diff --git a/salt/logstash/pipelines/config/so/9000_output_bro.conf.jinja b/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja
similarity index 73%
rename from salt/logstash/pipelines/config/so/9000_output_bro.conf.jinja
rename to salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja
index 9ce08edf8..6def12650 100644
--- a/salt/logstash/pipelines/config/so/9000_output_bro.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja
@@ -10,17 +10,16 @@ filter {
- if "zeek" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
+ if [module] =~ "zeek" {
 mutate {
 ##add_tag => [ "conf_file_9000"]
 }
 }
 }
 output {
- if "zeek" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
-# stdout { codec => rubydebug }
+ if [module] =~ "zeek" {
 elasticsearch {
- pipeline => "%{event_type}"
+ pipeline => "%{module}.%{dataset}"
 hosts => "{{ ES }}"
 index => "so-zeek-%{+YYYY.MM.dd}"
 template_name => "so-zeek"
diff --git a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja
index 5da6d0b12..1e192a8ee 100644
--- a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja
@@ -10,7 +10,7 @@ filter {
- if [event_type] =~ "strelka" {
+ if [module] =~ "strelka" {
 mutate {
 ##add_tag => [ "conf_file_9000"]
 }
@@ -19,6 +19,7 @@ filter {
 output {
 if [event_type] =~ "strelka" {
 elasticsearch {
+ pipeline => "%{module}.%{dataset}"
 hosts => "{{ ES }}"
 index => "so-strelka-%{+YYYY.MM.dd}"
 template_name => "so-common"
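Review bot: The output condition in the 9700_output_strelka.conf.jinja hunk starting at line 19 still reads `if [event_type] =~ "strelka" {`, while the filter block of the same file and both blocks of 9000_output_zeek.conf.jinja were switched to `[module]`; if events are being relabelled from `event_type` to `module`/`dataset`, as the new `pipeline => "%{module}.%{dataset}"` suggests, Strelka file-analysis events will stop matching this output and be dropped from so-strelka-* with nothing alerting on the gap. The condition should become `if [module] =~ "strelka" {` to match the filter block. Separately, Logstash leaves an unresolved sprintf reference such as `%{dataset}` as literal text, so an event without a `dataset` field would be routed to a nonexistent ingest pipeline and rejected by Elasticsearch; a guard like `if [module] =~ "strelka" and [dataset] {`, or a `mutate` that sets a default, would make that failure mode explicit rather than silent. The closing braces of the output block lie outside the hunk.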