input {
 file {
   mode => "tail"
   type => "snort-json"
   path => "/usr/share/logstash/ingest_data/alert_json.txt"
 }
 file {
  mode => "tail"
  type => "snort-appid"
  path => "/usr/share/logstash/ingest_data/appid_stats.log"
 }
}


filter {
  if [type] == "snort-json" {
    if [message] =~ /^{.*}$/ {
      json {
        source => "message"
      }
    }
  }
  if [type] == "snort-appid" {
    csv {
      source => "message"
      separator => ","
      skip_header => "false"
      columns => ["timestamp","app","bytesToClient","bytesToServer"]
    }
    mutate {
      convert => {
        timestamp => "date"
        bytesToClient => "integer"
        bytesToServer => "integer"
      }
    }
  }
}


output {
  if [type] == "snort-json" {
    elasticsearch {
      index => "snort-json-%{+YYYY.MM.dd}"
      hosts=> "${ELASTIC_HOSTS}"
      user=> "${ELASTIC_USER}"
      password=> "${ELASTIC_PASSWORD}"
      cacert=> "certs/ca/ca.crt"
    }
  }
  if [type] == "snort-appid" {
    elasticsearch {
      index => "snort-appid-%{+YYYY.MM.dd}"
      hosts=> "${ELASTIC_HOSTS}"
      user=> "${ELASTIC_USER}"
      password=> "${ELASTIC_PASSWORD}"
      cacert=> "certs/ca/ca.crt"
    }
    }
 
}