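# Logstash pipeline (Jinja2-templated at deploy time): receives Beats events over
# TLS, normalises single-line JSON log messages, drops noisy fields, and routes
# every event to exactly one monthly Elasticsearch index chosen from its source.
input {
  beats {
    port => 5044
    host => "0.0.0.0"
    ecs_compatibility => "v1"
    ssl => true
    ssl_certificate_authorities => "/usr/share/logstash/config/certificates/ca/ca.crt"
    ssl_key => "/usr/share/logstash/config/certificates/{{ logstash_certificate }}/{{ logstash_certificate }}.pkcs8.key"
    ssl_certificate => "/usr/share/logstash/config/certificates/{{ logstash_certificate }}/{{ logstash_certificate }}.crt"
    # The plugin defaults to verify mode "none": the CA configured above would
    # never be consulted and any host able to reach 0.0.0.0:5044 could ship
    # events. "force_peer" requires every Beats shipper to present a client
    # certificate signed by that CA (newer plugin releases spell this
    # ssl_client_authentication => "required").
    ssl_verify_mode => "force_peer"
  }
}

filter {
  # Only attempt JSON decoding when the whole message is one JSON object.
  # \A and \z anchor the complete string; ^ and $ match per line, so a single
  # JSON-looking line inside a multi-line message would have triggered a
  # needless _jsonparsefailure.
  if [message] =~ /\A\{.*\}\z/ {
    json { source => "message" }
    # message_full = "<message>:\n<stack_trace>" when a stack trace was decoded,
    # otherwise just the message. 10.chr is a newline: pipeline config strings do
    # not interpret "\n" unless config.support_escapes is enabled. to_s keeps the
    # ruby filter from raising (and tagging _rubyexception) when a decoded field
    # is not a string, e.g. a nested "message" object.
    if [stack_trace] {
      ruby { code => "event.set('message_full', event.get('message').to_s + ':' + 10.chr + event.get('stack_trace').to_s)" }
    } else {
      ruby { code => "event.set('message_full', event.get('message').to_s)" }
    }
  }

  mutate {
    remove_field => [ "[id]", "[agent]", "[log][file][path]", "[docker][container][labels]" ]
  }

  # Decide the index prefix once, in @metadata (never indexed), so a single
  # elasticsearch output below replaces six copies that differed only in the
  # index name. Branch order is unchanged: the first match wins.
  if "audit" in [tags] {
    mutate { add_field => { "[@metadata][es_index]" => "auditlog" } }
  } else if [event][dataset] == "system.auth" {
    mutate { add_field => { "[@metadata][es_index]" => "authlog" } }
  } else if [event][dataset] == "system.syslog" {
    mutate { add_field => { "[@metadata][es_index]" => "syslog" } }
  } else if [container][name] and [@metadata][beat] {
    mutate { add_field => { "[@metadata][es_index]" => "%{[container][name]}" } }
  } else if [@metadata][beat] {
    mutate { add_field => { "[@metadata][es_index]" => "%{[@metadata][beat]}-%{[@metadata][version]}" } }
  } else {
    mutate { add_field => { "[@metadata][es_index]" => "uncategorized" } }
  }
}

output {
  elasticsearch {
    hosts => ["https://{{ elastic_id }}:{{ service_port_elasticsearch }}"]
    cacert => "/usr/share/logstash/config/certificates/ca/ca.crt"
    # NOTE(review): the cluster admin password is rendered into this file in
    # clear text. Consider a dedicated write-only ingest role and loading the
    # secret from the Logstash keystore (password => "${ES_PWD}") instead.
    user => "{{ elastic_admin_username }}"
    password => "{{ elastic_admin_password }}"
    # Monthly index named after the prefix selected in the filter section.
    index => "%{[@metadata][es_index]}-%{+YYYY.MM}"
    manage_template => false
  }
}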