diff --git a/salt/logstash/files/custom/parsers/9100_output_osquery.conf b/salt/logstash/files/custom/parsers/9100_output_osquery.conf
new file mode 100644
index 000000000..59c16347b
--- /dev/null
+++ b/salt/logstash/files/custom/parsers/9100_output_osquery.conf
@@ -0,0 +1,19 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Josh Brower
+# Last Update: 12/28/2018
+# Output to ES for osquery tagged logs
+
+
+output {
+ if "osquery" in [tags] {
+ elasticsearch {
+ hosts => "{{ ES }}"
+ index => "logstash-osquery-%{+YYYY.MM.dd}"
+ template => "/logstash-template.json"
+ }
+ }
+}
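Review bot: Both `pillar.get` calls default `ES` to `''`, so a node whose `master:mainip` / `node:mainip` pillar is unset renders `hosts => ""` and the Salt state succeeds while Logstash only fails at startup, well away from the cause; better to make the render itself fail when `ES` is empty (a `{%- if not ES %}` guard before `output {` that aborts the template, e.g. with Salt's `raise` helper where the installed version provides it). The `elasticsearch` output also sets only `hosts`, with no `ssl`, `cacert` or `user`/`password` options, so osquery results travel to `{{ ES }}` over plain HTTP and unauthenticated unless the endpoint is protected elsewhere; if the cluster accepts TLS, pinning `ssl => true` with a `cacert` here would keep that from depending on the network. The `# Last Update: 12/28/2018` comment is the kind of line that goes stale on the next edit; the `git log` already records this, so I would drop it. The whole file is inside this hunk, so nothing here continues outside it.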