Dynamix Pipelines take 2

salt/elasticsearch/templates/so/so-common-template.json

@@ -1,5 +1,5 @@
 {
-  "index_patterns": ["so-grid-*","so-ids-*", "so-firewall-*", "so-syslog-*", "so-zeek-*", "so-import-*", "so-ossec-*", "so-strelka-*", "so-beats-*", "so-osquery-*","so-playbook-*"],
+  "index_patterns": ["so-*"],
   "version":50001,
   "order":10,
   "settings":{

salt/filebeat/securityoniondefaults.yaml

@@ -2,25 +2,30 @@
 {% set ZEEKLOGLOOKUP = {
     'conn': 'connection',
 } %}
-
 securityonion_filebeat:
   modules:
+  {%- if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone','so-node', 'so-hotnode', 'so-warmnode', 'so-heavynode']   %}
     elasticsearch:
       server:
         enabled: true
         var.paths: ["/logs/elasticsearch/*.log"]
-    kibana:
-      log:
-        enabled: true
-        var.paths: ["/logs/kibana/kibana.log"]
     logstash:
       log:
         enabled: true
         var.paths: ["/logs/logstash.log"]
+  {%- endif %}
+  {%- if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone'] %}
+    kibana:
+      log:
+        enabled: true
+        var.paths: ["/logs/kibana/kibana.log"]
+  {%- endif %}
+  {%- if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone', 'so-heavynode'] %}
     redis:
       log:
         enabled: true
         var.paths: ["/logs/redis.log"]
       slowlog:
         enabled: false
+  {%- endif %}
         

salt/logstash/pipelines/config/so/0009_input_beats.conf

@@ -6,6 +6,6 @@ input {
 }
 filter {
   mutate {
-    rename => {“@metadata” => “metadata”}
+    rename => {"@metadata" => "metadata"}
   }
 }