Filebeat Module - Change port for internal filebeat traffic

salt/filebeat/etc/filebeat.yml

@@ -80,7 +80,7 @@ output.logstash:
   enabled: true
 
   # The Logstash hosts
-  hosts: ["{{ MASTER }}:5044"]
+  hosts: ["{{ MASTER }}:5644"]
 
   # Number of workers per Logstash host.
   worker: 1

salt/logstash/files/dynamic/0006_input_hhbeats.conf

@@ -0,0 +1,40 @@
+input {
+  beats {
+    port => "5644"
+    ssl => true
+    ssl_certificate_authorities => ["/usr/share/filebeat/ca.crt"]
+    ssl_certificate => "/usr/share/logstash/filebeat.crt"
+    ssl_key => "/usr/share/logstash/filebeat.key"
+    tags => [ "beat" ]
+  }
+}
+filter {
+  if [type] == "ids" or [type] =~ "bro" {
+    mutate {
+      rename => { "host" => "beat_host" }
+      remove_tag => ["beat"]
+      add_field => { "sensor_name" => "%{[beat][name]}" }
+      add_field => { "syslog-host_from" => "%{[beat][name]}" }
+      remove_field => [ "beat", "prospector", "input", "offset" ]
+    }
+  }
+  if [type] =~ "ossec" {
+    mutate {
+      rename => { "host" => "beat_host" }
+      remove_tag => ["beat"]
+      add_field => { "syslog-host_from" => "%{[beat][name]}" }
+      remove_field => [ "beat", "prospector", "input", "offset" ]
+    }
+   }
+    if [type] == "osquery" {
+    mutate {
+      rename => { "host" => "beat_host" }
+      remove_tag => ["beat"]
+      add_tag => ["osquery"]
+        	}
+   json {
+    source => "message"
+    target => "osquery"
+        }
+  }
+}

salt/logstash/init.sls

@@ -163,6 +163,7 @@ so-logstash:
     - port_bindings:
       - 0.0.0.0:514:514
       - 0.0.0.0:5044:5044
+      - 0.0.0.0:5644:5644
       - 0.0.0.0:6050:6050
       - 0.0.0.0:6051:6051
       - 0.0.0.0:6052:6052