securityonion/salt/logstash/files/dynamic/0006_input_beats.conf

input {
  beats {
    port => "5044"
    ssl => false
    ssl_certificate_authorities => ["/usr/share/filebeat/ca.crt"]
    ssl_certificate => "/usr/share/logstash/filebeat.crt"
    ssl_key => "/usr/share/logstash/filebeat.key"
    tags => [ "beat" ]
  }
}
filter {
    if [type] == "osquery" {
    mutate {
      rename => { "host" => "beat_host" }
      remove_tag => ["beat"]
      add_tag => ["osquery"]
        	}
   json {
    source => "message"
    target => "osquery"
        }
  }
}