From e70db05a0f044684e87ea3d834e8d81fea3edf49 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Mon, 10 Dec 2018 19:50:55 +0000
Subject: [PATCH] Filebeat - Modify config for Wazuh alerts
---
 salt/filebeat/etc/filebeat.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index 7c6e0655b..f0bbe3e11 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -1,6 +1,7 @@
 {%- set MASTER = grains['master'] %}
 {%- set HOSTNAME = salt['grains.get']('host', '') %}
 {%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %}
+{%- set WAZUHENABLED = salt['pillar.get']('static:wazuh_enabled', '1') %}
 name: {{ HOSTNAME }}
@@ -36,16 +37,16 @@ filebeat.prospectors:
 clean_removed: false
 close_removed: false
+{%- if WAZUHENABLED != '1' %}
 - type: log
 paths:
- - /alerts/alerts.json
+ - /wazuh/alerts/alerts.json
 fields:
 type: ossec
 fields_under_root: true
 clean_removed: false
 close_removed: false
-
-
+{%- endif %}
 #----------------------------- Logstash output ---------------------------------
 output.logstash:
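Review bot: The added `WAZUHENABLED` value is compared against the string `'1'` in the second hunk, but `pillar.get` hands back whatever type the pillar YAML holds. An unquoted `wazuh_enabled: 1` would presumably arrive as an integer and never equal `'1'`, so the guard would silently take the same branch whatever the operator set. Normalising at the definition keeps the test stable: `{%- set WAZUHENABLED = salt['pillar.get']('static:wazuh_enabled', '1') | string %}`. A short Jinja comment above the line naming the accepted values and the default of '1' would also help whoever edits the pillar.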
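Review bot: The guard `{%- if WAZUHENABLED != '1' %}` renders the `type: ossec` prospector only when `static:wazuh_enabled` is something other than '1'. The first hunk defaults that value to '1', so a default deployment would not ship /wazuh/alerts/alerts.json to Logstash at all. If the flag means what its name suggests, the test looks inverted and host-based alerts would silently stop reaching the pipeline; `{%- if WAZUHENABLED == '1' %}` would match the name. If the exclusion is deliberate (for instance, another shipper forwards these alerts when Wazuh is enabled), a Jinja comment above the guard should say so, and it is worth confirming after deployment that ossec-type events still arrive. The `filebeat.prospectors:` list this entry belongs to starts outside the hunk.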