From d13e7559fe9349de27edd15b1fc5b588d2a038f3 Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Thu, 13 Dec 2018 17:32:03 +0000
Subject: [PATCH] Filebeat - Enabled for master and only enable Bro/Suri inputs
 when needed

---
 salt/filebeat/etc/filebeat.yml | 4 ++--
 salt/filebeat/init.sls         | 5 +++++
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index 4384d124e..b7ab91e12 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -12,6 +12,7 @@ filebeat.modules:
 # List of prospectors to fetch data.
 filebeat.prospectors:
 #------------------------------ Log prospector --------------------------------
+{%- if grains['role'] == 'so-sensor' or grains['role'] == "so-eval" %}
 {%- if BROVER != 'SURICATA' %}
 {%- for LOGNAME in salt['pillar.get']('brologs:enabled', '')  %}
   - type: log
@@ -36,6 +37,7 @@ filebeat.prospectors:
     fields_under_root: true
     clean_removed: false
     close_removed: false
+{%- endif %}
 
 {%- if WAZUHENABLED == '1' %}
 
@@ -73,7 +75,6 @@ output.logstash:
   # Set gzip compression level.
   compression_level: 3
 
-
   # Enable SSL support. SSL is automatically enabled, if any SSL setting is set.
   ssl.enabled: true
 
@@ -97,7 +98,6 @@ output.logstash:
   # Client Certificate Key
   ssl.key: "/usr/share/filebeat/filebeat.key"
 
-
 # Elasticsearch template settings
 #setup.template.settings:
 
diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index da8f0637c..d3a1dfb14 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -63,8 +63,13 @@ so-filebeat:
       - /opt/so/log/suricata:/suricata:ro
       - /opt/so/wazuh/logs/alerts/:/wazuh/alerts:ro
       - /opt/so/wazuh/logs/archives/:/wazuh/archives:ro
+{%- if grains['role'] == 'so-master' %}
+      - /etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro
+      - /etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro
+{%- else %}
       - /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro
       - /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro
+{%- endif %} 
       - /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro
     - watch:
       - file: /opt/so/conf/filebeat/etc