Indexing with deprecated _type field

I see.

Some comments. I can see from Metron – Elasticsearch in Metron that:

Project Metron has retired.

The last version this project supports is 5.6, if I read that correctly.
Here you are trying to use it with a 7.x version. It might work with some luck but I'm almost sure it won't work anymore in the future as types are going away. See Removal of mapping types | Elasticsearch Guide [7.12] | Elastic

Your "template" API call is the new way to create index templates. It does not support the include_type_name option. So you would need to call the legacy template.

This will work:

DELETE logstash_index_test
DELETE _template/logstash
PUT _template/logstash?include_type_name=true
{
  "index_patterns": [
    "logstash_index_*"
  ],
  "mappings": {
    "logstash_doc": {
      "dynamic_templates": [
        {
          "timestamps_ts": {
            "mapping": {
              "format": "epoch_millis",
              "type": "date"
            },
            "match": "*ts",
            "match_mapping_type": "*"
          }
        },
        {
          "timestamps_milliseconds": {
            "mapping": {
              "format": "epoch_millis",
              "type": "date"
            },
            "match": "*_milliseconds",
            "match_mapping_type": "*"
          }
        },
        {
          "timestamps_seconds": {
            "mapping": {
              "format": "epoch_second",
              "type": "date"
            },
            "match": "*_seconds",
            "match_mapping_type": "*"
          }
        }
      ],
      "properties": {
        "source": {
          "properties": {
            "ip": {
              "type": "ip"
            },
            "port": {
              "type": "long"
            }
          }
        },
        "timestamp": {
          "type": "long"
        }
      }
    }
  },
  "settings": {
    "index": {
      "refresh_interval": "15s",
      "number_of_shards": "1"
    }
  }
}
POST _bulk 
{ "index": { "_index": "logstash_index_test", "_type": "logstash_doc" }}
{ "parallelenricher.splitter.end.ts": "1619587111219", "destination": { "port": 123,"ip": "100.100.100.100"}, "source": { "port": 123, "ip": "101.101.101.101"}, "message": "<132>Apr 27 2021 20:21:44: %ASA-4-106023: Deny udp src Ingress_Interface:100.100.100.100/123 dst Egress_Interface:101.101.101.101/123 by access-group \"Rule_Name\" [0x0, 0x0]\n", "parallelenricher.enrich.begin.ts": "1619587111219", "metron.metadata.topic": "asa_after_logstash", "source.type": "asa_logstash", "parallelenricher.splitter.begin.ts": "1619587111219", "observer": { "ingress": { "interface": { "name": "Ingress_Interface" } },"egress": {"interface": {"name": "Egress_Interface"}}},"@timestamp": "2021-04-28T05:18:02.726Z", "original_string": "{\"observer\":{\"ingress\":{\"interface\":{\"name\":\"Ingress_Interface\"}},\"egress\":{\"interface\":{\"name\":\"Egress_Interface\"}}},\"@timestamp\":\"2021-04-28T05:18:02.726Z\",\"organization\":{\"id\":\"0\"},\"destination\":{\"ip\":\"101.101.101.101\",\"port\":123},\"@version\":\"1\",\"source\":{\"ip\":\"100.100.100.100\",\"port\":123},\"message\":\"<132>Apr 27 2021 20:21:44: %ASA-4-106023: Deny udp src Ingress_Interface:100.100.100.100\\/123 dst Egress_Interface:101.101.101.101\\/123 by access-group \\\"Ingress_Interface_access_in_1\\\" [0x0, 0x0]\\n\",\"cisco\":{\"asa\":{\"Egress_Interface\":\"Ingress_Interface_access_in_1\",\"outcome\":\"Deny\",\"network\":{\"transport\":\"udp\"}}}}", "parallelenricher.enrich.end.ts": "1619587111219", "organization": { "id": "0"}, "@version": "1", "guid": "da35ff9a-195f-4e48-9a74-ff07ff9ff087", "cisco": { "asa": { "Egress_Interface": "Rule_Name", "outcome": "Deny", "network": { "transport": "udp"}}},"timestamp": 1619587083600}

But again, this is not going to work in the future.
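
The typeless form that 7.x and later expect, as an added example that is not part of the original reply: this Python sketch removes the mapping-type level from a legacy template body and drops `_type` from `_bulk` action lines, so the template can be sent without `include_type_name`. The function names and the shortened sample data are constructed for illustration.

```python
import json

# Keys that may sit directly under "mappings" in a typeless body (not exhaustive).
MAPPING_ROOT_KEYS = {
    "properties", "dynamic_templates", "dynamic", "date_detection",
    "numeric_detection", "dynamic_date_formats", "_source", "_routing", "_meta",
}

def strip_mapping_type(template):
    """Return a copy of a legacy template body with the type level removed."""
    out = dict(template)
    mappings = template.get("mappings", {})
    type_names = [k for k in mappings if k not in MAPPING_ROOT_KEYS]
    if not type_names:
        return out  # already typeless, nothing to do
    if len(mappings) > 1:
        # Several types, or a type mixed with root keys: needs a human decision.
        raise ValueError("cannot flatten mappings with keys: %s" % sorted(mappings))
    out["mappings"] = mappings[type_names[0]]
    return out

def strip_bulk_type(ndjson):
    """Drop "_type" from _bulk action lines; source lines pass through untouched."""
    out, expect_source = [], False
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        if expect_source:
            out.append(line)  # document body: never parsed or rewritten
            expect_source = False
            continue
        (verb, meta), = json.loads(line).items()  # exactly one action per line
        meta.pop("_type", None)
        out.append(json.dumps({verb: meta}))
        expect_source = verb != "delete"  # delete actions carry no source line
    return "\n".join(out) + "\n"

# Constructed sample input, shortened from the request in the post.
LEGACY = {
    "index_patterns": ["logstash_index_*"],
    "mappings": {"logstash_doc": {"properties": {"source": {"properties": {"ip": {"type": "ip"}}}}}},
}
BULK = (
    '{"index": {"_index": "logstash_index_test", "_type": "logstash_doc"}}\n'
    '{"source": {"ip": "101.101.101.101"}, "timestamp": 1619587083600}\n'
    '{"delete": {"_index": "logstash_index_test", "_type": "logstash_doc", "_id": "1"}}\n'
)

if __name__ == "__main__":
    print(json.dumps(strip_mapping_type(LEGACY), indent=2))
    print(strip_bulk_type(BULK), end="")
```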