Move osquery parsers from custom to dynamic

salt/logstash/files/dynamic/7100_osquery_wel.conf

@@ -0,0 +1,23 @@
+# Author: Josh Brower
+# Last Update: 12/28/2018
+# If log is tagged osquery and there is an eventid column - then cleanup and parse out the EventData column
+
+filter {
+  if "osquery" in [tags] and [osquery][columns][eventid] {
+
+        mutate {
+     gsub => ["[osquery][columns][data]", "\\x0A", ""]
+    }
+
+        json {
+      source => "[osquery][columns][data]"
+      target => "[osquery][columns][data]"
+     }
+
+        mutate {
+     merge => { "[osquery][columns]" => "[osquery][columns][data]" }
+     remove_field => ["[osquery][columns][data]"]
+        }
+
+  }
+}

salt/logstash/files/dynamic/9100_output_osquery.conf

@@ -0,0 +1,19 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Josh Brower
+# Last Update: 12/29/2018
+# Output to ES for osquery tagged logs
+
+
+output {
+  if "osquery" in [tags] {
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-osquery-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}