From eb0c23387b55aea64f735e3051ba6f80f9bc4c6a Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Thu, 2 Apr 2020 20:01:49 +0000 Subject: [PATCH 1/2] specify ES vs LS in FB config --- salt/filebeat/etc/filebeat.yml | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index 3be56233e..50dab6d2f 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml @@ -179,7 +179,8 @@ filebeat.inputs: close_removed: false {%- endif %} -#----------------------------- Logstash output --------------------------------- +#----------------------------- Elasticsearch/Logstash output --------------------------------- +{%- if grains['role'] == "so-eval" %} output.elasticsearch: enabled: true hosts: ["{{ MASTER }}:9200"] @@ -202,12 +203,15 @@ output.elasticsearch: when.contains: module: "strelka" -#output.logstash: +setup.template.enabled: false +{%- else %} + +output.logstash: # Boolean flag to enable or disable the output module. - #enabled: true + enabled: true # The Logstash hosts - #hosts: ["{{ MASTER }}:5644"] + hosts: ["{{ MASTER }}:5644"] # Number of workers per Logstash host. #worker: 1 
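Review bot: The new `{%- if grains['role'] == "so-eval" %}` gate turns the Elasticsearch output into the eval-only shipping path, yet `hosts: ["{{ MASTER }}:9200"]` carries no scheme, so Filebeat will talk plain HTTP to 9200 unless `ssl.*`/`protocol` options are set in the part of the `output.elasticsearch` block that lies between this hunk and the next (not shown here). That is acceptable only if MASTER is guaranteed to resolve to the local node on an eval install; please confirm, or add `protocol: "https"` with the same CA/cert/key material the Logstash branch gets. The renamed banner would also benefit from a one-line why, e.g. `# so-eval ships straight to Elasticsearch; every other role forwards to Logstash (settings below).`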
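Review bot: `setup.template.enabled: false` is now present in both arms of the conditional — the line added just before `{%- else %}` here, and the pre-existing one that the `{%- endif %}` added later in this patch leaves inside the Logstash arm. Because the value is identical, keep a single copy below the `{%- endif %}` rather than duplicating it, so a later change to template loading cannot drift between eval and distributed deployments. The lone `+` blank line after `{%- else %}` only renders in the Logstash arm; it is harmless but could be dropped so the two arms read symmetrically. The `output.logstash` block continues past the end of this hunk.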
@@ -222,21 +226,21 @@ output.elasticsearch: # and certificates will be accepted. In this mode, SSL based connections are # susceptible to man-in-the-middle attacks. Use only for testing. Default is # `full`. - #ssl.verification_mode: full + ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions 1.0 up to # 1.2 are enabled. - #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2] + ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2] # Optional SSL configuration options. SSL is off by default. # List of root certificates for HTTPS server verifications - #ssl.certificate_authorities: ["/usr/share/filebeat/intraca.crt"] + ssl.certificate_authorities: ["/usr/share/filebeat/intraca.crt"] # Certificate for SSL client authentication - #ssl.certificate: "/usr/share/filebeat/filebeat.crt" + ssl.certificate: "/usr/share/filebeat/filebeat.crt" # Client Certificate Key - #ssl.key: "/usr/share/filebeat/filebeat.key" + ssl.key: "/usr/share/filebeat/filebeat.key" setup.template.enabled: false # A dictionary of settings to place into the settings.index dictionary @@ -251,7 +255,7 @@ setup.template.enabled: false # https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-source-field.html #_source: #enabled: false - +{%- endif %} #============================== Kibana ===================================== # Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API. From 9a082725d165e6be67dce753762b03c58c4b721e Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Thu, 2 Apr 2020 20:03:29 +0000 Subject: [PATCH 2/2] add Strelka for sensor if enabled --- salt/top.sls | 3 +++ 1 file changed, 3 insertions(+) diff --git a/salt/top.sls b/salt/top.sls index bb629c106..dd4e825db 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -42,6 +42,9 @@ base: - zeek {%- endif %} - wazuh + {%- if STRELKA %} + - strelka + {%- endif %} - filebeat {%- if FLEETMASTER or FLEETNODE %} - fleet.install_package
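Review bot: Uncommenting `ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]` explicitly re-enables TLS 1.0 and 1.1 for the Logstash connection, both of which are deprecated (RFC 8996) and exposed to CBC/downgrade-class attacks; the peer at `{{ MASTER }}:5644` is presumably deployed by the same Salt states, so there is no interoperability reason to accept them. Change it to `ssl.supported_protocols: [TLSv1.2]` (adding `TLSv1.3` if the Beat version in use accepts it); do not simply delete the line, since the comment directly above says the default still includes 1.0. The `ssl.verification_mode: full` plus `ssl.certificate_authorities`/`ssl.certificate`/`ssl.key` lines are the right shape for mutual TLS; just make sure `/usr/share/filebeat/filebeat.key` is mounted with restrictive permissions, which this file cannot show.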