# Fetch the settings of the index behind the filebeat-7.17.7 alias, pretty-printed.
curl --request GET --url "localhost:9200/filebeat-7.17.7/_settings?pretty"
{
"filebeat-7.17.7-2022.10.30-000001" : {
"settings" : {
"index" : {
"lifecycle" : {
"name" : "filebeat",
"rollover_alias" : "filebeat-7.17.7",
"indexing_complete" : "true"
},
"routing" : {
"allocation" : {
"include" : {
"_tier_preference" : "data_content"
}
}
},
"mapping" : {
"total_fields" : {
"limit" : "10000"
}
},
"refresh_interval" : "5s",
"number_of_shards" : "1",
"provided_name" : "<filebeat-7.17.7-{now/d}-000001>",
"max_docvalue_fields_search" : "200",
"query" : {
"default_field" : [
"message",
"tags",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"as.organization.name",
"client.address",
"client.as.organization.name",
"client.domain",
"client.geo.city_name",
"client.geo.continent_name",
"client.geo.country_iso_code",
"client.geo.country_name",
"client.geo.name",
"client.geo.region_iso_code",
"client.geo.region_name",
"client.mac",
"client.registered_domain",
"client.top_level_domain",
"client.user.domain",
"client.user.email",
"client.user.full_name",
"client.user.group.domain",
"client.user.group.id",
"client.user.group.name",
"client.user.hash",
"client.user.id",
"client.user.name",
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"container.id",
"container.image.name",
"container.image.tag",
"container.name",
"container.runtime",
"destination.address",
"destination.as.organization.name",
"destination.domain",
"destination.geo.city_name",
"destination.geo.continent_name",
"destination.geo.country_iso_code",
"destination.geo.country_name",
"destination.geo.name",
"destination.geo.region_iso_code",
"destination.geo.region_name",
"destination.mac",
"destination.registered_domain",
"destination.top_level_domain",
"destination.user.domain",
"destination.user.email",
"destination.user.full_name",
"destination.user.group.domain",
"destination.user.group.id",
"destination.user.group.name",
"destination.user.hash",
"destination.user.id",
"destination.user.name",
"dns.answers.class",
"dns.answers.data",
"dns.answers.name",
"dns.answers.type",
"dns.header_flags",
"dns.id",
"dns.op_code",
"dns.question.class",
"dns.question.name",
"dns.question.registered_domain",
"dns.question.subdomain",
"dns.question.top_level_domain",
"dns.question.type",
"dns.response_code",
"dns.type",
"ecs.version",
"error.code",
"error.id",
"error.message",
"error.stack_trace",
"error.type",
"event.action",
"event.category",
"event.code",
"event.dataset",
"event.hash",
"event.id",
"event.kind",
"event.module",
"event.outcome",
"event.provider",
"event.timezone",
"event.type",
"file.device",
"file.directory",
"file.extension",
"file.gid",
"file.group",
"file.hash.md5",
"file.hash.sha1",
"file.hash.sha256",
"file.hash.sha512",
"file.inode",
"file.mode",
"file.name",
"file.owner",
"file.path",
"file.target_path",
"file.type",
"file.uid",
... (remaining entries of this list removed from the paste)
"coredns.id",
"coredns.query.class",
"coredns.query.name",
"coredns.query.type",
"coredns.response.code",
"coredns.response.flags",
"cef.version",
"cef.device.vendor",
"cef.device.product",
"cef.device.version",
"cef.device.event_class_id",
"cef.severity",
"cef.name",
"source.service.name",
"destination.service.name",
"elasticsearch.component",
"elasticsearch.cluster.uuid",
"elasticsearch.cluster.name",
"elasticsearch.node.id",
"elasticsearch.node.name",
"elasticsearch.index.name",
"elasticsearch.index.id",
"elasticsearch.shard.id",
"elasticsearch.audit.layer",
"elasticsearch.audit.event_type",
"elasticsearch.audit.origin.type",
"elasticsearch.audit.realm",
"elasticsearch.audit.user.realm",
"elasticsearch.audit.user.roles",
"elasticsearch.audit.user.run_as.name",
"elasticsearch.audit.user.run_as.realm",
