From 1917b469ecd025815183ad564800b7bd5f126b09 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Fri, 28 Dec 2018 13:55:02 -0500
Subject: [PATCH] osquery-tagged logs output to ES

---
 .../custom/parsers/9100_output_osquery.conf | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 salt/logstash/files/custom/parsers/9100_output_osquery.conf

diff --git a/salt/logstash/files/custom/parsers/9100_output_osquery.conf b/salt/logstash/files/custom/parsers/9100_output_osquery.conf
new file mode 100644
index 000000000..59c16347b
--- /dev/null
+++ b/salt/logstash/files/custom/parsers/9100_output_osquery.conf
@@ -0,0 +1,19 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Josh Brower
+# Last Update: 12/28/2018
+# Output to ES for osquery tagged logs
+
+
+output {
+ if "osquery" in [tags] {
+ elasticsearch {
+ hosts => "{{ ES }}"
+ index => "logstash-osquery-%{+YYYY.MM.dd}"
+ template => "/logstash-template.json"
+ }
+ }
+}
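Review bot: Both `pillar.get` calls default `ES` to an empty string, so when `master:mainip` or `node:mainip` is unset the template still renders and Logstash is handed `hosts => ""`; the failure then surfaces only as an output that never ships osquery events, which is easy to miss in a detection pipeline. A guard before `output {` that fails the render when `ES` is empty would turn this into a loud state error, and a comment such as `# Requires the mainip pillar for this role; an empty ES silently disables this output` would document the dependency. Minor: the `{%- else %}` line lacks the trailing `-` that the other control tags carry, so whitespace handling differs between the two branches, presumably without effect on the rendered config.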