From 44eed120cb1d7bf39da942a4133ac4b4a2391fc1 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Fri, 28 Dec 2018 13:49:53 -0500 Subject: [PATCH] add osquery logs if fleet is enabled --- salt/filebeat/etc/filebeat.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index b7ab91e12..738f87f40 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml @@ -2,6 +2,7 @@ {%- set HOSTNAME = salt['grains.get']('host', '') %} {%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %} {%- set WAZUHENABLED = salt['pillar.get']('static:wazuh_enabled', '1') %} +{%- set FLEETENABLED = salt['pillar.get']('static:fleet_enabled', '1') %} name: {{ HOSTNAME }} @@ -61,6 +62,18 @@ filebeat.prospectors: {%- endif %} +{%- if FLEETENABLED == '1' %} + + - type: log + paths: + - /osquery/logs/result.log + fields: + type: osquery + fields_under_root: true + clean_removed: false + close_removed: false + +{%- endif %} #----------------------------- Logstash output --------------------------------- output.logstash: # Boolean flag to enable or disable the output module.
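Review bot: The new `FLEETENABLED` line defaults to the string `'1'` and the guard in the second hunk tests `FLEETENABLED == '1'`, so a pillar that stores `fleet_enabled: 1` unquoted would presumably come back as an integer and fail the comparison. The osquery input would then drop out of the rendered config with no error, leaving a quiet gap in endpoint telemetry. Normalising at the test avoids that: `{%- if FLEETENABLED|string == '1' %}`. The default also enables the input on every host whose pillar lacks the key; if that is intended, a short Jinja comment such as `{#- fleet_enabled defaults to on when the pillar key is absent -#}` would record it.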
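Review bot: `clean_removed: false` and `close_removed: false` on the new osquery input carry no comment, and both differ from Filebeat's defaults. With `close_removed` off, the harvester keeps its handle on a deleted or rotated `result.log` until another close option fires, and with `clean_removed` off the registry entry for a removed file persists. The two must stay disabled together, so it is worth stating that and the reason next to them, for example `# keep harvester/registry state if result.log is removed and recreated; clean_removed must stay off while close_removed is off`. Only `/osquery/logs/result.log` is collected; if Fleet writes a status log in the same directory, it is not shipped by this input.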