From 118277ebc576e19238cfec120d61a85edeaaced7 Mon Sep 17 00:00:00 2001
From: Josh Brower <Josh@Defensivedepth.com>
Date: Fri, 18 Feb 2022 11:49:02 -0500
Subject: [PATCH] Ingest Kratos logs

---
 salt/filebeat/etc/filebeat.yml | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index f18a72752..0f6f65c71 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -264,6 +264,36 @@ filebeat.inputs:
 
 {%- endif %}
 
+{%- if grains['role'] in ['so-eval', 'so-standalone', 'so-manager',  'so-managersearch', 'so-import'] %}
+- type: log
+  paths:
+    - /logs/kratos/kratos.log
+  fields:
+    module: kratos
+    category: host
+    tags: beat-ext
+  processors:
+    - decode_json_fields:
+        fields: ["message"]
+        target: ""
+        add_error_key: true
+    - rename:
+        fields:
+          - from: "audience"
+            to: "event.dataset"
+        ignore_missing: true
+    - add_fields:
+        when:
+          not: 
+            has_fields: ['event.dataset']
+        target: ''
+        fields:
+          event.dataset: access
+  fields_under_root: true
+  clean_removed: false
+  close_removed: false
+{%- endif %}
+
 {%- if INPUTS %}
 # USER PILLAR DEFINED INPUTS
 {{ INPUTS | yaml(False) }}