From ea50023ca5dcdf64de39b2f8505a4d20059e8f03 Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Thu, 24 Jun 2021 15:53:14 -0400
Subject: [PATCH] Fix filebeat modules

---
 salt/filebeat/init.sls                | 3 ++-
 salt/filebeat/thirdpartydefaults.yaml | 7 -------
 2 files changed, 2 insertions(+), 8 deletions(-)

diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index 0cbbf0594..f03d3dc1a 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -129,7 +129,8 @@ so-filebeat:
 {% for module in THIRDPARTY.modules.keys() %}
   {% for submodule in THIRDPARTY.modules[module] %}
     {% if THIRDPARTY.modules[module][submodule].enabled and THIRDPARTY.modules[module][submodule]["var.syslog_port"] is defined %}
-        - {{ THIRDPARTY.modules[module][submodule].get("var.syslog_host", "0.0.0.0") }}:{{ THIRDPARTY.modules[module][submodule]["var.syslog_port"] }}:{{ THIRDPARTY.modules[module][submodule]["var.syslog_port"] }}/{{ THIRDPARTY.modules[module][submodule]["var.input"] }}
+        - {{ THIRDPARTY.modules[module][submodule].get("var.syslog_host", "0.0.0.0") }}:{{ THIRDPARTY.modules[module][submodule]["var.syslog_port"] }}:{{ THIRDPARTY.modules[module][submodule]["var.syslog_port"] }}/tcp
+        - {{ THIRDPARTY.modules[module][submodule].get("var.syslog_host", "0.0.0.0") }}:{{ THIRDPARTY.modules[module][submodule]["var.syslog_port"] }}:{{ THIRDPARTY.modules[module][submodule]["var.syslog_port"] }}/udp
     {% endif %}
   {% endfor %}
 {% endfor %}
diff --git a/salt/filebeat/thirdpartydefaults.yaml b/salt/filebeat/thirdpartydefaults.yaml
index 1b378f84b..112ed6d6c 100644
--- a/salt/filebeat/thirdpartydefaults.yaml
+++ b/salt/filebeat/thirdpartydefaults.yaml
@@ -42,39 +42,32 @@ third_party_filebeat:
     cef:
       log:
         enabled: false
-        var.input: udp
         var.syslog_host: 0.0.0.0
         var.syslog_port: 9003
     checkpoint:
       firewall:
         enabled: false
-        var.input: udp
         var.syslog_host: 0.0.0.0
         var.syslog_port: 9505
     cisco:
       asa:
         enabled: false
-        var.input: udp
         var.syslog_host: 0.0.0.0
         var.syslog_port: 9001
       ftd:
         enabled: false
-        var.input: udp
         var.syslog_host: 0.0.0.0
         var.syslog_port: 9003
       ios:
         enabled: false
-        var.input: udp
         var.syslog_host: 0.0.0.0
         var.syslog_port: 9002
       nexus:
         enabled: false
-        var.input: udp
         var.syslog_host: 0.0.0.0
         var.syslog_port: 9506
       meraki:
         enabled: false
-        var.input: udp
         var.syslog_host: 0.0.0.0
         var.syslog_port: 9525
       umbrella: