From cd823a26f31558f1892a9c9e3c85a02143757a0e Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 15 Oct 2018 19:24:01 -0400
Subject: [PATCH] Logstash Module - Change some parsing order

---
 salt/logstash/conf/conf.enabled.txt.so-master | 2 +-
 .../files/dynamic/0006_input_beats.conf | 318 +++++++++++++++++-
 2 files changed, 314 insertions(+), 6 deletions(-)

diff --git a/salt/logstash/conf/conf.enabled.txt.so-master b/salt/logstash/conf/conf.enabled.txt.so-master
index c33e46abe..a4da29cad 100644
--- a/salt/logstash/conf/conf.enabled.txt.so-master
+++ b/salt/logstash/conf/conf.enabled.txt.so-master
@@ -12,6 +12,6 @@
 /usr/share/logstash/pipeline.so/0002_input_windows_json.conf
 /usr/share/logstash/pipeline.so/0003_input_syslog.conf
 /usr/share/logstash/pipeline.so/0005_input_suricata.conf
-/usr/share/logstash/pipeline.dynamic/0006_input_beats.conf
+/usr/share/logstash/pipeline.so/0006_input_beats.conf
 /usr/share/logstash/pipeline.so/0007_input_import.conf
 /usr/share/logstash/pipeline.dynamic/9999_output_redis.conf
diff --git a/salt/logstash/files/dynamic/0006_input_beats.conf b/salt/logstash/files/dynamic/0006_input_beats.conf
index 35f526b2c..4fece4143 100644
--- a/salt/logstash/files/dynamic/0006_input_beats.conf
+++ b/salt/logstash/files/dynamic/0006_input_beats.conf
@@ -1,8 +1,3 @@
-# Author: Justin Henderson
-# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolutions.com
-# Last Update: 12/11/2017
-
 input {
 beats {
 port => "5044"
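Review bot: The enabled-list entry for 0006_input_beats.conf now points at `/usr/share/logstash/pipeline.so/`, yet the file itself is still edited under `salt/logstash/files/dynamic/` in this same patch, so the two halves of the commit disagree about where the beats input lives. If the Salt state deploys `files/dynamic/*` into `pipeline.dynamic/` (the state is not visible here), the new path will not resolve and the beats input quietly drops out of the pipeline. Either move the file next to the other `pipeline.so` sources or confirm the deploy mapping before merging.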
@@ -13,3 +8,316 @@ input {
 tags => [ "beat" ]
 }
 }
+filter {
+ if "ids" in [tags] {
+ mutate {
+ replace => ["type" => "snort"]
+ add_tag => ["snort"]
+ remove_tag => ["beat"]
+ }
+ }
+
+ if "bro_conn" in [tags] {
+ mutate {
+ replace => ["type" => "bro_conn"]
+ add_tag => ["bro"]
+ remove_tag => ["beat"]
+ }
+ }
+
+ if "bro_dhcp" in [tags] {
+ mutate {
+ replace => ["type" => "bro_dhcp"]
+ add_tag => ["bro"]
+ remove_tag => ["beat"]
+ }
+ }
+
+ if "bro_dns" in [tags] {
+ mutate {
+ replace => ["type" => "bro_dns"]
+ add_tag => ["bro"]
+ remove_tag => ["beat"]
+ }
+ }
+
+ if "bro_dpd" in [tags] {
+ mutate {
+ replace => ["type" => "bro_dpd"]
+ add_tag => ["bro"]
+ remove_tag => ["beat"]
+ }
+ }
+
+ if "bro_files" in [tags] {
+ mutate {
+ replace => ["type" => "bro_files"]
+ add_tag => ["bro"]
+ remove_tag => ["beat"]
+ }
+ }
+
+ if "bro_ftp" in [tags] {
+ mutate {
+ replace => ["type" => "bro_ftp"]
+ add_tag => ["bro"]
+ remove_tag => ["beat"]
+ }
+ }
+
+ if "bro_http" in [tags] {
+ mutate {
+ replace => ["type" => "bro_http"]
+ add_tag => ["bro"]
+ remove_tag => ["beat"]
+ }
+ }
+
+ if "bro_irc" in [tags] {
+ mutate {
+ replace => ["type" => "bro_irc"]
+ add_tag => ["bro"]
+ remove_tag => ["beat"]
+ }
+ }
+
+ if "bro_kerberos" in [tags] {
+ mutate {
+ replace => ["type" => "bro_kerberos"]
+ add_tag => ["bro"]
+ remove_tag => ["beat"]
+ }
+ }
+
+ if "bro_notice" in [tags] {
+ mutate {
+ replace => ["type" => "bro_notice"]
+ add_tag => ["bro"]
+ remove_tag => ["beat"]
+ }
+ }
+
+ if "bro_rdp" in [tags] {
+ mutate {
+ replace => ["type" => "bro_rdp"]
+ add_tag => ["bro"]
+ remove_tag => ["beat"]
+ }
+ }
+
+ if "bro_signatures" in [tags] {
+ mutate {
+ replace => ["type" => "bro_signatures"]
+ add_tag => ["bro"]
+ remove_tag => ["beat"]
+ }
+ }
+
+ if "bro_smtp" in [tags] {
+ mutate {
+ replace => ["type" => "bro_smtp"]
+ add_tag => ["bro"]
+ remove_tag => ["beat"]
+ }
+ }
+
+ if "bro_snmp" in [tags] {
+ mutate {
+ replace => ["type" => "bro_snmp"]
+ add_tag => ["bro"]
+ remove_tag => ["beat"]
+ }
+ }
+
+ if "bro_software" in [tags] {
+ mutate {
+ replace => ["type" => "bro_software"]
+ add_tag => ["bro"]
+ remove_tag => ["beat"]
+ }
+ }
+
+ if "bro_ssh" in [tags] {
+ mutate {
+ replace => ["type" => "bro_ssh"]
+ add_tag => ["bro"]
+ remove_tag => ["beat"]
+ }
+ }
+
+ if "bro_ssl" in [tags] {
+ mutate {
+ replace => ["type" => "bro_ssl"]
+ add_tag => ["bro"]
+ remove_tag => ["beat"]
+ }
+ }
+
+ if "bro_syslog" in [tags] {
+ mutate {
+ replace => ["type" => "bro_syslog"]
+ add_tag => ["bro"]
+ remove_tag => ["beat"]
+ }
+ }
+
+ if "bro_tunnel" in [tags] {
+ mutate {
+ replace => ["type" => "bro_tunnel"]
+ add_tag => ["bro"]
+ remove_tag => ["beat"]
+ }
+ }
+
+ if "bro_weird" in [tags] {
+ mutate {
+ replace => ["type" => "bro_weird"]
+ add_tag => ["bro"]
+ remove_tag => ["beat"]
+ }
+ }
+
+ if "bro_mysql" in [tags] {
+ mutate {
+ replace => ["type" => "bro_mysql"]
+ add_tag => ["bro"]
+ remove_tag => ["beat"]
+ }
+ }
+
+ if "bro_socks" in [tags] {
+ mutate {
+ replace => ["type" => "bro_socks"]
+ add_tag => ["bro"]
+ remove_tag => ["beat"]
+ }
+ }
+
+ if "bro_x509" in [tags] {
+ mutate {
+ replace => ["type" => "bro_x509"]
+ add_tag => ["bro"]
+ remove_tag => ["beat"]
+ }
+ }
+
+ if "bro_intel" in [tags] {
+ mutate {
+ replace => ["type" => "bro_intel"]
+ add_tag => ["bro"]
+ remove_tag => ["beat"]
+ }
+ }
+
+ if "bro_modbus" in [tags] {
+ mutate {
+ replace => ["type" => "bro_modbus"]
+ add_tag => ["bro"]
+ remove_tag => ["beat"]
+ }
+ }
+
+ if "bro_sip" in [tags] {
+ mutate {
+ replace => ["type" => "bro_sip"]
+ add_tag => ["bro"]
+ remove_tag => ["beat"]
+ }
+ }
+
+ if "bro_radius" in [tags] {
+ mutate {
+ replace => ["type" => "bro_radius"]
+ add_tag => ["bro"]
+ remove_tag => ["beat"]
+ }
+ }
+
+ if "bro_pe" in [tags] {
+ mutate {
+ replace => ["type" => "bro_pe"]
+ add_tag => ["bro"]
+ remove_tag => ["beat"]
+ }
+ }
+
+ if "bro_rfb" in [tags] {
+ mutate {
+ replace => ["type" => "bro_rfb"]
+ add_tag => ["bro"]
+ remove_tag => ["beat"]
+ }
+ }
+
+ if "bro_dnp3" in [tags] {
+ mutate {
+ replace => ["type" => "bro_dnp3"]
+ add_tag => ["bro"]
+ remove_tag => ["beat"]
+ }
+ }
+
+ if "bro_smb_files" in [tags] {
+ mutate {
+ replace => ["type" => "bro_smb_files"]
+ add_tag => ["bro"]
+ remove_tag => ["beat"]
+ }
+ }
+
+ if "bro_smb_mapping" in [tags] {
+ mutate {
+ replace => ["type" => "bro_smb_mapping"]
+ add_tag => ["bro"]
+ remove_tag => ["beat"]
+ }
+ }
+
+ if "bro_ntlm" in [tags] {
+ mutate {
+ replace => ["type" => "bro_ntlm"]
+ add_tag => ["bro"]
+ remove_tag => ["beat"]
+ }
+ }
+
+ if "bro_dce_rpc" in [tags] {
+ mutate {
+ replace => ["type" => "bro_dce_rpc"]
+ add_tag => ["bro"]
+ remove_tag => ["beat"]
+ }
+ }
+
+ if "bro_telnet" in [tags] {
+ mutate {
+ replace => ["type" => "bro_telnet"]
+ add_tag => ["bro"]
+ remove_tag => ["beat"]
+ }
+ }
+
+ if "bro_openvpn" in [tags] {
+ mutate {
+ replace => ["type" => "bro_openvpn"]
+ add_tag => ["bro"]
+ remove_tag => ["beat"]
+ }
+ }
+
+ if "bro_mqtt" in [tags] {
+ mutate {
+ replace => ["type" => "bro_mqtt"]
+ add_tag => ["bro"]
+ remove_tag => ["beat"]
+ }
+ }
+
+ if "bro_dhcpv6" in [tags] {
+ mutate {
+ replace => ["type" => "bro_dhcpv6"]
+ add_tag => ["bro"]
+ remove_tag => ["beat"]
+ }
+ }
+}
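Review bot: The 39 `if "<tag>" in [tags]` blocks in the new `filter {}` are independent statements rather than an `else if` chain, so an event carrying more than one matching tag (say `ids` plus `bro_conn`) has `type` overwritten by whichever block runs last and ends up tagged both `snort` and `bro`; since the commit is explicitly about parsing order, turning every block after the first into `else if "bro_conn" in [tags] {` would make the first match win and state that the branches are meant to be exclusive. Those tags are whatever the sending beat attached to the event (the `input { beats { ... } }` block this hunk closes begins above it, so its TLS settings are not visible), which means `type` — and presumably whatever downstream stage selects a parser on it — is derived purely from client-supplied data; it is worth confirming that the beats input enforces TLS with client-certificate verification, because nothing in this hunk stops any host that can reach 5044 from choosing its own parser. An event whose tags match none of the branches keeps tag `beat` and the shipper's original `type`, which is reasonable but should be said at the top of `filter {`, e.g. `# normalise shipper-supplied tags into type/tag; events matching no branch keep tag "beat"`.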