diff --git a/pillar/logstash/eval.sls b/pillar/logstash/eval.sls
new file mode 100644
index 000000000..654afd2b3
--- /dev/null
+++ b/pillar/logstash/eval.sls
@@ -0,0 +1,4 @@
+logstash:
+  pipelines:
+    eval:
+      config: "/usr/share/logstash/pipelines/eval/*.conf"
diff --git a/pillar/logstash/mastersearch.sls b/pillar/logstash/master.sls
similarity index 56%
rename from pillar/logstash/mastersearch.sls
rename to pillar/logstash/master.sls
index 2fbc5be5f..3be98f6b9 100644
--- a/pillar/logstash/mastersearch.sls
+++ b/pillar/logstash/master.sls
@@ -2,5 +2,3 @@ logstash:
   pipelines:
     master:
       config: "/usr/share/logstash/pipelines/master/*.conf"
-    search:
-      config: "/usr/share/logstash/pipelines/search/*.conf"
diff --git a/pillar/logstash/search.sls b/pillar/logstash/search.sls
new file mode 100644
index 000000000..0eca8571f
--- /dev/null
+++ b/pillar/logstash/search.sls
@@ -0,0 +1,4 @@
+logstash:
+  pipelines:
+    search:
+      config: "/usr/share/logstash/pipelines/search/*.conf"
diff --git a/pillar/top.sls b/pillar/top.sls
index 99fe26556..8b604283e 100644
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -2,8 +2,10 @@ base:
   '*':
     - patch.needs_restarting
 
-  'G@role:so-mastersearch':
-    - logstash.mastersearch
+  'G@role:so-mastersearch or G@role:so-heavynode':
+    - match: compound
+    - logstash.master
+    - logstash.search
 
   'G@role:so-sensor':
     - static
@@ -19,12 +21,16 @@ base:
     - auth
     - minions.{{ grains.id }}
 
+  'G@role:so-master':
+    - logstash.master
+
   'G@role:so-eval':
     - static
     - firewall.*
     - data.*
     - brologs
     - auth
+    - logstash.eval
     - minions.{{ grains.id }}
 
   'G@role:so-node':
@@ -32,6 +38,12 @@ base:
     - firewall.*
     - minions.{{ grains.id }}
 
+  'G@role:so-heavynode':
+    - static
+    - firewall.*
+    - brologs
+    - minions.{{ grains.id }}
+
   'G@role:so-helix':
     - static
     - firewall.*
diff --git a/salt/auth/init.sls b/salt/auth/init.sls
index c59a70ba0..18850d534 100644
--- a/salt/auth/init.sls
+++ b/salt/auth/init.sls
@@ -1,4 +1,4 @@
-{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 
 so-auth-api-dir:
@@ -10,7 +10,7 @@ so-auth-api-dir:
 
 so-auth-api:
     docker_container.running:
-        - image: {{ MASTER }}:5000/soshybridhunter/so-auth-api:HH{{ VERSION }}
+        - image: {{ MASTER }}:5000/soshybridhunter/so-auth-api:{{ VERSION }}
         - hostname: so-auth-api
         - name: so-auth-api
         - environment:
@@ -22,7 +22,7 @@ so-auth-api:
 
 so-auth-ui:
     docker_container.running:
-        - image: {{ MASTER }}:5000/soshybridhunter/so-auth-ui:HH{{ VERSION }}
+        - image: {{ MASTER }}:5000/soshybridhunter/so-auth-ui:{{ VERSION }}
         - hostname: so-auth-ui
         - name: so-auth-ui
         - port_bindings:
diff --git a/salt/common/grafana/grafana_dashboards/eval/eval.json b/salt/common/grafana/grafana_dashboards/eval/eval.json
index 8dd5532d1..069226d3c 100644
--- a/salt/common/grafana/grafana_dashboards/eval/eval.json
+++ b/salt/common/grafana/grafana_dashboards/eval/eval.json
@@ -1395,7 +1395,7 @@
               "condition": "AND",
               "key": "container_name",
               "operator": "=",
-              "value": "so-bro"
+              "value": "so-zeek"
             }
           ]
         }
@@ -1913,7 +1913,7 @@
               "condition": "AND",
               "key": "container_name",
               "operator": "=",
-              "value": "so-bro"
+              "value": "so-zeek"
             }
           ]
         }
diff --git a/salt/common/grafana/grafana_dashboards/forward_nodes/sensor.json b/salt/common/grafana/grafana_dashboards/forward_nodes/sensor.json
index 83a1fc9e6..8e35246eb 100644
--- a/salt/common/grafana/grafana_dashboards/forward_nodes/sensor.json
+++ b/salt/common/grafana/grafana_dashboards/forward_nodes/sensor.json
@@ -1396,7 +1396,7 @@
               "condition": "AND",
               "key": "container_name",
               "operator": "=",
-              "value": "so-bro"
+              "value": "so-zeek"
             }
           ]
         }
@@ -1901,7 +1901,7 @@
               "condition": "AND",
               "key": "container_name",
               "operator": "=",
-              "value": "so-bro"
+              "value": "so-zeek"
             }
           ]
         }
diff --git a/salt/common/init.sls b/salt/common/init.sls
index 7ed59efa1..4ae78f57b 100644
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -1,6 +1,6 @@
 {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
-{%- set GRAFANA = salt['pillar.get']('master:grafana', '0') %}
+{% set GRAFANA = salt['pillar.get']('master:grafana', '0') %}
 # Add socore Group
 socoregroup:
   group.present:
@@ -343,7 +343,7 @@ dashboard-{{ SN }}:
 
