diff --git a/conf.d/12-suricata.conf b/conf.d/12-suricata.conf
index a191cf084171a127381bcfe810294303635267b6..e7ee1416913b727aed0b8899d6273cc19cde1747 100644
--- a/conf.d/12-suricata.conf
+++ b/conf.d/12-suricata.conf
@@ -1,6 +1,6 @@
 # 12-suricata.conf
 filter {
- if "pf" in [tags] and [application] =~ /^suricata$/ {
+ if "pf" in [tags] and [syslog_program] =~ /^suricata$/ {
 mutate {
 add_tag => [ "Suricata" ]
 }
@@ -84,12 +84,12 @@ filter {
 target => "[destination][as]"
 }
 mutate {
- rename => { "[destination][as][asn]" => "[destination][as][number]"}
+ rename => { "[destination][as][asn]" => "[destination][as][number]"}
 rename => { "[destination][as][as_org]" => "[destination][as][organization][name]"}
 }
 }
 }
- mutate {
+ mutate {
 add_field => { "[event][module]" => "suricata"}
 add_field => { "[event][dataset]" => "suricata"}
 rename => { "[message]" => "[event][original]"}
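Review bot: Switching the dispatch condition in the first hunk from `[application]` to `[syslog_program]` means any event that still arrives with only `[application]` set will no longer get the "Suricata" tag, and since the rest of this filter (which continues past the hunk) keys off that tag, those Suricata alerts would pass through unparsed with no error — a silent detection gap rather than a visible failure. Whether any input still emits `[application]` is not visible from this diff, so if the upstream rename is not yet complete everywhere, a transitional condition `if "pf" in [tags] and ([syslog_program] =~ /^suricata$/ or [application] =~ /^suricata$/) {` would keep coverage until the old field is retired. Either way, a comment above the `if` recording that this filter depends on the syslog input populating `[syslog_program]` would help the next person who changes the input side. As a point of style, the fully anchored `=~ /^suricata$/` is an exact string match and reads more plainly as `[syslog_program] == "suricata"`. The second hunk appears to be whitespace-only and needs no change.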