From fff13d58613735fd6aeea2d3b730d3c74c422fcc Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Fri, 28 Dec 2018 13:56:06 -0500
Subject: [PATCH] Tag & initial JSON decode for osquery logs

---
 salt/logstash/files/dynamic/0006_input_beats.conf | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/salt/logstash/files/dynamic/0006_input_beats.conf b/salt/logstash/files/dynamic/0006_input_beats.conf
index 3d0306dd4..c7cab30b7 100644
--- a/salt/logstash/files/dynamic/0006_input_beats.conf
+++ b/salt/logstash/files/dynamic/0006_input_beats.conf
@@ -25,5 +25,16 @@ filter {
 add_field => { "syslog-host_from" => "%{[beat][name]}" }
 remove_field => [ "beat", "prospector", "input", "offset" ]
 }
+
+ if [type] == "osquery" {
+ mutate {
+ remove_tag => ["beat"]
+ add_tag => ["osquery"]
+ }
+ json {
+ source => "message"
+ target => "osquery"
+ }
+ }
 }
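Review bot: The new `json` block decodes `message` into `[osquery]` but leaves the raw `message` field in place, so every osquery result is indexed twice; if the raw copy is not wanted, `remove_field => ["message"]` inside the json filter drops it, and since filter decorations are applied only after a successful parse a malformed line keeps its raw text together with the parse-failure tag. Note that the `[type] == "osquery"` branch keys off a field the shipping beat supplies, so any beat client that labels its events this way gets its payload decoded; the `target => "osquery"` setting is what keeps decoded keys from overwriting top-level event fields, and that intent is worth recording with a comment such as `# decode into a sub-field so client-supplied keys cannot clobber top-level fields`. The enclosing `filter { ... }` block starts before this hunk.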