# Wazuh - Logstash configuration file
## Remote Wazuh Manager - Filebeat input

# Filebeat on the Wazuh manager ships alerts to this Beats listener over TLS.
# The beats input expects the private key in PKCS#8 form; the .p8 name used
# here is consistent with that.
input {
  beats {
    port  => 5000
    codec => "json_lines"
    ssl             => true
    ssl_certificate => "/etc/logstash/logstash.crt"
    ssl_key         => "/etc/logstash/logstash.p8"
  }
}

filter {
  # Copy the source address into a scratch field so a single geoip stage can
  # serve both plain Wazuh alerts ([data][srcip]) and AWS-style events
  # ([data][aws][sourceIPAddress]).
  # NOTE(review): add_field appends when the target already exists, so an event
  # carrying both fields ends up with a multi-valued @src_ip.
  if [data][srcip] {
    mutate { add_field => { "@src_ip" => "%{[data][srcip]}" } }
  }
  if [data][aws][sourceIPAddress] {
    mutate { add_field => { "@src_ip" => "%{[data][aws][sourceIPAddress]}" } }
  }

  # GeoIP enrichment of the scratch field. A lookup that fails (for example an
  # RFC1918 address) tags the event with _geoip_lookup_failure instead of
  # raising an error.
  geoip {
    source => "@src_ip"
    target => "GeoLocation"
    fields => [ "city_name", "continent_code", "country_code2",
                "country_name", "region_name", "location" ]
  }

  # Use the alert's own ISO8601 timestamp as the event time. On a parse
  # failure the date filter tags the event _dateparsefailure and @timestamp
  # keeps the ingest time.
  date {
    match  => [ "timestamp", "ISO8601" ]
    target => "@timestamp"
  }

  # Strip Beats/transport metadata and the scratch field before indexing.
  # NOTE(review): removing "tags" also discards the _dateparsefailure and
  # _geoip_lookup_failure markers set by the stages above, so those failures
  # leave no trace in the index; keep "tags" (or copy it to another field) if
  # parsing or enrichment failures need to be monitored.
  mutate {
    remove_field => [ "timestamp", "beat", "input_type", "tags", "count",
                      "@version", "log", "offset", "type", "@src_ip" ]
  }
}

output {
  elasticsearch {
    hosts => [ "https://localhost:9200" ]
    # NOTE(review): the Elasticsearch credentials and the truststore password
    # are stored in clear text here and are default-looking values
    # ("changeit" is the stock Java truststore password). Logstash supports
    # ${VAR} substitution and the logstash-keystore for these settings, which
    # keeps secrets out of the pipeline file.
    user     => logstash
    password => logstash
    # Certificate verification stays enabled so the output only talks to a
    # cluster whose certificate chains to the truststore below.
    ssl                          => true
    ssl_certificate_verification => true
    truststore                   => "/etc/logstash/truststore.jks"
    truststore_password          => changeit
    index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}"
    # document_type is deprecated in newer elasticsearch output versions;
    # drop it once the target cluster no longer accepts mapping types.
    document_type => "wazuh"
  }
}