{ "name": "cisco_nexus", "title": "Cisco Nexus", "version": "1.6.1", "release": "ga", "description": "Collect logs from Cisco Nexus with Elastic Agent.", "type": "integration", "download": "/epr/cisco_nexus/cisco_nexus-1.6.1.zip", "path": "/package/cisco_nexus/1.6.1", "icons": [ { "src": "/img/cisco.svg", "path": "/package/cisco_nexus/1.6.1/img/cisco.svg", "title": "cisco", "size": "216x216", "type": "image/svg+xml" } ], "conditions": { "kibana": { "version": "^8.11.0 || ^9.0.0" }, "elastic": { "subscription": "basic" } }, "owner": { "type": "elastic", "github": "elastic/integration-experience" }, "categories": [ "network", "security" ], "signature_path": "/epr/cisco_nexus/cisco_nexus-1.6.1.zip.sig", "format_version": "3.0.3", "readme": "/package/cisco_nexus/1.6.1/docs/README.md", "license": "basic", "screenshots": [ { "src": "/img/cisco-nexus-overview-dashboard.png", "path": "/package/cisco_nexus/1.6.1/img/cisco-nexus-overview-dashboard.png", "title": "Cisco Nexus Overview Dashboard Screenshot", "size": "600x600", "type": "image/png" } ], "assets": [ "/package/cisco_nexus/1.6.1/LICENSE.txt", "/package/cisco_nexus/1.6.1/changelog.yml", "/package/cisco_nexus/1.6.1/manifest.yml", "/package/cisco_nexus/1.6.1/validation.yml", "/package/cisco_nexus/1.6.1/docs/README.md", "/package/cisco_nexus/1.6.1/img/cisco-nexus-overview-dashboard.png", "/package/cisco_nexus/1.6.1/img/cisco.svg", "/package/cisco_nexus/1.6.1/kibana/tags.yml", "/package/cisco_nexus/1.6.1/data_stream/log/manifest.yml", "/package/cisco_nexus/1.6.1/data_stream/log/sample_event.json", "/package/cisco_nexus/1.6.1/docs/knowledge_base/service_info.md", "/package/cisco_nexus/1.6.1/kibana/dashboard/cisco_nexus-cf3deb30-f56f-11ed-8e0a-bfd488deb0b8.json", "/package/cisco_nexus/1.6.1/kibana/search/cisco_nexus-22482030-f57e-11ed-8e0a-bfd488deb0b8.json", "/package/cisco_nexus/1.6.1/data_stream/log/fields/base-fields.yml", "/package/cisco_nexus/1.6.1/data_stream/log/fields/beats.yml", "/package/cisco_nexus/1.6.1/data_stream/log/fields/fields.yml", "/package/cisco_nexus/1.6.1/data_stream/log/agent/stream/filestream.yml.hbs", "/package/cisco_nexus/1.6.1/data_stream/log/agent/stream/tcp.yml.hbs", "/package/cisco_nexus/1.6.1/data_stream/log/agent/stream/udp.yml.hbs", "/package/cisco_nexus/1.6.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml", "/package/cisco_nexus/1.6.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_extract_message.yml" ], "policy_templates": [ { "name": "cisco_nexus", "title": "Cisco Nexus logs", "description": "Collect logs from Cisco Nexus instances.", "inputs": [ { "type": "tcp", "title": "Collect logs from Cisco Nexus via TCP", "description": "Collecting logs from Cisco Nexus via TCP." }, { "type": "udp", "title": "Collect logs from Cisco Nexus via UDP", "description": "Collecting logs from Cisco Nexus via UDP." }, { "type": "filestream", "title": "Collect logs from Cisco Nexus via Filestream", "description": "Collecting logs from Cisco Nexus via file." } ], "multiple": true } ], "data_streams": [ { "type": "logs", "dataset": "cisco_nexus.log", "title": "Collect logs from Cisco Nexus", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "tcp", "vars": [ { "name": "listen_address", "type": "text", "title": "Listen Address", "description": "The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces.", "multi": false, "required": true, "show_user": true, "default": "localhost" }, { "name": "listen_port", "type": "integer", "title": "Listen Port", "description": "The TCP port number to listen on.", "multi": false, "required": true, "show_user": true, "default": 9506 }, { "name": "tz_map", "type": "yaml", "title": "Timezone Map", "description": "A collectiom of timezones found in Cisco Nexus logs (as defined in each `tz_short`), and the replacement value (as defined in each `tz_long`) which should be the