"elasticsearch.audit.component",
"elasticsearch.audit.action",
"elasticsearch.audit.url.params",
"elasticsearch.audit.indices",
"elasticsearch.audit.request.id",
"elasticsearch.audit.request.name",
"elasticsearch.audit.message",
"elasticsearch.gc.phase.name",
"elasticsearch.gc.tags",
"elasticsearch.slowlog.logger",
"elasticsearch.slowlog.took",
"elasticsearch.slowlog.types",
"elasticsearch.slowlog.stats",
"elasticsearch.slowlog.search_type",
"elasticsearch.slowlog.source_query",
"elasticsearch.slowlog.extra_source",
"elasticsearch.slowlog.total_hits",
"elasticsearch.slowlog.total_shards",
"elasticsearch.slowlog.routing",
"elasticsearch.slowlog.id",
"elasticsearch.slowlog.type",
"elasticsearch.slowlog.source",
"envoyproxy.log_type",
"envoyproxy.response_flags",
"envoyproxy.request_id",
"envoyproxy.authority",
"envoyproxy.proxy_type",
"fortinet.file.hash.crc32",
"gcp.destination.instance.project_id",
"gcp.destination.instance.region",
"gcp.destination.instance.zone",
"gcp.destination.vpc.project_id",
"gcp.destination.vpc.vpc_name",
"gcp.destination.vpc.subnetwork_name",
"gcp.source.instance.project_id",
"gcp.source.instance.region",
"gcp.source.instance.zone",
"gcp.source.vpc.project_id",
"gcp.source.vpc.vpc_name",
"gcp.source.vpc.subnetwork_name",
"gcp.audit.type",
"gcp.audit.authentication_info.principal_email",
"gcp.audit.authentication_info.authority_selector",
"gcp.audit.method_name",
"gcp.audit.request.proto_name",
"gcp.audit.request.filter",
"gcp.audit.request.name",
"gcp.audit.request.resource_name",
"gcp.audit.request_metadata.caller_supplied_user_agent",
"gcp.audit.response.proto_name",
"gcp.audit.response.details.group",
"gcp.audit.response.details.kind",
"gcp.audit.response.details.name",
"gcp.audit.response.details.uid",
"gcp.audit.response.status",
"gcp.audit.resource_name",
"gcp.audit.resource_location.current_locations",
"gcp.audit.service_name",
"gcp.audit.status.message",
"gcp.firewall.rule_details.action",
"gcp.firewall.rule_details.direction",
"gcp.firewall.rule_details.reference",
"gcp.firewall.rule_details.source_range",
"gcp.firewall.rule_details.destination_range",
"gcp.firewall.rule_details.source_tag",
"gcp.firewall.rule_details.target_tag",
"gcp.firewall.rule_details.source_service_account",
"gcp.firewall.rule_details.target_service_account",
"gcp.vpcflow.reporter",
"haproxy.frontend_name",
"haproxy.backend_name",
"haproxy.server_name",
"haproxy.bind_name",
"haproxy.error_message",
"haproxy.source",
"haproxy.termination_state",
"haproxy.mode",
"haproxy.http.response.captured_cookie",
"haproxy.http.response.captured_headers",
"haproxy.http.request.captured_cookie",
"haproxy.http.request.captured_headers",
"haproxy.http.request.raw_request_line",
"ibmmq.errorlog.installation",
"ibmmq.errorlog.qmgr",
"ibmmq.errorlog.arithinsert",
"ibmmq.errorlog.commentinsert",
"ibmmq.errorlog.errordescription",
"ibmmq.errorlog.explanation",
"ibmmq.errorlog.action",
"ibmmq.errorlog.code",
"icinga.debug.facility",
"icinga.main.facility",
"icinga.startup.facility",
"iis.access.site_name",
"iis.access.server_name",
"iis.access.cookie",
"iis.error.reason_phrase",
"iis.error.queue_name",
"iptables.fragment_flags",
"iptables.input_device",
"iptables.output_device",
"iptables.tcp.flags",
"iptables.ubiquiti.input_zone",
"iptables.ubiquiti.output_zone",
"iptables.ubiquiti.rule_number",
"iptables.ubiquiti.rule_set",
"kafka.log.component",
"kafka.log.class",
"kafka.log.thread",
"kafka.log.trace.class",
"kafka.log.trace.message",
"kibana.session_id",
"kibana.space_id",
"kibana.saved_object.type",
"kibana.saved_object.id",
"kibana.add_to_spaces",
"kibana.delete_from_spaces",
"kibana.authentication_provider",
"kibana.authentication_type",
"kibana.authentication_realm",
"kibana.lookup_realm",
"kibana.log.tags",
"kibana.log.state",
