# {{ ansible_managed }}
# Wazuh - Logstash configuration file

{% if logstash_input_beats == true %}
## Remote Wazuh Manager - Filebeat input
input {
    beats {
        port => 5000
        codec => "json_lines"
{% if logstash_ssl == true %}
        ssl => true
        ssl_certificate => "{{ logstash_ssl_dir }}/{{ logstash_ssl_certificate_file | basename }}"
        ssl_key => "{{ logstash_ssl_dir }}/{{ logstash_ssl_key_file | basename }}"
{% endif %}
    }
}
{% else %}
## Local Wazuh Manager - JSON file input
input {
   file {
       type => "wazuh-alerts"
       path => "/var/ossec/logs/alerts/alerts.json"
       codec => "json"
   }
}
{% endif %}

filter {
    geoip {
        source => "srcip"
        target => "GeoLocation"
        fields => ["city_name", "continent_code", "country_code2", "country_name", "region_name", "location"]
    }
    date {
        match => ["timestamp", "ISO8601"]
        target => "@timestamp"
    }
    mutate {
        remove_field => [ "timestamp", "beat", "fields", "input_type", "tags", "count", "@version", "log", "offset", "type"]
    }
}
output {
    #stdout { codec => rubydebug }
    elasticsearch {
        hosts => ["{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}"]
        index => "wazuh-alerts-%{+YYYY.MM.dd}"
        document_type => "wazuh"
        template => "/etc/logstash/wazuh-elastic5-template.json"
        template_name => "wazuh"
        template_overwrite => true
    }
}