Creating an Index Template
HCP provides index templates for three sensors: Bro, Snort, and YAF. To create an index template for a different sensor it is easiest to use one of the existing templates as a boilerplate.
You can use several methods to communicate with the Index. The two most common methods are an API toolchain like Postman and a comand line tool for transferring data like cURL.
![[Note]](../common/images/admon/note.png) | Note |
|---|---|
You will need to update the Index template after you add or change enrichments for a data source. |
Ingest data from the sensor for which you are creating an index template.
Review the output from Elasticsearch and identify data that needs to be filtered differently.
Find one of the index templates provided by HCP:
GET /templates
Rename the index template to a name appropriate to the sensor to which it applies by changing the "template" name.
For example:
"template": "activedirectory_index*",
Begin making changes to the index template to produce some meaningful output.
Review the properties section field types.
This section of the index template contains information that many sensors use.
The following is an example of an index template for a new sensor called 'sensor1'.
The template applies to any indices that are named sensor1_index*.
The index has one document type that must be named sensor1_doc.
The index is expected to contain timestamps.
The properties section defines the types of each field. This example defines the five common fields that most sensors contain.
curl -XPOST $SEARCH_HOST:$SEARCH_PORT/_template/$DATASOURCE_index -d ' { "template": "sensor1_index*", "mappings": { "sensor1_doc": { "_timestamp": { "enabled": true }, "properties": { "timestamp": { "type": "date", "format": "epoch_millis" }, "ip_src_addr": { "type": "ip" }, "ip_src_port": { "type": "integer" }, "ip_dst_addr": { "type": "ip" }, "ip_dst_port": { "type": "integer" } } } } }Additional fields can be added following the five that are already defined.
Now move on to the status portion of the file.
By default, Elasticsearch will attempt to analyze all fields of type string. This means that Elasticsearch will tokenize the string and perform additional processing to enable free-form text search. In many cases, you want to treat each of the string fields as enumerations. This is why most fields in the index template are `not_analyzed`.
You can also use aliases. …...
Post the new index template to the Index with the following command:
PUT _template
An index template will only apply for indices that are created after the template is created. Delete the existing indices for the new data source so that new ones can be generated with the index template.
curl -XDELETE $SEARCH_HOST:9200/$DATSOURCE*
Wait for the new data source index to be re-created. This might take a minute or two based on how fast the new data source data is being consumed in your environment.
curl -XGET $SEARCH_HOST:9200/$DATASOURCE*