From 12d4d4a4f757bef7b6287958bba4c0847eb25dd2 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 10 Jun 2021 09:19:15 -0400
Subject: [PATCH] Dynamix Pipelines take 2
---
 .../templates/so/so-common-template.json | 2 +-
 salt/filebeat/securityoniondefaults.yaml | 15 ++++++++++-----
 .../pipelines/config/so/0009_input_beats.conf | 2 +-
 3 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/salt/elasticsearch/templates/so/so-common-template.json b/salt/elasticsearch/templates/so/so-common-template.json
index 54e786cdc..3e47fd780 100644
--- a/salt/elasticsearch/templates/so/so-common-template.json
+++ b/salt/elasticsearch/templates/so/so-common-template.json
@@ -1,5 +1,5 @@
 {
- "index_patterns": ["so-grid-*","so-ids-*", "so-firewall-*", "so-syslog-*", "so-zeek-*", "so-import-*", "so-ossec-*", "so-strelka-*", "so-beats-*", "so-osquery-*","so-playbook-*"],
+ "index_patterns": ["so-*"],
  "version":50001,
  "order":10,
  "settings":{
diff --git a/salt/filebeat/securityoniondefaults.yaml b/salt/filebeat/securityoniondefaults.yaml
index cd215e242..be4f81bd1 100644
--- a/salt/filebeat/securityoniondefaults.yaml
+++ b/salt/filebeat/securityoniondefaults.yaml
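Review bot: Widening `index_patterns` to `"so-*"` makes this template match every index whose name begins with `so-`, not only the log indices the old list enumerated, so any other index created under that prefix now inherits this template's `settings` (and presumably the mappings that follow below the hunk). Legacy templates are merged by `order`, so a narrower template at a higher order still wins on conflicting keys, but any template for a `so-<type>-*` pattern at order 10 or lower would now be overridden on overlap; worth confirming against the other templates in this directory before this lands. The template body continues outside the hunk.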
@@ -2,25 +2,30 @@
 {% set ZEEKLOGLOOKUP = {
   'conn': 'connection',
 } %}
-
 securityonion_filebeat:
   modules:
+    {%- if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone','so-node', 'so-hotnode', 'so-warmnode', 'so-heavynode'] %}
     elasticsearch:
       server:
         enabled: true
         var.paths: ["/logs/elasticsearch/*.log"]
-    kibana:
-      log:
-        enabled: true
-        var.paths: ["/logs/kibana/kibana.log"]
     logstash:
       log:
         enabled: true
         var.paths: ["/logs/logstash.log"]
+    {%- endif %}
+    {%- if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone'] %}
+    kibana:
+      log:
+        enabled: true
+        var.paths: ["/logs/kibana/kibana.log"]
+    {%- endif %}
+    {%- if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone', 'so-heavynode'] %}
     redis:
       log:
         enabled: true
         var.paths: ["/logs/redis.log"]
       slowlog:
         enabled: false
+    {%- endif %}
\ No newline at end of file
diff --git a/salt/logstash/pipelines/config/so/0009_input_beats.conf b/salt/logstash/pipelines/config/so/0009_input_beats.conf
index 31ba798c9..9ca55b184 100644
--- a/salt/logstash/pipelines/config/so/0009_input_beats.conf
+++ b/salt/logstash/pipelines/config/so/0009_input_beats.conf
@@ -6,6 +6,6 @@ input {
 }
 filter {
   mutate {
-    rename => {“@metadata” => “metadata”}
+    rename => {"@metadata" => "metadata"}
   }
 }
\ No newline at end of file
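Review bot: The three role lists are inline literals that overlap (the manager/eval/managersearch/standalone set is repeated in every condition), so the next change to the grid roles has to be made in three places and can silently drift; defining them once next to `ZEEKLOGLOOKUP`, e.g. `{% set MANAGER_ROLES = ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone'] %}`, and testing `grains['role'] in MANAGER_ROLES` would keep them in step. If the `role` grain can ever be absent on a minion, `grains['role']` fails the whole render with an undefined-variable error, whereas `grains.get('role')` would simply enable no modules, which is the safer failure for a log-shipper default. Minor: `'so-standalone','so-node'` in the first list lacks the space used everywhere else, and the file now ends at `{%- endif %}` with no trailing newline.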
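Review bot: The line now parses, but it still does not say why `@metadata` is renamed into an ordinary field: Logstash does not emit `@metadata` from outputs, so the rename is presumably what lets the beat and pipeline information reach Elasticsearch for the new dynamic routing; a one-line comment such as `# @metadata is not emitted by outputs; rename it so the beat fields persist into the event` would record that, and makes it visible that those fields are now indexed. Because the original defect was typographic quotes that a plain read of the file does not reveal, running `logstash --config.test_and_exit` over the pipeline directory in CI would catch this class of error before deployment. The `input` block starts before the hunk, and the file still has no trailing newline.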