Tighten & Document Pipelines

salt/logstash/defaults.yaml

@@ -21,21 +21,21 @@ logstash:
         - fleet
   defined_pipelines:
     fleet:
-      - so/0012_input_elastic_agent.conf     
+      - so/0012_input_elastic_agent.conf     # Logs from agents
-      - so/9806_output_lumberjack_fleet.conf.jinja
+      - so/9806_output_lumberjack_fleet.conf.jinja # Logstash to Logstash Output
     manager:
       - so/0011_input_endgame.conf
-      - so/0012_input_elastic_agent.conf
+      - so/0012_input_elastic_agent.conf # Logs from agents
-      - so/0013_input_lumberjack_fleet.conf
+      - so/0013_input_lumberjack_fleet.conf # Logstash to Logstash Input
       - so/9999_output_redis.conf.jinja        
     receiver:
       - so/0011_input_endgame.conf
-      - so/0012_input_elastic_agent.conf
+      - so/0012_input_elastic_agent.conf # Logs from agents
-      - so/0013_input_lumberjack_fleet.conf
+      - so/0013_input_lumberjack_fleet.conf # Logstash to Logstash Input
       - so/9999_output_redis.conf.jinja
     search:
       - so/0900_input_redis.conf.jinja
-      - so/9805_output_elastic_agent.conf.jinja
+      - so/9805_output_elastic_agent.conf.jinja # Elastic Agent data Output to ES (Final)
       - so/9900_output_endgame.conf.jinja
     custom0: []
     custom1: []

salt/logstash/pipelines/config/so/0013_input_lumberjack_fleet.conf

@@ -1,7 +1,7 @@
 input {
   elastic_agent {
     port => 5056
-    tags => [ "elastic-agent" ]
+    tags => [ "elastic-agent", "fleet-lumberjack-input" ]
     ssl => true
     ssl_certificate => "/usr/share/logstash/elasticfleet-lumberjack.crt"
     ssl_key => "/usr/share/logstash/elasticfleet-lumberjack.key"
@@ -10,9 +10,13 @@ input {
     codec => "json"
   }
 }
+
+
 filter {
+  if "fleet-lumberjack-input" in [tags] {
   mutate {
     rename => {"@metadata" => "metadata"}
   }
 }
+}