diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index 31a5b3503..67fd596c5 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -80,7 +80,7 @@ output.logstash:
   enabled: true
 
   # The Logstash hosts
-  hosts: ["{{ MASTER }}:5044"]
+  hosts: ["{{ MASTER }}:5644"]
 
   # Number of workers per Logstash host.
   worker: 1
diff --git a/salt/logstash/files/dynamic/0006_input_hhbeats.conf b/salt/logstash/files/dynamic/0006_input_hhbeats.conf
new file mode 100644
index 000000000..6b7667f5c
--- /dev/null
+++ b/salt/logstash/files/dynamic/0006_input_hhbeats.conf
@@ -0,0 +1,40 @@
+input {
+  beats {
+    port => "5644"
+    ssl => true
+    ssl_certificate_authorities => ["/usr/share/filebeat/ca.crt"]
+    ssl_certificate => "/usr/share/logstash/filebeat.crt"
+    ssl_key => "/usr/share/logstash/filebeat.key"
+    tags => [ "beat" ]
+  }
+}
+filter {
+  if [type] == "ids" or [type] =~ "bro" {
+    mutate {
+      rename => { "host" => "beat_host" }
+      remove_tag => ["beat"]
+      add_field => { "sensor_name" => "%{[beat][name]}" }
+      add_field => { "syslog-host_from" => "%{[beat][name]}" }
+      remove_field => [ "beat", "prospector", "input", "offset" ]
+    }
+  }
+  if [type] =~ "ossec" {
+    mutate {
+      rename => { "host" => "beat_host" }
+      remove_tag => ["beat"]
+      add_field => { "syslog-host_from" => "%{[beat][name]}" }
+      remove_field => [ "beat", "prospector", "input", "offset" ]
+    }
+  }
+  if [type] == "osquery" {
+    mutate {
+      rename => { "host" => "beat_host" }
+      remove_tag => ["beat"]
+      add_tag => ["osquery"]
+    }
+    json {
+      source => "message"
+      target => "osquery"
+    }
+  }
+}
diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls
index eff920150..4e7e441a8 100644
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
@@ -163,6 +163,7 @@ so-logstash:
     - port_bindings:
       - 0.0.0.0:514:514
       - 0.0.0.0:5044:5044
+      - 0.0.0.0:5644:5644
       - 0.0.0.0:6050:6050
       - 0.0.0.0:6051:6051
       - 0.0.0.0:6052:6052
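Review bot: The new `hosts` value points Filebeat at a Logstash beats input that is created with `ssl => true` in this same commit, so the `output.logstash` section also needs the matching `ssl.certificate_authorities` (plus `ssl.certificate` and `ssl.key` if the server is to verify the client); those keys are outside this hunk, so confirm they are present, otherwise Filebeat will attempt a plaintext connection to 5644 and the handshake will fail. The `# The Logstash hosts` comment no longer explains why the port differs from the beats default; something like `# The Logstash hosts (TLS beats input defined in logstash 0006_input_hhbeats.conf)` records the pairing for the next person who touches either file.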
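Review bot: The beats input enables TLS and lists a CA, but `ssl_verify_mode` is not set and the Logstash beats input defaults it to `none`, so client certificates are never requested and `ssl_certificate_authorities` has no effect: any host that can reach port 5644 can submit events, and the filters below then trust the client-supplied `%{[beat][name]}` for `sensor_name` and `syslog-host_from`. If mutual TLS is the intent, add `ssl_verify_mode => "force_peer"` after `ssl_certificate_authorities`. The CA path `/usr/share/filebeat/ca.crt` sits under a filebeat directory while the cert and key are under `/usr/share/logstash/`; presumably it is mounted into the logstash container, which is worth confirming in the state file. Separately, the first `mutate` specifies `add_field` twice; folding both keys into a single `add_field => { "sensor_name" => "%{[beat][name]}", "syslog-host_from" => "%{[beat][name]}" }` avoids depending on the config parser merging duplicate attributes.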
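Review bot: The added `0.0.0.0:5644:5644` binding publishes the new beats input on every host interface, matching the surrounding bindings, which means the only access control on that listener is the TLS configuration in the input file itself; the binding is fine once client verification is enforced there. The existing `0.0.0.0:5044:5044` binding is kept while Filebeat is moved off that port in the same commit; if no other Logstash input still listens on 5044 (none is visible in this diff), it is now an exposed port with nothing behind it and could be dropped, so it is worth checking the other input configs before merging.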