From 884cc2d054b6e366e2625fb0c6201bcac4ecded5 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Mon, 12 Oct 2020 15:41:47 +0000
Subject: [PATCH 1/2] Don't predefine index date for Logstash outputs
---
 salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja | 2 +-
 salt/logstash/pipelines/config/so/9002_output_import.conf.jinja | 2 +-
 salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja | 2 +-
 salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja | 2 +-
 salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja | 2 +-
 .../logstash/pipelines/config/so/9100_output_osquery.conf.jinja | 2 +-
 .../pipelines/config/so/9200_output_firewall.conf.jinja | 2 +-
 .../pipelines/config/so/9400_output_suricata.conf.jinja | 2 +-
 salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja | 2 +-
 salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja | 2 +-
 .../logstash/pipelines/config/so/9700_output_strelka.conf.jinja | 2 +-
 11 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja b/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja
index 2a3babcbd..d1764eecc 100644
--- a/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja
@@ -9,7 +9,7 @@ output {
 elasticsearch {
 pipeline => "%{module}.%{dataset}"
 hosts => "{{ ES }}"
- index => "so-zeek-%{+YYYY.MM.dd}"
+ index => "so-zeek"
 template_name => "so-zeek"
 template => "/templates/so-zeek-template.json"
 template_overwrite => true
diff --git a/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja b/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja
index fdb969865..35900471e 100644
--- a/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja
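Review bot: Dropping the date suffix makes `so-zeek` the literal write target for every event, so unless something outside this patch bootstraps `so-zeek` as a rollover alias (with an initial backing index flagged as the write index) before the first event arrives, Elasticsearch would be expected to auto-create a plain, ever-growing index named `so-zeek`, after which creating an alias of that name fails on the name conflict. The same point applies to the ten other Logstash output hunks in this patch (so-import, so-flow, so-ids in both the snort and suricata files, so-syslog, so-osquery, so-firewall, so-beats, so-ossec, so-strelka) and to the `index:` hunks in filebeat.yml in PATCH 2/2. Two things are worth confirming in the commit: that each `/templates/so-*-template.json` loaded here with `template_overwrite => true` has an index pattern that still matches the bare name or the alias's backing indices, and that whatever previously expired the dated `so-*-YYYY.MM.dd` indices is replaced by rollover/ILM-based retention, since otherwise retention and disk headroom for this security telemetry are no longer bounded by date. A one-line comment above each `index =>`, such as `# bare name: the write alias / ILM rollover must exist before the first write`, would record that dependency for operators.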
@@ -9,7 +9,7 @@ output {
 elasticsearch {
 pipeline => "%{module}.%{dataset}"
 hosts => "{{ ES }}"
- index => "so-import-%{+YYYY.MM.dd}"
+ index => "so-import"
 template_name => "so-import"
 template => "/templates/so-import-template.json"
 template_overwrite => true
diff --git a/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja b/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja
index a9ca4c60d..0a7d961de 100644
--- a/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja
@@ -8,7 +8,7 @@ output {
 if [event_type] == "sflow" {
 elasticsearch {
 hosts => "{{ ES }}"
- index => "so-flow-%{+YYYY.MM.dd}"
+ index => "so-flow"
 template_name => "so-flow"
 template => "/templates/so-flow-template.json"
 template_overwrite => true
diff --git a/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja b/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja
index 9da6c5b14..7f0e30fbc 100644
--- a/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja
@@ -8,7 +8,7 @@ output {
 if [event_type] == "ids" and "import" not in [tags] {
 elasticsearch {
 hosts => "{{ ES }}"
- index => "so-ids-%{+YYYY.MM.dd}"
+ index => "so-ids"
 template_name => "so-ids"
 template => "/templates/so-ids-template.json"
 template_overwrite => true
diff --git a/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja b/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja
index d57611cb7..4a27428f7 100644
--- a/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja
@@ -9,7 +9,7 @@ output {
 elasticsearch {
 pipeline => "%{module}"
 hosts => "{{ ES }}"
- index => "so-syslog-%{+YYYY.MM.dd}"
+ index => "so-syslog"
 template_name => "so-syslog"
 template => "/templates/so-syslog-template.json"
 template_overwrite => true
diff --git a/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja b/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja
index ee0718029..2a71e3fab 100644
--- a/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja
@@ -9,7 +9,7 @@ output {
 elasticsearch {
 pipeline => "%{module}.%{dataset}"
 hosts => "{{ ES }}"
- index => "so-osquery-%{+YYYY.MM.dd}"
+ index => "so-osquery"
 template_name => "so-osquery"
 template => "/templates/so-osquery-template.json"
 template_overwrite => true
diff --git a/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja b/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja
index 8227aab01..9b93d327b 100644
--- a/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja
@@ -8,7 +8,7 @@ output {
 if [dataset] =~ "firewall" {
 elasticsearch {
 hosts => "{{ ES }}"
- index => "so-firewall-%{+YYYY.MM.dd}"
+ index => "so-firewall"
 template_name => "so-firewall"
 template => "/templates/so-firewall-template.json"
 template_overwrite => true
diff --git a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja
index 93bfd7020..29837040a 100644
--- a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja
@@ -9,7 +9,7 @@ output {
 elasticsearch {
 pipeline => "%{module}.%{dataset}"
 hosts => "{{ ES }}"
- index => "so-ids-%{+YYYY.MM.dd}"
+ index => "so-ids"
 template_name => "so-ids"
 template => "/templates/so-ids-template.json"
 {%- if grains['role'] in ['so-node','so-heavynode'] %}
diff --git a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja
index 4d26d491a..beaf24727 100644
--- a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja
@@ -9,7 +9,7 @@ output {
 elasticsearch {
 pipeline => "beats.common"
 hosts => "{{ ES }}"
- index => "so-beats-%{+YYYY.MM.dd}"
+ index => "so-beats"
 template_name => "so-beats"
 template => "/templates/so-beats-template.json"
 template_overwrite => true
diff --git a/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja b/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja
index 63e20c59a..95c81577b 100644
--- a/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja
@@ -9,7 +9,7 @@ output {
 elasticsearch {
 pipeline => "%{module}"
 hosts => "{{ ES }}"
- index => "so-ossec-%{+YYYY.MM.dd}"
+ index => "so-ossec"
 template_name => "so-ossec"
 template => "/templates/so-ossec-template.json"
 template_overwrite => true
diff --git a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja
index 193057a53..1e8c44cc6 100644
--- a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja
@@ -9,7 +9,7 @@ output {
 elasticsearch {
 pipeline => "%{module}.%{dataset}"
 hosts => "{{ ES }}"
- index => "so-strelka-%{+YYYY.MM.dd}"
+ index => "so-strelka"
 template_name => "so-strelka"
 template => "/templates/so-strelka-template.json"
 template_overwrite => true
From 4fc4913d1efa1c590d5cc10b220ae8f22bc8a350 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Mon, 12 Oct 2020 15:44:00 +0000
Subject: [PATCH 2/2] Don't predefine index date for Filebeat ES outputs
---
 salt/filebeat/etc/filebeat.yml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index 01febed92..99f1de188 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -82,7 +82,7 @@ filebeat.inputs:
 module: syslog
 dataset: syslog
 pipeline: "syslog"
- index: "so-syslog-%{+yyyy.MM.dd}"
+ index: "so-syslog"
 processors:
 - drop_fields:
 fields: ["source", "prospector", "input", "offset", "beat"]
@@ -95,7 +95,7 @@ filebeat.inputs:
 module: syslog
 dataset: syslog
 pipeline: "syslog"
- index: "so-syslog-%{+yyyy.MM.dd}"
+ index: "so-syslog"
 processors:
 - drop_fields:
 fields: ["source", "prospector", "input", "offset", "beat"]
@@ -259,22 +259,22 @@ output.elasticsearch:
 pipelines:
 - pipeline: "%{[module]}.%{[dataset]}"
 indices:
- - index: "so-import-%{+yyyy.MM.dd}"
+ - index: "so-import"
 when.contains:
 tags: "import"
- - index: "so-zeek-%{+yyyy.MM.dd}"
+ - index: "so-zeek"
 when.contains:
 module: "zeek"
- - index: "so-ids-%{+yyyy.MM.dd}"
+ - index: "so-ids"
 when.contains:
 module: "suricata"
- - index: "so-ossec-%{+yyyy.MM.dd}"
+ - index: "so-ossec"
 when.contains:
 module: "ossec"
- - index: "so-osquery-%{+yyyy.MM.dd}"
+ - index: "so-osquery"
 when.contains:
 module: "osquery"
- - index: "so-strelka-%{+yyyy.MM.dd}"
+ - index: "so-strelka"
 when.contains:
 module: "strelka"