#
# Logstash Server configuration for processing wazuh events from Filebeat to 
# OpenSearch server
#

input {
  beats {
    port => 5044
    ssl => false
#    ssl => true
#    ssl_certificate => "/usr/local/etc/logstash/certs/logstash.pem"
#    ssl_certificate_authorities => ["/usr/local/etc/logstash/certs/root-ca.pem"]
#    ssl_key => "/usr/local/etc/logstash/certs/logstash-key.pem"
#    ssl_verify_mode => "force_peer"
  }
}

filter {

  json {
    source => "message"
    target => "wazuhroot"
  }

  mutate {
        copy => { "[wazuhroot][agent]" => "agent" }
        copy => { "[wazuhroot][rule]" => "rule" }
        copy => { "[wazuhroot][predecoder]" => "predecoder" }
        copy => { "[wazuhroot][decoder]" => "decoder" }
        copy => { "[wazuhroot][id]" => "id" }
        copy => { "[wazuhroot][location]" => "location" }
        copy => { "[wazuhroot][manager]" => "manager" }
        copy => { "[wazuhroot][agent][name]" => "host" }
        copy => { "[wazuhroot][full_log]" => "full_log" }
        copy => { "[wazuhroot][data]" => "data" }
        copy => { "[wazuhroot][timestamp]" => "timestamp" }
	remove_field => [ "message", "wazuhroot"]
  }
}

#
# You can define it for output testing
#
#output {
#  file {
#    path => "/var/log/logstash/logstash-output.json"
#  }
#}
#
#

output {
  opensearch {
    hosts => ["https://10.0.0.20:9200"]
    index => "wazuh-alerts-4.x-%{+YYYY.MM.dd}"
    user => "admin"
    password => "adminpass"
    ecs_compatibility => "disabled"
    ssl => true
    ssl_certificate_verification => false
#    cacert => "/usr/local/etc/logstash/certs/root-ca.pem"
#    tls_certificate => "/usr/local/etc/logstash/certs/logstash.pem"
#    tls_key => "/usr/local/etc/logstash/certs/logstash-key.pem"
    manage_template => true
    template => "/usr/local/etc/logstash/wazuh-template.json"
    template_name => "wazuh-template"
    template_overwrite => true
  }
}