Filebeat - Enabled for master and only enable Bro/Suri inputs when needed

2025-12-06 09:12:45 +01:00 · 2018-12-13 17:32:03 +00:00
parent 8163beadb0
commit d13e7559fe
2 changed files with 7 additions and 2 deletions
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -12,6 +12,7 @@ filebeat.modules:
 # List of prospectors to fetch data.
 filebeat.prospectors:
 #------------------------------ Log prospector --------------------------------
+{%- if grains['role'] == 'so-sensor' or grains['role'] == "so-eval" %}
 {%- if BROVER != 'SURICATA' %}
 {%- for LOGNAME in salt['pillar.get']('brologs:enabled', '')  %}
  - type: log
@@ -36,6 +37,7 @@ filebeat.prospectors:
    fields_under_root: true
    clean_removed: false
    close_removed: false
+{%- endif %}

 {%- if WAZUHENABLED == '1' %}

@@ -73,7 +75,6 @@ output.logstash:
  # Set gzip compression level.
  compression_level: 3

-
  # Enable SSL support. SSL is automatically enabled, if any SSL setting is set.
  ssl.enabled: true

@@ -97,7 +98,6 @@ output.logstash:
  # Client Certificate Key
  ssl.key: "/usr/share/filebeat/filebeat.key"

-
 # Elasticsearch template settings
 #setup.template.settings:

--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -63,8 +63,13 @@ so-filebeat:
      - /opt/so/log/suricata:/suricata:ro
      - /opt/so/wazuh/logs/alerts/:/wazuh/alerts:ro
      - /opt/so/wazuh/logs/archives/:/wazuh/archives:ro
+{%- if grains['role'] == 'so-master' %}
+      - /etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro
+      - /etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro
+{%- else %}
      - /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro
      - /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro
+{%- endif %} 
      - /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro
    - watch:
      - file: /opt/so/conf/filebeat/etc