osquery & security onion Integration
# Place under /etc/logstash/custom, see here for more details:
# https://github.com/Security-Onion-Solutions/security-onion/wiki/Logstash
#
# Only events carrying the "osquery" tag are touched; the shipper (e.g. a
# Filebeat prospector) is assumed to add that tag. Everything else passes
# through this file unchanged.
filter {
  if "osquery" in [tags] {
    # Each osquery result line is a JSON document in [message]; parse it
    # into its own [osquery] field so the original line is kept intact.
    json {
      source => "message"
      target => "osquery"
    }
    # Drop the generic "beat" tag so the default Security Onion beat
    # output rule does not also match these events (assumed intent).
    mutate {
      remove_tag => [ "beat" ]
    }
  }
}

output {
  if "osquery" in [tags] {
    # One daily index; the date comes from the event's @timestamp (UTC).
    elasticsearch {
      hosts => "elasticsearch"
      index => "logstash-osquery-%{+YYYY.MM.dd}"
      template => "/logstash-template.json"
    }
  }
}
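To see what the filter and output stages above do to a real event, here is an added Python model of them (not Logstash and not part of the gist). It runs the gist's two stages over a constructed Filebeat event carrying one osquery result line, including the json filter's failure behaviour (Logstash leaves the event alone and adds a `_jsonparsefailure` tag); the sample hostname, query name and timestamp are made up.

```python
"""Model of the gist's osquery Logstash stages on constructed Filebeat events."""
import json
from datetime import datetime, timezone

# Constructed sample: what Filebeat would ship for one osquery result line.
# "beat" is the shipper's generic tag; "osquery" is assumed to be added by
# the Filebeat prospector that reads the osquery result log.
SAMPLE_EVENT = {
    "@timestamp": "2019-03-04T12:34:56.000Z",
    "tags": ["beat", "osquery"],
    "message": json.dumps({
        "name": "pack_incident-response_listening_ports",
        "hostIdentifier": "ws01.example.test",
        "unixTime": 1551702896,
        "columns": {"pid": "4242", "port": "4444", "protocol": "6", "address": "0.0.0.0"},
        "action": "added",
    }),
}

def apply_filter(event):
    """Mirror the gist's filter{} block: json{} into [osquery], then drop the 'beat' tag."""
    ev = dict(event)
    if "osquery" not in ev.get("tags", []):
        return ev  # conditional not met: the event passes through untouched
    try:
        ev["osquery"] = json.loads(ev["message"])
    except (ValueError, TypeError):
        # Logstash's json filter keeps the event and tags the failure instead
        ev["tags"] = ev.get("tags", []) + ["_jsonparsefailure"]
    ev["tags"] = [t for t in ev.get("tags", []) if t != "beat"]
    return ev

def route_index(event):
    """Mirror the output{} block: daily index name from the UTC @timestamp, or None."""
    if "osquery" not in event.get("tags", []):
        return None  # output conditional not met: not sent to this elasticsearch output
    ts = datetime.strptime(event["@timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return "logstash-osquery-" + ts.strftime("%Y.%m.%d")

if __name__ == "__main__":
    out = apply_filter(SAMPLE_EVENT)
    print(route_index(out))
    print(json.dumps(out["osquery"], indent=2))
```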