Initial support for Live Queries in Hunt

salt/logstash/pipelines/config/so/0008_input_fleet_livequery.conf.jinja

@@ -2,15 +2,17 @@
 {%- set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', '') %}
 {% set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %}
 
-## TO DO - Add this to Logstash Pipeline Pillar - Manager
-
 input {
 	redis {
 		host => '{{ MANAGER }}'
 		port => 6379
 		data_type => 'pattern_channel'
 		key => 'results_*'
-		type => 'osq'
+		type => 'live_query'
+        add_field => {
+        "module" => "osquery"
+          "dataset" => "live_query"
+          }        
 		threads => {{ THREADS }}
 		batch_count => {{ BATCH }}
 	}

salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja

@@ -5,7 +5,7 @@
 {%- endif %}
 {% set FEATURES = salt['pillar.get']('elastic:features', False) %}
 output {
-  if [module] =~ "osquery" {
+  if [module] =~ "osquery" and "live_query" not in [dataset] {
     elasticsearch {
       pipeline => "%{module}.%{dataset}" 
       hosts => "{{ ES }}"

salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja

@@ -5,28 +5,30 @@
 {%- endif %}
 {% set FEATURES = salt['pillar.get']('elastic:features', False) %}
 
-## TO DO - Add this to Logstash Pipeline Pillar - Search
-
 filter {
-  if [type] =~ "osq" {
+  if [type] =~ "live_query" {
 
+    mutate {
+        rename => {
+            "[host][hostname]" => "computer_name"
+        }
+    }
+
+ prune {
+        blacklist_names => ["host"]
+      }
+    
  split {
    field => "rows"
   }
- mutate {
-   rename => { 
-      "[rows][cmdline]" => "[process][commandline]"
-      "[rows][name]" => "[process][name]" 
-    }
-    }
  }
 }
 
 
 output {
-  if [type] =~ "osq" {
+  if [type] =~ "live_query" {
     elasticsearch {
-      pipeline => "common" 
+      pipeline => "osquery.live_query" 
       hosts => "{{ ES }}"
       index => "so-osquery"
       template_name => "so-osquery"