From 5a985736e5ef08ecd0bd16a461a8e719527b58e0 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 9 Apr 2020 11:49:38 -0400
Subject: [PATCH] Disable Strelka for all things
---
 salt/filebeat/etc/filebeat.yml | 39 +++++++++++++++++----------------
 1 file changed, 20 insertions(+), 19 deletions(-)
diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index 8e6193b42..7fa8dab3e 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -110,6 +110,26 @@ filebeat.inputs:
 fields_under_root: true
 clean_removed: false
 close_removed: false
+
+ {%- if STRELKAENABLED == '1' %}
+
+ - type: log
+ paths:
+ - /nsm/strelka/log/strelka.log
+ fields:
+ module: strelka
+ category: file
+ dataset: file
+
+ processors:
+ - drop_fields:
+ fields: ["source", "prospector", "input", "offset", "beat"]
+
+ fields_under_root: true
+ clean_removed: false
+ close_removed: false
+
+ {%- endif %}
 {%- endif %}
 {%- if WAZUHENABLED == '1' %}
@@ -160,25 +180,6 @@ filebeat.inputs:
 {%- endif %}
-{%- if STRELKAENABLED == '1' %}
-
- - type: log
- paths:
- - /nsm/strelka/log/strelka.log
- fields:
- module: strelka
- category: file
- dataset: file
-
- processors:
- - drop_fields:
- fields: ["source", "prospector", "input", "offset", "beat"]
-
- fields_under_root: true
- clean_removed: false
- close_removed: false
-
-{%- endif %}
 #----------------------------- Elasticsearch/Logstash output ---------------------------------
 {%- if grains['role'] == "so-eval" %}
 output.elasticsearch:
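Review bot: In the first hunk (`@@ -110,6 +110,26 @@`) the Strelka input is now rendered only when both `STRELKAENABLED == '1'` and the enclosing `{%- if %}` hold, and that outer condition opens above the hunk, so the nodes it excludes cannot be seen from here. On any node where Strelka runs but the outer test is false, `/nsm/strelka/log/strelka.log` would no longer be shipped and nothing in the rendered config would show it, which is a quiet loss of file-analysis telemetry. If that is intended, record it next to the new test, e.g. `{# Strelka log is shipped only where the enclosing block is rendered; STRELKAENABLED alone is not sufficient #}`, and label the two consecutive closers, e.g. `{%- endif %}{# STRELKAENABLED #}`. It is also worth confirming that the value reaches the template as the string `'1'`, since an integer would presumably make the comparison false and skip the input the same way.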