changes for https://github.com/Security-Onion-Solutions/securityonion/issues/825

salt/filebeat/etc/filebeat.yml

@@ -75,7 +75,6 @@ filebeat.modules:
 filebeat.inputs:
 #------------------------------ Log prospector --------------------------------
 {%- if grains['role'] == 'so-sensor' or grains['role'] == "so-eval" or grains['role'] == "so-helix" or grains['role'] == "so-heavynode" or grains['role'] == "so-standalone" %}
-
 - type: udp
   enabled: true
   host: "0.0.0.0:514"
@@ -213,15 +212,6 @@ filebeat.inputs:
   clean_removed: false
   close_removed: false
 
-# - type: log
-#    paths:
-#      - /wazuh/archives/archives.json
-#    fields:
-#      type: ossec_archive
-#    fields_under_root: true
-#    clean_removed: false
-#    close_removed: false
-
 {%- endif %}
 
 {%- if FLEETMASTER or FLEETNODE %}
@@ -244,6 +234,20 @@ filebeat.inputs:
 
 {%- endif %}
 
+{%- if INPUTS %}
+# USER PILLAR DEFINED INPUTS
+{{ INPUTS | yaml(False) }}
+{%- endif %}
+
+{% if OUTPUT -%}
+# USER PILLAR DEFINED OUTPUT
+{%- set types = OUTPUT.keys() | list %}
+{%- set type = types[0] %}
+output.{{ type }}:
+  {%- for i in OUTPUT[type].items() %}
+  {{ i[0] }}: {{ i[1]}}
+  {%- endfor %}
+{%- else %}
 #----------------------------- Elasticsearch/Logstash output ---------------------------------
   {%- if grains['role'] == "so-eval" %}
 output.elasticsearch:
@@ -321,6 +325,7 @@ setup.template.enabled: false
   #_source:
     #enabled: false
   {%- endif %}
+{% endif %}
 #============================== Kibana =====================================
 
 # Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.

salt/filebeat/init.sls

@@ -46,6 +46,9 @@ filebeatconfsync:
     - user: 0
     - group: 0
     - template: jinja
+    - defaults:
+        INPUTS: {{ salt['pillar.get']('filebeat:config:inputs', {}) }}
+        OUTPUT: {{ salt['pillar.get']('filebeat:config:output', {}) }}
 so-filebeat:
   docker_container.running:
     - image: {{ MASTER }}:5000/soshybridhunter/so-filebeat:{{ VERSION }}{{ FEATURES }}