full proper IANA Timezone format (for example, Australia/Sydney or +10:00). This is used to override vendor provided timezone formats that is not supported by Elasticsearch [Date Processors](https://www.elastic.co/docs/reference/enrich-processor/date-processor#date-processor-timezones)", "multi": false, "required": false, "show_user": true, "default": "#- tz_short: AEST\n# tz_long: Australia/Sydney\n#- tz_short: MST\n# tz_long: America/Phoenix\n" }, { "name": "tz_offset", "type": "text", "title": "Timezone Offset", "description": "When interpreting syslog timestamps without a time zone, use this timezone offset. Datetimes recorded in logs are by default interpreted in relation to the timezone set up on the host where the agent is operating. Use this parameter to adjust the timezone offset when importing logs from a host in a different timezone so that datetimes are appropriately interpreted. Both a canonical ID (such as \"Europe/Amsterdam\") and an HH:mm differential (such as \"-05:00\") are acceptable timezone formats.", "multi": false, "required": false, "show_user": true }, { "name": "tcp_options", "type": "yaml", "title": "Custom TCP Options", "description": "Specify custom configuration options for the TCP input.", "multi": false, "required": false, "show_user": false, "default": "#framing: delimiter\n#max_message_size: 50KiB\n#max_connections: 1\n#line_delimiter: \"\\n\"\n" }, { "name": "ssl", "type": "yaml", "title": "SSL Configuration", "description": "SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.", "multi": false, "required": false, "show_user": false, "default": "#certificate_authorities:\n# - |\n# -----BEGIN CERTIFICATE-----\n# MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n# ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n# MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n# BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n# fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n# 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n# /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n# PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n# CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n# BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n# 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n# 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n# 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n# H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n# 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n# yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n# sxSmbIUfc2SGJGCJD4I=\n# -----END CERTIFICATE-----\n" }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "cisco_nexus-log" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve cisco_nexus.log fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": true, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "tcp.yml.hbs", "title": "Cisco Nexus logs", "description": "Collect Cisco Nexus logs via TCP input.", "enabled": false, "ingestion_method": "Network Protocol" }, { "input": "udp", "vars": [ { "name": "listen_address", "type": "text", "title": "Listen Address", "description": "The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces.", "multi": false, "required": true, "show_user": true, "default": "localhost" }, { "name": "listen_port", "type": "integer", "title": "Listen Port", "description": "The UDP port number to listen on.", "multi": false, "required": true, "show_user": true, "default": 9506 }, { "name": "tz_map", "type": "yaml", "title": "Timezone Map", "description": "A collectiom of timezones found in Cisco Nexus logs (as defined in each `tz_short`), and the replacement value (as defined in each `tz_long`) which should be the full proper IANA Timezone format (for example, Australia/Sydney or +10:00). This is used to override vendor