From 31edf2e8ea3c31f144500e6a39e3a7930be9ca79 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Mon, 10 Jul 2023 14:17:42 -0400
Subject: [PATCH] Tighten & Document Pipelines
---
 salt/logstash/defaults.yaml | 14 +++++++-------
 .../config/so/0013_input_lumberjack_fleet.conf | 6 +++++-
 2 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/salt/logstash/defaults.yaml b/salt/logstash/defaults.yaml
index 574a4f826..da141b7d2 100644
--- a/salt/logstash/defaults.yaml
+++ b/salt/logstash/defaults.yaml
@@ -21,21 +21,21 @@ logstash:
 - fleet
 defined_pipelines:
 fleet:
- - so/0012_input_elastic_agent.conf
- - so/9806_output_lumberjack_fleet.conf.jinja
+ - so/0012_input_elastic_agent.conf # Logs from agents
+ - so/9806_output_lumberjack_fleet.conf.jinja # Logstash to Logstash Output
 manager:
 - so/0011_input_endgame.conf
- - so/0012_input_elastic_agent.conf
- - so/0013_input_lumberjack_fleet.conf
+ - so/0012_input_elastic_agent.conf # Logs from agents
+ - so/0013_input_lumberjack_fleet.conf # Logstash to Logstash Input
 - so/9999_output_redis.conf.jinja
 receiver:
 - so/0011_input_endgame.conf
- - so/0012_input_elastic_agent.conf
- - so/0013_input_lumberjack_fleet.conf
+ - so/0012_input_elastic_agent.conf # Logs from agents
+ - so/0013_input_lumberjack_fleet.conf # Logstash to Logstash Input
 - so/9999_output_redis.conf.jinja
 search:
 - so/0900_input_redis.conf.jinja
- - so/9805_output_elastic_agent.conf.jinja
+ - so/9805_output_elastic_agent.conf.jinja # Elastic Agent data Output to ES (Final)
 - so/9900_output_endgame.conf.jinja
 custom0: []
 custom1: []
diff --git a/salt/logstash/pipelines/config/so/0013_input_lumberjack_fleet.conf b/salt/logstash/pipelines/config/so/0013_input_lumberjack_fleet.conf
index af42c86fb..0377a81c4 100644
--- a/salt/logstash/pipelines/config/so/0013_input_lumberjack_fleet.conf
+++ b/salt/logstash/pipelines/config/so/0013_input_lumberjack_fleet.conf
@@ -1,7 +1,7 @@ input { elastic_agent { port => 5056 - tags => [ "elastic-agent" ] + tags => [ "elastic-agent", "fleet-lumberjack-input" ] ssl => true ssl_certificate => "/usr/share/logstash/elasticfleet-lumberjack.crt" ssl_key => "/usr/share/logstash/elasticfleet-lumberjack.key" @@ -10,9 +10,13 @@ input { codec => "json" } } + + filter { + if "fleet-lumberjack-input" in [tags] { mutate { rename => {"@metadata" => "metadata"} } } +}
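Review bot: The `fleet-lumberjack-input` tag added on the `tags` line is the only thing the new filter keys on, so it deserves a short comment saying so, e.g. `# marks events forwarded by fleet-node Logstash; matched by the filter below`. The tag records which listener accepted the event, not who sent it; that depends on the listener's client-certificate settings. Lines 8–9 of the file fall between the two hunks, so it is not visible here whether `ssl_certificate_authorities` and `ssl_verify_mode => "force_peer"` are set. Please confirm they are, since with `ssl => true` alone port 5056 would accept any TLS client.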
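Review bot: The condition `"fleet-lumberjack-input" in [tags]` in the new `filter` block matches any event carrying that tag, not only events received on this input. defaults.yaml loads `so/0012_input_elastic_agent.conf` into the same manager and receiver pipelines, so an agent event whose payload already contains the tag would presumably be renamed as well. After the rename, `metadata` is an ordinary field: unlike `@metadata` it is serialized by outputs and holds whatever the sender supplied, so later stages should validate it before using it for routing. The commit documents the pipeline list but not this filter; a comment above it would help, e.g. `# @metadata is not serialized between Logstash nodes; keep it as a regular field for later stages` (wording for the author to confirm). The hunk also does not show what happens when the event already has a `metadata` field.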