# {{ ansible_managed }}
# Wazuh - Logstash configuration file
## Remote Wazuh Manager - Filebeat input
input {
    beats {
        port => 5000
        codec => "json_lines"
#        ssl => true
#        ssl_certificate => "/etc/logstash/logstash.crt"
#        ssl_key => "/etc/logstash/logstash.key"
    }
}
## Local Wazuh Manager - JSON file input
#input {
#   file {
#       type => "wazuh-alerts"
#       path => "/var/ossec/logs/alerts/alerts.json"
#       codec => "json"
#   }
#}
filter {
    geoip {
        source => "srcip"
        target => "GeoLocation"
        fields => ["city_name", "continent_code", "country_code2", "country_name", "region_name", "location"]
    }
    date {
        match => ["timestamp", "ISO8601"]
        target => "@timestamp"
    }
    mutate {
        remove_field => [ "timestamp", "beat", "fields", "input_type", "tags", "count", "@version", "log", "offset", "type"]
    }
}
output {
    #stdout { codec => rubydebug }
    elasticsearch {
        hosts => ["localhost:9200"]
        index => "wazuh-alerts-%{+YYYY.MM.dd}"
        document_type => "wazuh"
        template => "/etc/logstash/wazuh-elastic5-template.json"
        template_name => "wazuh"
        template_overwrite => true
    }
}