securityonion/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja

output {
  if [module] =~ "osquery" and "live_query" not in [dataset] {
    elasticsearch {
      pipeline => "%{module}.%{dataset}" 
      hosts => "{{ GLOBALS.manager }}"
      user => "{{ ES_USER }}"
      password => "{{ ES_PASS }}"
      index => "so-osquery"
      ssl => true
      ssl_certificate_verification => false
    }
  }
}