{"filebeat-7.0.0":{"order":1,"index_patterns":["filebeat-7.0.0-*"],"settings":{"index":{"lifecycle":{"name":"filebeat-7.0.0","rollover_alias":"filebeat-7.0.0"},"mapping":{"total_fields":{"limit":"10000"}},"refresh_interval":"5s","number_of_shards":"2","query":{"default_field":["message","tags","agent.ephemeral_id","agent.id","agent.name","agent.type","agent.version","client.address","client.domain","client.geo.city_name","client.geo.continent_name","client.geo.country_iso_code","client.geo.country_name","client.geo.name","client.geo.region_iso_code","client.geo.region_name","client.mac","client.user.email","client.user.full_name","client.user.group.id","client.user.group.name","client.user.hash","client.user.id","client.user.name","cloud.account.id","cloud.availability_zone","cloud.instance.id","cloud.instance.name","cloud.machine.type","cloud.provider","cloud.region","container.id","container.image.name","container.image.tag","container.name","container.runtime","destination.address","destination.domain","destination.geo.city_name","destination.geo.continent_name","destination.geo.country_iso_code","destination.geo.country_name","destination.geo.name","destination.geo.region_iso_code","destination.geo.region_name","destination.mac","destination.user.email","destination.user.full_name","destination.user.group.id","destination.user.group.name","destination.user.hash","destination.user.id","destination.user.name","ecs.version","error.code","error.id","error.message","event.action","event.category","event.dataset","event.hash","event.id","event.kind","event.module","event.original","event.outcome","event.timezone","event.type","file.device","file.extension","file.gid","file.group","file.inode","file.mode","file.owner","file.path","file.target_path","file.type","file.uid","geo.city_name","geo.continent_name","geo.country_iso_code","geo.country_name","geo.name","geo.region_iso_code","geo.region_name","group.id","group.name","host.architecture","host.geo.city_name","host.geo.continent_name","host.geo.country_iso_code","host.geo.country_name","host.geo.name","host.geo.region_iso_code","host.geo.region_name","host.hostname","host.id","host.mac","host.name","host.os.family","host.os.full","host.os.kernel","host.os.name","host.os.platform","host.os.version","host.type","host.user.email","host.user.full_name","host.user.group.id","host.user.group.name","host.user.hash","host.user.id","host.user.name","http.request.body.content","http.request.method","http.request.referrer","http.response.body.content","http.version","log.level","log.original","network.application","network.community_id","network.direction","network.iana_number","network.name","network.protocol","network.transport","network.type","observer.geo.city_name","observer.geo.continent_name","observer.geo.country_iso_code","observer.geo.country_name","observer.geo.name","observer.geo.region_iso_code","observer.geo.region_name","observer.hostname","observer.mac","observer.os.family","observer.os.full","observer.os.kernel","observer.os.name","observer.os.platform","observer.os.version","observer.serial_number","observer.type","observer.vendor","observer.version","organization.id","organization.name","os.family","os.full","os.kernel","os.name","os.platform","os.version","process.args","process.executable","process.name","process.title","process.working_directory","server.address","server.domain","server.geo.city_name","server.geo.continent_name","server.geo.country_iso_code","server.geo.country_name","server.geo.name","server.geo.region_iso_code","server.geo.region_name","server.mac","server.user.email","server.user.full_name","server.user.group.id","server.user.group.name","server.user.hash","server.user.id","server.user.name","service.ephemeral_id","service.id","service.name","service.state","service.type","service.version","source.address","source.domain","source.geo.city_name","source.geo.continent_name","source.geo.country_iso_code","source.geo.country_name","source.geo.name","source.geo.region_iso_code","source.geo.region_name","source.mac","source.user.email","source.user.full_name","source.user.group.id","source.user.group.name","source.user.hash","source.user.id","source.user.name","url.domain","url.fragment","url.full","url.original","url.password","url.path","url.query","url.scheme","url.username","user.email","user.full_name","user.group.id","user.group.name","user.hash","user.id","user.name","user_agent.device.name","user_agent.name","user_agent.original","user_agent.os.family","user_agent.os.full","user_agent.os.kernel","user_agent.os.name","user_agent.os.platform","user_agent.os.version","user_agent.version","agent.hostname","error.type","cloud.project.id","host.os.build","kubernetes.pod.name","kubernetes.pod.uid","kubernetes.namespace","kubernetes.node.name","kubernetes.container.name","kubernetes.container.image","log.file.path","log.source.address","stream","input.type","syslog.severity_label","syslog.facility_label","process.program","log.flags","user_agent.os.full_name","fileset.name","apache.access.ssl.protocol","apache.access.ssl.cipher","apache.error.module","user.terminal","user.audit.id","user.audit.name","user.audit.group.id","user.audit.group.name","user.effective.id","user.effective.name","user.effective.group.id","user.effective.group.name","user.filesystem.id","user.filesystem.name","user.filesystem.group.id","user.filesystem.group.name","user.owner.id","user.owner.name","user.owner.group.id","user.owner.group.name","user.saved.id","user.saved.name","user.saved.group.id","user.saved.group.name","auditd.log.old_auid","auditd.log.new_auid","auditd.log.old_ses","auditd.log.new_ses","auditd.log.items","auditd.log.item","auditd.log.tty","auditd.log.a0","elasticsearch.component","elasticsearch.cluster.uuid","elasticsearch.cluster.name","elasticsearch.node.id","elasticsearch.node.name","elasticsearch.index.name","elasticsearch.index.id","elasticsearch.shard.id","elasticsearch.audit.layer","elasticsearch.audit.event_type","elasticsearch.audit.origin.type","elasticsearch.audit.realm","elasticsearch.audit.user.realm","elasticsearch.audit.user.roles","elasticsearch.audit.action","elasticsearch.audit.url.params","elasticsearch.audit.indices","elasticsearch.audit.request.id","elasticsearch.audit.request.name","elasticsearch.gc.phase.name","elasticsearch.gc.tags","elasticsearch.slowlog.logger","elasticsearch.slowlog.took","elasticsearch.slowlog.types","elasticsearch.slowlog.stats","elasticsearch.slowlog.search_type","elasticsearch.slowlog.source_query","elasticsearch.slowlog.extra_source","elasticsearch.slowlog.total_hits","elasticsearch.slowlog.total_shards","elasticsearch.slowlog.routing","elasticsearch.slowlog.id","elasticsearch.slowlog.type","haproxy.frontend_name","haproxy.backend_name","haproxy.server_name","haproxy.bind_name","haproxy.error_message","haproxy.source","haproxy.termination_state","haproxy.mode","haproxy.http.response.captured_cookie","haproxy.http.response.captured_headers","haproxy.http.request.captured_cookie","haproxy.http.request.captured_headers","haproxy.http.request.raw_request_line","icinga.debug.facility","icinga.main.facility","icinga.startup.facility","iis.access.site_name","iis.access.server_name","iis.access.cookie","iis.error.reason_phrase","iis.error.queue_name","iptables.fragment_flags","iptables.input_device","iptables.output_device","iptables.tcp.flags","iptables.ubiquiti.input_zone","iptables.ubiquiti.output_zone","iptables.ubiquiti.rule_number","iptables.ubiquiti.rule_set","kafka.log.component","kafka.log.class","kafka.log.trace.class","kafka.log.trace.message","kibana.log.tags","kibana.log.state","logstash.log.module","text","logstash.log.thread","logstash.slowlog.module","text","logstash.slowlog.thread","text","logstash.slowlog.event","logstash.slowlog.plugin_name","logstash.slowlog.plugin_type","text","logstash.slowlog.plugin_params","mongodb.log.component","mongodb.log.context","mysql.slowlog.query","mysql.slowlog.schema","mysql.slowlog.current_user","mysql.slowlog.last_errno","mysql.slowlog.killed","mysql.slowlog.log_slow_rate_type","mysql.slowlog.log_slow_rate_limit","mysql.slowlog.innodb.trx_id","netflow.type","netflow.exporter.address","netflow.source_mac_address","netflow.post_destination_mac_address","netflow.destination_mac_address","netflow.post_source_mac_address","netflow.interface_name","netflow.interface_description","netflow.sampler_name","netflow.application_description","netflow.application_name","netflow.class_name","netflow.wlan_ssid","netflow.vr_fname","netflow.metro_evc_id","netflow.nat_pool_name","netflow.p2p_technology","netflow.tunnel_technology","netflow.encrypted_technology","netflow.observation_domain_name","netflow.selector_name","netflow.information_element_description","netflow.information_element_name","netflow.virtual_station_interface_name","netflow.virtual_station_name","netflow.sta_mac_address","netflow.wtp_mac_address","netflow.user_name","netflow.application_category_name","netflow.application_sub_category_name","netflow.application_group_name","netflow.dot1q_customer_source_mac_address","netflow.dot1q_customer_destination_mac_address","netflow.mib_context_name","netflow.mib_object_name","netflow.mib_object_description","netflow.mib_object_syntax","netflow.mib_module_name","netflow.mobile_imsi","netflow.mobile_msisdn","netflow.http_request