input {
  beats {
    port => "5044"
    ssl => true
    ssl_certificate_authorities => ["/usr/share/filebeat/ca.crt"]
    ssl_certificate => "/usr/share/logstash/filebeat.crt"
    ssl_key => "/usr/share/logstash/filebeat.key"
    tags => [ "beat" ]
  }
}
filter {
  if [type] == "ids" or [type] =~ "bro" {
    mutate {
      rename => { "host" => "beat_host" }
      remove_tag => ["beat"]
      add_field => { "sensor_name" => "%{[beat][name]}" }
      add_field => { "syslog-host_from" => "%{[beat][name]}" }
    }
  }
  if [type] =~ "ossec" {
    mutate {
      rename => { "host" => "beat_host" }
      remove_tag => ["beat"]
      add_field => { "syslog-host_from" => "%{[beat][name]}" }
    }
  }
}