From 41e9c4c7e0caf0fbe3fe3860d740c8510179cbfe Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Wed, 12 Dec 2018 20:52:18 +0000
Subject: [PATCH] Logstash - Alter input for Wazuh logs
---
 salt/logstash/files/dynamic/0006_input_beats.conf | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/salt/logstash/files/dynamic/0006_input_beats.conf b/salt/logstash/files/dynamic/0006_input_beats.conf
index b263e611b..bd41a3024 100644
--- a/salt/logstash/files/dynamic/0006_input_beats.conf
+++ b/salt/logstash/files/dynamic/0006_input_beats.conf
@@ -9,7 +9,7 @@ input {
 }
 }
 filter {
- if [type] == "ids" {
+ if [type] == "ids" or [type] =~ "bro" {
 mutate {
 rename => { "host" => "beat_host" }
 remove_tag => ["beat"]
@@ -17,11 +17,10 @@ filter {
 add_field => { "syslog-host_from" => "%{[beat][name]}" }
 }
 }
- if "bro" in [tags] {
+ if [type] =~ "ossec" {
 mutate {
 rename => { "host" => "beat_host" }
 remove_tag => ["beat"]
- add_field => { "sensor_name" => "%{[beat][name]}" }
 add_field => { "syslog-host_from" => "%{[beat][name]}" }
 }
 }
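Review bot: `[type] =~ "bro"` in the first conditional is an unanchored regex match, so any event whose `type` merely contains `bro` takes this branch; the same holds for `[type] =~ "ossec"` in the second hunk. On a beats input the `type` value presumably comes from the shipping agent rather than from this pipeline, so the routing is only as strict as the pattern. If the expected values share a known prefix, anchor both patterns, e.g. `if [type] == "ids" or [type] =~ /^bro/ {` and `if [type] =~ /^ossec/ {`, or use `==` where the value is exact. The mutate block this conditional guards continues outside the hunk.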
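Review bot: With `if "bro" in [tags]` replaced by a type match, an event that carries the `bro` tag but whose `type` does not contain `bro` no longer reaches either branch, so it keeps its original `host` field and gets no `syslog-host_from` from this filter. Whether any shipper still sends that combination is not visible here; if one might, keep the tag test as a fallback in the first conditional, `if [type] == "ids" or [type] =~ "bro" or "bro" in [tags] {`. The new ossec branch also omits `sensor_name`; if that is deliberate, a one-line comment above the branch such as `# ossec/Wazuh events: no sensor_name, host is recorded in syslog-host_from` would stop a later edit from re-adding it.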