_method","netflow.http_request_host","netflow.http_request_target","netflow.http_message_version","netflow.http_user_agent","netflow.http_content_type","netflow.http_reason_phrase","osquery.result.name","osquery.result.action","osquery.result.host_identifier","osquery.result.calendar_time","postgresql.log.timestamp","postgresql.log.database","postgresql.log.query","redis.log.role","redis.slowlog.cmd","redis.slowlog.key","redis.slowlog.args","santa.action","santa.decision","santa.reason","santa.mode","santa.disk.volume","santa.disk.bus","santa.disk.serial","santa.disk.bsdname","santa.disk.model","santa.disk.fs","santa.disk.mount","certificate.common_name","certificate.sha256","hash.sha256","suricata.eve.event_type","suricata.eve.app_proto_orig","suricata.eve.tcp.tcp_flags","suricata.eve.tcp.tcp_flags_tc","suricata.eve.tcp.state","suricata.eve.tcp.tcp_flags_ts","suricata.eve.fileinfo.sha1","suricata.eve.fileinfo.state","suricata.eve.fileinfo.sha256","suricata.eve.fileinfo.md5","suricata.eve.dns.type","suricata.eve.dns.rrtype","suricata.eve.dns.rrname","suricata.eve.dns.rdata","suricata.eve.dns.rcode","suricata.eve.flow_id","suricata.eve.email.status","suricata.eve.http.redirect","suricata.eve.http.protocol","suricata.eve.http.http_content_type","suricata.eve.in_iface","suricata.eve.alert.category","suricata.eve.alert.signature","suricata.eve.ssh.client.proto_version","suricata.eve.ssh.client.software_version","suricata.eve.ssh.server.proto_version","suricata.eve.ssh.server.software_version","suricata.eve.tls.issuerdn","suricata.eve.tls.sni","suricata.eve.tls.version","suricata.eve.tls.fingerprint","suricata.eve.tls.serial","suricata.eve.tls.subject","suricata.eve.app_proto_ts","suricata.eve.flow.state","suricata.eve.flow.reason","suricata.eve.app_proto_tc","suricata.eve.smtp.rcpt_to","suricata.eve.smtp.mail_from","suricata.eve.smtp.helo","suricata.eve.app_proto_expected","system.auth.ssh.method","system.auth.ssh.signature","system.auth.ssh.event","system.auth.sudo.error","system.auth.sudo.tty","system.auth.sudo.pwd","system.auth.sudo.user","system.auth.sudo.command","system.auth.useradd.home","system.auth.useradd.shell","traefik.access.user_identifier","traefik.access.frontend_name","traefik.access.backend_url","zeek.session_id","zeek.connection.state","zeek.connection.history","zeek.connection.orig_l2_addr","zeek.connection.resp_l2_addr","zeek.dns.trans_id","zeek.dns.query","zeek.dns.qclass_name","zeek.dns.qtype_name","zeek.dns.rcode_name","zeek.dns.answers","zeek.http.status_msg","zeek.http.info_msg","zeek.http.tags","zeek.http.password","zeek.http.proxied","zeek.http.client_header_names","zeek.http.server_header_names","zeek.http.orig_fuids","zeek.http.orig_mime_types","zeek.http.orig_filenames","zeek.http.resp_fuids","zeek.http.resp_mime_types","zeek.http.resp_filenames","zeek.files.fuid","zeek.files.session_ids","zeek.files.source","zeek.files.analyzers","zeek.files.mime_type","zeek.files.filename","zeek.files.parent_fuid","zeek.files.md5","zeek.files.sha1","zeek.files.sha256","zeek.files.extracted","zeek.ssl.version","zeek.ssl.cipher","zeek.ssl.curve","zeek.ssl.server_name","zeek.ssl.next_protocol","zeek.ssl.cert_chain","zeek.ssl.cert_chain_fuids","zeek.ssl.client_cert_chain","zeek.ssl.client_cert_chain_fuids","zeek.ssl.issuer","zeek.ssl.client_issuer","zeek.ssl.validation_status","zeek.ssl.validation_code","zeek.ssl.subject","zeek.ssl.client_subject","zeek.ssl.last_alert","zeek.notice.connection_id","zeek.notice.icmp_id","zeek.notice.file.id","zeek.notice.file.parent_id","zeek.notice.file.source","zeek.notice.file.mime_type","zeek.notice.fuid","zeek.notice.note","zeek.notice.msg","zeek.notice.sub","zeek.notice.peer_name","zeek.notice.peer_descr","zeek.notice.actions","zeek.notice.email_body_sections","zeek.notice.email_delay_tokens","zeek.notice.identifier","fields.*"]},"number_of_routing_shards":"30","number_of_replicas":"1"}},"mappings":{"_meta":{"beat":"filebeat","version":"7.0.0"},"dynamic_templates":[{"labels":{"path_match":"labels.*","mapping":{"type":"keyword"},"match_mapping_type":"string"}},{"container.labels":{"path_match":"container.labels.*","mapping":{"type":"keyword"},"match_mapping_type":"string"}},{"fields":{"path_match":"fields.*","mapping":{"type":"keyword"},"match_mapping_type":"string"}},{"docker.container.labels":{"path_match":"docker.container.labels.*","mapping":{"type":"keyword"},"match_mapping_type":"string"}},{"kibana.log.meta":{"path_match":"kibana.log.meta.*","mapping":{"type":"keyword"},"match_mapping_type":"string"}},{"strings_as_keyword":{"mapping":{"ignore_above":1024,"type":"keyword"},"match_mapping_type":"string"}}],"date_detection":false,"properties":{"container":{"properties":{"image":{"properties":{"name":{"ignore_above":1024,"type":"keyword"},"tag":{"ignore_above":1024,"type":"keyword"}}},"name":{"ignore_above":1024,"type":"keyword"},"runtime":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"labels":{"type":"object"}}},"kubernetes":{"properties":{"container":{"properties":{"image":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"}}},"node":{"properties":{"name":{"ignore_above":1024,"type":"keyword"}}},"pod":{"properties":{"uid":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"}}},"namespace":{"ignore_above":1024,"type":"keyword"},"annotations":{"type":"object"},"labels":{"type":"object"}}},"agent":{"properties":{"hostname":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"ephemeral_id":{"ignore_above":1024,"type":"keyword"},"type":{"ignore_above":1024,"type":"keyword"},"version":{"ignore_above":1024,"type":"keyword"}}},"icinga":{"properties":{"debug":{"properties":{"facility":{"ignore_above":1024,"type":"keyword"}}},"startup":{"properties":{"facility":{"ignore_above":1024,"type":"keyword"}}},"main":{"properties":{"facility":{"ignore_above":1024,"type":"keyword"}}}}},"source":{"properties":{"geo":{"properties":{"region_iso_code":{"ignore_above":1024,"type":"keyword"},"continent_name":{"ignore_above":1024,"type":"keyword"},"city_name":{"ignore_above":1024,"type":"keyword"},"country_iso_code":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"country_name":{"ignore_above":1024,"type":"keyword"},"region_name":{"ignore_above":1024,"type":"keyword"},"location":{"type":"geo_point"}}},"address":{"ignore_above":1024,"type":"keyword"},"port":{"type":"long"},"bytes":{"type":"long"},"ip":{"type":"ip"},"domain":{"ignore_above":1024,"type":"keyword"},"user":{"properties":{"full_name":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"email":{"ignore_above":1024,"type":"keyword"},"hash":{"ignore_above":1024,"type":"keyword"},"group":{"properties":{"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"}}}}},"packets":{"type":"long"},"mac":{"ignore_above":1024,"type":"keyword"}}},"redis":{"properties":{"log":{"properties":{"role":{"ignore_above":1024,"type":"keyword"}}},"slowlog":{"properties":{"duration":{"properties":{"us":{"type":"long"}}},"args":{"ignore_above":1024,"type":"keyword"},"cmd":{"ignore_above":1024,"type":"keyword"},"id":{"type":"long"},"key":{"ignore_above":1024,"type":"keyword"}}}}},"cloud":{"properties":{"availability_zone":{"ignore_above":1024,"type":"keyword"},"instance":{"properties":{"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"}}},"provider":{"ignore_above":1024,"type":"keyword"},"machine":{"properties":{"type":{"ignore_above":1024,"type":"keyword"}}},"project":{"properties":{"id":{"ignore_above":1024,"type":"keyword"}}},"region":{"ignore_above":1024,"type":"keyword"},"account":{"properties":{"id":{"ignore_above":1024,"type":"keyword"}}}}},"observer":{"properties":{"geo":{"properties":{"region_iso_code":{"ignore_above":1024,"type":"keyword"},"continent_name":{"ignore_above":1024,"type":"keyword"},"city_name":{"ignore_above":1024,"type":"keyword"},"country_iso_code":{"ignore_above":1024,"type":"keyword"},"country_name":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"location":{"type":"geo_point"},"region_name":{"ignore_above":1024,"type":"keyword"}}},"hostname":{"ignore_above":1024,"type":"keyword"},"os":{"properties":{"kernel":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"family":{"ignore_above":1024,"type":"keyword"},"version":{"ignore_above":1024,"type":"keyword"},"platform":{"ignore_above":1024,"type":"keyword"},"full":{"ignore_above":1024,"type":"keyword"}}},"vendor":{"ignore_above":1024,"type":"keyword"},"ip":{"type":"ip"},"serial_number":{"ignore_above":1024,"type":"keyword"},"type":{"ignore_above":1024,"type":"keyword"},"version":{"ignore_above":1024,"type":"keyword"},"mac":{"ignore_above":1024,"type":"keyword"}}},"logstash":{"properties":{"log":{"properties":{"module":{"ignore_above":1024,"type":"keyword"},"log_event":{"type":"object"},"thread":{"ignore_above":1024,"type":"keyword","fields":{"text":{"norms":false,"type":"text"}}}}},"slowlog":{"properties":{"took_in_millis":{"type":"long"},"plugin_params":{"ignore_above":1024,"type":"keyword","fields":{"text":{"norms":false,"type":"text"}}},"module":{"ignore_above":1024,"type":"keyword"},"plugin_type":{"ignore_above":1024,"type":"keyword"},"plugin_params_object":{"type":"object"},"thread":{"ignore_above":1024,"type":"keyword","fields":{"text":{"norms":false,"type":"text"}}},"event":{"ignore_above":1024,"type":"keyword","fields":{"text":{"norms":false,"type":"text"}}},"plugin_name":{"ignore_above":1024,"type":"keyword