Adds support for ECS compliant cloning

When Cloning with logstash in ECS complaint mode, [type] no longer created, instead the value is added as a [tag]
outflanknl · Nov 20, 2024 · bec57bd · bec57bd
1 parent 0bac709
commit bec57bd
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/elkserver/mounts/logstash-config/redelk-main/conf.d/99-outputs_logstash.conf b/elkserver/mounts/logstash-config/redelk-main/conf.d/99-outputs_logstash.conf
@@ -25,7 +25,7 @@ output {
     }
   }
 
-  if [type] == "implantsdb" {
+  if ([type] == "implantsdb" or "implantsdb" in [tags]) {
     elasticsearch {
       hosts => ["redelk-elasticsearch:9200"]
       sniffing => false
@@ -73,7 +73,7 @@ output {
     }
   }
 
-  if [type] == "bluecheck" {
+  if ([type] == "bluecheck" or "bluecheck" in [tags]) {
     elasticsearch {
       hosts => ["redelk-elasticsearch:9200"]
       sniffing => false