{#- Filebeat module defaults for Security Onion. Rendered by Salt, so `salt`
    and `grains` come from the minion's render context, not from this file. -#}
{#- Metadata engine selected in pillar; an empty string when the key is unset. -#}
{%- set ZEEKVER = salt['pillar.get']('global:mdengine', '') %}
{#- Zeek log names whose Filebeat fileset carries a different name. Any log
    name absent from this map uses the log name itself as the fileset. -#}
{%- set ZEEKLOGLOOKUP = {'conn': 'connection'} %}

securityonion_filebeat:
  modules:
    elasticsearch:
      server:
        enabled: true
        var.paths: ["/logs/elasticsearch/*.log"]
    kibana:
      log:
        enabled: true
        var.paths: ["/logs/kibana/kibana.log"]
    logstash:
      log:
        enabled: true
        var.paths: ["/logs/logstash.log"]
    redis:
      log:
        enabled: true
        var.paths: ["/logs/redis.log"]
      slowlog:
        enabled: false
    suricata:
      eve:
        enabled: true
        var.paths: ["/nsm/suricata/eve*.json"]
{#- Zeek filesets are emitted only on roles that run a sensor and only when
    Zeek (anything other than SURICATA) is the metadata engine. -#}
{%- if grains['role'] in ['so-eval', 'so-standalone', 'so-sensor', 'so-helix', 'so-heavynode', 'so-import'] and ZEEKVER != 'SURICATA' %}
    zeek:
{#-   One fileset per enabled Zeek log from pillar. A missing pillar key falls
      back to '', which iterates to nothing, so no filesets are rendered.
      LOGNAME is interpolated into a YAML string and a path without escaping;
      it is master-controlled pillar data and is treated as trusted here. -#}
{%-   for LOGNAME in salt['pillar.get']('zeeklogs:enabled', '') %}
{%-     set FILESET = ZEEKLOGLOOKUP.get(LOGNAME, LOGNAME) %}
      {{ FILESET }}:
        enabled: true
        var.paths: ["/nsm/zeek/logs/current/{{ LOGNAME }}.log"]
{%-   endfor %}
{%- endif %}