changes for multipipelines / mastersearch node - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/124

salt/logstash/conf/pipelines/master/0010_input_hhbeats.conf

@@ -0,0 +1,40 @@
+input {
+  beats {
+    port => "5644"
+    ssl => true
+    ssl_certificate_authorities => ["/usr/share/filebeat/ca.crt"]
+    ssl_certificate => "/usr/share/logstash/filebeat.crt"
+    ssl_key => "/usr/share/logstash/filebeat.key"
+    tags => [ "beat" ]
+  }
+}
+filter {
+  if [type] == "ids" or [type] =~ "bro" {
+    mutate {
+      rename => { "host" => "beat_host" }
+      remove_tag => ["beat"]
+      add_field => { "sensor_name" => "%{[beat][name]}" }
+      add_field => { "syslog-host_from" => "%{[beat][name]}" }
+      remove_field => [ "beat", "prospector", "input", "offset" ]
+    }
+  }
+  if [type] =~ "ossec" {
+    mutate {
+      rename => { "host" => "beat_host" }
+      remove_tag => ["beat"]
+      add_field => { "syslog-host_from" => "%{[beat][name]}" }
+      remove_field => [ "beat", "prospector", "input", "offset" ]
+    }
+   }
+    if [type] == "osquery" {
+    mutate {
+      rename => { "host" => "beat_host" }
+      remove_tag => ["beat"]
+      add_tag => ["osquery"]
+        	}
+   json {
+    source => "message"
+    target => "osquery"
+        }
+  }
+}

salt/logstash/conf/pipelines/master/templates/9999_output_redis.conf

@@ -0,0 +1,21 @@
+{%- if salt['grains.get']('role') == 'so-master' %}
+{% set master = salt['pillar.get']('static:masterip', '') %}
+{%- set nodetype = 'master' %}
+{%- else %}
+{%- set nodetype = salt['pillar.get']('node:node_type', 'storage') %}
+{% set master = salt['pillar.get']('static:masterip', '') %}
+{%- endif %}
+output {
+	redis {
+		host => '{{ master }}'
+		data_type => 'list'
+		{%- if nodetype == 'parser' %}
+		key => 'logstash:parsed'
+		{%- else %}
+		key => 'logstash:unparsed'
+		{%- endif %}
+		congestion_interval => 1
+		congestion_threshold => 50000000
+		# batch_events => 500
+	}
+}