securityonion/salt/logstash/files/dynamic/0006_input_beats.conf
2018-10-16 16:46:04 -04:00


# Beats listener: accepts events from Filebeat agents over TLS on TCP 5044
# and marks every event received here with the "beat" tag.
input {
  beats {
    tags => [ "beat" ]
    port => "5044"

    # TLS server identity presented to connecting Beats agents.
    ssl => true
    ssl_certificate => "/usr/share/logstash/filebeat.crt"
    ssl_key => "/usr/share/logstash/filebeat.key"

    # CA bundle for validating client certificates.
    # NOTE(review): ssl_verify_mode is not set in this block, so whether a
    # client certificate is actually required depends on the plugin version's
    # default. Confirm the behaviour and set ssl_verify_mode explicitly if
    # mutual TLS is intended. Without client authentication, any host that
    # can reach this port can submit events.
    ssl_certificate_authorities => ["/usr/share/filebeat/ca.crt"]
  }
}
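# Normalise events shipped by Beats that carry an "ids" or "bro" tag:
#   - copy the shipper's name and hostname into sensor_name / syslog-host_from
#   - rename the top-level "host" field to "beat_host"
#   - drop the "beat" tag and the two [beat] sub-fields that were copied
#
# The two tag checks previously had separate, identical mutate blocks. An event
# carrying both tags went through the second block after [beat][name] and
# [beat][hostname] had already been removed, so the unresolved literal
# "%{[beat][name]}" was appended to sensor_name. One combined condition applies
# the rewrite exactly once.
filter {
  if "ids" in [tags] or "bro" in [tags] {
    mutate {
      # rename is a mutate operation and runs first. add_field, remove_field
      # and remove_tag are applied afterwards, with add_field before
      # remove_field, so the [beat] values are copied before they are dropped.
      rename => { "host" => "beat_host" }
      # NOTE(review): [beat][name] and [beat][hostname] are supplied by the
      # sending agent. sensor_name is only as trustworthy as the
      # authentication on the beats input, so treat it as client-asserted
      # unless client certificates are enforced there. If either field is
      # absent, the unexpanded "%{...}" reference is stored as the value.
      add_field => {
        "sensor_name" => "%{[beat][name]}"
        "syslog-host_from" => "%{[beat][hostname]}"
      }
      remove_field => ["[beat][name]", "[beat][hostname]"]
      remove_tag => ["beat"]
    }
  }
}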