Created
March 4, 2016 23:10
Elasticsearch index mapping for CloudTrail logs
{ | |
"mappings": { | |
"logs": { | |
"properties": { | |
"eventVersion": { | |
"type": "string" | |
}, | |
"userIdentity": { | |
"properties": { | |
"type": { | |
"type": "string" | |
}, | |
"principalId": { | |
"type": "string", | |
"index": "not_analyzed" | |
}, | |
"arn": { | |
"type": "string", | |
"index": "not_analyzed" | |
}, | |
"accountId": { | |
"type": "string" | |
}, | |
"accessKeyId": { | |
"type": "string" | |
}, | |
"sessionContext": { | |
"properties": { | |
"attributes": { | |
"properties": { | |
"mfaAuthenticated": { | |
"type": "boolean" | |
}, | |
"creationDate": { | |
"type": "date" | |
} | |
} | |
} | |
} | |
}, | |
"sessionIssuer": { | |
"properties": { | |
"type": { | |
"type": "string" | |
}, | |
"principalId": { | |
"type": "string" | |
}, | |
"arn": { | |
"type": "string", | |
"index": "not_analyzed" | |
}, | |
"accountId": { | |
"type": "string" | |
}, | |
"username": { | |
"type": "string", | |
"index": "not_analyzed" | |
} | |
} | |
} | |
} | |
}, | |
"eventTime": { | |
"type": "date" | |
}, | |
"eventSource": { | |
"type": "string" | |
}, | |
"eventName": { | |
"type": "string" | |
}, | |
"awsRegion": { | |
"type": "string", | |
"index": "not_analyzed" | |
}, | |
"sourceIPAddress": { | |
"type": "string" | |
}, | |
"userAgent": { | |
"type": "string", | |
"index": "not_analyzed" | |
}, | |
"requestParameters":{ | |
"dynamic": true | |
}, | |
"eventType": { | |
"type": "string" | |
}, | |
"recipientAccountId": { | |
"type": "string" | |
} | |
} | |
} | |
} | |
} |
Hey Aaron,
I was wondering how this has worked out for you, or if you've got it in production at all.
We had an index exceed 1000 fields today (allegedly, but unconfirmed, since everything seems fine now and it's the same index), so I was thinking about making some fields dynamic, as you have done with requestParameters.
requestParameters seems to add a lot of noise into the selection of terms in Kibana, but I'm not sure how essential these may be in order to support the kind of dashboarding we'd like to do, e.g. requestParameters.bucketName.keyword.
I can't find anything else online that comes close to this as a model solution for what I'm trying to achieve.
Cheers,