From d96cf4c369a347b9adcbe942575f5f3d0255606a Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Wed, 5 Jul 2017 14:12:05 -0700
Subject: [PATCH] Allow programs to write below /etc/logstash

At least for some logstash configs, device files get written to below /etc/logstash instead of elsewhere like /var.
---
 rules/falco_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 6086be15..d962c539 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -341,7 +341,7 @@
 systemd, systemd-machine, debconf-show, rollerd, bind9.postinst, sv,
 gen_resolvconf., update-ca-certi)
 and not proc.pname in (sysdigcloud_binaries)
- and not fd.directory in (/etc/cassandra, /etc/ssl/certs/java)
+ and not fd.directory in (/etc/cassandra, /etc/ssl/certs/java, /etc/logstash)
 and not ansible_running_python
 and not python_running_denyhosts
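Review bot: The `/etc/logstash` entry added to the `fd.directory` list is not tied to any process, so a write into that directory by any program now passes this condition without an alert. Since that directory normally holds the Logstash pipeline configuration, tampering with log shipping would go unreported. I would scope the exception to the writer instead, e.g. `and not (proc.name=java and fd.directory=/etc/logstash)`, assuming Logstash appears as `java` in `proc.name`; confirm against the events that prompted this change. Note also that `in` appears to be an exact match on the file's directory, so files in subdirectories (the message says "below /etc/logstash") would presumably still alert. A short comment such as `# logstash writes runtime files here under some configs` would record why the exception exists. The condition starts and ends outside this hunk, so any earlier process filters are not visible here.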