 {% if salt['pillar.get']('nodestab', False) %}
 {%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %}
-dashboard-{{ SN }}:
+dashboardsearch-{{ SN }}:
   file.managed:
     - name: /opt/so/conf/grafana/grafana_dashboards/search_nodes/{{ SN }}-Node.json
     - user: 939
diff --git a/salt/common/nginx/nginx.conf.so-heavynode b/salt/common/nginx/nginx.conf.so-heavynode
new file mode 100644
index 000000000..39688f3df
--- /dev/null
+++ b/salt/common/nginx/nginx.conf.so-heavynode
@@ -0,0 +1,89 @@
+# For more information on configuration, see:
+#   * Official English Documentation: http://nginx.org/en/docs/
+#   * Official Russian Documentation: http://nginx.org/ru/docs/
+
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log;
+pid /run/nginx.pid;
+
+# Load dynamic modules. See /usr/share/nginx/README.dynamic.
+include /usr/share/nginx/modules/*.conf;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile            on;
+    tcp_nopush          on;
+    tcp_nodelay         on;
+    keepalive_timeout   65;
+    types_hash_max_size 2048;
+
+    include             /etc/nginx/mime.types;
+    default_type        application/octet-stream;
+
+    # Load modular configuration files from the /etc/nginx/conf.d directory.
+    # See http://nginx.org/en/docs/ngx_core_module.html#include
+    # for more information.
+    include /etc/nginx/conf.d/*.conf;
+
+    server {
+        listen       80 default_server;
+        listen       [::]:80 default_server;
+        server_name  _;
+        root         /usr/share/nginx/html;
+
+        # Load configuration files for the default server block.
+        include /etc/nginx/default.d/*.conf;
+
+        location / {
+        }
+
+        error_page 404 /404.html;
+            location = /40x.html {
+        }
+
+        error_page 500 502 503 504 /50x.html;
+            location = /50x.html {
+        }
+    }
+
+# Settings for a TLS enabled server.
+#
+#    server {
+#        listen       443 ssl http2 default_server;
+#        listen       [::]:443 ssl http2 default_server;
+#        server_name  _;
+#        root         /usr/share/nginx/html;
+#
+#        ssl_certificate "/etc/pki/nginx/server.crt";
+#        ssl_certificate_key "/etc/pki/nginx/private/server.key";
+#        ssl_session_cache shared:SSL:1m;
+#        ssl_session_timeout  10m;
+#        ssl_ciphers HIGH:!aNULL:!MD5;
+#        ssl_prefer_server_ciphers on;
+#
+#        # Load configuration files for the default server block.
+#        include /etc/nginx/default.d/*.conf;
+#
+#        location / {
+#        }
+#
+#        error_page 404 /404.html;
+#            location = /40x.html {
+#        }
+#
+#        error_page 500 502 503 504 /50x.html;
+#            location = /50x.html {
+#        }
+#    }
+
+}
diff --git a/salt/common/telegraf/scripts/broloss.sh b/salt/common/telegraf/scripts/broloss.sh
index a7bec4dc1..9fcf2d527 100644
--- a/salt/common/telegraf/scripts/broloss.sh
+++ b/salt/common/telegraf/scripts/broloss.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 
-BROLOG=$(tac /host/nsm/bro/logs/packetloss.log | head -2)
-declare RESULT=($BROLOG)
+ZEEKLOG=$(tac /host/nsm/zeek/logs/packetloss.log | head -2)
+declare RESULT=($ZEEKLOG)
 CURRENTDROP=${RESULT[3]}
 PASTDROP=${RESULT[9]}
 DROPPED=$(($CURRENTDROP - $PASTDROP))
diff --git a/salt/common/tools/sbin/so-bro-restart b/salt/common/tools/sbin/so-bro-restart
deleted file mode 100644
index f71de5b91..000000000
--- a/salt/common/tools/sbin/so-bro-restart
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/bash
-
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
-
-#    This program is free software: you can redistribute it and/or modify
-#    it under the terms of the GNU General Public License as published by
-#    the Free Software Foundation, either version 3 of the License, or
-#    (at your option) any later version.
-#
-#    This program is distributed in the hope that it will be useful,
-#    but WITHOUT ANY WARRANTY; without even the implied warranty of
-#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-#    GNU General Public License for more details.
-#
-#    You should have received a copy of the GNU General Public License
-#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-. /usr/sbin/so-common
-
-docker stop so-bro && docker rm so-bro && salt-call state.apply bro
diff --git a/salt/common/tools/sbin/so-bro-start b/salt/common/tools/sbin/so-bro-start
deleted file mode 100644
index 3240b86e9..000000000
--- a/salt/common/tools/sbin/so-bro-start
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/bash
-
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
-
-#    This program is free software: you can redistribute it and/or modify
-#    it under the terms of the GNU General Public License as published by
-#    the Free Software Foundation, either version 3 of the License, or
-#    (at your option) any later version.
-#
-#    This program is distributed in the hope that it will be useful,
-#    but WITHOUT ANY WARRANTY; without even the implied warranty of
-#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-#    GNU General Public License for more details.
-#
-#    You should have received a copy of the GNU General Public License
-#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-. /usr/sbin/so-common
-
-docker rm so-bro && salt-call state.apply bro
diff --git a/salt/common/tools/sbin/so-bro-stop b/salt/common/tools/sbin/so-bro-stop
deleted file mode 100644
index 8cfdddc3c..000000000
--- a/salt/common/tools/sbin/so-bro-stop
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/bash
-
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
-
-#    This program is free software: you can redistribute it and/or modify
-#    it under the terms of the GNU General Public License as published by
-#    the Free Software Foundation, either version 3 of the License, or
-#    (at your option) any later version.
-#
-#    This program is distributed in the hope that it will be useful,
-#    but WITHOUT ANY WARRANTY; without even the implied warranty of
-#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-#    GNU General Public License for more details.
-#
-#    You should have received a copy of the GNU General Public License
-#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-. /usr/sbin/so-common
-
-docker stop so-bro 
diff --git a/salt/common/tools/sbin/so-elastic-clear b/salt/common/tools/sbin/so-elastic-clear
index 79c7e99ad..2db400839 100644
--- a/salt/common/tools/sbin/so-elastic-clear
+++ b/salt/common/tools/sbin/so-elastic-clear
@@ -14,6 +14,7 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
+{%- set MASTERIP = salt['pillar.get']('static:masterip', '') -%}
 . /usr/sbin/so-common
 
