securityonion/salt/filebeat/map.jinja

{% import_yaml 'filebeat/thirdpartydefaults.yaml' as TPDEFAULTS %}
{% import_yaml 'filebeat/securityoniondefaults.yaml' as SODEFAULTS %}
{% set THIRDPARTY = salt['pillar.get']('filebeat:third_party_filebeat', default=TPDEFAULTS.third_party_filebeat, merge=True) %}
{% set SO = salt['pillar.get']('filebeat:securityonion_filebeat', default=SODEFAULTS.securityonion_filebeat, merge=True) %}
{% set MODULESMERGED = salt['defaults.merge'](SO, THIRDPARTY, in_place=False) %}

{% set MODULESENABLED = [] %}
{% for module in MODULESMERGED.modules.keys() %}
  {% set ENABLEDFILESETS = {} %}                               
  {% for fileset in MODULESMERGED.modules[module] %}                        
    {% if MODULESMERGED.modules[module][fileset].get('enabled', False) %}  
      {% do ENABLEDFILESETS.update({'module': module, fileset: MODULESMERGED.modules[module][fileset]}) %}
    {% endif %}
  {% endfor %}
  {% if ENABLEDFILESETS|length > 0 %}
    {% do MODULESENABLED.append(ENABLEDFILESETS) %}
  {% endif %}
{% endfor %}
{{ MODULESENABLED }}

{% set role = grains.role %}
{% set FILEBEAT_EXTRA_HOSTS = [] %}
{% set mainint = salt['pillar.get']('host:mainint') %}
{% set localhostip = salt['grains.get']('ip_interfaces').get(mainint)[0] %}
{% if role in ['so-sensor', 'so-fleet', 'so-node', 'so-idh'] %}
  {% set node_data = salt['pillar.get']('logstash:nodes') %}
  {% for node_type, node_details in node_data.items() | sort %}
    {% if node_type in ['manager', 'managersearch', 'standalone', 'receiver' ] %}
      {% for hostname in node_data[node_type].keys() %}
        {% do FILEBEAT_EXTRA_HOSTS.append({hostname:node_details[hostname].ip}) %}
      {% endfor %}
    {% endif %}
  {% endfor %}
{% endif %}

{% do FILEBEAT_EXTRA_HOSTS.append({grains.host:localhostip}) %}