From 172c9e059384e610e54f79b015d2f18fdd7ac491 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Fri, 14 Dec 2018 18:00:19 +0000
Subject: [PATCH] Logstash - Wazuh parsing updates
---
 salt/logstash/files/dynamic/0006_input_beats.conf | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/salt/logstash/files/dynamic/0006_input_beats.conf b/salt/logstash/files/dynamic/0006_input_beats.conf
index bd41a3024..3d0306dd4 100644
--- a/salt/logstash/files/dynamic/0006_input_beats.conf
+++ b/salt/logstash/files/dynamic/0006_input_beats.conf
@@ -15,6 +15,7 @@ filter {
 remove_tag => ["beat"]
 add_field => { "sensor_name" => "%{[beat][name]}" }
 add_field => { "syslog-host_from" => "%{[beat][name]}" }
+ remove_field => [ "beat", "prospector", "input", "offset" ]
 }
 }
 if [type] =~ "ossec" {
@@ -22,6 +23,7 @@ filter {
 rename => { "host" => "beat_host" }
 remove_tag => ["beat"]
 add_field => { "syslog-host_from" => "%{[beat][name]}" }
+ remove_field => [ "beat", "prospector", "input", "offset" ]
 }
 }
 }
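Review bot: In both hunks the added `remove_field` drops `beat` inside the same `mutate` whose `add_field` lines interpolate `%{[beat][name]}`, so the block is correct only because Logstash applies `add_field` before `remove_field` once the filter succeeds. That ordering is implicit and deserves a comment above each new line, e.g. `# add_field is applied before remove_field, so %{[beat][name]} is still resolved`. As far as the second hunk shows, the `ossec` block keeps the shipper name only as `syslog-host_from`, with no `sensor_name`. Removing `beat` and `offset` also discards what are presumably the shipper's hostname and version and the position in the source file, which analysts may need when tracing a Wazuh alert back to the raw log line; if that provenance matters, copy the needed subfields to top-level fields before the removal. The first hunk's `mutate` block opens outside the hunk, so its enclosing condition is not visible here.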