securityonion/salt/logstash/defaults.yaml

logstash:
  enabled: False
  assigned_pipelines:
    roles:
      standalone:
        - manager
        - search
      receiver:
        - receiver
      heavynode:
        - manager
        - search
      searchnode:
        - search
      manager:
        - manager
      managersearch:
        - manager
        - search
      fleet:
        - fleet
  defined_pipelines:
    fleet:
      - so/0012_input_elastic_agent.conf.jinja
      - so/9806_output_lumberjack_fleet.conf.jinja
    manager:
      - so/0011_input_endgame.conf
      - so/0012_input_elastic_agent.conf.jinja
      - so/0013_input_lumberjack_fleet.conf
      - so/9999_output_redis.conf.jinja        
    receiver:
      - so/0011_input_endgame.conf
      - so/0012_input_elastic_agent.conf.jinja
      - so/0013_input_lumberjack_fleet.conf
      - so/9999_output_redis.conf.jinja
    search:
      - so/0900_input_redis.conf.jinja
      - so/9805_output_elastic_agent.conf.jinja
      - so/9900_output_endgame.conf.jinja
    custom0: []
    custom1: []
    custom2: []
    custom3: []
    custom4: []
  pipeline_config:
    custom001: |-
      filter {
        if [event][module] =~ "zeek" {
          mutate {
            add_tag => ["network_stuff"]
          }
        }
      }
    custom002: PLACEHOLDER
    custom003: PLACEHOLDER
    custom004: PLACEHOLDER
    custom005: PLACEHOLDER
    custom006: PLACEHOLDER
    custom007: PLACEHOLDER
    custom008: PLACEHOLDER
    custom009: PLACEHOLDER
    custom010: PLACEHOLDER
  settings:
    lsheap: 500m
  config:
    http_x_host: 0.0.0.0
    path_x_logs: /var/log/logstash
    pipeline_x_workers: 1
    pipeline_x_batch_x_size: 125
    pipeline_x_ecs_compatibility: disabled
  dmz_nodes: []