From c1dd26d97efb0c7d53e32d9427896aef3260c719 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Wed, 5 Feb 2020 08:12:08 -0500
Subject: [PATCH] Logstash EVAL pipeline fix - osquery

---
 .../conf/pipelines/eval/0800_input_eval.conf | 1 +
 .../eval/templates/9100_output_osquery.conf | 21 +++++++++++++++----
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/salt/logstash/conf/pipelines/eval/0800_input_eval.conf b/salt/logstash/conf/pipelines/eval/0800_input_eval.conf
index e0f2e132e..d3fd00029 100644
--- a/salt/logstash/conf/pipelines/eval/0800_input_eval.conf
+++ b/salt/logstash/conf/pipelines/eval/0800_input_eval.conf
@@ -188,6 +188,7 @@ input {
   file {
     path => "/osquery/logs/result.log"
     type => "osquery"
+    tags => ["osquery"]
   }
   file {
     path => "/strelka/strelka.log"
diff --git a/salt/logstash/conf/pipelines/eval/templates/9100_output_osquery.conf b/salt/logstash/conf/pipelines/eval/templates/9100_output_osquery.conf
index e95119562..132f0eb66 100644
--- a/salt/logstash/conf/pipelines/eval/templates/9100_output_osquery.conf
+++ b/salt/logstash/conf/pipelines/eval/templates/9100_output_osquery.conf
@@ -3,11 +3,24 @@
 {%- else %}
 {%- set ES = salt['pillar.get']('node:mainip', '') -%}
 {%- endif %}
-# Author: Josh Brower
-# Last Update: 12/29/2018
-# Output to ES for osquery tagged logs
+# Author: Security Onion Solutions
+# Last Update: 2/3/2020
+# Output to ES for osquery tagged logs - EVAL install
+filter {
+  if "osquery" in [tags] {
+    mutate {
+      rename => { "host" => "beat_host" }
+      remove_tag => ["beat"]
+    }
+    json {
+      source => "message"
+      target => "osquery"
+    }
+  }
+}
+
 output {
   if "osquery" in [tags] {
     elasticsearch {
@@ -16,4 +29,4 @@ output {
       template => "/logstash-template.json"
     }
   }
-}
\ No newline at end of file
+}
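Review bot: The new `json` filter in 9100_output_osquery.conf parses `message` into `osquery` but leaves the raw `message` in place, so every successfully parsed osquery result is indexed twice (once as the raw line, once as the structured object), which doubles storage for what can be a high-volume source. Adding `remove_field => ["message"]` to the `json` block drops the duplicate only when the parse succeeds; a line that fails to parse keeps `message` and picks up Logstash's default `_jsonparsefailure` tag, and since it still carries the `osquery` tag the output block below will index it as-is, which is worth a comment so operators know to search for that tag when results look incomplete. The `mutate` block's `remove_tag => ["beat"]` and the `host` to `beat_host` rename look carried over from a Beats-fed pipeline; on the EVAL path these events come from the `file` input changed in the other hunk, where no `beat` tag is set, so a comment such as `# host is renamed to avoid a mapping clash with the Beats host object; the beat tag removal is a no-op on the file input` would stop a future reader from treating them as load-bearing. Finally, this `filter` section now lives in a file whose name and header say "Output"; a one-line header note like `# NOTE: this template also carries the osquery parse filter, which only applies in the EVAL install` would keep the pipeline layout honest.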