{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Justin Henderson
#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016

filter {
  if "firewall" in [tags] and "test_data" not in [tags] {
    mutate {
	  ##add_tag => [ "conf_file_9200"]
	}
  }
}
output {
  if "firewall" in [tags] and "test_data" not in [tags] {
#    stdout { codec => rubydebug }
    elasticsearch {
      hosts => "{{ ES }}"
      index => "logstash-firewall-%{+YYYY.MM.dd}"
      template_name => "logstash"
      template => "/logstash-template.json"
      template_overwrite => true
    }
  }
}