.tomcat.log.stream|'all'} - paths: - - /var/log/containers/*${kubernetes.hints.container_id}.log + host: localhost:9523 processors: - script: lang: javascript @@ -8293,12 +8297,8 @@ inputs: target_field: url.registered_domain target_subdomain_field: url.subdomain - add_locale: null - prospector: - scanner: - fingerprint: - enabled: true - symlinks: true tags: - tomcat-log - forwarded + udp: null data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/traefik.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/traefik.yml index 9095672680a..67de4781e27 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/traefik.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/traefik.yml 
@@ -5,7 +5,6 @@ inputs:
 use_output: default
 streams:
 - condition: ${kubernetes.hints.traefik.access.enabled} == true or ${kubernetes.hints.traefik.enabled} == true
- id: filestream-traefik-access-${kubernetes.hints.container_id}
 data_stream:
 dataset: traefik.access
 type: logs
@@ -13,6 +12,7 @@ inputs:
 - .gz$
 file_identity:
 fingerprint: null
+ id: filestream-traefik-traefik-access-${kubernetes.hints.container_id}
 parsers:
 - container:
 format: auto
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/udp.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/udp.yml
index 453d0c3a48c..f593f20ec7a 100644
--- a/deploy/kubernetes/elastic-agent-standalone/templates.d/udp.yml
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/udp.yml
@@ -4,8 +4,8 @@ inputs:
 type: filestream
 use_output: default
 streams:
- - condition: ${kubernetes.hints.udp.container_logs.enabled} == true
- id: filestream-udp-logs-${kubernetes.hints.container_id}
+ - id: udp-container-logs-${kubernetes.hints.container_id}
+ condition: ${kubernetes.hints.udp.container_logs.enabled} == true
 data_stream:
 dataset: udp.container_logs
 type: logs
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/zeek.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/zeek.yml
index cc75cc08e5e..eb544b4431a 100644
--- a/deploy/kubernetes/elastic-agent-standalone/templates.d/zeek.yml
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/zeek.yml
@@ -5,7 +5,6 @@ inputs:
 use_output: default
 streams:
 - condition: ${kubernetes.hints.zeek.capture_loss.enabled} == true or ${kubernetes.hints.zeek.enabled} == true
- id: filestream-zeek-loss-${kubernetes.hints.container_id}
 data_stream:
 dataset: zeek.capture_loss
 type: logs
@@ -13,6 +12,7 @@ inputs:
 - .gz$
 file_identity:
 fingerprint: null
+ id: filestream-zeek-zeek-capture_loss-${kubernetes.hints.container_id}
 parsers:
 - container:
 format: auto
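Review bot: In the udp.yml hunk the new `- id: udp-container-logs-${kubernetes.hints.container_id}` is placed above `condition:` and drops the `filestream-` prefix, whereas the traefik and zeek hunks on this same line keep stream keys sorted (`id` after `file_identity`) and name ids `filestream-<pkg>-<pkg>-<dataset>-…`; two naming and ordering schemes in one generated set make ids harder to grep and suggest two template paths in the generator. The zookeeper hunk later in this diff follows the udp pattern. If the `<pkg>-container-logs-…` form is deliberate for the generic container_logs stream, a comment in the generator or a line in the PR description saying so would make the next automated publish easier to review.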
@@ -37,6 +37,7 @@ inputs:
 - .gz$
 file_identity:
 fingerprint: null
+ id: filestream-zeek-zeek-connection-${kubernetes.hints.container_id}
 parsers:
 - container:
 format: auto
@@ -61,6 +62,7 @@ inputs:
 - .gz$
 file_identity:
 fingerprint: null
+ id: filestream-zeek-zeek-dce_rpc-${kubernetes.hints.container_id}
 parsers:
 - container:
 format: auto
@@ -85,6 +87,7 @@ inputs:
 - .gz$
 file_identity:
 fingerprint: null
+ id: filestream-zeek-zeek-dhcp-${kubernetes.hints.container_id}
 parsers:
 - container:
 format: auto
@@ -109,6 +112,7 @@ inputs:
 - .gz$
 file_identity:
 fingerprint: null
+ id: filestream-zeek-zeek-dnp3-${kubernetes.hints.container_id}
 parsers:
 - container:
 format: auto
@@ -132,6 +136,7 @@ inputs:
 - .gz$
 file_identity:
 fingerprint: null
+ id: filestream-zeek-zeek-dns-${kubernetes.hints.container_id}
 parsers:
 - container:
 format: auto
@@ -156,6 +161,7 @@ inputs:
 - .gz$
 file_identity:
 fingerprint: null
+ id: filestream-zeek-zeek-dpd-${kubernetes.hints.container_id}
 parsers:
 - container:
 format: auto
@@ -179,6 +185,7 @@ inputs:
 - .gz$
 file_identity:
 fingerprint: null
+ id: filestream-zeek-zeek-files-${kubernetes.hints.container_id}
 parsers:
 - container:
 format: auto
@@ -202,6 +209,7 @@ inputs:
 - .gz$
 file_identity:
 fingerprint: null
+ id: filestream-zeek-zeek-ftp-${kubernetes.hints.container_id}
 parsers:
 - container:
 format: auto
@@ -226,6 +234,7 @@ inputs:
 - .gz$
 file_identity:
 fingerprint: null
+ id: filestream-zeek-zeek-http-${kubernetes.hints.container_id}
 parsers:
 - container:
 format: auto
@@ -250,6 +259,7 @@ inputs:
 - .gz$
 file_identity:
 fingerprint: null
+ id: filestream-zeek-zeek-intel-${kubernetes.hints.container_id}
 parsers:
 - container:
 format: auto
@@ -274,6 +284,7 @@ inputs:
 - .gz$
 file_identity:
 fingerprint: null
+ id: filestream-zeek-zeek-irc-${kubernetes.hints.container_id}
 parsers:
 - container:
 format: auto
@@ -298,6 +309,7 @@ inputs:
 - .gz$
 file_identity:
 fingerprint: null
+ id: filestream-zeek-zeek-kerberos-${kubernetes.hints.container_id}
 parsers:
 - container:
 format: auto
@@ -322,6 +334,7 @@ inputs:
 - .gz$
 file_identity:
 fingerprint: null
+ id: filestream-zeek-zeek-known_certs-${kubernetes.hints.container_id}
 parsers:
 - container:
 format: auto
@@ -346,6 +359,7 @@ inputs:
 - .gz$
 file_identity:
 fingerprint: null
+ id: filestream-zeek-zeek-known_hosts-${kubernetes.hints.container_id}
 parsers:
 - container:
 format: auto
@@ -370,6 +384,7 @@ inputs:
 - .gz$
 file_identity:
 fingerprint: null
+ id: filestream-zeek-zeek-known_services-${kubernetes.hints.container_id}
 parsers:
 - container:
 format: auto
@@ -394,6 +409,7 @@ inputs:
 - .gz$
 file_identity:
 fingerprint: null
+ id: filestream-zeek-zeek-modbus-${kubernetes.hints.container_id}
 parsers:
 - container:
 format: auto
@@ -418,6 +434,7 @@ inputs:
 - .gz$
 file_identity:
 fingerprint: null
+ id: filestream-zeek-zeek-mysql-${kubernetes.hints.container_id}
 parsers:
 - container:
 format: auto
@@ -442,6 +459,7 @@ inputs:
 - .gz$
 file_identity:
 fingerprint: null
+ id: filestream-zeek-zeek-notice-${kubernetes.hints.container_id}
 parsers:
 - container:
 format: auto
@@ -466,6 +484,7 @@ inputs:
 - .gz$
 file_identity:
 fingerprint: null
+ id: filestream-zeek-zeek-ntlm-${kubernetes.hints.container_id}
 parsers:
 - container:
 format: auto
@@ -490,6 +509,7 @@ inputs:
 - .gz$
 file_identity:
 fingerprint: null
+ id: filestream-zeek-zeek-ntp-${kubernetes.hints.container_id}
 parsers:
 - container:
 format: auto
@@ -514,6 +534,7 @@ inputs:
 - .gz$
 file_identity:
 fingerprint: null
+ id: filestream-zeek-zeek-ocsp-${kubernetes.hints.container_id}
 parsers:
 - container:
 format: auto
@@ -538,6 +559,7 @@ inputs:
 - .gz$
 file_identity:
 fingerprint: null
+ id: filestream-zeek-zeek-pe-${kubernetes.hints.container_id}
 parsers:
 - container:
 format: auto
@@ -562,6 +584,7 @@ inputs:
 - .gz$
 file_identity:
 fingerprint: null
+ id: filestream-zeek-zeek-radius-${kubernetes.hints.container_id}
 parsers:
 - container:
 format: auto
@@ -586,6 +609,7 @@ inputs:
 - .gz$
 file_identity:
 fingerprint: null
+ id: filestream-zeek-zeek-rdp-${kubernetes.hints.container_id}
 parsers:
 - container:
 format: auto
@@ -610,6 +634,7 @@ inputs:
 - .gz$
 file_identity:
 fingerprint: null
+ id: filestream-zeek-zeek-rfb-${kubernetes.hints.container_id}
 parsers:
 - container:
 format: auto
@@ -634,6 +659,7 @@ inputs:
 - .gz$
 file_identity:
 fingerprint: null
+ id: filestream-zeek-zeek-signature-${kubernetes.hints.container_id}
 parsers:
 - container:
 format: auto
@@ -658,6 +684,7 @@ inputs:
 - .gz$
 file_identity:
 fingerprint: null
+ id: filestream-zeek-zeek-sip-${kubernetes.hints.container_id}
 parsers:
 - container:
 format: auto
@@ -682,6 +709,7 @@ inputs:
 - .gz$
 file_identity:
 fingerprint: null
+ id: filestream-zeek-zeek-smb_cmd-${kubernetes.hints.container_id}
 parsers:
 - container:
 format: auto
@@ -706,6 +734,7 @@ inputs:
 - .gz$
 file_identity:
 fingerprint: null
+ id: filestream-zeek-zeek-smb_files-${kubernetes.hints.container_id}
 parsers:
 - container:
 format: auto
@@ -730,6 +759,7 @@ inputs:
 - .gz$
 file_identity:
 fingerprint: null
+ id: filestream-zeek-zeek-smb_mapping-${kubernetes.hints.container_id}
 parsers:
 - container:
 format: auto
@@ -754,6 +784,7 @@ inputs:
 - .gz$
 file_identity:
 fingerprint: null
+ id: filestream-zeek-zeek-smtp-${kubernetes.hints.container_id}
 parsers:
 - container:
 format: auto
@@ -778,6 +809,7 @@ inputs:
 - .gz$
 file_identity:
 fingerprint: null
+ id: filestream-zeek-zeek-snmp-${kubernetes.hints.container_id}
 parsers:
 - container:
 format: auto
@@ -802,6 +834,7 @@ inputs:
 - .gz$
 file_identity:
 fingerprint: null
+ id: filestream-zeek-zeek-socks-${kubernetes.hints.container_id}
 parsers:
 - container:
 format: auto
@@ -826,6 +859,7 @@ inputs:
 - .gz$
 file_identity:
 fingerprint: null
+ id: filestream-zeek-zeek-software-${kubernetes.hints.container_id}
 parsers:
 - container:
 format: auto
@@ -850,6 +884,7 @@ inputs:
 - .gz$
 file_identity:
 fingerprint: null
+ id: filestream-zeek-zeek-ssh-${kubernetes.hints.container_id}
 parsers:
 - container:
 format: auto
@@ -874,6 +909,7 @@ inputs:
 - .gz$
 file_identity:
 fingerprint: null
+ id: filestream-zeek-zeek-ssl-${kubernetes.hints.container_id}
 parsers:
 - container:
 format: auto
@@ -898,6 +934,7 @@ inputs:
 - .gz$
 file_identity:
 fingerprint: null
+ id: filestream-zeek-zeek-stats-${kubernetes.hints.container_id}
 parsers:
 - container:
 format: auto
@@ -922,6 +959,7 @@ inputs:
 - .gz$
 file_identity:
 fingerprint: null
+ id: filestream-zeek-zeek-syslog-${kubernetes.hints.container_id}
 parsers:
 - container:
 format: auto
@@ -946,6 +984,7 @@ inputs:
 - .gz$
 file_identity:
 fingerprint: null
+ id: filestream-zeek-zeek-traceroute-${kubernetes.hints.container_id}
 parsers:
 - container:
 format: auto
@@ -970,6 +1009,7 @@ inputs:
 - .gz$
 file_identity:
 fingerprint: null
+ id: filestream-zeek-zeek-tunnel-${kubernetes.hints.container_id}
 parsers:
 - container:
 format: auto
@@ -994,6 +1034,7 @@ inputs:
 - .gz$
 file_identity:
 fingerprint: null
+ id: filestream-zeek-zeek-weird-${kubernetes.hints.container_id}
 parsers:
 - container:
 format: auto
@@ -1018,6 +1059,7 @@ inputs:
 - .gz$
 file_identity:
 fingerprint: null
+ id: filestream-zeek-zeek-x509-${kubernetes.hints.container_id}
 parsers:
 - container:
 format: auto
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/zookeeper.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/zookeeper.yml
index dfe324275cc..78eb2239011 100644
--- a/deploy/kubernetes/elastic-agent-standalone/templates.d/zookeeper.yml
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/zookeeper.yml
@@ -1,4 +1,27 @@
 inputs:
+ - name: filestream-zookeeper
+ id: filestream-zookeeper-${kubernetes.hints.container_id}
+ type: filestream
+ use_output: default
+ streams:
+ - id: zookeeper-container-logs-${kubernetes.hints.container_id}
+ condition: ${kubernetes.hints.zookeeper.container_logs.enabled} == true
+ data_stream:
+ dataset: zookeeper.container_logs
+ type: logs
+ exclude_files: []
+ exclude_lines: []
+ parsers:
+ - container:
+ format: auto
+ stream: all
+ paths:
+ - /var/log/containers/*${kubernetes.hints.container_id}.log
+ prospector:
+ scanner:
+ symlinks: true
+ tags: []
+ data_stream.namespace: default
 - name: zookeeper/metrics-zookeeper
 id: zookeeper/metrics-zookeeper-${kubernetes.hints.container_id}
 type: zookeeper/metrics
@@ -32,26 +55,3 @@ inputs:
 - server
 period: ${kubernetes.hints.zookeeper.server.period|kubernetes.hints.zookeeper.period|'10s'}
 data_stream.namespace: default
- - name: filestream-zookeeper
- id: filestream-zookeeper-${kubernetes.hints.container_id}
- type: filestream
- use_output: default
- streams:
- - condition: ${kubernetes.hints.zookeeper.container_logs.enabled} == true
- id: filestream-zookeeper-logs-${kubernetes.hints.container_id}
- data_stream:
- dataset: zookeeper.container_logs
- type: logs
- exclude_files: []
- exclude_lines: []
- parsers:
- - container:
- format: auto
- stream: all
- paths:
- - /var/log/containers/*${kubernetes.hints.container_id}.log
- prospector:
- scanner:
- symlinks: true
- tags: []
- data_stream.namespace: default
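Review bot: The 23 added lines under `+ - name: filestream-zookeeper` are the same input that the second hunk of this file removes from the end, moved to the top; the only substantive differences are the stream id (`filestream-zookeeper-logs-…` → `zookeeper-container-logs-…`) and the `id`/`condition` key order, and the move buries them in what reads as a new input. The tomcat section earlier in this diff appears to show the same pattern at a much larger scale, with its filestream and udp inputs swapping places across several thousand lines of moved context. Keeping input order stable in the generator (or sorting inputs by name on both sides before emitting) would reduce these automated publishes to the handful of lines that actually change and make them reviewable.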