 SKIP=0
diff --git a/salt/common/tools/sbin/so-restart b/salt/common/tools/sbin/so-restart
index 94137ddb4..bbcfe4c20 100644
--- a/salt/common/tools/sbin/so-restart
+++ b/salt/common/tools/sbin/so-restart
@@ -31,5 +31,6 @@ fi
 
 case $1 in
    "cortex") docker stop so-thehive-cortex so-thehive && docker rm so-thehive-cortex so-thehive && salt-call state.apply hive queue=True;;
+   "steno") docker stop so-steno && docker rm so-steno && salt-call state.apply pcap queue=True;;
    *)  docker stop so-$1 ; docker rm so-$1 ; salt-call state.apply $1 queue=True;;
 esac
diff --git a/salt/common/tools/sbin/so-salt-start b/salt/common/tools/sbin/so-salt-start
new file mode 100644
index 000000000..c53a71535
--- /dev/null
+++ b/salt/common/tools/sbin/so-salt-start
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+echo $banner
+printf "Starting local Salt Minion...\n"
+echo $banner
+
+service salt-minion start
+service salt-minion status
diff --git a/salt/common/tools/sbin/so-salt-stop b/salt/common/tools/sbin/so-salt-stop
new file mode 100644
index 000000000..fa3394cd6
--- /dev/null
+++ b/salt/common/tools/sbin/so-salt-stop
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+echo $banner
+printf "Stopping local Salt Minion...\n"
+echo $banner
+
+service salt-minion stop
+service salt-minion status
diff --git a/salt/common/tools/sbin/so-start b/salt/common/tools/sbin/so-start
index f5e861818..a198377a1 100644
--- a/salt/common/tools/sbin/so-start
+++ b/salt/common/tools/sbin/so-start
@@ -29,8 +29,8 @@ then
    salt-call saltutil.kill_all_jobs
 fi
 
