From 79854f111ed7944a56e84b203bf24a65050e872a Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 19 Oct 2020 10:27:40 -0400
Subject: [PATCH 1/2] add 514 tcp listener to filebeat docker and add syslog listener to fb config for manager and manager search - https://github.com/Security-Onion-Solutions/securityonion/issues/1551
---
 salt/filebeat/etc/filebeat.yml | 2 +-
 salt/filebeat/init.sls | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index 99f1de188..0ba7720fc 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -74,7 +74,7 @@ filebeat.modules:
 # List of prospectors to fetch data.
 filebeat.inputs:
 #------------------------------ Log prospector --------------------------------
-{%- if grains['role'] in ['so-sensor', "so-eval", "so-helix", "so-heavynode", "so-standalone", "so-import"] %}
+{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-sensor', 'so-helix', 'so-heavynode', 'so-import'] %}
 - type: udp
   enabled: true
   host: "0.0.0.0:514"
diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index 6bbcea8b4..b770f7cc8 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -82,6 +82,7 @@ so-filebeat:
       - /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro
     - port_bindings:
       - 0.0.0.0:514:514/udp
+      - 0.0.0.0:514:514/tcp
     - watch:
       - file: /opt/so/conf/filebeat/etc/filebeat.yml

From 10e4248cfc344561f50376f0cbad9e85871fc778 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 19 Oct 2020 16:10:20 -0400
Subject: [PATCH 2/2] and node that gets filebeat state now can listen for syslog - https://github.com/Security-Onion-Solutions/securityonion/issues/1551
---
 salt/filebeat/etc/filebeat.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index 0ba7720fc..3587b6ffd 100644
--- a/salt/filebeat/etc/filebeat.yml
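Review bot: The new `0.0.0.0:514:514/tcp` binding in the init.sls hunk publishes TCP 514 on every host interface, yet the only syslog input visible in this commit's filebeat.yml hunk is `type: udp`; unless a `type: tcp` input exists in the part of filebeat.yml not shown, the published port forwards to nothing inside the container. `port_bindings` carries no Jinja role condition here, so the port is published on every node that applies this state, and reachability of 514/tcp should be limited at the host firewall for roles that are not meant to accept syslog. A comment on the added line would record the intent, e.g. `# 514/tcp for TCP syslog senders (issue #1551); requires a matching type: tcp input in filebeat.yml`. Both port scalars contain colons and would be safer quoted (`- "0.0.0.0:514:514/tcp"`), although the plain form does parse as a string. The so-filebeat state continues outside the hunk.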
+++ b/salt/filebeat/etc/filebeat.yml
@@ -74,7 +74,6 @@ filebeat.modules:
 # List of prospectors to fetch data.
 filebeat.inputs:
 #------------------------------ Log prospector --------------------------------
-{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-sensor', 'so-helix', 'so-heavynode', 'so-import'] %}
 - type: udp
   enabled: true
   host: "0.0.0.0:514"
@@ -100,6 +99,8 @@ filebeat.inputs:
   - drop_fields:
       fields: ["source", "prospector", "input", "offset", "beat"]
   fields_under_root: true
+
+{%- if grains['role'] in ['so-eval', 'so-standalone', 'so-sensor', 'so-helix', 'so-heavynode', 'so-import'] %}
 {%- if ZEEKVER != 'SURICATA' %}
 {%- for LOGNAME in salt['pillar.get']('zeeklogs:enabled', '') %}
 - type: log
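Review bot: Removing the `{%- if grains['role'] in [...] %}` guard in the first hunk makes the `type: udp` input on `"0.0.0.0:514"` render on every node that applies the filebeat state, and the Docker `port_bindings` for 514 in init.sls carry no role condition either, so roles that previously had no listener now accept syslog on all interfaces. If that is intended, as the commit message says, a comment above `- type: udp` should state it, e.g. `# Syslog input renders for every role that applies this state (issue #1551); restrict reachability of 514 at the host firewall where a role should not accept syslog`. The `{%- endif %}` that closed the removed guard is outside the hunk and presumably now pairs with the guard added before the Zeek inputs in the second hunk; that pairing cannot be confirmed from here.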
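Review bot: The new `{%- if grains['role'] in ['so-eval', ...] %}` gate in the second hunk carries no comment saying what it fences, and its `{%- endif %}` lies outside the hunk, so a reader of this stretch cannot tell which inputs it covers. A Jinja comment directly above it would help, e.g. `{#- Zeek log inputs below render only for these roles; the syslog input above is unconditional #}`. The role list is a hard-coded literal that largely repeats the one removed in the previous hunk; a pillar value or a Jinja variable set once at the top of the file would keep such lists from drifting when roles are added. The `{%- if ZEEKVER != 'SURICATA' %}` block continues outside the hunk.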