diff --git a/salt/elasticsearch/files/ingest/logscan b/salt/elasticsearch/files/ingest/logscan.alert
similarity index 100%
rename from salt/elasticsearch/files/ingest/logscan
rename to salt/elasticsearch/files/ingest/logscan.alert
diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index f5ba5dc74..3c482e274 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -307,6 +307,9 @@ output.elasticsearch:
- index: "so-strelka"
when.contains:
module: "strelka"
+ - index: "so-logscan"
+ when.contains:
+ module: "logscan"
setup.template.enabled: false
{%- else %}
diff --git a/salt/logstash/pipelines/config/so/9800_output_logscan.conf.jinja b/salt/logstash/pipelines/config/so/9800_output_logscan.conf.jinja
index 38ee29b69..86944d155 100644
--- a/salt/logstash/pipelines/config/so/9800_output_logscan.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9800_output_logscan.conf.jinja
@@ -10,7 +10,7 @@ output {
if [module] =~ "logscan" {
elasticsearch {
id => "logscan_pipeline"
- pipeline => "logscan"
+ pipeline => "logscan.alert"
hosts => "{{ ES }}"
{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
user => "{{ ES_USER }}"
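Review bot: The routing condition `if [module] =~ "logscan" {` guarding the renamed `pipeline => "logscan.alert"` is an unanchored regex, so any module value that merely contains `logscan` would also be pushed through the alert ingest pipeline; if only exact matches are meant, `if [module] == "logscan" {` is the stricter form and avoids surprising routing when a similarly named module is added later. The new pipeline name must equal the ingest pipeline id Elasticsearch ends up with for the renamed file `salt/elasticsearch/files/ingest/logscan.alert` — this hunk only shows the Logstash side, so it is worth confirming the loader derives the id from the filename, since a mismatch makes Elasticsearch reject every event from this output rather than failing at config load. The `output {` block containing this `elasticsearch {}` stanza continues past the hunk, so its closing braces are not visible here.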