"}}}}},"netflow":{"properties":{"information_element_name":{"ignore_above":1024,"type":"keyword"},"next_header_ipv6":{"type":"short"},"class_id":{"type":"short"},"distinct_count_of_sourc_eipa_ddress":{"type":"long"},"min_flow_start_milliseconds":{"type":"date"},"application_name":{"ignore_above":1024,"type":"keyword"},"nat_event":{"type":"short"},"icmp_code_ipv6":{"type":"short"},"icmp_code_ipv4":{"type":"short"},"sampling_flow_spacing":{"type":"long"},"tcp_ack_total_count":{"type":"long"},"post_ip_diff_serv_code_point":{"type":"short"},"not_sent_packet_total_count":{"type":"long"},"mpls_label_stack_section10":{"type":"short"},"dropped_packet_total_count":{"type":"long"},"mpls_label_stack_section5":{"type":"short"},"post_octet_delta_count":{"type":"long"},"flow_start_sys_up_time":{"type":"long"},"mpls_label_stack_section4":{"type":"short"},"pseudo_wire_control_word":{"type":"long"},"octet_delta_count":{"type":"long"},"mpls_label_stack_section3":{"type":"short"},"dropped_octet_total_count":{"type":"long"},"mpls_label_stack_section2":{"type":"short"},"initiator_octets":{"type":"long"},"sampler_id":{"type":"short"},"mpls_label_stack_section9":{"type":"short"},"mpls_label_stack_section8":{"type":"short"},"mpls_label_stack_section7":{"type":"short"},"metering_process_id":{"type":"long"},"mpls_label_stack_section6":{"type":"short"},"address_pool_low_threshold":{"type":"long"},"source_ipv6_prefix":{"type":"ip"},"connection_sum_duration_seconds":{"type":"long"},"sta_ipv4_address":{"type":"ip"},"mib_module_name":{"ignore_above":1024,"type":"keyword"},"http_reason_phrase":{"ignore_above":1024,"type":"keyword"},"mobile_msisdn":{"ignore_above":1024,"type":"keyword"},"mib_object_name":{"ignore_above":1024,"type":"keyword"},"confidence_level":{"type":"double"},"ignored_packet_total_count":{"type":"long"},"min_flow_start_nanoseconds":{"type":"date"},"tcp_options":{"type":"long"},"http_user_agent":{"ignore_above":1024,"type":"keyword"},"virtual_station_interface_id":{"type":"short"},"post_ip_precedence":{"type":"short"},"sampling_size":{"type":"long"},"flow_sampling_time_spacing":{"type":"long"},"ip_version":{"type":"short"},"tcp_window_scale":{"type":"long"},"data_records_reliability":{"type":"boolean"},"ip_total_length":{"type":"long"},"post_mcast_octet_delta_count":{"type":"long"},"src_traffic_index":{"type":"long"},"ingress_physical_interface":{"type":"long"},"layer2_octet_total_sum_of_squares":{"type":"long"},"address_port_mapping_per_user_high_threshold":{"type":"long"},"sampling_time_interval":{"type":"long"},"ip_next_hop_ipv6_address":{"type":"ip"},"http_request_host":{"ignore_above":1024,"type":"keyword"},"sampling_interval":{"type":"long"},"session_scope":{"type":"short"},"vr_fname":{"ignore_above":1024,"type":"keyword"},"mpls_label_stack_depth":{"type":"long"},"sampling_flow_interval":{"type":"long"},"initiator_packets":{"type":"long"},"vpn_identifier":{"type":"short"},"destination_transport_port":{"type":"long"},"tcp_fin_total_count":{"type":"long"},"mib_object_valuei_pa_ddress":{"type":"ip"},"source_transport_ports_limit":{"type":"long"},"destination_ipv4_prefix":{"type":"ip"},"original_flows_completed":{"type":"long"},"nat_pool_name":{"ignore_above":1024,"type":"keyword"},"total_length_ipv4":{"type":"long"},"data_link_frame_type":{"type":"long"},"post_ip_class_of_service":{"type":"short"},"nat_instance_id":{"type":"long"},"sampling_time_space":{"type":"long"},"application_category_name":{"ignore_above":1024,"type":"keyword"},"ignored_layer2_frame_total_count":{"type":"long"},"port_range_step_size":{"type":"long"},"mib_capture_time_semantics":{"type":"short"},"sampling_packet_interval":{"type":"long"},"post_mcast_packet_delta_count":{"type":"long"},"selector_id":{"type":"long"},"dropped_layer2_octet_total_count":{"type":"long"},"ipv6_extension_headers":{"type":"long"},"not_sent_flow_total_count":{"type":"long"},"dot1q_customer_vlan_id":{"type":"long"},"tcp_urg_total_count":{"type":"long"},"mpls_top_label_type":{"type":"short"},"rtp_sequence_number":{"type":"long"},"section_exported_octets":{"type":"long"},"dst_traffic_index":{"type":"long"},"flow_duration_microseconds":{"type":"long"},"post_octet_total_count":{"type":"long"},"tcp_header_length":{"type":"short"},"mib_object_value_unsigned":{"type":"long"},"protocol_identifier":{"type":"short"},"metro_evc_type":{"type":"short"},"mpls_label_stack_section":{"type":"short"},"wlan_ssid":{"ignore_above":1024,"type":"keyword"},"udp_destination_port":{"type":"long"},"collector_ipv4_address":{"type":"ip"},"max_fragments_pending_reassembly":{"type":"long"},"internal_address_realm":{"type":"short"},"flow_start_delta_microseconds":{"type":"long"},"information_element_range_begin":{"type":"long"},"payload_length_ipv6":{"type":"long"},"information_element_units":{"type":"long"},"ingress_interface":{"type":"long"},"observation_domain_name":{"ignore_above":1024,"type":"keyword"},"mpls_top_label_ipv4_address":{"type":"ip"},"max_session_entries":{"type":"long"},"tcp_window_size":{"type":"long"},"biflow_direction":{"type":"short"},"information_element_id":{"type":"long"},"bgp_source_as_number":{"type":"long"},"exporter_certificate":{"type":"short"},"sampler_mode":{"type":"short"},"sta_mac_address":{"ignore_above":1024,"type":"keyword"},"flow_selected_octet_delta_count":{"type":"long"},"dropped_packet_delta_count":{"type":"long"},"mpls_top_label_stack_section":{"type":"short"},"nat_pool_id":{"type":"long"},"ethernet_type":{"type":"long"},"source_mac_address":{"ignore_above":1024,"type":"keyword"},"multicast_replication_factor":{"type":"long"},"anonymization_technique":{"type":"long"},"transport_packet_delta_count":{"type":"long"},"application_id":{"type":"short"},"destination_ipv6_prefix_length":{"type":"short"},"original_exporter_ipv6_address":{"type":"ip"},"destination_ipv4_address":{"type":"ip"},"observation_domain_id":{"type":"long"},"digest_hash_value":{"type":"long"},"mpls_label_stack_length":{"type":"long"},"port_id":{"type":"long"},"post_layer2_octet_delta_count":{"type":"long"},"exporter_ipv4_address":{"type":"ip"},"dot1q_vlan_id":{"type":"long"},"hash_flow_domain":{"type":"long"},"external_address_realm":{"type":"short"},"data_link_frame_section":{"type":"short"},"egress_vrfid":{"type":"long"},"hash_ipp_ayload_size":{"type":"long"},"ip_diff_serv_code_point":{"type":"short"},"exported_flow_record_total_count":{"type":"long"},"original_flows_present":{"type":"long"},"application_description":{"ignore_above":1024,"type":"keyword"},"opaque_octets":{"type":"short"},"selector_name":{"ignore_above":1024,"type":"keyword"},"information_element_semantics":{"type":"short"},"export_interface":{"type":"long"},"post_source_mac_address":{"ignore_above":1024,"type":"keyword"},"tcp_rst_total_count":{"type":"long"},"octet_total_sum_of_squares":{"type":"long"},"distinct_count_of_destination_ipv6_address":{"type":"long"},"classification_engine_id":{"type":"short"},"selector_id_total_pkts_observed":{"type":"long"},"information_element_description":{"ignore_above":1024,"type":"keyword"},"intermediate_process_id":{"type":"long"},"flow_end_delta_microseconds":{"type":"long"},"post_mcast_octet_total_count":{"type":"long"},"flow_selector_algorithm":{"type":"long"},"delta_flow_count":{"type":"long"},"ingress_vrfid":{"type":"long"},"original_flows_initiated":{"type":"long"},"virtual_station_uuid":{"type":"short"},"gre_key":{"type":"long"},"fragment_offset":{"type":"long"},"tcp_source_port":{"type":"long"},"flow_end_seconds":{"type":"date"},"ipv4_ihl":{"type":"short"},"dot1q_priority":{"type":"short"},"source_ipv6_prefix_length":{"type":"short"},"max_entries_per_user":{"type":"long"},"post_destination_mac_address":{"ignore_above":1024,"type":"keyword"},"value_distribution_method":{"type":"short"},"mib_object_value_oid":{"type":"short"},"observed_flow_total_count":{"type":"long"},"post_nadt_estination_ipv4_address":{"type":"ip"},"mib_object_identifier":{"type":"short"},"mib_object_value_gauge":{"type":"long"},"udp_source_port":{"type":"long"},"not_sent_layer2_octet_total_count":{"type":"long"},"hash_selected_range_max":{"type":"long"},"post_vlan_id":{"type":"long"},"packet_delta_count":{"type":"long"},"ipv4_router_sc":{"type":"ip"},"layer2_frame_total_count":{"type":"long"},"egress_interface_type":{"type":"long"},"bgp_next_hop_ipv4_address":{"type":"ip"},"sampler_random_interval":{"type":"long"},"layer2packet_section_offset":{"type":"long"},"dot1q_customer_dei":{"type":"boolean"},"post_packet_delta_count":{"type":"long"},"hash_ipp_ayload_offset":{"type":"long"},"destination_ipv4_prefix_length":{"type":"short"},"source_ipv4_prefix_length":{"type":"short"},"sampling_probability":{"type":"double"},"dot1q_service_instance_id":{"type":"long"},"egress_interface":{"type":"long"},"observation_point_id":{"type":"long"},"tcp_urgent_pointer":{"type":"long"},"source_ipv6_address":{"type":"ip"},"bgp_prev_adjacent_as_number":{"type":"long"},"max_flow_end_microseconds":{"type":"date"},"export_sctp_stream_id":{"type":"long"},"selection_sequence_id":{"type":"long"},"tcp_acknowledgement_number":{"type":"long"},"encrypted_technology":{"ignore_above":1024,"type":"keyword"},"mpls_top_label_prefix_length":{"type":"short"},"max_flow_end_seconds":{"type":"date"},"sampler_name":{"ignore_above":1024,"type":"keyword"},"octet_delta_sum_of_squares":{"type":"long"},"post_napst_ource_transport_port