Fix logscan pipeline on eval

* Rename logscan pipeline to logscan.alert * Add module to indices array in filebeat.yml
2025-12-06 09:12:45 +01:00 · 2021-07-30 14:41:15 -04:00
parent b9980c9d30
commit 33bd6aed20
3 changed files with 4 additions and 1 deletions
--- a/salt/elasticsearch/files/ingest/logscan.alert
+++ b/salt/elasticsearch/files/ingest/logscan.alert
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -307,6 +307,9 @@ output.elasticsearch:
    - index: "so-strelka"
      when.contains:
        module: "strelka"
+    - index: "so-logscan"
+      when.contains:
+        module: "logscan"
  
 setup.template.enabled: false
  {%- else %}
--- a/salt/logstash/pipelines/config/so/9800_output_logscan.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9800_output_logscan.conf.jinja
@@ -10,7 +10,7 @@ output {
  if [module] =~ "logscan" {
    elasticsearch {
      id => "logscan_pipeline"
-      pipeline => "logscan"
+      pipeline => "logscan.alert"
      hosts => "{{ ES }}"
    {% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
      user => "{{ ES_USER }}"