From ff98cdb30baf3f9228934662aa642da1e9bcf8f1 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 16 Oct 2018 10:20:00 -0400
Subject: [PATCH] Filebeat Module - Change the filebeat.yml

---
 salt/filebeat/etc/filebeat.yml | 42 +++++++++++++++-------------------
 1 file changed, 19 insertions(+), 23 deletions(-)

diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index 246486e1b..a45768ae3 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -8,32 +8,28 @@ filebeat.modules:
 filebeat.prospectors:
 #------------------------------ Log prospector --------------------------------
-{%- for LOGNAME in salt['pillar.get']('brologs:enabled', '') %}}
-- type: log
-  enabled: true
-  paths:
-    - /nsm/bro/spool/{{ LOGNAME }}.log
-  tags: ["bro_{{ LOGNAME }}"]
-  exclude_files: ['.gz$']
+{%- for LOGNAME in salt['pillar.get']('brologs:enabled', '') %}
+  - type: log
+    paths:
+      - /nsm/bro/spool/{{ LOGNAME }}.log
+    fields:
+      type: bro_{{ LOGNAME }}
+    fields_under_root: true
+    tags: ["bro"]
+    clean_removed: false
+    close_removed: false
 {%- endfor %}
-- type: log
-
-  # Change to true to enable this prospector configuration.
-  enabled: true
-
-  # Paths that should be crawled and fetched. Glob based paths.
-  # To fetch all ".log" files from a specific level of subdirectories
-  # /var/log/*/*.log can be used.
-  # For each file found under this path, a harvester is started.
-  # Make sure not file is defined twice as this can lead to unexpected behaviour.
-  paths:
-    - /suricata/eve.json
-  tags: ids
-  #- c:\programdata\elasticsearch\logs\*
-
-  exclude_files: ['.gz$']
+  - type: log
+    paths:
+      - /suricata/eve.json
+    fields:
+      type: snort
+    fields_under_root: true
+    tags: ["ids"]
+    clean_removed: false
+    close_removed: false
 #----------------------------- Logstash output ---------------------------------
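Review bot: Both new prospectors set `clean_removed: false` and `close_removed: false` with no comment saying why, and on the `/nsm/bro/spool/{{ LOGNAME }}.log` path those files are presumably rotated away regularly, so the registry keeps state for files that no longer exist and a later file that reuses the same inode may be resumed at a stale offset — a silent gap or duplicate in the Bro/IDS feed, depending on how the spool directory is rotated. A one-line comment above the two options, such as `# keep reading rotated spool files to EOF; registry entries are kept on purpose — confirm inode reuse cannot skip data`, would record the intent; otherwise consider leaving `clean_removed` at its default. The eve.json prospector labels its events `type: snort` while reading Suricata output; if the downstream Logstash filters key on that value this is fine, but a comment noting that the name is deliberate would stop the next reader from "fixing" it. Dropping `exclude_files` is harmless here because both `paths` entries are exact file names rather than globs.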