":{"type":"long"},"sampling_population":{"type":"long"},"observation_time_seconds":{"type":"date"},"post_nast_ource_ipv4_address":{"type":"ip"},"tcp_sequence_number":{"type":"long"},"min_flow_start_seconds":{"type":"date"},"monitoring_interval_end_milli_seconds":{"type":"date"},"flow_start_milliseconds":{"type":"date"},"source_ipv4_prefix":{"type":"ip"},"minimum_ttl":{"type":"short"},"pseudo_wire_destination_ipv4_address":{"type":"ip"},"wlan_channel_id":{"type":"short"},"distinct_count_of_source_ipv6_address":{"type":"long"},"post_dot1q_customer_vlan_id":{"type":"long"},"global_address_mapping_high_threshold":{"type":"long"},"new_connection_delta_count":{"type":"long"},"flow_sampling_time_interval":{"type":"long"},"mib_object_value_time_ticks":{"type":"long"},"nat_threshold_event":{"type":"long"},"ingress_interface_type":{"type":"long"},"icmp_type_code_ipv4":{"type":"long"},"post_layer2_octet_total_count":{"type":"long"},"mib_object_value_integer":{"type":"long"},"icmp_type_code_ipv6":{"type":"long"},"bgp_destination_as_number":{"type":"long"},"http_request_target":{"ignore_above":1024,"type":"keyword"},"mib_context_name":{"ignore_above":1024,"type":"keyword"},"information_element_index":{"type":"long"},"bgp_next_hop_ipv6_address":{"type":"ip"},"forwarding_status":{"type":"short"},"mpls_top_label_ipv6_address":{"type":"ip"},"fragment_identification":{"type":"long"},"user_name":{"ignore_above":1024,"type":"keyword"},"port_range_num_ports":{"type":"long"},"hash_selected_range_min":{"type":"long"},"exporter":{"properties":{"uptime_millis":{"type":"long"},"address":{"ignore_above":1024,"type":"keyword"},"source_id":{"type":"long"},"version":{"type":"long"},"timestamp":{"type":"date"}}},"hash_output_range_min":{"type":"long"},"http_content_type":{"ignore_above":1024,"type":"keyword"},"selector_algorithm":{"type":"long"},"address_port_mapping_high_threshold":{"type":"long"},"flow_start_seconds":{"type":"date"},"mobile_imsi":{"ignore_above":1024,"type":"keyword"},"nat_originating_address_realm":{"type":"short"},"tcp_destination_port":{"type":"long"},"application_sub_category_name":{"ignore_above":1024,"type":"keyword"},"class_name":{"ignore_above":1024,"type":"keyword"},"responder_octets":{"type":"long"},"not_sent_octet_total_count":{"type":"long"},"layer2_octet_delta_count":{"type":"long"},"information_element_data_type":{"type":"short"},"flow_start_nanoseconds":{"type":"date"},"hash_initialiser_value":{"type":"long"},"bgp_validity_state":{"type":"short"},"engine_type":{"type":"short"},"flow_direction":{"type":"short"},"dot1q_customer_source_mac_address":{"ignore_above":1024,"type":"keyword"},"wtp_mac_address":{"ignore_above":1024,"type":"keyword"},"mpls_payload_length":{"type":"long"},"template_id":{"type":"long"},"pseudo_wire_type":{"type":"long"},"dot1q_customer_destination_mac_address":{"ignore_above":1024,"type":"keyword"},"interface_description":{"ignore_above":1024,"type":"keyword"},"pseudo_wire_id":{"type":"long"},"vlan_id":{"type":"long"},"responder_packets":{"type":"long"},"hash_digest_output":{"type":"boolean"},"ethernet_payload_length":{"type":"long"},"collector_certificate":{"type":"short"},"tcp_control_bits":{"type":"long"},"mpls_payload_packet_section":{"type":"short"},"anonymization_flags":{"type":"long"},"ingress_unicast_packet_total_count":{"type":"long"},"lower_cli_imit":{"type":"double"},"address_pool_high_threshold":{"type":"long"},"information_element_range_end":{"type":"long"},"observation_point_type":{"type":"short"},"ip_payload_packet_section":{"type":"short"},"http_status_code":{"type":"long"},"bgp_next_adjacent_as_number":{"type":"long"},"dropped_layer2_octet_delta_count":{"type":"long"},"common_properties_id":{"type":"long"},"destination_ipv6_prefix":{"type":"ip"},"maximum_ip_total_length":{"type":"long"},"exporter_ipv6_address":{"type":"ip"},"ip_class_of_service":{"type":"short"},"rfc3550_jitter_nanoseconds":{"type":"long"},"http_request_method":{"ignore_above":1024,"type":"keyword"},"original_observation_domain_id":{"type":"long"},"is_multicast":{"type":"short"},"mib_object_value_counter":{"type":"long"},"mib_object_value_bits":{"type":"short"},"ip_header_packet_section":{"type":"short"},"post_mcast_layer2_octet_delta_count":{"type":"long"},"tunnel_technology":{"ignore_above":1024,"type":"keyword"},"ingress_multicast_packet_total_count":{"type":"long"},"flow_idle_timeout":{"type":"long"},"max_export_seconds":{"type":"date"},"exported_message_total_count":{"type":"long"},"minimum_ip_total_length":{"type":"long"},"selector_itd_otal_flows_selected":{"type":"long"},"flow_end_nanoseconds":{"type":"date"},"layer2_segment_id":{"type":"long"},"ip_next_hop_ipv4_address":{"type":"ip"},"post_mcast_layer2_octet_total_count":{"type":"long"},"egress_physical_interface":{"type":"long"},"tcp_psh_total_count":{"type":"long"},"mib_index_indicator":{"type":"long"},"nat_type":{"type":"short"},"udp_message_length":{"type":"long"},"selector_itd_otal_flows_observed":{"type":"long"},"monitoring_interval_start_milli_seconds":{"type":"date"},"layer2packet_section_size":{"type":"long"},"port_range_start":{"type":"long"},"exported_octet_total_count":{"type":"long"},"type":{"ignore_above":1024,"type":"keyword"},"source_ipv4_address":{"type":"ip"},"collector_transport_port":{"type":"long"},"post_dot1q_vlan_id":{"type":"long"},"observation_time_nanoseconds":{"type":"date"},"firewall_event":{"type":"short"},"octet_total_count":{"type":"long"},"dropped_octet_delta_count":{"type":"long"},"post_nadt_estination_ipv6_address":{"type":"ip"},"http_message_version":{"ignore_above":1024,"type":"keyword"},"flow_selected_packet_delta_count":{"type":"long"},"flow_active_timeout":{"type":"long"},"post_mcast_packet_total_count":{"type":"long"},"maximum_ttl":{"type":"short"},"dot1q_customer_priority":{"type":"short"},"igmp_type":{"type":"short"},"metro_evc_id":{"ignore_above":1024,"type":"keyword"},"destination_mac_address":{"ignore_above":1024,"type":"keyword"},"flow_end_sys_up_time":{"type":"long"},"source_transport_port":{"type":"long"},"relative_error":{"type":"double"},"mib_object_value_octet_string":{"type":"short"},"export_protocol_version":{"type":"short"},"exporting_process_id":{"type":"long"},"hash_output_range_max":{"type":"long"},"max_subscribers":{"type":"long"},"dot1q_service_instance_priority":{"type":"short"},"ip_header_length":{"type":"short"},"sampling_algorithm":{"type":"short"},"ingress_broadcast_packet_total_count":{"type":"long"},"mib_object_syntax":{"ignore_above":1024,"type":"keyword"},"min_flow_start_microseconds":{"type":"date"},"ip_ttl":{"type":"short"},"data_link_frame_size":{"type":"long"},"layer2_octet_total_count":{"type":"long"},"private_enterprise_number":{"type":"long"},"ignored_layer2_octet_total_count":{"type":"long"},"flow_start_microseconds":{"type":"date"},"max_bieb_ntries":{"type":"long"},"address_port_mapping_low_threshold":{"type":"long"},"collector_ipv6_address":{"type":"ip"},"distinct_count_of_destinatio_nipa_ddress":{"type":"long"},"max_flow_end_milliseconds":{"type":"date"},"absolute_error":{"type":"double"},"observation_time_microseconds":{"type":"date"},"minimum_layer2_total_length":{"type":"long"},"ethernet_total_length":{"type":"long"},"padding_octets":{"type":"short"},"flow_end_microseconds":{"type":"date"},"layer2_octet_delta_sum_of_squares":{"type":"long"},"application_group_name":{"ignore_above":1024,"type":"keyword"},"upper_cli_imit":{"type":"double"},"dot1q_dei":{"type":"boolean"},"mpls_top_label_exp":{"type":"short"},"ipv4_options":{"type":"long"},"virtual_station_interface_name":{"ignore_above":1024,"type":"keyword"},"fragment_flags":{"type":"short"},"system_init_time_milliseconds":{"type":"date"},"destination_ipv6_address":{"type":"ip"},"message_scope":{"type":"short"},"connection_transaction_id":{"type":"long"},"ip_payload_length":{"type":"long"},"dot1q_service_instance_tag":{"type":"short"},"flow_end_reason":{"type":"short"},"flow_duration_milliseconds":{"type":"long"},"selector_id_total_pkts_selected":{"type":"long"},"original_exporter_ipv4_address":{"type":"ip"},"virtual_station_name":{"ignore_above":1024,"type":"keyword"},"port_range_end":{"type":"long"},"flow_id":{"type":"long"},"post_nast_ource_ipv6_address":{"type":"ip"},"post_mpls_top_label_exp":{"type":"short"},"flow_selected_flow_delta_count":{"type":"long"},"ignored_data_record_total_count":{"type":"long"},"tcp_syn_total_count":{"type":"long"},"export_transport_protocol":{"type":"short"},"ip_sec_spi":{"type":"long"},"rfc3550_jitter_milliseconds":{"type":"long"},"maximum_layer2_total_length":{"type":"long"},"layer2packet_section_data":{"type":"short"},"egress_broadcast_packet_total_count":{"type":"long"},"transport_octet_delta_count":{"type":"long"},"rfc3550_jitter_microseconds":{"type":"long"},"layer2_frame_delta_count":{"type":"long"},"line_card_id":{"type":"long"},"ethernet_header_length":{"type":"short"},"flow_key_indicator":{"type":"long"},"interface_name":{"ignore_above":1024,"type":"keyword"},"mpls_vpn_route_distinguisher":{"type":"short"},"post_napdt_estination_transport_port":{"type":"long"},"icmp_type_ipv4":{"type":"short"},"flags_and_sampler_id":{"type":"long"},"message_md5_checksum":{"type":"short"},"icmp_type_ipv6":{"type":"short"},"distinct_count_of_source_ipv4_address":{"type":"long"},"packet_total_count":{"type":"long"},"mib_context_engine_id":{"type":"short"