"logstash.log.module",
"logstash.log.thread.text",
"logstash.log.thread",
"logstash.log.log_event.action",
"logstash.log.pipeline_id",
"logstash.slowlog.module",
"logstash.slowlog.thread.text",
"logstash.slowlog.thread",
"logstash.slowlog.event.text",
"logstash.slowlog.event",
"logstash.slowlog.plugin_name",
"logstash.slowlog.plugin_type",
"logstash.slowlog.plugin_params.text",
"logstash.slowlog.plugin_params",
"misp.attack_pattern.id",
"misp.attack_pattern.name",
"misp.attack_pattern.description",
"misp.attack_pattern.kill_chain_phases",
"misp.campaign.id",
"misp.campaign.name",
"misp.campaign.description",
"misp.campaign.aliases",
"misp.campaign.objective",
"misp.course_of_action.id",
"misp.course_of_action.name",
"misp.course_of_action.description",
"misp.identity.id",
"misp.identity.name",
"misp.identity.description",
"misp.identity.identity_class",
"misp.identity.labels",
"misp.identity.sectors",
"misp.identity.contact_information",
"misp.intrusion_set.id",
"misp.intrusion_set.name",
"misp.intrusion_set.description",
"misp.intrusion_set.aliases",
"misp.intrusion_set.goals",
"misp.intrusion_set.resource_level",
"misp.intrusion_set.primary_motivation",
"misp.intrusion_set.secondary_motivations",
"misp.malware.id",
"misp.malware.name",
"misp.malware.description",
"misp.malware.labels",
"misp.malware.kill_chain_phases",
"misp.note.id",
"misp.note.summary",
"misp.note.description",
"misp.note.authors",
"misp.note.object_refs",
"misp.threat_indicator.labels",
"misp.threat_indicator.id",
"misp.threat_indicator.version",
"misp.threat_indicator.type",
"misp.threat_indicator.description",
"misp.threat_indicator.feed",
"misp.threat_indicator.severity",
"misp.threat_indicator.confidence",
"misp.threat_indicator.kill_chain_phases",
"misp.threat_indicator.mitre_tactic",
"misp.threat_indicator.mitre_technique",
"misp.threat_indicator.attack_pattern",
"misp.threat_indicator.attack_pattern_kql",
"misp.threat_indicator.intrusion_set",
"misp.threat_indicator.campaign",
"misp.threat_indicator.threat_actor",
"misp.observed_data.id",
"misp.observed_data.objects",
"misp.report.id",
"misp.report.labels",
"misp.report.name",
"misp.report.description",
"misp.report.object_refs",
"misp.threat_actor.id",
"misp.threat_actor.labels",
"misp.threat_actor.name",
"misp.threat_actor.description",
"misp.threat_actor.aliases",
"misp.threat_actor.roles",
"misp.threat_actor.goals",
"misp.threat_actor.sophistication",
"misp.threat_actor.resource_level",
"misp.threat_actor.primary_motivation",
"misp.threat_actor.secondary_motivations",
"misp.threat_actor.personal_motivations",
"misp.tool.id",
"misp.tool.labels",
"misp.tool.name",
"misp.tool.description",
"misp.tool.tool_version",
"misp.tool.kill_chain_phases",
"misp.vulnerability.id",
"misp.vulnerability.name",
"misp.vulnerability.description",
"mongodb.log.component",
"mongodb.log.context",
"mssql.log.origin",
"mysql.slowlog.query",
"mysql.slowlog.schema",
"mysql.slowlog.current_user",
"mysql.slowlog.last_errno",
"mysql.slowlog.killed",
"mysql.slowlog.log_slow_rate_type",
"mysql.slowlog.log_slow_rate_limit",
"mysql.slowlog.innodb.trx_id",
"nats.log.msg.type",
"nats.log.msg.subject",
"nats.log.msg.reply_to",
"nats.log.msg.error.message",
"nats.log.msg.queue_group",
"netflow.type",
"netflow.exporter.address",
"netflow.source_mac_address",
"netflow.post_destination_mac_address",
"netflow.destination_mac_address",
"netflow.post_source_mac_address",
"netflow.interface_name",
"netflow.interface_description",
"netflow.sampler_name",
"netflow.application_description",
"netflow.application_name",
"netflow.class_name",
"netflow.wlan_ssid",
"netflow.vr_fname",
"netflow.metro_evc_id",
"netflow.nat_pool_name",
"netflow.p2p_technology",
"netflow.tunnel_technology",
"netflow.encrypted_technology",
"netflow.observation_domain_name",
"netflow.selector_name",
"netflow.information_element_description",
"netflow.information_element_name",
"netflow.virtual_station_interface_name",
"netflow.virtual_station_name",
"netflow.sta_mac_address",
"netflow.wtp_mac_address",
"netflow.user_name",
"netflow.application_category_name",
"netflow.application_sub_category_name",
"netflow.application_group_name",
"netflow.dot1q_customer_source_mac_address",
"netflow.dot1q_customer_destination_mac_address",
"netflow.mib_context_name",
"netflow.mib_object_name",
"netflow.mib_object_description",
"netflow.mib_object_syntax",
"netflow.mib_module_name",
"netflow.mobile_imsi",
"netflow.mobile_msisdn",
"netflow.http_request_method",
"netflow.http_request_host",
"netflow.http_request_target",
"netflow.http_message_version",
"netflow.http_user_agent",
"netflow.http_content_type",
"netflow.http_reason_phrase",
"nginx.ingress_controller.upstream_address_list",
"nginx.ingress_controller.upstream.response.length_list",
"nginx.ingress_controller.upstream.response.time_list",
"nginx.ingress_controller.upstream.response.status_code_list",
"nginx.ingress_controller.upstream.name",
"nginx.ingress_controller.upstream.alternative_name",
"nginx.ingress_controller.http.request.id",
"oracle.database_audit.status",
"oracle.database_audit.session_id",
"oracle.database_audit.client.terminal",
"oracle.database_audit.client.address",
"oracle.database_audit.client.user",
"oracle.database_audit.database.user",
"oracle.database_audit.privilege",
"oracle.database_audit.entry.id",
"oracle.database_audit.database.host",
"oracle.database_audit.action",
"oracle.database_audit.action_number",
"oracle.database_audit.database.id",
"osquery.result.name",
"osquery.result.action",
"osquery.result.host_identifier",
"osquery.result.calendar_time",
"panw.panos.ruleset",
"panw.panos.source.zone",
"panw.panos.source.interface",
"panw.panos.destination.zone",
"panw.panos.destination.interface",
"panw.panos.endreason",
"panw.panos.network.pcap_id",
"panw.panos.network.nat.community_id",
"panw.panos.file.hash",
"panw.panos.url.category",
"panw.panos.flow_id",
"panw.panos.threat.resource",
"panw.panos.threat.id",
"panw.panos.threat.name",
"panw.panos.action",
"panw.panos.type",
"panw.panos.sub_type",
"postgresql.log.timestamp",
"postgresql.log.client_addr",
"postgresql.log.client_port",
"postgresql.log.session_id",
"postgresql.log.database",
"postgresql.log.query",
"postgresql.log.query_step",
"postgresql.log.query_name",
"postgresql.log.command_tag",
"postgresql.log.virtual_transaction_id",
"postgresql.log.sql_state_code",
"postgresql.log.detail",
"postgresql.log.hint",
"postgresql.log.internal_query",
"postgresql.log.context",
"postgresql.log.location",
"postgresql.log.application_name",
"postgresql.log.backend_type",
"rabbitmq.log.pid",
"redis.log.role",
"redis.slowlog.cmd",
"redis.slowlog.key",
"redis.slowlog.args",
"santa.action",
"santa.decision",
"santa.reason",
"santa.mode",
"santa.disk.volume",
"santa.disk.bus",
"santa.disk.serial",
"santa.disk.bsdname",
"santa.disk.model",
"santa.disk.fs",
"santa.disk.mount",
"santa.certificate.common_name",
"santa.certificate.sha256",
"snyk.related.projects",
"snyk.audit.org_id",
"snyk.audit.project_id",
"snyk.vulnerabilities.cvss3",
"snyk.vulnerabilities.exploit_maturity",
"snyk.vulnerabilities.id",
"snyk.vulnerabilities.language",
"snyk.vulnerabilities.package",
"snyk.vulnerabilities.package_manager",
"snyk.vulnerabilities.jira_issue_url",
"snyk.vulnerabilities.reachability",
"snyk.vulnerabilities.title",
"snyk.vulnerabilities.type",
"snyk.vulnerabilities.unique_severities_list",
"snyk.vulnerabilities.version",
"snyk.vulnerabilities.credit",
"snyk.vulnerabilities.identifiers.alternative",
"snyk.vulnerabilities.identifiers.cwe",
"suricata.eve.event_type",
"suricata.eve.app_proto_orig",
