From 54c35cdc0dc1e9fb2ac0d35f65cef5009aed7d34 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Wed, 12 Dec 2018 20:51:41 +0000
Subject: [PATCH 1/2] Filebeat - Add Wazuh archive logs
---
 salt/filebeat/etc/filebeat.yml | 10 ++++++++++
 salt/filebeat/init.sls | 1 +
 2 files changed, 11 insertions(+)
diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index 342b925a0..4384d124e 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -47,6 +47,16 @@ filebeat.prospectors:
 fields_under_root: true
 clean_removed: false
 close_removed: false
+
+ - type: log
+ paths:
+ - /wazuh/archives/archives.json
+ fields:
+ type: ossec_archive
+ fields_under_root: true
+ clean_removed: false
+ close_removed: false
+
 {%- endif %}
 
 #----------------------------- Logstash output ---------------------------------
diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index 8b0ec3f4c..da8f0637c 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -62,6 +62,7 @@ so-filebeat:
 - /nsm/bro:/nsm/bro:ro
 - /opt/so/log/suricata:/suricata:ro
 - /opt/so/wazuh/logs/alerts/:/wazuh/alerts:ro
+ - /opt/so/wazuh/logs/archives/:/wazuh/archives:ro
 - /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro
 - /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro
 - /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro
From 41e9c4c7e0caf0fbe3fe3860d740c8510179cbfe Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Wed, 12 Dec 2018 20:52:18 +0000
Subject: [PATCH 2/2] Logstash - Alter input for Wazuh logs
---
 salt/logstash/files/dynamic/0006_input_beats.conf | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/salt/logstash/files/dynamic/0006_input_beats.conf b/salt/logstash/files/dynamic/0006_input_beats.conf
index b263e611b..bd41a3024 100644
--- a/salt/logstash/files/dynamic/0006_input_beats.conf
+++ b/salt/logstash/files/dynamic/0006_input_beats.conf
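Review bot: The new prospector for `/wazuh/archives/archives.json` should carry a comment, because Wazuh's archives file is the full event stream the manager processes rather than only alerts, so it is far larger than alerts.json and, as far as I know, is only written when the manager's logall_json option is enabled; without that the path simply does not exist on the host. I would add above `- type: log`: `# Wazuh archives: every event, not only alerts; only present when the manager writes archives.json and much higher volume than alerts.json`. The entry copies `clean_removed: false` / `close_removed: false` from the alerts prospector above, which is consistent but means a rotated-away archives.json keeps its file handle and registry entry. The hunk sits inside a Jinja `{%- if %}` block whose opening is outside the hunk; the matching host mount is added read-only in the init.sls hunk below, which looks right.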
@@ -9,7 +9,7 @@ input {
 }
 }
 filter {
- if [type] == "ids" {
+ if [type] == "ids" or [type] =~ "bro" {
 mutate {
 rename => { "host" => "beat_host" }
 remove_tag => ["beat"]
@@ -17,11 +17,10 @@ filter {
 add_field => { "syslog-host_from" => "%{[beat][name]}" }
 }
 }
- if "bro" in [tags] {
+ if [type] =~ "ossec" {
 mutate {
 rename => { "host" => "beat_host" }
 remove_tag => ["beat"]
- add_field => { "sensor_name" => "%{[beat][name]}" }
 add_field => { "syslog-host_from" => "%{[beat][name]}" }
 }
 }
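Review bot: `[type] =~ "bro"` is an unanchored substring regex, so it matches any type value that merely contains `bro`, and the same applies to `[type] =~ "ossec"` in the next hunk. Anchoring states the intent and avoids accidental matches as new types are added: `if [type] == "ids" or [type] =~ /^bro/ {` here and `if [type] =~ /^ossec/ {` below; regex literals instead of quoted strings also make it obvious a pattern rather than an equality is meant. If every Bro and Wazuh type really starts with those prefixes this is only precision, but if some other type could contain the substring it becomes a correctness fix. The `filter { ... }` block begins before this hunk and continues between and beyond the two hunks.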
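Review bot: Dropping `add_field => { "sensor_name" => "%{[beat][name]}" }` means Wazuh events (`ossec` and `ossec_archive`) no longer receive `sensor_name`, and Bro events, which previously took this branch via `"bro" in [tags]`, now go through the `ids` branch instead; whether that branch sets `sensor_name` is not visible, because its middle lines (13-16) fall between the two hunks. If it does not, any search, dashboard or detection keyed on `sensor_name` for Bro logs breaks silently rather than at deploy time. If leaving the field off Wazuh events is intentional, a one-line comment above the new `if` would spare the next reader the archaeology, e.g. `# Wazuh events: host attribution via syslog-host_from only; sensor_name deliberately not set`.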