},"mib_sub_identifier":{"type":"long"},"post_packet_total_count":{"type":"long"},"sampling_packet_space":{"type":"long"},"p2p_technology":{"ignore_above":1024,"type":"keyword"},"egress_unicast_packet_total_count":{"type":"long"},"min_export_seconds":{"type":"date"},"exporter_transport_port":{"type":"long"},"distinct_count_of_destination_ipv4_address":{"type":"long"},"flow_label_ipv6":{"type":"long"},"ignored_octet_total_count":{"type":"long"},"observation_time_milliseconds":{"type":"date"},"nat_quota_exceeded_event":{"type":"long"},"max_flow_end_nanoseconds":{"type":"date"},"mib_object_description":{"ignore_above":1024,"type":"keyword"},"mpls_top_label_ttl":{"type":"short"},"engine_id":{"type":"short"},"section_offset":{"type":"long"},"ip_precedence":{"type":"short"},"flow_end_milliseconds":{"type":"date"},"collection_time_milliseconds":{"type":"date"}}},"apache":{"properties":{"access":{"properties":{"ssl":{"properties":{"cipher":{"ignore_above":1024,"type":"keyword"},"protocol":{"ignore_above":1024,"type":"keyword"}}}}},"error":{"properties":{"module":{"ignore_above":1024,"type":"keyword"}}}}},"elasticsearch":{"properties":{"server":{"properties":{"stacktrace":{"ignore_above":1024,"index":false,"type":"keyword"},"gc":{"properties":{"overhead_seq":{"type":"long"},"young":{"properties":{"one":{"type":"long"},"two":{"type":"long"}}},"observation_duration":{"properties":{"ms":{"type":"float"}}},"collection_duration":{"properties":{"ms":{"type":"float"}}}}}}},"cluster":{"properties":{"name":{"ignore_above":1024,"type":"keyword"},"uuid":{"ignore_above":1024,"type":"keyword"}}},"node":{"properties":{"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"}}},"component":{"ignore_above":1024,"type":"keyword"},"audit":{"properties":{"request":{"properties":{"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"}}},"indices":{"ignore_above":1024,"type":"keyword"},"event_type":{"ignore_above":1024,"type":"keyword"},"origin":{"properties":{"type":{"ignore_above":1024,"type":"keyword"}}},"action":{"ignore_above":1024,"type":"keyword"},"realm":{"ignore_above":1024,"type":"keyword"},"user":{"properties":{"roles":{"ignore_above":1024,"type":"keyword"},"realm":{"ignore_above":1024,"type":"keyword"}}},"url":{"properties":{"params":{"ignore_above":1024,"type":"keyword"}}},"layer":{"ignore_above":1024,"type":"keyword"}}},"slowlog":{"properties":{"took":{"ignore_above":1024,"type":"keyword"},"total_shards":{"ignore_above":1024,"type":"keyword"},"routing":{"ignore_above":1024,"type":"keyword"},"source_query":{"ignore_above":1024,"type":"keyword"},"types":{"ignore_above":1024,"type":"keyword"},"total_hits":{"ignore_above":1024,"type":"keyword"},"stats":{"ignore_above":1024,"type":"keyword"},"logger":{"ignore_above":1024,"type":"keyword"},"extra_source":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"type":{"ignore_above":1024,"type":"keyword"},"search_type":{"ignore_above":1024,"type":"keyword"}}},"index":{"properties":{"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"}}},"shard":{"properties":{"id":{"ignore_above":1024,"type":"keyword"}}},"deprecation":{"properties":{}},"gc":{"properties":{"phase":{"properties":{"cpu_time":{"properties":{"real_sec":{"type":"float"},"sys_sec":{"type":"float"},"user_sec":{"type":"float"}}},"scrub_symbol_table_time_sec":{"type":"float"},"scrub_string_table_time_sec":{"type":"float"},"weak_refs_processing_time_sec":{"type":"float"},"name":{"ignore_above":1024,"type":"keyword"},"parallel_rescan_time_sec":{"type":"float"},"class_unload_time_sec":{"type":"float"},"duration_sec":{"type":"float"}}},"jvm_runtime_sec":{"type":"float"},"stopping_threads_time_sec":{"type":"float"},"old_gen":{"properties":{"size_kb":{"type":"long"},"used_kb":{"type":"long"}}},"young_gen":{"properties":{"size_kb":{"type":"long"},"used_kb":{"type":"long"}}},"threads_total_stop_time_sec":{"type":"float"},"heap":{"properties":{"size_kb":{"type":"long"},"used_kb":{"type":"long"}}},"tags":{"ignore_above":1024,"type":"keyword"}}}}},"ecs":{"properties":{"version":{"ignore_above":1024,"type":"keyword"}}},"host":{"properties":{"geo":{"properties":{"region_iso_code":{"ignore_above":1024,"type":"keyword"},"continent_name":{"ignore_above":1024,"type":"keyword"},"city_name":{"ignore_above":1024,"type":"keyword"},"country_iso_code":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"country_name":{"ignore_above":1024,"type":"keyword"},"location":{"type":"geo_point"},"region_name":{"ignore_above":1024,"type":"keyword"}}},"hostname":{"ignore_above":1024,"type":"keyword"},"os":{"properties":{"build":{"ignore_above":1024,"type":"keyword"},"kernel":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"family":{"ignore_above":1024,"type":"keyword"},"version":{"ignore_above":1024,"type":"keyword"},"platform":{"ignore_above":1024,"type":"keyword"},"full":{"ignore_above":1024,"type":"keyword"}}},"containerized":{"type":"boolean"},"ip":{"type":"ip"},"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"type":{"ignore_above":1024,"type":"keyword"},"user":{"properties":{"full_name":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"email":{"ignore_above":1024,"type":"keyword"},"hash":{"ignore_above":1024,"type":"keyword"},"group":{"properties":{"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"}}}}},"mac":{"ignore_above":1024,"type":"keyword"},"architecture":{"ignore_above":1024,"type":"keyword"}}},"mysql":{"properties":{"thread_id":{"type":"long"},"slowlog":{"properties":{"schema":{"ignore_above":1024,"type":"keyword"},"tmp_table_sizes":{"type":"long"},"rows_examined":{"type":"long"},"innodb":{"properties":{"trx_id":{"ignore_above":1024,"type":"keyword"},"io_r_ops":{"type":"long"},"io_r_wait":{"properties":{"sec":{"type":"long"}}},"io_r_bytes":{"type":"long"},"rec_lock_wait":{"properties":{"sec":{"type":"long"}}},"queue_wait":{"properties":{"sec":{"type":"long"}}},"pages_distinct":{"type":"long"}}},"tmp_disk_tables":{"type":"long"},"filesort_on_disk":{"type":"boolean"},"tmp_tables":{"type":"long"},"full_join":{"type":"boolean"},"current_user":{"ignore_above":1024,"type":"keyword"},"log_slow_rate_limit":{"ignore_above":1024,"type":"keyword"},"log_slow_rate_type":{"ignore_above":1024,"type":"keyword"},"priority_queue":{"type":"boolean"},"full_scan":{"type":"boolean"},"query":{"ignore_above":1024,"type":"keyword"},"merge_passes":{"type":"long"},"filesort":{"type":"boolean"},"killed":{"ignore_above":1024,"type":"keyword"},"bytes_sent":{"type":"long"},"tmp_table":{"type":"boolean"},"lock_time":{"properties":{"sec":{"type":"float"}}},"rows_sent":{"type":"long"},"rows_affected":{"type":"long"},"last_errno":{"ignore_above":1024,"type":"keyword"},"query_cache_hit":{"type":"boolean"},"tmp_table_on_disk":{"type":"boolean"}}},"error":{"properties":{}}}},"kibana":{"properties":{"log":{"properties":{"meta":{"type":"object"},"state":{"ignore_above":1024,"type":"keyword"},"tags":{"ignore_above":1024,"type":"keyword"}}}}},"group":{"properties":{"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"}}},"nginx":{"properties":{"access":{"properties":{"geoip":{"properties":{}},"user_agent":{"properties":{}}}},"error":{"properties":{"connection_id":{"type":"long"}}}}},"zeek":{"properties":{"dns":{"properties":{"TTLs":{"type":"double"},"AA":{"type":"boolean"},"qclass_name":{"ignore_above":1024,"type":"keyword"},"qtype_name":{"ignore_above":1024,"type":"keyword"},"qtype":{"type":"long"},"rejected":{"type":"boolean"},"query":{"ignore_above":1024,"type":"keyword"},"answers":{"ignore_above":1024,"type":"keyword"},"total_replies":{"type":"long"},"rcode":{"type":"long"},"trans_id":{"ignore_above":1024,"type":"keyword"},"rcode_name":{"ignore_above":1024,"type":"keyword"},"RA":{"type":"boolean"},"TC":{"type":"boolean"},"saw_query":{"type":"boolean"},"RD":{"type":"boolean"},"saw_reply":{"type":"boolean"},"rtt":{"type":"double"},"total_answers":{"type":"long"},"qclass":{"type":"long"}}},"http":{"properties":{"orig_mime_depth":{"type":"long"},"server_header_names":{"ignore_above":1024,"type":"keyword"},"resp_mime_depth":{"type":"long"},"proxied":{"ignore_above":1024,"type":"keyword"},"orig_mime_types":{"ignore_above":1024,"type":"keyword"},"tags":{"ignore_above":1024,"type":"keyword"},"info_msg":{"ignore_above":1024,"type":"keyword"},"resp_mime_types":{"ignore_above":1024,"type":"keyword"},"trans_depth":{"type":"long"},"client_header_names":{"ignore_above":1024,"type":"keyword"},"password":{"ignore_above":1024,"type":"keyword"},"orig_filenames":{"ignore_above":1024,"type":"keyword"},"orig_fuids":{"ignore_above":1024,"type":"keyword"},"range_request":{"type":"boolean"},"captured_password":{"type":"boolean"},"status_msg":{"ignore_above":1024,"type":"keyword"},"resp_filenames":{"ignore_above":1024,"type":"keyword"},"resp_fuids":{"ignore_above":1024,"type":"keyword"},"info_code":{"type":"long"}}},"files":{"properties":{"timedout":{"type":"boolean"},"sha256":{"ignore_above":1024,"type":"keyword"},"tx_host":{"type":"ip"},"source":{"ignore_above":1024,"type":"keyword"},"extracted":{"ignore_above":1024,"type":"keyword"},"duration":{"type":"double"},"entropy":{"type":"double"},"analyzers":{"ignore_above":1024,"type":"keyword"},"total_bytes":{"type":"long"},"fuid":{"ignore_above":1024,"type":"keyword"},"seen_bytes":{"type":"long"},"missing_bytes":{"type":"long"},"session_ids":{"ignore_above":1024,"type":"keyword"},"parent_fuid":{"ignore