From 54c35cdc0dc1e9fb2ac0d35f65cef5009aed7d34 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Wed, 12 Dec 2018 20:51:41 +0000
Subject: [PATCH] Filebeat - Add Wazuh archive logs
---
 salt/filebeat/etc/filebeat.yml | 10 ++++++++++
 salt/filebeat/init.sls | 1 +
 2 files changed, 11 insertions(+)
diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index 342b925a0..4384d124e 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -47,6 +47,16 @@ filebeat.prospectors:
 fields_under_root: true
 clean_removed: false
 close_removed: false
+
+ - type: log
+ paths:
+ - /wazuh/archives/archives.json
+ fields:
+ type: ossec_archive
+ fields_under_root: true
+ clean_removed: false
+ close_removed: false
+
 {%- endif %}
 #----------------------------- Logstash output ---------------------------------
diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index 8b0ec3f4c..da8f0637c 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -62,6 +62,7 @@ so-filebeat:
 - /nsm/bro:/nsm/bro:ro
 - /opt/so/log/suricata:/suricata:ro
 - /opt/so/wazuh/logs/alerts/:/wazuh/alerts:ro
+ - /opt/so/wazuh/logs/archives/:/wazuh/archives:ro
 - /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro
 - /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro
 - /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro
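Review bot: The new `ossec_archive` prospector in the salt/filebeat/etc/filebeat.yml hunk ships Wazuh's archives.json, which holds every event the manager receives rather than only alerts, and nothing in the hunk records that or the condition under which the file exists. Wazuh writes that file only when `logall_json` is enabled, so a comment above the entry would help, for example `# Wazuh archives.json: all received events, not only alerts; present only when logall_json is enabled`. Because raw events can carry usernames, command lines and other sensitive fields, access to wherever this type is stored presumably needs to be at least as tight as for the alerts data. The commit touches only the Filebeat config and the container binds, so it is worth confirming that the Logstash side has a pipeline for `type: ossec_archive`; that is not visible here. The prospector list and the conditional closed by `{%- endif %}` both start outside the hunk.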