From 712a92aa39e443ba67b5ec9dc2c10b7011b4bfc2 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Thu, 17 Mar 2022 21:18:03 -0400
Subject: [PATCH] Switch from log input to filestream input
---
 salt/filebeat/etc/filebeat.yml | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index e29b1a583..b918fa7d2 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -113,7 +113,7 @@ filebeat.inputs:
 fields_under_root: true
 {%- if grains['role'] in ['so-eval', 'so-standalone', 'so-manager', 'so-managersearch', 'so-import'] %}
-- type: log
+- type: filestream
 paths:
 - /logs/logscan/alerts.log
 fields:
@@ -130,7 +130,7 @@ filebeat.inputs:
 {%- if grains['role'] in ['so-eval', 'so-standalone', 'so-sensor', 'so-helix', 'so-heavynode', 'so-import'] %}
 {%- if ZEEKVER != 'SURICATA' %}
 {%- for LOGNAME in salt['pillar.get']('zeeklogs:enabled', '') %}
-- type: log
+- type: filestream
 paths:
 - /nsm/zeek/logs/current/{{ LOGNAME }}.log
 fields:
@@ -145,7 +145,7 @@ filebeat.inputs:
 clean_removed: true
 close_removed: false
-- type: log
+- type: filestream
 paths:
 - /nsm/import/*/zeek/logs/{{ LOGNAME }}.log
 fields:
@@ -169,7 +169,7 @@ filebeat.inputs:
 {%- endfor %}
 {%- endif %}
-- type: log
+- type: filestream
 paths:
 - /nsm/suricata/eve*.json
 fields:
@@ -185,7 +185,7 @@ filebeat.inputs:
 clean_removed: false
 close_removed: false
-- type: log
+- type: filestream
 paths:
 - /nsm/import/*/suricata/eve*.json
 fields:
@@ -207,7 +207,7 @@ filebeat.inputs:
 clean_removed: false
 close_removed: false
 {%- if STRELKAENABLED == 1 %}
-- type: log
+- type: filestream
 paths:
 - /nsm/strelka/log/strelka.log
 fields:
@@ -228,7 +228,7 @@ filebeat.inputs:
 {%- if WAZUHENABLED == 1 %}
-- type: log
+- type: filestream
 paths:
 - /wazuh/archives/archives.json
 fields:
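Review bot: The new `- type: filestream` entry in this hunk, and the same entries in every other hunk of the file, carry no `id`, and Filebeat expects each filestream input to have a unique one; add one such as `id: logscan-alerts` here, and inside the `{%- for LOGNAME %}` loop at @@ -130 and @@ -145 make it per-iteration, e.g. `id: zeek-{{ LOGNAME }}`. Without distinct ids the inputs share registry state and, depending on the Filebeat release, the agent either warns or refuses to start a second input with the same (empty) id, so events can be lost or duplicated. The context lines at @@ -145, @@ -185 and @@ -207 also still show `close_removed: false` on inputs that are now filestream; that is a log-input option whose filestream form is `close.on_state_change.removed: false`, so the remainder of each input body, which lies outside these hunks, should be checked for other log-only keys. Every input definition here continues past the end of its hunk.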
@@ -246,7 +246,7 @@ filebeat.inputs:
 {%- if FLEETMANAGER or FLEETNODE %}
-- type: log
+- type: filestream
 paths:
 - /nsm/osquery/fleet/result.log
 fields:
@@ -265,7 +265,7 @@ filebeat.inputs:
 {%- endif %}
 {%- if grains['role'] in ['so-eval', 'so-standalone', 'so-manager', 'so-managersearch', 'so-import'] %}
-- type: log
+- type: filestream
 paths:
 - /logs/kratos/kratos.log
 fields:
@@ -295,7 +295,7 @@ filebeat.inputs:
 {%- endif %}
 {%- if grains.role == 'so-idh' %}
-- type: log
+- type: filestream
 paths:
 - /nsm/idh/opencanary.log
 fields:
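Review bot: Changing these inputs (and those at @@ -113 through @@ -228) from `log` to `filestream` does not carry over the log input's registry offsets, because filestream keeps its own state entries, so on the first restart after this lands files such as `/logs/kratos/kratos.log` and `/nsm/idh/opencanary.log` are read again from the beginning and already-indexed events are re-sent unless a state-migration step is planned. That re-ingest produces duplicate alerts and audit records downstream, which is worth calling out in the commit description or handled with a one-time registry migration. If any of these inputs set the log input's `json.*` options further down in their bodies (outside the hunk), those must move under a `parsers: - ndjson:` block for filestream, otherwise the lines arrive unparsed. Each input definition continues beyond the hunk.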