_above":1024,"type":"keyword"},"local_orig":{"type":"boolean"},"is_orig":{"type":"boolean"},"extracted_cutoff":{"type":"boolean"},"overflow_bytes":{"type":"long"},"sha1":{"ignore_above":1024,"type":"keyword"},"depth":{"type":"long"},"filename":{"ignore_above":1024,"type":"keyword"},"mime_type":{"ignore_above":1024,"type":"keyword"},"rx_host":{"type":"ip"},"md5":{"ignore_above":1024,"type":"keyword"},"extracted_size":{"type":"long"}}},"session_id":{"ignore_above":1024,"type":"keyword"},"connection":{"properties":{"local_resp":{"type":"boolean"},"resp_l2_addr":{"ignore_above":1024,"type":"keyword"},"inner_vlan":{"type":"long"},"vlan":{"type":"long"},"local_orig":{"type":"boolean"},"state":{"ignore_above":1024,"type":"keyword"},"history":{"ignore_above":1024,"type":"keyword"},"missed_bytes":{"type":"long"},"orig_l2_addr":{"ignore_above":1024,"type":"keyword"}}},"ssl":{"properties":{"established":{"type":"boolean"},"cipher":{"ignore_above":1024,"type":"keyword"},"server_name":{"ignore_above":1024,"type":"keyword"},"client_cert_chain_fuids":{"ignore_above":1024,"type":"keyword"},"curve":{"ignore_above":1024,"type":"keyword"},"subject":{"ignore_above":1024,"type":"keyword"},"cert_chain_fuids":{"ignore_above":1024,"type":"keyword"},"next_protocol":{"ignore_above":1024,"type":"keyword"},"version":{"ignore_above":1024,"type":"keyword"},"issuer":{"ignore_above":1024,"type":"keyword"},"client_subject":{"ignore_above":1024,"type":"keyword"},"client_issuer":{"ignore_above":1024,"type":"keyword"},"client_cert_chain":{"ignore_above":1024,"type":"keyword"},"cert_chain":{"ignore_above":1024,"type":"keyword"},"last_alert":{"ignore_above":1024,"type":"keyword"},"validation_code":{"ignore_above":1024,"type":"keyword"},"validation_status":{"ignore_above":1024,"type":"keyword"},"resumed":{"type":"boolean"}}},"fnotice":{"properties":{"file":{"properties":{"total_bytes":{"type":"long"}}}}},"notice":{"properties":{"msg":{"ignore_above":1024,"type":"keyword"},"suppress_for":{"type":"double"},"note":{"ignore_above":1024,"type":"keyword"},"sub":{"ignore_above":1024,"type":"keyword"},"identifier":{"ignore_above":1024,"type":"keyword"},"email_delay_tokens":{"ignore_above":1024,"type":"keyword"},"dropped":{"type":"boolean"},"email_body_sections":{"norms":false,"type":"text"},"n":{"type":"long"},"icmp_id":{"ignore_above":1024,"type":"keyword"},"peer_descr":{"norms":false,"type":"text"},"file":{"properties":{"mime_type":{"ignore_above":1024,"type":"keyword"},"parent_id":{"ignore_above":1024,"type":"keyword"},"source":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"is_orig":{"type":"boolean"},"seen_bytes":{"type":"long"},"missing_bytes":{"type":"long"},"overflow_bytes":{"type":"long"}}},"connection_id":{"ignore_above":1024,"type":"keyword"},"fuid":{"ignore_above":1024,"type":"keyword"},"peer_name":{"ignore_above":1024,"type":"keyword"},"actions":{"ignore_above":1024,"type":"keyword"}}}}},"labels":{"type":"object"},"tags":{"ignore_above":1024,"type":"keyword"},"input":{"properties":{"type":{"ignore_above":1024,"type":"keyword"}}},"system":{"properties":{"auth":{"properties":{"ssh":{"properties":{"geoip":{"properties":{}},"dropped_ip":{"type":"ip"},"method":{"ignore_above":1024,"type":"keyword"},"signature":{"ignore_above":1024,"type":"keyword"},"event":{"ignore_above":1024,"type":"keyword"}}},"sudo":{"properties":{"tty":{"ignore_above":1024,"type":"keyword"},"error":{"ignore_above":1024,"type":"keyword"},"pwd":{"ignore_above":1024,"type":"keyword"},"user":{"ignore_above":1024,"type":"keyword"},"command":{"ignore_above":1024,"type":"keyword"}}},"useradd":{"properties":{"shell":{"ignore_above":1024,"type":"keyword"},"home":{"ignore_above":1024,"type":"keyword"}}},"groupadd":{"properties":{}}}},"syslog":{"properties":{}}}},"kafka":{"properties":{"log":{"properties":{"component":{"ignore_above":1024,"type":"keyword"},"trace":{"properties":{"message":{"norms":false,"type":"text"},"class":{"ignore_above":1024,"type":"keyword"}}},"class":{"ignore_above":1024,"type":"keyword"}}}}},"http":{"properties":{"request":{"properties":{"referrer":{"ignore_above":1024,"type":"keyword"},"method":{"ignore_above":1024,"type":"keyword"},"bytes":{"type":"long"},"body":{"properties":{"bytes":{"type":"long"},"content":{"ignore_above":1024,"type":"keyword"}}}}},"response":{"properties":{"status_code":{"type":"long"},"bytes":{"type":"long"},"body":{"properties":{"bytes":{"type":"long"},"content":{"ignore_above":1024,"type":"keyword"}}}}},"version":{"ignore_above":1024,"type":"keyword"}}},"suricata":{"properties":{"eve":{"properties":{"icmp_type":{"type":"long"},"flags":{"properties":{}},"ssh":{"properties":{"server":{"properties":{"proto_version":{"ignore_above":1024,"type":"keyword"},"software_version":{"ignore_above":1024,"type":"keyword"}}},"client":{"properties":{"proto_version":{"ignore_above":1024,"type":"keyword"},"software_version":{"ignore_above":1024,"type":"keyword"}}}}},"app_proto_orig":{"ignore_above":1024,"type":"keyword"},"src_ip":{"path":"source.ip","type":"alias"},"event_type":{"ignore_above":1024,"type":"keyword"},"stats":{"properties":{"defrag":{"properties":{"max_frag_hits":{"type":"long"},"ipv4":{"properties":{"reassembled":{"type":"long"},"timeouts":{"type":"long"},"fragments":{"type":"long"}}},"ipv6":{"properties":{"reassembled":{"type":"long"},"timeouts":{"type":"long"},"fragments":{"type":"long"}}}}},"tcp":{"properties":{"insert_data_overlap_fail":{"type":"long"},"invalid_checksum":{"type":"long"},"ssn_memcap_drop":{"type":"long"},"sessions":{"type":"long"},"overlap_diff_data":{"type":"long"},"syn":{"type":"long"},"stream_depth_reached":{"type":"long"},"no_flow":{"type":"long"},"segment_memcap_drop":{"type":"long"},"memuse":{"type":"long"},"pseudo_failed":{"type":"long"},"reassembly_gap":{"type":"long"},"rst":{"type":"long"},"overlap":{"type":"long"},"insert_list_fail":{"type":"long"},"synack":{"type":"long"},"pseudo":{"type":"long"},"reassembly_memuse":{"type":"long"},"insert_data_normal_fail":{"type":"long"}}},"app_layer":{"properties":{"tx":{"properties":{"dcerpc_udp":{"type":"long"},"dcerpc_tcp":{"type":"long"},"ftp":{"type":"long"},"smtp":{"type":"long"},"ssh":{"type":"long"},"smb":{"type":"long"},"http":{"type":"long"},"tls":{"type":"long"},"dns_tcp":{"type":"long"},"dns_udp":{"type":"long"}}},"flow":{"properties":{"dcerpc_tcp":{"type":"long"},"imap":{"type":"long"},"dcerpc_udp":{"type":"long"},"smtp":{"type":"long"},"ftp":{"type":"long"},"msn":{"type":"long"},"smb":{"type":"long"},"ssh":{"type":"long"},"failed_udp":{"type":"long"},"failed_tcp":{"type":"long"},"dns_tcp":{"type":"long"},"dns_udp":{"type":"long"},"http":{"type":"long"},"tls":{"type":"long"}}}}},"dns":{"properties":{"memuse":{"type":"long"},"memcap_state":{"type":"long"},"memcap_global":{"type":"long"}}},"capture":{"properties":{"kernel_drops":{"type":"long"},"kernel_ifdrops":{"type":"long"},"kernel_packets":{"type":"long"}}},"detect":{"properties":{"alert":{"type":"long"}}},"http":{"properties":{"memuse":{"type":"long"},"memcap":{"type":"long"}}},"decoder":{"properties":{"udp":{"type":"long"},"dce":{"properties":{"pkt_too_small":{"type":"long"}}},"ieee8021ah":{"type":"long"},"pkts":{"type":"long"},"ipv4":{"type":"long"},"vlan":{"type":"long"},"ipv6":{"type":"long"},"pppoe":{"type":"long"},"teredo":{"type":"long"},"mpls":{"type":"long"},"gre":{"type":"long"},"vlan_qinq":{"type":"long"},"max_pkt_size":{"type":"long"},"ipraw":{"properties":{"invalid_ip_version":{"type":"long"}}},"tcp":{"type":"long"},"erspan":{"type":"long"},"icmpv4":{"type":"long"},"raw":{"type":"long"},"ipv4_in_ipv6":{"type":"long"},"ltnull":{"properties":{"unsupported_type":{"type":"long"},"pkt_too_small":{"type":"long"}}},"icmpv6":{"type":"long"},"ethernet":{"type":"long"},"ppp":{"type":"long"},"sll":{"type":"long"},"null":{"type":"long"},"bytes":{"type":"long"},"invalid":{"type":"long"},"avg_pkt_size":{"type":"long"},"sctp":{"type":"long"},"ipv6_in_ipv6":{"type":"long"}}},"flow_mgr":{"properties":{"bypassed_pruned":{"type":"long"},"closed_pruned":{"type":"long"},"rows_empty":{"type":"long"},"flows_notimeout":{"type":"long"},"flows_timeout_inuse":{"type":"long"},"rows_maxlen":{"type":"long"},"flows_checked":{"type":"long"},"flows_removed":{"type":"long"},"rows_checked":{"type":"long"},"flows_timeout":{"type":"long"},"rows_busy":{"type":"long"},"est_pruned":{"type":"long"},"new_pruned":{"type":"long"},"rows_skipped":{"type":"long"}}},"file_store":{"properties":{"open_files":{"type":"long"}}},"flow":{"properties":{"memuse":{"type":"long"},"udp":{"type":"long"},"emerg_mode_entered":{"type":"long"},"tcp":{"type":"long"},"tcp_reuse":{"type":"long"},"icmpv4":{"type":"long"},"emerg_mode_over":{"type":"long"},"icmpv6":{"type":"long"},"spare":{"type":"long"},"memcap":{"type":"long"}}},"uptime":{"type":"long"}}},"alert":{"properties":{"severity":{"path":"event.severity","type":"alias"},"signature_id":{"type":"long"},"rev":{"type":"long"},"gid":{"type":"long"},"signature":{"ignore_above":1024,"type":"keyword"},"action":{"path":"event.outcome","type":"alias"},"category":{"ignore_above":1024,"type":"keyword"}}},"flow_id":{"ignore_above":1024,"type":"keyword"},"fileinfo":{"properties":{"sha1":{"ignore_above":1024,"type":"keyword"},"filename":{"path":"file.path","type":"alias"},"sha256":{"ignore_above":1024,"type":"keyword"},"size":{"path":"file.size","type":"alias"},"stored":{"type