From d8abc0a19507ff0ea913a7ff32bf0ec6ecd9dc7a Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Wed, 11 May 2022 11:51:18 -0400
Subject: [PATCH] if in dmz_nodes dont add to filebeta

---
 pillar/logstash/nodes.sls      |  2 +-
 salt/filebeat/etc/filebeat.yml | 11 ++++++++++-
 salt/logstash/dmz_nodes.yaml   |  9 +++++++++
 3 files changed, 20 insertions(+), 2 deletions(-)
 create mode 100644 salt/logstash/dmz_nodes.yaml

diff --git a/pillar/logstash/nodes.sls b/pillar/logstash/nodes.sls
index 92272e7d8..935574ff9 100644
--- a/pillar/logstash/nodes.sls
+++ b/pillar/logstash/nodes.sls
@@ -2,7 +2,7 @@
 {% set cached_grains = salt.saltutil.runner('cache.grains', tgt='*') %}
 {% for minionid, ip in salt.saltutil.runner(
     'mine.get',
-    tgt='( G@role:so-manager or G@role:so-managersearch or G@role:so-standalone or G@role:so-node or G@role:so-heavynode or G@role:so-receiver or G@role:so-helix ) and ( not I@logstash:dmz:true or not I@logstash:dmz:True )',
+    tgt='G@role:so-manager or G@role:so-managersearch or G@role:so-standalone or G@role:so-node or G@role:so-heavynode or G@role:so-receiver or G@role:so-helix',
     fun='network.ip_addrs',
     tgt_type='compound') | dictsort()
 %}
diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index 62a45e9c4..d3b377bfb 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -443,6 +443,13 @@ output.logstash:
 
   # The Logstash hosts
   hosts:
+{# dont let filebeat send to a node designated as dmz #}
+{% import_yaml 'logstash/dmz_nodes.yaml' as dmz_nodes -%}
+{% if dmz_nodes.logstash.dmz_nodes -%}
+{%   set dmz_nodes = dmz_nodes.logstash.dmz_nodes -%}
+{% else -%}
+{%   set dmz_nodes = [] -%}
+{% endif -%}
 {%- if grains.role in ['so-sensor', 'so-fleet', 'so-node', 'so-idh'] %}
 {%-   set LOGSTASH = namespace() %}
 {%-   set LOGSTASH.count = 0 %}
@@ -451,8 +458,10 @@ output.logstash:
 {%-   for node_type, node_details in node_data.items() | sort -%}
 {%-     if node_type in ['manager', 'managersearch', 'standalone', 'receiver' ] %}
 {%-       for hostname in node_data[node_type].keys() %}
-{%-         set LOGSTASH.count = LOGSTASH.count + 1 %}
+{%-         if hostname not in dmz_nodes %}
+{%-           set LOGSTASH.count = LOGSTASH.count + 1 %}
     - "{{ hostname }}:5644" #{{ node_details[hostname].ip }}
+{%-         endif %}
 {%-       endfor %}
 {%-     endif %}
 {%-     if LOGSTASH.count > 1 %}
diff --git a/salt/logstash/dmz_nodes.yaml b/salt/logstash/dmz_nodes.yaml
new file mode 100644
index 000000000..982f72080
--- /dev/null
+++ b/salt/logstash/dmz_nodes.yaml
@@ -0,0 +1,9 @@
+# Do not edit this file. Copy it to /opt/so/saltstack/local/salt/logstash/ and make changes there. It should be formatted as a list.
+# logstash:
+# dmz_nodes:
+#   - mydmznodehostname1
+#   - mydmznodehostname2
+#   - mydmznodehostname3
+
+logstash:
+  dmz_nodes: