From 9dc115134779a480c5be80f0a2bcf19e998186fa Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Tue, 14 Jul 2020 22:59:42 -0400
Subject: [PATCH] Imported logs are sent to so-import index on eval installations
---
salt/filebeat/etc/filebeat.yml | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index 6aeac7bba..1342775b7 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -127,7 +127,7 @@ filebeat.inputs:
imported: true
processors:
- add_tags:
- tags: [import]
+ tags: ["import"]
- dissect:
tokenizer: "/nsm/import/%{import.id}/zeek/logs/%{import.file}"
field: "log.file.path"
@@ -167,7 +167,7 @@ filebeat.inputs:
imported: true
processors:
- add_tags:
- tags: [import]
+ tags: ["import"]
- dissect:
tokenizer: "/nsm/import/%{import.id}/suricata/%{import.file}"
field: "log.file.path"
@@ -260,6 +260,9 @@ output.elasticsearch:
pipelines:
- pipeline: "%{[module]}.%{[dataset]}"
indices:
+ - index: "so-import-%{+yyyy.MM.dd}"
+ when.contains:
+ tags: "import"
- index: "so-zeek-%{+yyyy.MM.dd}"
when.contains:
module: "zeek"
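Review bot: The new `so-import` rule only works because it is listed first — Filebeat applies the first matching `indices` entry — but nothing in the hunk records that, so a later reorder would silently send imported events back to the module indices; add above it `# Must stay first: events tagged "import" take precedence over the module-based rules below.` The commit title scopes this to eval installations, yet the added rule carries no visible condition; if the Salt template does not gate it elsewhere, every role will route tagged events to `so-import-*`, which then also needs its own index template, ILM policy and Kibana index pattern. Note as well that `when.contains` is, as far as I recall, a substring match against each element of `tags`, so any future tag containing "import" would match too; the tag set is defined in this same file, which keeps that manageable. The `output.elasticsearch` block continues outside the hunk.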