":"boolean"},"state":{"ignore_above":1024,"type":"keyword"},"tx_id":{"type":"long"},"gaps":{"type":"boolean"},"md5":{"ignore_above":1024,"type":"keyword"}}},"icmp_code":{"type":"long"},"dest_port":{"path":"destination.port","type":"alias"},"email":{"properties":{"status":{"ignore_above":1024,"type":"keyword"}}},"flow":{"properties":{"reason":{"ignore_above":1024,"type":"keyword"},"pkts_toserver":{"path":"source.packets","type":"alias"},"alerted":{"type":"boolean"},"start":{"path":"event.start","type":"alias"},"end":{"type":"date"},"bytes_toclient":{"path":"destination.bytes","type":"alias"},"state":{"ignore_above":1024,"type":"keyword"},"bytes_toserver":{"path":"source.bytes","type":"alias"},"age":{"type":"long"},"pkts_toclient":{"path":"destination.packets","type":"alias"}}},"timestamp":{"path":"@timestamp","type":"alias"},"tcp":{"properties":{"rst":{"type":"boolean"},"tcp_flags_tc":{"ignore_above":1024,"type":"keyword"},"tcp_flags_ts":{"ignore_above":1024,"type":"keyword"},"psh":{"type":"boolean"},"tcp_flags":{"ignore_above":1024,"type":"keyword"},"ack":{"type":"boolean"},"syn":{"type":"boolean"},"fin":{"type":"boolean"},"state":{"ignore_above":1024,"type":"keyword"}}},"smtp":{"properties":{"helo":{"ignore_above":1024,"type":"keyword"},"rcpt_to":{"ignore_above":1024,"type":"keyword"},"mail_from":{"ignore_above":1024,"type":"keyword"}}},"pcap_cnt":{"type":"long"},"dns":{"properties":{"rrname":{"ignore_above":1024,"type":"keyword"},"rdata":{"ignore_above":1024,"type":"keyword"},"rcode":{"ignore_above":1024,"type":"keyword"},"id":{"type":"long"},"tx_id":{"type":"long"},"type":{"ignore_above":1024,"type":"keyword"},"ttl":{"type":"long"},"rrtype":{"ignore_above":1024,"type":"keyword"}}},"app_proto_tc":{"ignore_above":1024,"type":"keyword"},"tx_id":{"type":"long"},"app_proto":{"path":"network.protocol","type":"alias"},"in_iface":{"ignore_above":1024,"type":"keyword"},"src_port":{"path":"source.port","type":"alias"},"proto":{"path":"network.transport","type":"alias"},"dest_ip":{"path":"destination.ip","type":"alias"},"app_proto_expected":{"ignore_above":1024,"type":"keyword"},"http":{"properties":{"redirect":{"ignore_above":1024,"type":"keyword"},"protocol":{"ignore_above":1024,"type":"keyword"},"hostname":{"path":"url.domain","type":"alias"},"http_method":{"path":"http.request.method","type":"alias"},"http_content_type":{"ignore_above":1024,"type":"keyword"},"http_refer":{"path":"http.request.referrer","type":"alias"},"length":{"path":"http.response.body.bytes","type":"alias"},"url":{"path":"url.original","type":"alias"},"status":{"path":"http.response.status_code","type":"alias"},"http_user_agent":{"path":"user_agent.original","type":"alias"}}},"tls":{"properties":{"notbefore":{"type":"date"},"serial":{"ignore_above":1024,"type":"keyword"},"issuerdn":{"ignore_above":1024,"type":"keyword"},"subject":{"ignore_above":1024,"type":"keyword"},"notafter":{"type":"date"},"fingerprint":{"ignore_above":1024,"type":"keyword"},"session_resumed":{"type":"boolean"},"version":{"ignore_above":1024,"type":"keyword"},"sni":{"ignore_above":1024,"type":"keyword"}}},"app_proto_ts":{"ignore_above":1024,"type":"keyword"}}}}},"fields":{"type":"object"},"hash":{"properties":{"sha256":{"ignore_above":1024,"type":"keyword"}}},"iptables":{"properties":{"udp":{"properties":{"length":{"type":"long"}}},"tcp":{"properties":{"reserved_bits":{"type":"short"},"flags":{"ignore_above":1024,"type":"keyword"},"ack":{"type":"long"},"window":{"type":"long"},"seq":{"type":"long"}}},"fragment_offset":{"type":"long"},"flow_label":{"type":"long"},"precedence_bits":{"type":"short"},"input_device":{"ignore_above":1024,"type":"keyword"},"length":{"type":"long"},"fragment_flags":{"ignore_above":1024,"type":"keyword"},"icmp":{"properties":{"redirect":{"type":"ip"},"code":{"type":"long"},"parameter":{"type":"long"},"id":{"type":"long"},"type":{"type":"long"},"seq":{"type":"long"}}},"ttl":{"type":"long"},"ether_type":{"type":"long"},"ubiquiti":{"properties":{"output_zone":{"ignore_above":1024,"type":"keyword"},"input_zone":{"ignore_above":1024,"type":"keyword"},"rule_set":{"ignore_above":1024,"type":"keyword"},"rule_number":{"ignore_above":1024,"type":"keyword"}}},"tos":{"type":"long"},"output_device":{"ignore_above":1024,"type":"keyword"},"id":{"type":"long"},"incomplete_bytes":{"type":"long"}}},"server":{"properties":{"geo":{"properties":{"continent_name":{"ignore_above":1024,"type":"keyword"},"region_iso_code":{"ignore_above":1024,"type":"keyword"},"city_name":{"ignore_above":1024,"type":"keyword"},"country_iso_code":{"ignore_above":1024,"type":"keyword"},"country_name":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"location":{"type":"geo_point"},"region_name":{"ignore_above":1024,"type":"keyword"}}},"address":{"ignore_above":1024,"type":"keyword"},"port":{"type":"long"},"bytes":{"type":"long"},"domain":{"ignore_above":1024,"type":"keyword"},"ip":{"type":"ip"},"user":{"properties":{"full_name":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"hash":{"ignore_above":1024,"type":"keyword"},"email":{"ignore_above":1024,"type":"keyword"},"group":{"properties":{"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"}}}}},"mac":{"ignore_above":1024,"type":"keyword"},"packets":{"type":"long"}}},"apache2":{"properties":{"access":{"properties":{"geoip":{"properties":{}},"user_agent":{"properties":{}}}},"error":{"properties":{}}}},"log":{"properties":{"original":{"ignore_above":1024,"type":"keyword"},"file":{"properties":{"path":{"ignore_above":1024,"type":"keyword"}}},"offset":{"type":"long"},"level":{"ignore_above":1024,"type":"keyword"},"flags":{"ignore_above":1024,"type":"keyword"},"source":{"properties":{"address":{"ignore_above":1024,"type":"keyword"}}}}},"traefik":{"properties":{"access":{"properties":{"user_identifier":{"ignore_above":1024,"type":"keyword"},"geoip":{"properties":{"region_iso_code":{"path":"source.geo.region_iso_code","type":"alias"},"continent_name":{"path":"source.geo.continent_name","type":"alias"},"city_name":{"path":"source.geo.city_name","type":"alias"},"country_iso_code":{"path":"source.geo.country_iso_code","type":"alias"},"location":{"path":"source.geo.location","type":"alias"},"region_name":{"path":"source.geo.region_name","type":"alias"}}},"frontend_name":{"ignore_above":1024,"type":"keyword"},"backend_url":{"ignore_above":1024,"type":"keyword"},"user_agent":{"properties":{"original":{"path":"user_agent.original","type":"alias"},"os":{"path":"user_agent.os.full_name","type":"alias"},"name":{"path":"user_agent.name","type":"alias"},"os_name":{"path":"user_agent.os.name","type":"alias"},"device":{"path":"user_agent.device.name","type":"alias"}}},"request_count":{"type":"long"}}}}},"destination":{"properties":{"geo":{"properties":{"region_iso_code":{"ignore_above":1024,"type":"keyword"},"continent_name":{"ignore_above":1024,"type":"keyword"},"city_name":{"ignore_above":1024,"type":"keyword"},"country_iso_code":{"ignore_above":1024,"type":"keyword"},"country_name":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"location":{"type":"geo_point"},"region_name":{"ignore_above":1024,"type":"keyword"}}},"address":{"ignore_above":1024,"type":"keyword"},"port":{"type":"long"},"bytes":{"type":"long"},"domain":{"ignore_above":1024,"type":"keyword"},"ip":{"type":"ip"},"user":{"properties":{"full_name":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"hash":{"ignore_above":1024,"type":"keyword"},"email":{"ignore_above":1024,"type":"keyword"},"group":{"properties":{"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"}}}}},"mac":{"ignore_above":1024,"type":"keyword"},"packets":{"type":"long"}}},"certificate":{"properties":{"sha256":{"ignore_above":1024,"type":"keyword"},"common_name":{"ignore_above":1024,"type":"keyword"}}},"syslog":{"properties":{"priority":{"type":"long"},"facility":{"type":"long"},"severity_label":{"ignore_above":1024,"type":"keyword"},"facility_label":{"ignore_above":1024,"type":"keyword"}}},"error":{"properties":{"code":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"type":{"ignore_above":1024,"type":"keyword"},"message":{"norms":false,"type":"text"}}},"auditd":{"properties":{"log":{"properties":{"new_auid":{"ignore_above":1024,"type":"keyword"},"new_ses":{"ignore_above":1024,"type":"keyword"},"laddr":{"type":"ip"},"item":{"ignore_above":1024,"type":"keyword"},"geoip":{"properties":{}},"old_ses":{"ignore_above":1024,"type":"keyword"},"rport":{"type":"long"},"lport":{"type":"long"},"a0":{"ignore_above":1024,"type":"keyword"},"sequence":{"type":"long"},"old_auid":{"ignore_above":1024,"type":"keyword"},"tty":{"ignore_above":1024,"type":"keyword"},"addr":{"type":"ip"},"items":{"ignore_above":1024,"type":"keyword"}}}}},"docker":{"properties":{"container":{"properties":{"labels":{"type":"object"}}}}},"network":{"properties":{"protocol":{"ignore_above":1024,"type":"keyword"},"community_id":{"ignore_above":1024,"type":"keyword"},"forwarded_ip":{"type":"ip"},"application":{"ignore_above":1024,"type":"keyword"},"bytes":{"type":"long"},"name":{"ignore_above":1024,"type":"keyword"},"transport":{"ignore_above":1024,"type":"keyword"},"type":{"ignore_above":1024,"type":"keyword"},"packets":{"type":"long"},"iana_number":{"ignore_above":1024,"type":"keyword"},"direction":{"ignore_above":1024,"type":"keyword"}}},"santa":{"properties":{"mode":{"ignore_above":1024,"type":"keyword"},"reason