diff --git a/salt/common/tools/sbin/so-filebeat-module-setup b/salt/common/tools/sbin/so-filebeat-module-setup
new file mode 100755
index 000000000..a42b0ac80
--- /dev/null
+++ b/salt/common/tools/sbin/so-filebeat-module-setup
@@ -0,0 +1,56 @@
+{%- set mainint = salt['pillar.get']('host:mainint') %}
+{%- set MYIP = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %}
+
+#!/bin/bash
+# Copyright 2014,2015,2016,2017,2018,2019 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+default_conf_dir=/opt/so/conf
+ELASTICSEARCH_HOST="{{ MYIP }}"
+ELASTICSEARCH_PORT=9200
+#ELASTICSEARCH_AUTH=""
+
+# Define a default directory to load pipelines from
+FB_MODULE_YML="/usr/share/filebeat/module-setup.yml"
+
+if [ "$1" == "" ]; then
+ echo "No module supplied. Exiting..."
+else
+ # Wait for ElasticSearch to initialize
+ echo -n "Waiting for ElasticSearch..."
+ COUNT=0
+ ELASTICSEARCH_CONNECTED="no"
+ while [[ "$COUNT" -le 240 ]]; do
+ curl -k --output /dev/null --silent --head --fail -L https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"
+ if [ $? -eq 0 ]; then
+ ELASTICSEARCH_CONNECTED="yes"
+ echo "connected!"
+ break
+ else
+ ((COUNT+=1))
+ sleep 1
+ echo -n "."
+ fi
+ done
+ if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
+ echo
+ echo -e "Connection attempt timed out. Unable to connect to ElasticSearch. \nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'sudo docker ps' \n -running 'sudo so-elastic-restart'"
+ echo
+ fi
+
+ echo "Setting up ingest pipeline(s) for $1..."
+ docker exec -it so-filebeat filebeat setup modules -pipelines -modules $1 -c $FB_MODULE_YML
+fi
+
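Review bot: The timeout branch prints "Connection attempt timed out" but never exits, so the script still falls through to `docker exec -it so-filebeat filebeat setup modules ...` against a host it has just declared unreachable; add `exit 1` after the last `echo` inside that `if`, and give the "No module supplied" branch a non-zero exit as well so a Salt caller sees the failure rather than a success code. The arguments `-modules $1 -c $FB_MODULE_YML` are unquoted and should be `"$1"` and `"$FB_MODULE_YML"`, since `$1` selects which module pipelines are pushed into Elasticsearch. The readiness probe uses `curl -k`, while the companion module-setup.yml in this same commit pins `/usr/share/filebeat/intraca.crt`; using `--cacert` with that CA would keep the two consistent, although the probe only checks liveness and sends no credentials. The rendered file begins with the output of the two Jinja `set` lines rather than with `#!/bin/bash`, so the kernel will not honor the shebang if the file is executed directly despite its 0755 mode — presumably it is always invoked through bash, but worth confirming. `default_conf_dir` is assigned and never read.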
diff --git a/salt/filebeat/etc/module-setup.yml b/salt/filebeat/etc/module-setup.yml
new file mode 100644
index 000000000..431e432b3
--- /dev/null
+++ b/salt/filebeat/etc/module-setup.yml
@@ -0,0 +1,10 @@
+{%- if grains['role'] in ['so-managersearch', 'so-heavynode', 'so-node'] %}
+{%- set MANAGER = salt['grains.get']('host' '') %}
+{%- else %}
+{%- set MANAGER = salt['grains.get']('master') %}
+{%- endif %}
+
+output.elasticsearch:
+ enabled: true
+ hosts: ["https://{{ MANAGER }}:9200"]
+ ssl.certificate_authorities: ["/usr/share/filebeat/intraca.crt"]
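Review bot: `salt['grains.get']('host' '')` on the second line relies on adjacent-string concatenation, so it is just `grains.get('host')` with no default — presumably `('host', '')` was intended; write it as `{%- set MANAGER = salt['grains.get']('host', '') %}` (or drop the second argument) so the intent is explicit. Because `ssl.certificate_authorities` pins `intraca.crt`, the name placed in `hosts` must match a SAN in the Elasticsearch certificate; the `host` grain is the short hostname while the `master` grain may be an FQDN or IP, so confirm both forms are covered by the certificate or `filebeat setup` will fail verification on one of the two branches. `MANAGER` is a misleading name on the local-node branch; a comment such as `# manager-search/heavy/search nodes talk to their own Elasticsearch; everything else targets the manager` above the `if` would make the split clear.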