provided timezone formats that is not supported by Elasticsearch [Date Processors](https://www.elastic.co/docs/reference/enrich-processor/date-processor#date-processor-timezones)", "multi": false, "required": false, "show_user": true, "default": "#- tz_short: AEST\n# tz_long: Australia/Sydney\n#- tz_short: MST\n# tz_long: America/Phoenix\n" }, { "name": "tz_offset", "type": "text", "title": "Timezone Offset", "description": "When interpreting syslog timestamps without a time zone, use this timezone offset. Datetimes recorded in logs are by default interpreted in relation to the timezone set up on the host where the agent is operating. Use this parameter to adjust the timezone offset when importing logs from a host in a different timezone so that datetimes are appropriately interpreted. Both a canonical ID (such as \"Europe/Amsterdam\") and an HH:mm differential (such as \"-05:00\") are acceptable timezone formats.", "multi": false, "required": false, "show_user": true }, { "name": "udp_options", "type": "yaml", "title": "Custom UDP Options", "description": "Specify custom configuration options for the UDP input.", "multi": false, "required": false, "show_user": false, "default": "#max_message_size: 50KiB\n#timeout: 300s\n" }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "cisco_nexus-log" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve cisco_nexus.log fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": true, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "udp.yml.hbs", "title": "Cisco Nexus logs", "description": "Collect Cisco Nexus logs via UDP input.", "enabled": false, "ingestion_method": "Network Protocol" }, { "input": "filestream", "vars": [ { "name": "paths", "type": "text", "title": "Paths", "description": "A list of glob-based paths that will be crawled and fetched.", "multi": true, "required": true, "show_user": true }, { "name": "tz_map", "type": "yaml", "title": "Timezone Map", "description": "A collectiom of timezones found in Cisco Nexus logs (as defined in each `tz_short`), and the replacement value (as defined in each `tz_long`) which should be the full proper IANA Timezone format (for example, Australia/Sydney or +10:00). This is used to override vendor provided timezone formats that is not supported by Elasticsearch [Date Processors](https://www.elastic.co/docs/reference/enrich-processor/date-processor#date-processor-timezones)", "multi": false, "required": false, "show_user": true, "default": "#- tz_short: AEST\n# tz_long: Australia/Sydney\n#- tz_short: MST\n# tz_long: America/Phoenix\n" }, { "name": "tz_offset", "type": "text", "title": "Timezone Offset", "description": "When interpreting syslog timestamps without a time zone, use this timezone offset. Datetimes recorded in logs are by default interpreted in relation to the timezone set up on the host where the agent is operating. Use this parameter to adjust the timezone offset when importing logs from a host in a different timezone so that datetimes are appropriately interpreted. Both a canonical ID (such as \"Europe/Amsterdam\") and an HH:mm differential (such as \"-05:00\") are acceptable timezone formats.", "multi": false, "required": false, "show_user": true }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "cisco_nexus-log" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve cisco_nexus.log fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": true, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "filestream.yml.hbs", "title": "Cisco Nexus logs", "description": "Collect Cisco Nexus logs via Filestream input.", "enabled": false, "ingestion_method": "File" } ], "package": "cisco_nexus", "elasticsearch": { "index_template.mappings": { "dynamic_templates": [ { "_embedded_ecs-ecs_timestamp": { "mapping": { "ignore_malformed": false, "type": "date" }, "path_match": "@timestamp" } }, { "_embedded_ecs-data_stream_to_constant": { "mapping": { "type": "constant_keyword" }, "path_match": "data_stream.