":{"ignore_above":1024,"type":"keyword"},"disk":{"properties":{"volume":{"ignore_above":1024,"type":"keyword"},"bus":{"ignore_above":1024,"type":"keyword"},"serial":{"ignore_above":1024,"type":"keyword"},"bsdname":{"ignore_above":1024,"type":"keyword"},"model":{"ignore_above":1024,"type":"keyword"},"fs":{"ignore_above":1024,"type":"keyword"},"mount":{"ignore_above":1024,"type":"keyword"}}},"decision":{"ignore_above":1024,"type":"keyword"},"action":{"ignore_above":1024,"type":"keyword"}}},"geo":{"properties":{"region_iso_code":{"ignore_above":1024,"type":"keyword"},"continent_name":{"ignore_above":1024,"type":"keyword"},"city_name":{"ignore_above":1024,"type":"keyword"},"country_iso_code":{"ignore_above":1024,"type":"keyword"},"country_name":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"location":{"type":"geo_point"},"region_name":{"ignore_above":1024,"type":"keyword"}}},"iis":{"properties":{"access":{"properties":{"site_name":{"ignore_above":1024,"type":"keyword"},"server_name":{"ignore_above":1024,"type":"keyword"},"geoip":{"properties":{}},"sub_status":{"type":"long"},"cookie":{"ignore_above":1024,"type":"keyword"},"win32_status":{"type":"long"},"user_agent":{"properties":{}}}},"error":{"properties":{"queue_name":{"ignore_above":1024,"type":"keyword"},"geoip":{"properties":{}},"reason_phrase":{"ignore_above":1024,"type":"keyword"}}}}},"file":{"properties":{"owner":{"ignore_above":1024,"type":"keyword"},"extension":{"ignore_above":1024,"type":"keyword"},"gid":{"ignore_above":1024,"type":"keyword"},"mtime":{"type":"date"},"type":{"ignore_above":1024,"type":"keyword"},"target_path":{"ignore_above":1024,"type":"keyword"},"inode":{"ignore_above":1024,"type":"keyword"},"mode":{"ignore_above":1024,"type":"keyword"},"path":{"ignore_above":1024,"type":"keyword"},"uid":{"ignore_above":1024,"type":"keyword"},"size":{"type":"long"},"ctime":{"type":"date"},"device":{"ignore_above":1024,"type":"keyword"},"group":{"ignore_above":1024,"type":"keyword"}}},"related":{"properties":{"ip":{"type":"ip"}}},"postgresql":{"properties":{"log":{"properties":{"database":{"ignore_above":1024,"type":"keyword"},"core_id":{"type":"long"},"query":{"ignore_above":1024,"type":"keyword"},"timestamp":{"ignore_above":1024,"type":"keyword"}}}}},"stream":{"ignore_above":1024,"type":"keyword"},"client":{"properties":{"geo":{"properties":{"region_iso_code":{"ignore_above":1024,"type":"keyword"},"continent_name":{"ignore_above":1024,"type":"keyword"},"city_name":{"ignore_above":1024,"type":"keyword"},"country_iso_code":{"ignore_above":1024,"type":"keyword"},"country_name":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"location":{"type":"geo_point"},"region_name":{"ignore_above":1024,"type":"keyword"}}},"address":{"ignore_above":1024,"type":"keyword"},"port":{"type":"long"},"bytes":{"type":"long"},"ip":{"type":"ip"},"domain":{"ignore_above":1024,"type":"keyword"},"user":{"properties":{"full_name":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"hash":{"ignore_above":1024,"type":"keyword"},"email":{"ignore_above":1024,"type":"keyword"},"group":{"properties":{"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"}}}}},"mac":{"ignore_above":1024,"type":"keyword"},"packets":{"type":"long"}}},"event":{"properties":{"severity":{"type":"long"},"original":{"ignore_above":1024,"type":"keyword"},"risk_score":{"type":"float"},"timezone":{"ignore_above":1024,"type":"keyword"},"created":{"type":"date"},"kind":{"ignore_above":1024,"type":"keyword"},"module":{"ignore_above":1024,"type":"keyword"},"start":{"type":"date"},"type":{"ignore_above":1024,"type":"keyword"},"duration":{"type":"long"},"risk_score_norm":{"type":"float"},"action":{"ignore_above":1024,"type":"keyword"},"end":{"type":"date"},"id":{"ignore_above":1024,"type":"keyword"},"category":{"ignore_above":1024,"type":"keyword"},"dataset":{"ignore_above":1024,"type":"keyword"},"hash":{"ignore_above":1024,"type":"keyword"},"outcome":{"ignore_above":1024,"type":"keyword"}}},"mongodb":{"properties":{"log":{"properties":{"component":{"ignore_above":1024,"type":"keyword"},"context":{"ignore_above":1024,"type":"keyword"}}}}},"user_agent":{"properties":{"original":{"ignore_above":1024,"type":"keyword"},"os":{"properties":{"full_name":{"ignore_above":1024,"type":"keyword"},"kernel":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"family":{"ignore_above":1024,"type":"keyword"},"version":{"ignore_above":1024,"type":"keyword"},"platform":{"ignore_above":1024,"type":"keyword"},"full":{"ignore_above":1024,"type":"keyword"}}},"name":{"ignore_above":1024,"type":"keyword"},"version":{"ignore_above":1024,"type":"keyword"},"device":{"properties":{"name":{"ignore_above":1024,"type":"keyword"}}}}},"process":{"properties":{"args":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"start":{"type":"date"},"working_directory":{"ignore_above":1024,"type":"keyword"},"pid":{"type":"long"},"thread":{"properties":{"id":{"type":"long"}}},"program":{"ignore_above":1024,"type":"keyword"},"title":{"ignore_above":1024,"type":"keyword"},"executable":{"ignore_above":1024,"type":"keyword"},"ppid":{"type":"long"}}},"os":{"properties":{"kernel":{"ignore_above":1024,"type":"keyword"},"name":{"ignore_above":1024,"type":"keyword"},"family":{"ignore_above":1024,"type":"keyword"},"version":{"ignore_above":1024,"type":"keyword"},"platform":{"ignore_above":1024,"type":"keyword"},"full":{"ignore_above":1024,"type":"keyword"}}},"osquery":{"properties":{"result":{"properties":{"unix_time":{"type":"long"},"name":{"ignore_above":1024,"type":"keyword"},"action":{"ignore_above":1024,"type":"keyword"},"calendar_time":{"ignore_above":1024,"type":"keyword"},"host_identifier":{"ignore_above":1024,"type":"keyword"}}}}},"message":{"norms":false,"type":"text"},"fileset":{"properties":{"name":{"ignore_above":1024,"type":"keyword"}}},"url":{"properties":{"path":{"ignore_above":1024,"type":"keyword"},"fragment":{"ignore_above":1024,"type":"keyword"},"password":{"ignore_above":1024,"type":"keyword"},"original":{"ignore_above":1024,"type":"keyword"},"scheme":{"ignore_above":1024,"type":"keyword"},"port":{"type":"long"},"domain":{"ignore_above":1024,"type":"keyword"},"query":{"ignore_above":1024,"type":"keyword"},"full":{"ignore_above":1024,"type":"keyword"},"username":{"ignore_above":1024,"type":"keyword"}}},"@timestamp":{"type":"date"},"service":{"properties":{"name":{"ignore_above":1024,"type":"keyword"},"state":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"type":{"ignore_above":1024,"type":"keyword"},"ephemeral_id":{"ignore_above":1024,"type":"keyword"},"version":{"ignore_above":1024,"type":"keyword"}}},"organization":{"properties":{"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"}}},"haproxy":{"properties":{"tcp":{"properties":{"connection_waiting_time_ms":{"type":"long"}}},"error_message":{"norms":false,"type":"text"},"server_name":{"ignore_above":1024,"type":"keyword"},"bind_name":{"ignore_above":1024,"type":"keyword"},"total_waiting_time_ms":{"type":"long"},"geoip":{"properties":{}},"termination_state":{"ignore_above":1024,"type":"keyword"},"time_queue":{"type":"long"},"connection_wait_time_ms":{"type":"long"},"destination":{"properties":{}},"bytes_read":{"type":"long"},"source":{"ignore_above":1024,"type":"keyword"},"mode":{"ignore_above":1024,"type":"keyword"},"backend_queue":{"type":"long"},"backend_name":{"ignore_above":1024,"type":"keyword"},"http":{"properties":{"request":{"properties":{"captured_cookie":{"ignore_above":1024,"type":"keyword"},"raw_request_line":{"ignore_above":1024,"type":"keyword"},"captured_headers":{"ignore_above":1024,"type":"keyword"},"time_wait_ms":{"type":"long"},"time_wait_without_data_ms":{"type":"long"}}},"response":{"properties":{"captured_cookie":{"ignore_above":1024,"type":"keyword"},"captured_headers":{"ignore_above":1024,"type":"keyword"}}}}},"client":{"properties":{}},"frontend_name":{"ignore_above":1024,"type":"keyword"},"server_queue":{"type":"long"},"time_backend_connect":{"type":"long"},"connections":{"properties":{"server":{"type":"long"},"retries":{"type":"long"},"active":{"type":"long"},"backend":{"type":"long"},"frontend":{"type":"long"}}}}},"user":{"properties":{"owner":{"properties":{"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"group":{"properties":{"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"}}}}},"effective":{"properties":{"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"group":{"properties":{"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"}}}}},"full_name":{"ignore_above":1024,"type":"keyword"},"saved":{"properties":{"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"group":{"properties":{"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"}}}}},"audit":{"properties":{"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"group":{"properties":{"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"}}}}},"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"terminal":{"ignore_above":1024,"type":"keyword"},"hash":{"ignore_above":1024,"type":"keyword"},"filesystem":{"properties":{"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"},"group":{"properties":{"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"}}}}},"email":{"ignore_above":1024,"type":"keyword"},"group":{"properties":{"name":{"ignore_above":1024,"type":"keyword"},"id":{"ignore_above":1024,"type":"keyword"}}}}}}},"aliases":{}}}