From 09022ad7523d88bdad548962a8b679134c27c1a6 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Wed, 1 Apr 2020 19:11:10 +0000
Subject: [PATCH] Update Zeek and Strelka

---
 .../pipelines/config/so/9100_output_osquery.conf.jinja | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja b/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja
index ca9c90215..d09aae10b 100644
--- a/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja
@@ -9,11 +9,12 @@ output {
- if "osquery" in [tags] {
+ if [module] =~ "osquery" {
 elasticsearch {
+ pipeline => "%{module}.%{dataset}"
 hosts => "{{ ES }}"
 index => "so-osquery-%{+YYYY.MM.dd}"
 template => "/so-common-template.json"
 }
 }
-}
\ No newline at end of file
+}
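Review bot: The new guard `if [module] =~ "osquery"` is an unanchored regex, so any module value that merely contains "osquery" is routed to this output, whereas the removed `"osquery" in [tags]` test was an exact membership check; `if [module] == "osquery" {` (or `=~ /^osquery$/`) keeps the original precision. The added `pipeline => "%{module}.%{dataset}"` builds the Elasticsearch ingest-pipeline name from event fields, and if I recall Logstash's sprintf behaviour correctly an event lacking [dataset] is sent with the literal `%{dataset}` in the pipeline name, which Elasticsearch rejects as an unknown pipeline, so those events fail to index rather than fall back to the plain template; guarding with `if [module] == "osquery" and [dataset] {` would avoid that. Because [dataset] comes from the event itself, whatever produces these events can pick any ingest pipeline named `osquery.<value>`, which deserves a comment next to the new line unless the field is normalized by an earlier filter. The commit subject "Update Zeek and Strelka" does not describe this osquery-output change.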