*" } }, { "_embedded_ecs-resolved_ip_to_ip": { "mapping": { "type": "ip" }, "match": "resolved_ip" } }, { "_embedded_ecs-forwarded_ip_to_ip": { "mapping": { "type": "ip" }, "match": "forwarded_ip", "match_mapping_type": "string" } }, { "_embedded_ecs-ip_to_ip": { "mapping": { "type": "ip" }, "match": "ip", "match_mapping_type": "string" } }, { "_embedded_ecs-x509_public_key_exponent_non_indexed_long": { "mapping": { "doc_values": false, "index": false, "type": "long" }, "path_match": "*.x509.public_key_exponent" } }, { "_embedded_ecs-port_to_long": { "mapping": { "type": "long" }, "match": "port" } }, { "_embedded_ecs-thread_id_to_long": { "mapping": { "type": "long" }, "path_match": "*.thread.id" } }, { "_embedded_ecs-status_code_to_long": { "mapping": { "type": "long" }, "match": "status_code" } }, { "_embedded_ecs-line_to_long": { "mapping": { "type": "long" }, "path_match": "*.file.line" } }, { "_embedded_ecs-priority_to_long": { "mapping": { "type": "long" }, "path_match": "log.syslog.priority" } }, { "_embedded_ecs-code_to_long": { "mapping": { "type": "long" }, "path_match": "*.facility.code" } }, { "_embedded_ecs-code_to_long": { "mapping": { "type": "long" }, "path_match": "*.severity.code" } }, { "_embedded_ecs-bytes_to_long": { "mapping": { "type": "long" }, "match": "bytes", "path_unmatch": "*.data.bytes" } }, { "_embedded_ecs-packets_to_long": { "mapping": { "type": "long" }, "match": "packets" } }, { "_embedded_ecs-public_key_exponent_to_long": { "mapping": { "type": "long" }, "match": "public_key_exponent" } }, { "_embedded_ecs-severity_to_long": { "mapping": { "type": "long" }, "path_match": "event.severity" } }, { "_embedded_ecs-duration_to_long": { "mapping": { "type": "long" }, "path_match": "event.duration" } }, { "_embedded_ecs-pid_to_long": { "mapping": { "type": "long" }, "match": "pid" } }, { "_embedded_ecs-uptime_to_long": { "mapping": { "type": "long" }, "match": "uptime" } }, { "_embedded_ecs-sequence_to_long": { "mapping": { "type": "long" }, "match": "sequence" } }, { "_embedded_ecs-entropy_to_long": { "mapping": { "type": "long" }, "match": "*entropy" } }, { "_embedded_ecs-size_to_long": { "mapping": { "type": "long" }, "match": "*size" } }, { "_embedded_ecs-entrypoint_to_long": { "mapping": { "type": "long" }, "match": "entrypoint" } }, { "_embedded_ecs-ttl_to_long": { "mapping": { "type": "long" }, "match": "ttl" } }, { "_embedded_ecs-major_to_long": { "mapping": { "type": "long" }, "match": "major" } }, { "_embedded_ecs-minor_to_long": { "mapping": { "type": "long" }, "match": "minor" } }, { "_embedded_ecs-as_number_to_long": { "mapping": { "type": "long" }, "path_match": "*.as.number" } }, { "_embedded_ecs-pgid_to_long": { "mapping": { "type": "long" }, "match": "pgid" } }, { "_embedded_ecs-exit_code_to_long": { "mapping": { "type": "long" }, "match": "exit_code" } }, { "_embedded_ecs-chi_to_long": { "mapping": { "type": "long" }, "match": "chi2" } }, { "_embedded_ecs-args_count_to_long": { "mapping": { "type": "long" }, "match": "args_count" } }, { "_embedded_ecs-virtual_address_to_long": { "mapping": { "type": "long" }, "match": "virtual_address" } }, { "_embedded_ecs-io_text_to_wildcard": { "mapping": { "type": "wildcard" }, "path_match": "*.io.text" } }, { "_embedded_ecs-strings_to_wildcard": { "mapping": { "type": "wildcard" }, "path_match": "registry.data.strings" } }, { "_embedded_ecs-path_to_wildcard": { "mapping": { "type": "wildcard" }, "path_match": "*url.path" } }, { "_embedded_ecs-message_id_to_wildcard": { "mapping": { "type": "wildcard" }, "match": "message_id" } }, { "_embedded_ecs-command_line_to_multifield": { "mapping": { "fields": { "text": { "type": "match_only_text" } }, "type": "wildcard" }, "match": "command_line" } }, { "_embedded_ecs-error_stack_trace_to_multifield": { "mapping": { "fields": { "text": { "type": "match_only_text" } }, "type": "wildcard" }, "match": "stack_trace" } }, { "_embedded_ecs-http_content_to_multifield": { "mapping": { "fields": { "text": { "type": "match_only_text" } }, "type": "wildcard" }, "path_match": "*.body.content" } }, { "_embedded_ecs-url_full_to_multifield": { "mapping": { "fields": { "text": { "type": "match_only_text" } }, "type": "wildcard" }, "path_match": "*url.full" } }, { "_embedded_ecs-url_original_to_multifield": { "mapping": { "fields": { "text": { "type": "match_only_text" } }, "type": "wildcard" }, "path_match": "*url.original" } }, { "_embedded_ecs-user_agent_original_to_multifield": { "mapping": { "fields": { "text": { "type": "match_only_text" } }, "type": "wildcard" }, "path_match": "user_agent.original" } }, { "_embedded_ecs-error_message_to_match_only": { "mapping": { "type": "match_only_text" }, "path_match": "error.message" } }, { "_embedded_ecs-message_match_only_text": { "mapping": { "type": "match_only_text" }, "path_match": "message" } }, { "_embedded_ecs-event_original_non_indexed_keyword": { "mapping": { "doc_values": false, "index": false, "type": "keyword" }, "path_match": "event.original" } }, { "_embedded_ecs-agent_name_to_keyword": { "mapping": { "type": "keyword" }, "path_match": "agent.name" } }, { "_embedded_ecs-service_name_to_keyword": { "mapping": { "type": "keyword" }, "path_match": "*.service.name" } }, { "_embedded_ecs-sections_name_to_keyword": { "mapping": { "type": "keyword" }, "path_match": "*.sections.name" } }, { "_embedded_ecs-resource_name_to_keyword": { "mapping": { "type": "keyword" }, "path_match": "*.resource.name" } }, { "_embedded_ecs-observer_name_to_keyword": { "mapping": { "type": "keyword" }, "path_match": "observer.name" } }, { "_embedded_ecs-question_name_to_keyword": { "mapping": { "type": "keyword" }, "path_match": "*.question.name" } }, { "_embedded_ecs-group_name_to_keyword": { "mapping": { "type": "keyword" }, "path_match": "*.group.name" } }, { "_embedded_ecs-geo_name_to_keyword": { "mapping": { "type": "keyword" }, "path_match": "*.geo.name" } }, { "_embedded_ecs-host_name_to_keyword": { "mapping": { "type": "keyword" }, "path_match": "host.name" } }, { "_embedded_ecs-severity_name_to_keyword": { "mapping": { "type": "keyword" }, "path_match": "*.severity.name" } }, { "_embedded_ecs-title_to_multifield": { "mapping": { "fields": { "text": { "type": "match_only_text" } }, "type": "keyword" }, "match": "title" } }, { "_embedded_ecs-executable_to_multifield": { "mapping": { "fields": { "text": { "type": "match_only_text" } }, "type": "keyword" }, "match": "executable" } }, { "_embedded_ecs-file_path_to_multifield": { "mapping": { "fields": { "text": { "type": "match_only_text" } }, "type": "keyword" }, "path_match": "*.file.path" } }, { "_embedded_ecs-file_target_path_to_multifield": { "mapping": { "fields": { "text": { "type": "match_only_text" } }, "type": "keyword" }, "path_match": "*.file.target_path" } }, { "_embedded_ecs-name_to_multifield": { "mapping": { "fields": { "text": { "type": "match_only_text" } }, "type": "keyword" }, "match": "name" } }, { "_embedded_ecs-full_name_to_multifield": { "mapping": { "fields": { "text": { "type": "match_only_text" } }, "type": "keyword" }, "match": "full_name" } }, { "_embedded_ecs-os_full_to_multifield": { "mapping": { "fields": { "text": { "type": "match_only_text" } }, "type": "keyword" }, "path_match": "*.os.full" } }, { "_embedded_ecs-working_directory_to_multifield": { "mapping": { "fields": { "text": { "type": "match_only_text" } }, "type": "keyword" }, "match": "working_directory" } }, { "_embedded_ecs-timestamp_to_date": { "mapping": { "type": "date" }, "match": "timestamp" } }, { "_embedded_ecs-delivery_timestamp_to