"suricata.eve.tcp.tcp_flags",
"suricata.eve.tcp.tcp_flags_tc",
"suricata.eve.tcp.state",
"suricata.eve.tcp.tcp_flags_ts",
"suricata.eve.fileinfo.sha1",
"suricata.eve.fileinfo.state",
"suricata.eve.fileinfo.sha256",
"suricata.eve.fileinfo.md5",
"suricata.eve.dns.type",
"suricata.eve.dns.rrtype",
"suricata.eve.dns.rrname",
"suricata.eve.dns.rdata",
"suricata.eve.dns.rcode",
"suricata.eve.flow_id",
"suricata.eve.email.status",
"suricata.eve.http.redirect",
"suricata.eve.http.protocol",
"suricata.eve.http.http_content_type",
"suricata.eve.in_iface",
"suricata.eve.alert.category",
"suricata.eve.alert.signature",
"suricata.eve.alert.protocols",
"suricata.eve.alert.attack_target",
"suricata.eve.alert.capec_id",
"suricata.eve.alert.cwe_id",
"suricata.eve.alert.malware",
"suricata.eve.alert.cve",
"suricata.eve.alert.cvss_v2_base",
"suricata.eve.alert.cvss_v2_temporal",
"suricata.eve.alert.cvss_v3_base",
"suricata.eve.alert.cvss_v3_temporal",
"suricata.eve.alert.priority",
"suricata.eve.alert.hostile",
"suricata.eve.alert.infected",
"suricata.eve.alert.classtype",
"suricata.eve.alert.rule_source",
"suricata.eve.alert.sid",
"suricata.eve.alert.affected_product",
"suricata.eve.alert.deployment",
"suricata.eve.alert.former_category",
"suricata.eve.alert.mitre_tool_id",
"suricata.eve.alert.performance_impact",
"suricata.eve.alert.signature_severity",
"suricata.eve.alert.tag",
"suricata.eve.ssh.client.proto_version",
"suricata.eve.ssh.client.software_version",
"suricata.eve.ssh.server.proto_version",
"suricata.eve.ssh.server.software_version",
"suricata.eve.tls.issuerdn",
"suricata.eve.tls.sni",
"suricata.eve.tls.version",
"suricata.eve.tls.fingerprint",
"suricata.eve.tls.serial",
"suricata.eve.tls.subject",
"suricata.eve.app_proto_ts",
"suricata.eve.flow.state",
"suricata.eve.flow.reason",
"suricata.eve.app_proto_tc",
"suricata.eve.smtp.rcpt_to",
"suricata.eve.smtp.mail_from",
"suricata.eve.smtp.helo",
"suricata.eve.app_proto_expected",
"system.auth.ssh.method",
"system.auth.ssh.signature",
"system.auth.ssh.event",
"system.auth.sudo.error",
"system.auth.sudo.tty",
"system.auth.sudo.pwd",
"system.auth.sudo.user",
"system.auth.sudo.command",
"system.auth.useradd.home",
"system.auth.useradd.shell",
"traefik.access.user_identifier",
"traefik.access.frontend_name",
"traefik.access.backend_url",
"zeek.session_id",
"zeek.capture_loss.peer",
"zeek.dns.trans_id",
"zeek.dns.query",
"zeek.dns.qclass_name",
"zeek.dns.qtype_name",
"zeek.dns.rcode_name",
"zeek.dns.answers",
"zeek.files.fuid",
"zeek.files.session_ids",
"zeek.files.source",
"zeek.files.analyzers",
"zeek.files.mime_type",
"zeek.files.filename",
"zeek.files.parent_fuid",
"zeek.files.md5",
"zeek.files.sha1",
"zeek.files.sha256",
"zeek.files.extracted",
"zeek.http.status_msg",
"zeek.http.info_msg",
"zeek.http.tags",
"zeek.http.password",
"zeek.http.proxied",
"zeek.http.client_header_names",
"zeek.http.server_header_names",
"zeek.http.orig_fuids",
"zeek.http.orig_mime_types",
"zeek.http.orig_filenames",
"zeek.http.resp_fuids",
"zeek.http.resp_mime_types",
"zeek.http.resp_filenames",
"zeek.notice.connection_id",
"zeek.notice.icmp_id",
"zeek.notice.file.id",
"zeek.notice.file.parent_id",
"zeek.notice.file.source",
"zeek.notice.file.mime_type",
"zeek.notice.fuid",
"zeek.notice.note",
"zeek.notice.msg",
"zeek.notice.sub",
"zeek.notice.peer_name",
"zeek.notice.peer_descr",
"zeek.notice.actions",
"zeek.notice.email_body_sections",
"zeek.notice.email_delay_tokens",
"zeek.notice.identifier",
"zookeeper.audit.session",
"zookeeper.audit.znode",
"zookeeper.audit.znode_type",
"zookeeper.audit.acl",
"zookeeper.audit.result",
"zookeeper.audit.user",
"fields.*"
]
},
"creation_date" : "1667129243291",
"number_of_replicas" : "0",
"uuid" : "Wt88CKPHT0St6Z5ya8KXnQ",
"version" : {
"created" : "7170799"
}
}
}
},