From 55b2f2211f0040f66c20058119c33dfa39744421 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 4 Oct 2018 14:23:30 -0400
Subject: [PATCH] Logstash Module - Update logstash output scripts
---
 .../files/dynamic/9500_output_beats.conf | 7 +++--
 .../files/dynamic/9600_output_ossec.conf | 26 +++++++++++++++++++
 2 files changed, 29 insertions(+), 4 deletions(-)
 create mode 100644 salt/logstash/files/dynamic/9600_output_ossec.conf
diff --git a/salt/logstash/files/dynamic/9500_output_beats.conf b/salt/logstash/files/dynamic/9500_output_beats.conf
index c2bfd529e..f2bbd1ecd 100644
--- a/salt/logstash/files/dynamic/9500_output_beats.conf
+++ b/salt/logstash/files/dynamic/9500_output_beats.conf
@@ -1,18 +1,18 @@
 {%- if grains['role'] != 'so-master' -%}
 {%- set ES = salt['pillar.get']('node:mainip', '') -%}
 # Author: Wes Lambert
-# Last Update: 12/11/2017
+# Last Update: 09/14/2018
 filter {
 if "beat" in [tags] {
 mutate {
- ##add_tag => [ "conf_file_9000"]
+ ##add_tag => [ "conf_file_9500"]
 }
 }
 }
 output {
 if "beat" in [tags] {
 elasticsearch {
- hosts => "{{ ES }}"
+ hosts => {{ ES }}
 index => "logstash-beats-%{+YYYY.MM.dd}"
 template_name => "logstash-beats"
 template => "/beats-template.json"
@@ -20,4 +20,3 @@ output {
 }
 }
 }
-{%- endif %}
diff --git a/salt/logstash/files/dynamic/9600_output_ossec.conf b/salt/logstash/files/dynamic/9600_output_ossec.conf
new file mode 100644
index 000000000..204718174
--- /dev/null
+++ b/salt/logstash/files/dynamic/9600_output_ossec.conf
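Review bot: The second hunk of 9500_output_beats.conf removes `{%- endif %}` while the first hunk keeps `{%- if grains['role'] != 'so-master' -%}` as line 1, so the Jinja guard is left unclosed and rendering this file on its own should fail with an unexpected-end-of-template error. If the dynamic/ files are concatenated before rendering and a closing tag lives in a later file, that dependency deserves a comment at the top of the file; the new 9600_output_ossec.conf opens the same guard on its first line and likewise never closes it. Separately, `hosts => {{ ES }}` in both files drops the quotes around the pillar value: unless `node:mainip` already renders as a quoted string or an array, a bare IP is not a valid Logstash value, and with the pillar default `''` the line renders as `hosts =>` with nothing after it. Keeping `hosts => "{{ ES }}"`, or guarding the output on `ES` being non-empty, would avoid shipping a config that fails at Logstash startup.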
@@ -0,0 +1,26 @@
+{%- if grains['role'] != 'so-master' -%}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 9/19/2018
+
+filter {
+ if [event_type] =~ "ossec" {
+ mutate {
+ ##add_tag => [ "conf_file_9600"]
+ }
+ }
+}
+
+output {
+ if [event_type] =~ "ossec" or "ossec" in [tags] {
+ elasticsearch {
+ hosts => {{ ES }}
+ index => "logstash-ossec-%{+YYYY.MM.dd}"
+ template_name => "logstash-ossec"
+ template => "/logstash-ossec-template.json"
+ template_overwrite => true
+ }
+ }
+}
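Review bot: The `filter` block in the new file is a no-op as written, because its only directive `##add_tag => [ "conf_file_9600"]` is commented out and an empty `mutate { }` changes nothing, so the block could be dropped until the tag is actually wanted. If the commented tag is kept on purpose as a troubleshooting hook, a one-line comment such as `# add_tag is disabled by default; uncomment to mark events that pass through this file` would make that explicit, since the same pattern is carried in 9500_output_beats.conf. Note also that `[event_type] =~ "ossec"` is an unanchored substring match, so any event_type containing "ossec" is routed to this output; if exact matching is intended, `[event_type] == "ossec"` is the narrower test.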