From 5a0ba4d9d4f8cd03a1c32e20f6e63640daa532e1 Mon Sep 17 00:00:00 2001
From: Elastic Machine
Date: Mon, 19 Sep 2022 05:09:03 -0400
Subject: [PATCH] Update kubernetes templates for elastic-agent [templates.d] (#1231)

---
 .../templates.d/activemq.yml | 90 +++++++++---------
 .../templates.d/apache.yml | 30 +++---
 .../templates.d/cassandra.yml | 54 +++++------
 .../templates.d/cloud_security_posture.yml | 93 -------------------
 .../templates.d/cockroachdb.yml | 42 ++++-----
 .../templates.d/cyberarkpas.yml | 46 ++++-----
 .../templates.d/fireeye.yml | 34 +++----
 .../templates.d/haproxy.yml | 32 +++----
 .../templates.d/infoblox_nios.yml | 12 +++
 .../templates.d/kafka.yml | 56 +++++------
 .../templates.d/mongodb.yml | 44 ++++-----
 .../templates.d/nginx.yml | 30 +++---
 .../templates.d/osquery.yml | 23 -----
 .../templates.d/osquery_manager.yml | 33 -------
 .../templates.d/qnap_nas.yml | 38 ++++----
 .../templates.d/sentinel_one.yml | 42 ++++-----
 .../templates.d/symantec_endpoint.yml | 38 ++++----
 17 files changed, 300 insertions(+), 437 deletions(-)
 delete mode 100644 deploy/kubernetes/elastic-agent-standalone/templates.d/cloud_security_posture.yml
 delete mode 100644 deploy/kubernetes/elastic-agent-standalone/templates.d/osquery.yml
 delete mode 100644 deploy/kubernetes/elastic-agent-standalone/templates.d/osquery_manager.yml

diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/activemq.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/activemq.yml
index 8177cd731d2..007060a5ac0 100644
--- a/deploy/kubernetes/elastic-agent-standalone/templates.d/activemq.yml
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/activemq.yml
@@ -1,4 +1,49 @@ inputs: + - name: filestream-activemq + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.activemq.audit.enabled} == true or ${kubernetes.hints.activemq.enabled} == true + data_stream: + dataset: activemq.audit + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.activemq.audit.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + prospector: + scanner: + symlinks: true + tags: + - forwarded + - activemq-audit + - condition: ${kubernetes.hints.activemq.log.enabled} == true or ${kubernetes.hints.activemq.enabled} == true + data_stream: + dataset: activemq.log + type: logs + exclude_files: + - .gz$ + multiline: + match: after + negate: true + pattern: '^\d{4}-\d{2}-\d{2} ' + parsers: + - container: + format: auto + stream: ${kubernetes.hints.activemq.log.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + prospector: + scanner: + symlinks: true + tags: + - forwarded + - activemq-log + data_stream.namespace: default - name: activemq/metrics-activemq type: activemq/metrics use_output: default 
@@ -49,48 +94,3 @@ inputs: - activemq-topic username: ${kubernetes.hints.activemq.topic.username|'admin'} data_stream.namespace: default - - name: filestream-activemq - type: filestream - use_output: default - streams: - - condition: ${kubernetes.hints.activemq.audit.enabled} == true or ${kubernetes.hints.activemq.enabled} == true - data_stream: - dataset: activemq.audit - type: logs - exclude_files: - - .gz$ - parsers: - - container: - format: auto - stream: ${kubernetes.hints.activemq.audit.stream|'all'} - paths: - - /var/log/containers/*${kubernetes.hints.container_id}.log - prospector: - scanner: - symlinks: true - tags: - - forwarded - - activemq-audit - - condition: ${kubernetes.hints.activemq.log.enabled} == true or ${kubernetes.hints.activemq.enabled} == true - data_stream: - dataset: activemq.log - type: logs - exclude_files: - - .gz$ - multiline: - match: after - negate: true - pattern: '^\d{4}-\d{2}-\d{2} ' - parsers: - - container: - format: auto - stream: ${kubernetes.hints.activemq.log.stream|'all'} - paths: - - /var/log/containers/*${kubernetes.hints.container_id}.log - prospector: - scanner: - symlinks: true - tags: - - forwarded - - activemq-log - data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/apache.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/apache.yml index bdf487d2d5c..a6e461a5363 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/apache.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/apache.yml 
@@ -1,19 +1,4 @@ inputs: - - name: apache/metrics-apache - type: apache/metrics - use_output: default - streams: - - condition: ${kubernetes.hints.apache.status.enabled} == true or ${kubernetes.hints.apache.enabled} == true - data_stream: - dataset: apache.status - type: metrics - hosts: - - ${kubernetes.hints.apache.status.host|'http://127.0.0.1'} - metricsets: - - status - period: ${kubernetes.hints.apache.status.period|'30s'} - server_status_path: /server-status - data_stream.namespace: default - name: filestream-apache type: filestream use_output: default @@ -132,3 +117,18 @@ inputs: - forwarded - apache-error data_stream.namespace: default + - name: apache/metrics-apache + type: apache/metrics + use_output: default + streams: + - condition: ${kubernetes.hints.apache.status.enabled} == true or ${kubernetes.hints.apache.enabled} == true + data_stream: + dataset: apache.status + type: metrics + hosts: + - ${kubernetes.hints.apache.status.host|'http://127.0.0.1'} + metricsets: + - status + period: ${kubernetes.hints.apache.status.period|'30s'} + server_status_path: /server-status + data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/cassandra.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/cassandra.yml index 296b330c807..bce4edf635c 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/cassandra.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/cassandra.yml 
@@ -1,4 +1,31 @@ inputs: + - name: filestream-cassandra + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.cassandra.log.enabled} == true or ${kubernetes.hints.cassandra.enabled} == true + data_stream: + dataset: cassandra.log + type: logs + exclude_files: + - .gz$ + multiline: + match: after + negate: true + pattern: ^([A-Z]) + parsers: + - container: + format: auto + stream: ${kubernetes.hints.cassandra.log.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + prospector: + scanner: + symlinks: true + tags: + - forwarded + - cassandra-systemlogs + data_stream.namespace: default - name: jolokia/metrics-cassandra type: jolokia/metrics use_output: default @@ -298,30 +325,3 @@ inputs: period: ${kubernetes.hints.cassandra.metrics.period|'10s'} username: ${kubernetes.hints.cassandra.metrics.username|'admin'} data_stream.namespace: default - - name: filestream-cassandra - type: filestream - use_output: default - streams: - - condition: ${kubernetes.hints.cassandra.log.enabled} == true or ${kubernetes.hints.cassandra.enabled} == true - data_stream: - dataset: cassandra.log - type: logs - exclude_files: - - .gz$ - multiline: - match: after - negate: true - pattern: ^([A-Z]) - parsers: - - container: - format: auto - stream: ${kubernetes.hints.cassandra.log.stream|'all'} - paths: - - /var/log/containers/*${kubernetes.hints.container_id}.log - prospector: - scanner: - symlinks: true - tags: - - forwarded - - cassandra-systemlogs - data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/cloud_security_posture.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/cloud_security_posture.yml deleted file mode 100644 index bbc867294c7..00000000000 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/cloud_security_posture.yml +++ /dev/null 
@@ -1,93 +0,0 @@ -inputs: - - name: cloudbeat/cis_k8s-cloud_security_posture - type: cloudbeat/cis_k8s - use_output: default - streams: - - condition: ${kubernetes.hints.cloud_security_posture.findings.enabled} == true or ${kubernetes.hints.cloud_security_posture.enabled} == true - data_stream: - dataset: cloud_security_posture.findings - type: logs - evaluator: - decision_logs: false - fetchers: - - name: kube-api - - directory: /hostfs - name: process - processes: - etcd: null - kube-apiserver: null - kube-controller: null - kube-scheduler: null - kubelet: - config-file-arguments: - - config - - name: file-system - patterns: - - /hostfs/etc/kubernetes/scheduler.conf - - /hostfs/etc/kubernetes/controller-manager.conf - - /hostfs/etc/kubernetes/admin.conf - - /hostfs/etc/kubernetes/kubelet.conf - - /hostfs/etc/kubernetes/manifests/etcd.yaml - - /hostfs/etc/kubernetes/manifests/kube-apiserver.yaml - - /hostfs/etc/kubernetes/manifests/kube-controller-manager.yaml - - /hostfs/etc/kubernetes/manifests/kube-scheduler.yaml - - /hostfs/etc/systemd/system/kubelet.service.d/10-kubeadm.conf - - /hostfs/etc/kubernetes/pki/* - - /hostfs/var/lib/kubelet/config.yaml - - /hostfs/var/lib/etcd - - /hostfs/etc/kubernetes/pki - name: Findings - period: 4h - processors: - - add_cluster_id: null - data_stream.namespace: default - - name: cloudbeat/cis_eks-cloud_security_posture - type: cloudbeat/cis_eks - use_output: default - streams: - - condition: ${kubernetes.hints.cloud_security_posture.findings.enabled} == true and ${kubernetes.hints.cloud_security_posture.enabled} == true - data_stream: - dataset: cloud_security_posture.findings - type: logs - evaluator: - decision_logs: false - fetchers: - - name: kube-api - - directory: /hostfs - name: process - processes: - kubelet: - config-file-arguments: - - config - - name: aws-ecr - - name: aws-elb - - name: file-system - patterns: - - /hostfs/etc/kubernetes/kubelet/kubelet-config.json - - /hostfs/var/lib/kubelet/kubeconfig - name: 
Findings - period: 4h - processors: - - add_cluster_id: null - data_stream.namespace: default - - name: filestream-cloud_security_posture - type: filestream - use_output: default - streams: - - condition: ${kubernetes.hints.cloud_security_posture.container_logs.enabled} == true - data_stream: - dataset: kubernetes.container_logs - type: logs - exclude_files: [] - exclude_lines: [] - parsers: - - container: - format: auto - stream: all - paths: - - /var/log/containers/*${kubernetes.hints.container_id}.log - prospector: - scanner: - symlinks: true - tags: [] - data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/cockroachdb.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/cockroachdb.yml index 531706b7345..3e55b02794d 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/cockroachdb.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/cockroachdb.yml @@ -1,25 +1,4 @@ inputs: - - name: filestream-cockroachdb - type: filestream - use_output: default - streams: - - condition: ${kubernetes.hints.cockroachdb.container_logs.enabled} == true - data_stream: - dataset: kubernetes.container_logs - type: logs - exclude_files: [] - exclude_lines: [] - parsers: - - container: - format: auto - stream: all - paths: - - /var/log/containers/*${kubernetes.hints.container_id}.log - prospector: - scanner: - symlinks: true - tags: [] - data_stream.namespace: default - name: prometheus/metrics-cockroachdb type: prometheus/metrics use_output: default 
@@ -42,3 +21,24 @@ inputs: use_types: true username: null data_stream.namespace: default + - name: filestream-cockroachdb + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.cockroachdb.container_logs.enabled} == true + data_stream: + dataset: kubernetes.container_logs + type: logs + exclude_files: [] + exclude_lines: [] + parsers: + - container: + format: auto + stream: all + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + prospector: + scanner: + symlinks: true + tags: [] + data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/cyberarkpas.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/cyberarkpas.yml index 4dc9361aa41..fc8f72c6206 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/cyberarkpas.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/cyberarkpas.yml @@ -1,30 +1,22 @@ inputs: - - name: filestream-cyberarkpas - type: filestream + - name: tcp-cyberarkpas + type: tcp use_output: default streams: - - condition: ${kubernetes.hints.cyberarkpas.audit.enabled} == true and ${kubernetes.hints.cyberarkpas.enabled} == true + - condition: ${kubernetes.hints.cyberarkpas.audit.enabled} == true or ${kubernetes.hints.cyberarkpas.enabled} == true data_stream: dataset: cyberarkpas.audit type: logs - exclude_files: - - .gz$ - parsers: - - container: - format: auto - stream: ${kubernetes.hints.cyberarkpas.audit.stream|'all'} - paths: null + host: localhost:9301 processors: - add_locale: null - prospector: - scanner: - symlinks: true tags: - - forwarded - cyberarkpas-audit + - forwarded + tcp: null data_stream.namespace: default - - name: tcp-cyberarkpas - type: tcp + - name: udp-cyberarkpas + type: udp use_output: default streams: - condition: ${kubernetes.hints.cyberarkpas.audit.enabled} == true or ${kubernetes.hints.cyberarkpas.enabled} == true 
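Review bot: The new `tcp-cyberarkpas` stream pins its listener to `host: localhost:9301` with no `ssl` block, so the CyberArk audit feed arrives in cleartext and only via the agent's own loopback; a PAS vault is an external appliance and cannot reach that address if the agent runs with host networking, as the standalone DaemonSet presumably does. The bind address should be hint-driven like the metrics templates are, e.g. `host: ${kubernetes.hints.cyberarkpas.audit.host|'localhost:9301'}`, keeping the loopback default so nothing is exposed without an explicit hint. Because these records describe privileged-account activity, a hint-controlled `ssl.enabled`/`ssl.certificate`/`ssl.key` block should be offered before anyone is told to bind it on a node IP, with a comment above `host` saying the default is intentionally not routable. The `udp-cyberarkpas` input starts at the end of this hunk and continues outside it.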
@@ -37,21 +29,29 @@ inputs: tags: - cyberarkpas-audit - forwarded - tcp: null + udp: null data_stream.namespace: default - - name: udp-cyberarkpas - type: udp + - name: filestream-cyberarkpas + type: filestream use_output: default streams: - - condition: ${kubernetes.hints.cyberarkpas.audit.enabled} == true or ${kubernetes.hints.cyberarkpas.enabled} == true + - condition: ${kubernetes.hints.cyberarkpas.audit.enabled} == true and ${kubernetes.hints.cyberarkpas.enabled} == true data_stream: dataset: cyberarkpas.audit type: logs - host: localhost:9301 + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.cyberarkpas.audit.stream|'all'} + paths: null processors: - add_locale: null + prospector: + scanner: + symlinks: true tags: - - cyberarkpas-audit - forwarded - udp: null + - cyberarkpas-audit data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/fireeye.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/fireeye.yml index 8e226e0d925..44b8074cb5a 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/fireeye.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/fireeye.yml @@ -1,21 +1,4 @@ inputs: - - name: tcp-fireeye - type: tcp - use_output: default - streams: - - condition: ${kubernetes.hints.fireeye.nx.enabled} == true or ${kubernetes.hints.fireeye.enabled} == true - data_stream: - dataset: fireeye.nx - type: logs - fields_under_root: true - host: localhost:9523 - processors: - - add_locale: null - tags: - - fireeye-nx - - forwarded - tcp: null - data_stream.namespace: default - name: filestream-fireeye type: filestream use_output: default 
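Review bot: The relocated `filestream-cyberarkpas` stream still carries `paths: null`, so when its condition fires the input has nothing to read, and that condition is `audit.enabled == true and cyberarkpas.enabled == true` while the TCP and UDP streams in this file use `or`; the generic `cyberarkpas.enabled` hint therefore opens both network listeners but can never turn on the file stream, which looks like an unintended asymmetry rather than a design choice. Either give it the container-log path the other filestream templates use, `paths: - /var/log/containers/*${kubernetes.hints.container_id}.log`, or drop the stream rather than ship an input that can be enabled but collects nothing. If the `and` and the null path are deliberate because the vault never writes container logs, a comment above `condition` saying so would stop the next regeneration from "fixing" it.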
@@ -57,3 +40,20 @@ inputs: - forwarded udp: null data_stream.namespace: default + - name: tcp-fireeye + type: tcp + use_output: default + streams: + - condition: ${kubernetes.hints.fireeye.nx.enabled} == true or ${kubernetes.hints.fireeye.enabled} == true + data_stream: + dataset: fireeye.nx + type: logs + fields_under_root: true + host: localhost:9523 + processors: + - add_locale: null + tags: + - fireeye-nx + - forwarded + tcp: null + data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/haproxy.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/haproxy.yml index 0f1debdee34..cff5d5821aa 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/haproxy.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/haproxy.yml @@ -1,4 +1,20 @@ inputs: + - name: syslog-haproxy + type: syslog + use_output: default + streams: + - condition: ${kubernetes.hints.haproxy.log.enabled} == true or ${kubernetes.hints.haproxy.enabled} == true + data_stream: + dataset: haproxy.log + type: logs + processors: + - add_locale: null + protocol.udp: + host: localhost:9001 + tags: + - forwarded + - haproxy-log + data_stream.namespace: default - name: haproxy/metrics-haproxy type: haproxy/metrics use_output: default @@ -50,19 +66,3 @@ inputs: tags: - haproxy-log data_stream.namespace: default - - name: syslog-haproxy - type: syslog - use_output: default - streams: - - condition: ${kubernetes.hints.haproxy.log.enabled} == true or ${kubernetes.hints.haproxy.enabled} == true - data_stream: - dataset: haproxy.log - type: logs - processors: - - add_locale: null - protocol.udp: - host: localhost:9001 - tags: - - forwarded - - haproxy-log - data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/infoblox_nios.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/infoblox_nios.yml index ad76a72b86b..d260fead6a6 100644 
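Review bot: The `syslog-haproxy` stream hard-codes `protocol.udp: host: localhost:9001` with no hint override, unlike the hint-driven `hosts` of the metrics input that follows it in the file. If the agent pod uses host networking, as the standalone manifests presumably do, node loopback is unreachable from an HAProxy pod in its own network namespace, so the listener only serves a host-level HAProxy and anyone needing the node IP has to hand-edit a generated template. Suggest `host: ${kubernetes.hints.haproxy.log.host|'localhost:9001'}` so the bind address is set per pod while the default stays on loopback. UDP syslog carries no authentication, so once the listener is opened on a routable address a NetworkPolicy limiting source pods is the only access control; a one-line comment above `host` noting that would help operators.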
--- a/deploy/kubernetes/elastic-agent-standalone/templates.d/infoblox_nios.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/infoblox_nios.yml @@ -9,6 +9,10 @@ inputs: type: logs exclude_files: - .gz$ + fields: + _conf: + tz_offset: local + fields_under_root: true parsers: - container: format: auto @@ -31,6 +35,10 @@ inputs: data_stream: dataset: infoblox_nios.log type: logs + fields: + _conf: + tz_offset: local + fields_under_root: true host: localhost:9027 tags: - forwarded @@ -44,6 +52,10 @@ inputs: data_stream: dataset: infoblox_nios.log type: logs + fields: + _conf: + tz_offset: local + fields_under_root: true host: localhost:9028 tags: - forwarded diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/kafka.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/kafka.yml index c35cff8619d..b79eebbcfb0 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/kafka.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/kafka.yml @@ -1,4 +1,32 @@ inputs: + - name: filestream-kafka + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.kafka.log.enabled} == true or ${kubernetes.hints.kafka.enabled} == true + data_stream: + dataset: kafka.log + type: logs + exclude_files: + - .gz$ + multiline: + match: after + negate: true + pattern: ^\[ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.kafka.log.stream|'all'} + paths: + - /opt/kafka*/var/log/containers/*${kubernetes.hints.container_id}.log + processors: + - add_locale: null + prospector: + scanner: + symlinks: true + tags: + - kafka-log + data_stream.namespace: default - name: kafka/metrics-kafka type: kafka/metrics use_output: default 
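Review bot: The `filestream-kafka` stream globs `/opt/kafka*/var/log/containers/*${kubernetes.hints.container_id}.log`, which reads like the integration's host-install prefix (`/opt/kafka*`) concatenated onto the Kubernetes container-log path instead of either one; on a node, container logs live under `/var/log/containers/`, so this pattern should never match and the stream collects nothing even when `kafka.log.enabled` fires. Every other filestream template in this patch uses `paths: - /var/log/containers/*${kubernetes.hints.container_id}.log`, and this one should too. If the template is produced by a generator from the package manifest, the fix belongs in the generator's path substitution so the next sync does not reintroduce the bad glob. The `kafka/metrics-kafka` input begins at the end of this hunk and continues outside it.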
@@ -31,31 +59,3 @@ inputs: - partition period: ${kubernetes.hints.kafka.partition.period|'10s'} data_stream.namespace: default - - name: filestream-kafka - type: filestream - use_output: default - streams: - - condition: ${kubernetes.hints.kafka.log.enabled} == true or ${kubernetes.hints.kafka.enabled} == true - data_stream: - dataset: kafka.log - type: logs - exclude_files: - - .gz$ - multiline: - match: after - negate: true - pattern: ^\[ - parsers: - - container: - format: auto - stream: ${kubernetes.hints.kafka.log.stream|'all'} - paths: - - /opt/kafka*/var/log/containers/*${kubernetes.hints.container_id}.log - processors: - - add_locale: null - prospector: - scanner: - symlinks: true - tags: - - kafka-log - data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/mongodb.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/mongodb.yml index bf47b9628da..ece2d4439eb 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/mongodb.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/mongodb.yml @@ -1,4 +1,26 @@ inputs: + - name: filestream-mongodb + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.mongodb.log.enabled} == true or ${kubernetes.hints.mongodb.enabled} == true + data_stream: + dataset: mongodb.log + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.mongodb.log.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + prospector: + scanner: + symlinks: true + tags: + - mongodb-logs + data_stream.namespace: default - name: mongodb/metrics-mongodb type: mongodb/metrics use_output: default 
@@ -49,25 +71,3 @@ inputs: - status period: ${kubernetes.hints.mongodb.status.period|'10s'} data_stream.namespace: default - - name: filestream-mongodb - type: filestream - use_output: default - streams: - - condition: ${kubernetes.hints.mongodb.log.enabled} == true or ${kubernetes.hints.mongodb.enabled} == true - data_stream: - dataset: mongodb.log - type: logs - exclude_files: - - .gz$ - parsers: - - container: - format: auto - stream: ${kubernetes.hints.mongodb.log.stream|'all'} - paths: - - /var/log/containers/*${kubernetes.hints.container_id}.log - prospector: - scanner: - symlinks: true - tags: - - mongodb-logs - data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/nginx.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/nginx.yml index f0c166bbfbb..a9b6693e372 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/nginx.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/nginx.yml @@ -1,4 +1,19 @@ inputs: + - name: nginx/metrics-nginx + type: nginx/metrics + use_output: default + streams: + - condition: ${kubernetes.hints.nginx.stubstatus.enabled} == true or ${kubernetes.hints.nginx.enabled} == true + data_stream: + dataset: nginx.stubstatus + type: metrics + hosts: + - ${kubernetes.hints.nginx.stubstatus.host|'http://127.0.0.1:80'} + metricsets: + - stubstatus + period: ${kubernetes.hints.nginx.stubstatus.period|'10s'} + server_status_path: /nginx_status + data_stream.namespace: default - name: filestream-nginx type: filestream use_output: default 
@@ -125,18 +140,3 @@ inputs: - forwarded - nginx-error data_stream.namespace: default - - name: nginx/metrics-nginx - type: nginx/metrics - use_output: default - streams: - - condition: ${kubernetes.hints.nginx.stubstatus.enabled} == true or ${kubernetes.hints.nginx.enabled} == true - data_stream: - dataset: nginx.stubstatus - type: metrics - hosts: - - ${kubernetes.hints.nginx.stubstatus.host|'http://127.0.0.1:80'} - metricsets: - - stubstatus - period: ${kubernetes.hints.nginx.stubstatus.period|'10s'} - server_status_path: /nginx_status - data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/osquery.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/osquery.yml deleted file mode 100644 index 6ebd2f12c46..00000000000 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/osquery.yml +++ /dev/null @@ -1,23 +0,0 @@ -inputs: - - name: filestream-osquery - type: filestream - use_output: default - streams: - - condition: ${kubernetes.hints.osquery.result.enabled} == true or ${kubernetes.hints.osquery.enabled} == true - data_stream: - dataset: osquery.result - type: logs - exclude_files: - - .gz$ - parsers: - - container: - format: auto - stream: ${kubernetes.hints.osquery.result.stream|'all'} - paths: - - /var/log/containers/*${kubernetes.hints.container_id}.log - prospector: - scanner: - symlinks: true - tags: - - osquery - data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/osquery_manager.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/osquery_manager.yml deleted file mode 100644 index 6620de9c7de..00000000000 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/osquery_manager.yml +++ /dev/null 
@@ -1,33 +0,0 @@ -inputs: - - name: osquery-osquery_manager - type: osquery - use_output: default - streams: - - condition: ${kubernetes.hints.osquery_manager.result.enabled} == true or ${kubernetes.hints.osquery_manager.enabled} == true - data_stream: - dataset: osquery_manager.result - type: logs - id: null - query: null - data_stream.namespace: default - - name: filestream-osquery_manager - type: filestream - use_output: default - streams: - - condition: ${kubernetes.hints.osquery_manager.container_logs.enabled} == true - data_stream: - dataset: kubernetes.container_logs - type: logs - exclude_files: [] - exclude_lines: [] - parsers: - - container: - format: auto - stream: all - paths: - - /var/log/containers/*${kubernetes.hints.container_id}.log - prospector: - scanner: - symlinks: true - tags: [] - data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/qnap_nas.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/qnap_nas.yml index a7358abd781..546faa79901 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/qnap_nas.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/qnap_nas.yml @@ -1,4 +1,23 @@ inputs: + - name: udp-qnap_nas + type: udp + use_output: default + streams: + - condition: ${kubernetes.hints.qnap_nas.log.enabled} == true and ${kubernetes.hints.qnap_nas.enabled} == true + data_stream: + dataset: qnap_nas.log + type: logs + host: localhost:9301 + processors: + - add_locale: null + - add_fields: + fields: + tz_offset: local + target: _tmp + tags: + - qnap-nas + - forwarded + data_stream.namespace: default - name: filestream-qnap_nas type: filestream use_output: default 
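Review bot: The `udp-qnap_nas` stream listens on `host: localhost:9301`, the same port the `tcp-cyberarkpas` stream in this patch binds and, judging by the `host: localhost:9301` line removed from the old `udp-cyberarkpas` block, presumably the cyberarkpas UDP listener's port as well; if pods carrying both hints land on one node the second UDP input fails to bind and that integration silently stops receiving. Listener ports across these templates should be distinct, or at least hint-overridable, e.g. `host: ${kubernetes.hints.qnap_nas.log.host|'localhost:9301'}`. Separately, this stream's condition is `qnap_nas.log.enabled == true and qnap_nas.enabled == true` while most listeners in this patch use `or`, so the generic hint alone does not enable it; if that is intentional, a comment above `condition` saying so would help.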
@@ -39,22 +58,3 @@ inputs: - qnap-nas - forwarded data_stream.namespace: default - - name: udp-qnap_nas - type: udp - use_output: default - streams: - - condition: ${kubernetes.hints.qnap_nas.log.enabled} == true and ${kubernetes.hints.qnap_nas.enabled} == true - data_stream: - dataset: qnap_nas.log - type: logs - host: localhost:9301 - processors: - - add_locale: null - - add_fields: - fields: - tz_offset: local - target: _tmp - tags: - - qnap-nas - - forwarded - data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/sentinel_one.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/sentinel_one.yml index dcd117dc994..7c06b222d78 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/sentinel_one.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/sentinel_one.yml @@ -1,25 +1,4 @@ inputs: - - name: filestream-sentinel_one - type: filestream - use_output: default - streams: - - condition: ${kubernetes.hints.sentinel_one.container_logs.enabled} == true - data_stream: - dataset: kubernetes.container_logs - type: logs - exclude_files: [] - exclude_lines: [] - parsers: - - container: - format: auto - stream: all - paths: - - /var/log/containers/*${kubernetes.hints.container_id}.log - prospector: - scanner: - symlinks: true - tags: [] - data_stream.namespace: default - name: httpjson-sentinel_one type: httpjson use_output: default 
@@ -215,3 +194,24 @@ inputs: - forwarded - sentinel_one-threat data_stream.namespace: default + - name: filestream-sentinel_one + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.sentinel_one.container_logs.enabled} == true + data_stream: + dataset: kubernetes.container_logs + type: logs + exclude_files: [] + exclude_lines: [] + parsers: + - container: + format: auto + stream: all + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + prospector: + scanner: + symlinks: true + tags: [] + data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/symantec_endpoint.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/symantec_endpoint.yml index fac3f6cbd93..8e3ca7ce297 100644 --- a/deploy/kubernetes/elastic-agent-standalone/templates.d/symantec_endpoint.yml +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/symantec_endpoint.yml @@ -1,4 +1,23 @@ inputs: + - name: udp-symantec_endpoint + type: udp + use_output: default + streams: + - condition: ${kubernetes.hints.symantec_endpoint.log.enabled} == true or ${kubernetes.hints.symantec_endpoint.enabled} == true + data_stream: + dataset: symantec_endpoint.log + type: logs + fields: + _conf: + remove_mapped_fields: false + tz_offset: UTC + fields_under_root: true + host: localhost:9008 + max_message_size: 1 MiB + tags: + - symantec-endpoint-log + - forwarded + data_stream.namespace: default - name: filestream-symantec_endpoint type: filestream use_output: default 
@@ -46,22 +65,3 @@ inputs: - symantec-endpoint-log - forwarded data_stream.namespace: default - - name: udp-symantec_endpoint - type: udp - use_output: default - streams: - - condition: ${kubernetes.hints.symantec_endpoint.log.enabled} == true or ${kubernetes.hints.symantec_endpoint.enabled} == true - data_stream: - dataset: symantec_endpoint.log - type: logs - fields: - _conf: - remove_mapped_fields: false - tz_offset: UTC - fields_under_root: true - host: localhost:9008 - max_message_size: 1 MiB - tags: - - symantec-endpoint-log - - forwarded - data_stream.namespace: default