From 90d55104c6cab39377252b19c567c9a0fe86a0f8 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 25 Oct 2018 22:43:19 -0400
Subject: [PATCH] Filebeat Module - Fix bro logs to make them work
---
 salt/filebeat/etc/filebeat.yml | 2 +-
 salt/filebeat/init.sls | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index 8f053a42b..15317921e 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -14,7 +14,7 @@ filebeat.prospectors:
 {%- for LOGNAME in salt['pillar.get']('brologs:enabled', '') %}
 - type: log
 paths:
- - /nsm/bro/spool/{{ LOGNAME }}.log
+ - /nsm/bro/logs/current/{{ LOGNAME }}.log
 fields:
 type: bro_{{ LOGNAME }}
 fields_under_root: true
diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index fcac162cd..6fb65bd63 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -59,7 +59,7 @@ so-filebeat:
 - binds:
 - /opt/so/log/filebeat:/var/log/filebeat:rw
 - /opt/so/conf/filebeat/etc/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro
- - /nsm/bro/spool/manager:/nsm/bro/spool:ro
+ - /nsm/bro:/nsm/bro:ro
 - /opt/so/log/suricata:/suricata:ro
 - /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro
 - /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro
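Review bot: The new path `/nsm/bro/logs/current/{{ LOGNAME }}.log` is a container-side path that only resolves because of the bind changed in salt/filebeat/init.sls, and nothing in this file records that coupling. If the two drift apart, filebeat would most likely start with no matching files and Bro logs would silently stop shipping, which on a sensor is a detection gap rather than a visible failure. I would add a comment above the `paths:` entry such as `# container path; depends on the /nsm/bro bind in salt/filebeat/init.sls`. The prospector list and the `for` loop both continue outside the hunk.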
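Review bot: The new bind `/nsm/bro:/nsm/bro:ro` exposes the whole Bro tree to the so-filebeat container, although the prospector in filebeat.yml only reads `/nsm/bro/logs/current/*.log`. The mount is read-only, so the cost is over-broad read access from a network-connected log shipper rather than tampering. If `logs/current` is a symlink into the spool directory (presumably why the old `spool/manager` bind was not enough; please confirm), two narrower binds would keep it resolvable: `- /nsm/bro/logs:/nsm/bro/logs:ro` and `- /nsm/bro/spool:/nsm/bro/spool:ro`. The `binds` list begins and ends outside the hunk.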