Logstash EVAL pipeline fix - osquery

salt/logstash/conf/pipelines/eval/0800_input_eval.conf

@@ -188,6 +188,7 @@ input {
   file {
     path => "/osquery/logs/result.log"
     type => "osquery"
+    tags => ["osquery"]
   }
   file {
     path => "/strelka/strelka.log"

salt/logstash/conf/pipelines/eval/templates/9100_output_osquery.conf

@@ -3,11 +3,24 @@
 {%- else %}
 {%- set ES = salt['pillar.get']('node:mainip', '') -%}
 {%- endif %}
-# Author: Josh Brower
-# Last Update: 12/29/2018
-# Output to ES for osquery tagged logs
+# Author: Security Onion Solutions
+# Last Update: 2/3/2020
+# Output to ES for osquery tagged logs - EVAL install
 
 
+filter {
+    if "osquery" in [tags] {
+    mutate {
+      rename => { "host" => "beat_host" }
+      remove_tag => ["beat"]
+                }
+   json {
+    source => "message"
+    target => "osquery"
+        }
+  }
+}
+
 output {
   if "osquery" in [tags] {
     elasticsearch {