From 91673a5d70a49677c6eea65ab6b820d598d6dd89 Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Tue, 2 Jun 2020 17:33:42 +0000
Subject: [PATCH] Update FB config

---
 salt/filebeat/etc/filebeat.yml | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index be04effb0..76c26b51d 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -75,10 +75,10 @@ filebeat.modules:
 filebeat.inputs:
 #------------------------------ Log prospector --------------------------------
 {%- if grains['role'] == 'so-sensor' or grains['role'] == "so-eval" or grains['role'] == "so-helix" or grains['role'] == "so-heavynode" or grains['role'] == "so-standalone" %}
-  - type: syslog
+
+  - type: udp
     enabled: true
-    protocol.udp:
-      host: "0.0.0.0:514"
+    host: "0.0.0.0:514"
     fields:
       module: syslog
       dataset: syslog
@@ -87,7 +87,20 @@ filebeat.inputs:
     processors:
     - drop_fields:
         fields: ["source", "prospector", "input", "offset", "beat"]
+    fields_under_root: true
 
+  - type: tcp
+    enabled: true
+    host: "0.0.0.0:514"
+    fields:
+      module: syslog
+      dataset: syslog
+    pipeline: "syslog"
+    index: "so-syslog-%{+yyyy.MM.dd}"
+    processors:
+    - drop_fields:
+        fields: ["source", "prospector", "input", "offset", "beat"]
+    fields_under_root: true
 {%- if BROVER != 'SURICATA' %}
 {%- for LOGNAME in salt['pillar.get']('brologs:enabled', '')  %}
   - type: log