{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Justin Henderson
#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Updated by: Doug Burks
# Last Update: 9/19/2018

filter {
  if [module] =~ "ossec" {
    mutate {
          ##add_tag => [ "conf_file_9600"]
        }
  }
}

output {
  if [module] =~ "ossec" {
    elasticsearch {
      pipeline => "%{module}.%{dataset}"
      hosts => "{{ ES }}"
      index => "so-ossec-%{+YYYY.MM.dd}"
      template_name => "so-common"
      template => "/so-common-template.json"
      template_overwrite => true
    }
  }
}