From 3431411eafdd734197976daa341cb17d0c4f0f5e Mon Sep 17 00:00:00 2001
From: AlfonsoRBJ
Date: Thu, 12 Dec 2019 11:52:53 +0100
Subject: [PATCH] add workaround for vulnerability detector data published field (#282)
Former-commit-id: e3883725b9636666da2b739c0cb2643ad6399d53
---
 logstash/config/01-wazuh.conf | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/logstash/config/01-wazuh.conf b/logstash/config/01-wazuh.conf
index ea7b9fdb..d70d45e0 100644
--- a/logstash/config/01-wazuh.conf
+++ b/logstash/config/01-wazuh.conf
@@ -40,6 +40,22 @@ filter {
 remove_field => [ "beat", "input_type", "tags", "count", "@version", "log", "offset", "type", "@src_ip", "host"]
 }
 }
+filter {
+ # Workarounds for vulnerability-detector
+ if "vulnerability-detector" in [rule][groups] {
+ # Drop vulnerability-detector events from Manager
+ if [agent][id] == "000"{
+ drop { }
+ }
+
+ # if exists, remove data.vulnerability.published field due to conflicts
+ if [data][vulnerability][published] {
+ mutate {
+ remove_field => [ "[data][vulnerability][published]" ]
+ }
+ }
+ }
+}
 output {
 elasticsearch {
 hosts => ["elasticsearch:9200"]
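Review bot: The `drop { }` branch under `if [agent][id] == "000"` silently discards every vulnerability-detector event for the manager host, so vulnerabilities found on the manager itself will never reach Elasticsearch; the comment should state that this loss of coverage is deliberate and why, e.g. `# Manager (agent 000) vulnerability-detector events are dropped on purpose: <REASON-PLACEHOLDER>; findings for the manager host will not be indexed`. The `# if exists, remove ... due to conflicts` comment should name the conflict — presumably an Elasticsearch mapping conflict on the published field, though the hunk does not say — so a maintainer knows when the field can safely be kept again. The `if [data][vulnerability][published]` guard adds nothing for correctness, since `mutate { remove_field }` ignores a field that is absent, so it can be dropped or kept purely as documentation. Minor style: `== "000"{` lacks the space before the brace that the other conditionals in the hunk use.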