_date": { "mapping": { "type": "date" }, "match": "delivery_timestamp" } }, { "_embedded_ecs-not_after_to_date": { "mapping": { "type": "date" }, "match": "not_after" } }, { "_embedded_ecs-not_before_to_date": { "mapping": { "type": "date" }, "match": "not_before" } }, { "_embedded_ecs-accessed_to_date": { "mapping": { "type": "date" }, "match": "accessed" } }, { "_embedded_ecs-origination_timestamp_to_date": { "mapping": { "type": "date" }, "match": "origination_timestamp" } }, { "_embedded_ecs-created_to_date": { "mapping": { "type": "date" }, "match": "created" } }, { "_embedded_ecs-installed_to_date": { "mapping": { "type": "date" }, "match": "installed" } }, { "_embedded_ecs-creation_date_to_date": { "mapping": { "type": "date" }, "match": "creation_date" } }, { "_embedded_ecs-ctime_to_date": { "mapping": { "type": "date" }, "match": "ctime" } }, { "_embedded_ecs-mtime_to_date": { "mapping": { "type": "date" }, "match": "mtime" } }, { "_embedded_ecs-ingested_to_date": { "mapping": { "type": "date" }, "match": "ingested" } }, { "_embedded_ecs-start_to_date": { "mapping": { "type": "date" }, "match": "start" } }, { "_embedded_ecs-end_to_date": { "mapping": { "type": "date" }, "match": "end" } }, { "_embedded_ecs-score_base_to_float": { "mapping": { "type": "float" }, "path_match": "*.score.base" } }, { "_embedded_ecs-score_temporal_to_float": { "mapping": { "type": "float" }, "path_match": "*.score.temporal" } }, { "_embedded_ecs-score_to_float": { "mapping": { "type": "float" }, "match": "*_score" } }, { "_embedded_ecs-score_norm_to_float": { "mapping": { "type": "float" }, "match": "*_score_norm" } }, { "_embedded_ecs-usage_to_float": { "mapping": { "scaling_factor": 1000, "type": "scaled_float" }, "match": "usage" } }, { "_embedded_ecs-location_to_geo_point": { "mapping": { "type": "geo_point" }, "match": "location" } }, { "_embedded_ecs-same_as_process_to_boolean": { "mapping": { "type": "boolean" }, "match": "same_as_process" } }, { "_embedded_ecs-established_to_boolean": { "mapping": { "type": "boolean" }, "match": "established" } }, { "_embedded_ecs-resumed_to_boolean": { "mapping": { "type": "boolean" }, "match": "resumed" } }, { "_embedded_ecs-max_bytes_per_process_exceeded_to_boolean": { "mapping": { "type": "boolean" }, "match": "max_bytes_per_process_exceeded" } }, { "_embedded_ecs-interactive_to_boolean": { "mapping": { "type": "boolean" }, "match": "interactive" } }, { "_embedded_ecs-exists_to_boolean": { "mapping": { "type": "boolean" }, "match": "exists" } }, { "_embedded_ecs-trusted_to_boolean": { "mapping": { "type": "boolean" }, "match": "trusted" } }, { "_embedded_ecs-valid_to_boolean": { "mapping": { "type": "boolean" }, "match": "valid" } }, { "_embedded_ecs-go_stripped_to_boolean": { "mapping": { "type": "boolean" }, "match": "go_stripped" } }, { "_embedded_ecs-coldstart_to_boolean": { "mapping": { "type": "boolean" }, "match": "coldstart" } }, { "_embedded_ecs-exports_to_flattened": { "mapping": { "type": "flattened" }, "match": "exports" } }, { "_embedded_ecs-structured_data_to_flattened": { "mapping": { "type": "flattened" }, "match": "structured_data" } }, { "_embedded_ecs-imports_to_flattened": { "mapping": { "type": "flattened" }, "match": "*imports" } }, { "_embedded_ecs-attachments_to_nested": { "mapping": { "type": "nested" }, "match": "attachments" } }, { "_embedded_ecs-segments_to_nested": { "mapping": { "type": "nested" }, "match": "segments" } }, { "_embedded_ecs-elf_sections_to_nested": { "mapping": { "type": "nested" }, "path_match": "*.elf.sections" } }, { "_embedded_ecs-pe_sections_to_nested": { "mapping": { "type": "nested" }, "path_match": "*.pe.sections" } }, { "_embedded_ecs-macho_sections_to_nested": { "mapping": { "type": "nested" }, "path_match": "*.macho.sections" } } ] }, "ingest_pipeline.name": "default" }, "path": "log" } ] }