From 2f517a6c8d36ebf1a0905fd82b26b8d01332b635 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 16 Oct 2018 16:46:04 -0400
Subject: [PATCH] Logstash Module - Change it to arrays
---
 salt/logstash/files/dynamic/0006_input_beats.conf | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/salt/logstash/files/dynamic/0006_input_beats.conf b/salt/logstash/files/dynamic/0006_input_beats.conf
index bdfa4eefc..46cb2e51f 100644
--- a/salt/logstash/files/dynamic/0006_input_beats.conf
+++ b/salt/logstash/files/dynamic/0006_input_beats.conf
@@ -11,18 +11,21 @@ input {
 filter {
 if "ids" in [tags] {
 mutate {
- add_field => {"sensor_name" => "%{beat.name}"}
- add_field => {"syslog-host_from" => "%{beat.hostname}"}
+ add_field => {"sensor_name" => "%{[beat][name]}"}
+ add_field => {"syslog-host_from" => "%{[beat][hostname]}"}
 remove_tag => ["beat"]
 rename => { "host" => "beat_host" }
- remove_field => ["beat.name", "beat.hostname"]
+ remove_field => ["[beat][name]", "[beat][hostname]"]
 }
 }
 if "bro" in [tags] {
 mutate {
+ add_field => {"sensor_name" => "%{[beat][name]}"}
+ add_field => {"syslog-host_from" => "%{[beat][hostname]}"}
 remove_tag => ["beat"]
 rename => { "host" => "beat_host" }
+ remove_field => ["[beat][name]", "[beat][hostname]"]
 }
 }
 }
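Review bot: In both mutate blocks the new `add_field` entries assume `[beat][name]` and `[beat][hostname]` are present; when a shipper does not send them, Logstash leaves the reference unresolved and `sensor_name` is stored as the literal text `%{[beat][name]}`, which breaks per-sensor searches and alert attribution. Guarding each mutate with a presence check such as `if [beat][name] and [beat][hostname] { ... }`, or tagging events where the fields are missing, would keep that case visible instead of silently indexing a placeholder. Both values are asserted by the sending host, so `sensor_name` is only as trustworthy as the authentication configured on the beats input, which sits outside this hunk. The "ids" and "bro" branches are now identical and could be a single `if "ids" in [tags] or "bro" in [tags] {` block with one `add_field` hash holding both keys.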