From 10e4248cfc344561f50376f0cbad9e85871fc778 Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Mon, 19 Oct 2020 16:10:20 -0400
Subject: [PATCH] and node that gets filebeat state now can listen for syslog -
 https://github.com/Security-Onion-Solutions/securityonion/issues/1551

---
 salt/filebeat/etc/filebeat.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index 0ba7720fc..3587b6ffd 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -74,7 +74,6 @@ filebeat.modules:
 # List of prospectors to fetch data.
 filebeat.inputs:
 #------------------------------ Log prospector --------------------------------
-{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-sensor',  'so-helix', 'so-heavynode', 'so-import'] %}
 - type: udp
   enabled: true
   host: "0.0.0.0:514"
@@ -100,6 +99,8 @@ filebeat.inputs:
   - drop_fields:
       fields: ["source", "prospector", "input", "offset", "beat"]
   fields_under_root: true
+
+{%- if grains['role'] in ['so-eval', 'so-standalone', 'so-sensor',  'so-helix', 'so-heavynode', 'so-import'] %}
   {%- if ZEEKVER != 'SURICATA' %}
     {%- for LOGNAME in salt['pillar.get']('zeeklogs:enabled', '')  %}
 - type: log