securityonion/salt/logstash/files/dynamic/9100_output_osquery.conf

{%- if grains['role'] == 'so-eval' -%}
{%- set ES = salt['pillar.get']('master:mainip', '') -%}
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Josh Brower
# Last Update: 12/29/2018
# Output to ES for osquery tagged logs


output {
  if "osquery" in [tags] {
    elasticsearch {
      hosts => "{{ ES }}"
      index => "logstash-osquery-%{+YYYY.MM.dd}"
      template => "/logstash-template.json"
    }
  }
}