Using common logstash container for Security Lake integration

integrations/amazon-security-lake/logstash/pipeline/indexer-to-s3.conf

@@ -42,4 +42,11 @@ output {
       }
       time_file => 5
    }
+   file {
+      id => "output.file"
+      path => "/usr/share/logstash/logs/indexer-to-file-%{+YYYY-MM-dd-HH}.log"
+      file_mode => 0644
+      codec => json_lines
+      flush_interval => 30
+   }
 }

integrations/docker/compose.amazon-security-lake.yml

@@ -80,7 +80,7 @@ services:
   wazuh.integration.security.lake:
     image: wazuh/indexer-security-lake-integration
     build:
-      context: ../amazon-security-lake
+      context: ../logstash
     container_name: wazuh.integration.security.lake
     depends_on:
       - wazuh.indexer
@@ -104,7 +104,6 @@ services:
       - ./certs/root-ca.pem:/usr/share/logstash/root-ca.pem
       - ../amazon-security-lake/src:/usr/share/logstash/amazon-security-lake # TODO use dedicated folder
       # - ./credentials:/usr/share/logstash/.aws/credentials # TODO credentials are not commited (missing)
-    command: tail -f /var/log/logstash/logstash-plain.log
 
   s3.ninja:
     image: scireum/s3-ninja:latest

integrations/logstash/Dockerfile

@@ -8,7 +8,6 @@ USER logstash
 # Install plugin
 RUN LS_JAVA_OPTS="-Xms1024m -Xmx1024m" logstash-plugin install logstash-input-opensearch
 
-COPY --chown=logstash:logstash logstash/pipeline /usr/share/logstash/pipeline
 # Copy and run the setup.sh script to create and configure a keystore for Logstash.
 COPY --chown=logstash:logstash ./setup.sh /usr/share/logstash/bin/setup.sh
 RUN bash /usr/share/logstash/bin/setup.sh