-
 case $1 in
    "all") salt-call state.highstate queue=True;;
-   *) if docker ps | grep -q so-$1; then printf "\n$1 is already running!\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply $1 queue=True; fi
+   "steno") if docker ps | grep -q so-$1; then printf "\n$1 is already running!\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply pcap queue=True; fi ;; 
+   *) if docker ps | grep -q so-$1; then printf "\n$1 is already running\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply $1 queue=True; fi ;; 
 esac
diff --git a/salt/common/tools/sbin/so-status b/salt/common/tools/sbin/so-status
new file mode 100644
index 000000000..45b52ae35
--- /dev/null
+++ b/salt/common/tools/sbin/so-status
@@ -0,0 +1,141 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# {% raw %}
+
+if ! [ $(id -u)=0 ]; then
+   echo "This command must be run as root"
+   exit 1
+fi
+
+# Constants
+ERROR_STRING="ERROR"
+SUCCESS_STRING="OK"
+PENDING_STRING="PENDING"
+declare -a BAD_STATUSES=("removing", "paused", "exited", "dead")
+declare -a PENDING_STATUSES=("paused", "created", "restarting")
+declare -a GOOD_STATUSES=("running")
+
+
+declare -a container_name_list=()
+declare -a container_state_list=()
+populate_container_lists() {
+    systemctl is-active --quiet docker
+
+    if [[ $? = 0 ]]; then
+        mapfile -t docker_raw_list < <(curl -s --unix-socket /var/run/docker.sock http:/containers/json?all=1 \
+            | jq -c '.[] | { Name: .Names[0], State: .State }' \
+            | tr -d '/{"}')
+    else
+        exit 1
+    fi
+
+    local container_name=""
+    local container_state=""
+
+    for line in ${docker_raw_list[@]}; do
+        container_name="$( echo $line | sed -e 's/Name:\(.*\),State:\(.*\)/\1/' )" # Get value in the first search group (container names)
+        container_state="$( echo $line | sed -e 's/Name:\(.*\),State:\(.*\)/\2/' )" # Get value in the second search group (container states)
+        container_name_list+=( "${container_name}" )
+        container_state_list+=( "${container_state}" )
+    done
+}
+
+parse_status() {
+    local container_state=${1}
+    local found=0
+
+    for state in "${GOOD_STATUSES[@]}"; do
+        [[ $container_state = $state ]] && printf $SUCCESS_STRING && return 0
+    done
+
+    if [[ $found = 0 ]]; then
+        for state in "${PENDING_STATUSES[@]}"; do
+            [[ $container_state = $state ]] && printf $PENDING_STRING && return 0
+        done
+    fi
+
+    # This is technically not needed since the default is error state
+    if [[ $found = 0 ]]; then
+        for state in "${BAD_STATUSES[@]}"; do
+            [[ $container_state = $state ]] && printf $ERROR_STRING && return 1
+        done
+    fi
+
+    printf $ERROR_STRING && return 1
+}
+
+columns=$(tput cols)
+
+print_line() {
+    local service_name=${1}
+    local service_state=$( parse_status ${2} )
+    local PADDING_CONSTANT=14
+    local state_color="\e[0m"
+
+    if [[ $service_state = $ERROR_STRING ]]; then
+        state_color="\e[1;31m"
+    elif [[ $service_state = $SUCCESS_STRING ]]; then
+        state_color="\e[1;32m"
+    elif [[ $service_state = $PENDING_STRING ]]; then
+        state_color="\e[1;33m"
+    else
+        state_color="\e[0m"
+    fi
+
+    printf "    $service_name "
+    for i in $(seq 0 $(( $columns - $PADDING_CONSTANT - ${#service_name} - ${#service_state} ))); do
+        printf "-"
+    done
+    printf " [ "
+    printf "${state_color}%b\e[0m" "$service_state"
+    printf "%s    \n" " ]"
+}
+
+main() {
+    local focus_color="\e[1;34m"
+    printf "\n"
+    printf "${focus_color}%b\e[0m" "Checking Docker status\n\n"
+
+    systemctl is-active --quiet docker
+    if [[ $? = 0 ]]; then
+        print_line "Docker" "running"
+    else
+        print_line "Docker" "exited"
+    fi
+
+    populate_container_lists
+
+    printf "\n"
+
+    printf "${focus_color}%b\e[0m" "Checking container statuses\n\n"
+
+
+    local num_containers=${#docker_raw_list[@]}
+    local container_name=""
+    local container_state=""
+
+    for i in $(seq 0 $(($num_containers - 1 ))); do
+        print_line ${container_name_list[$i]} ${container_state_list[$i]}
+    done
+
+    printf "\n"
+}
+
+main
+
+# {% endraw %}
\ No newline at end of file
diff --git a/salt/common/tools/sbin/so-suricata-restart b/salt/common/tools/sbin/so-suricata-restart
index 0fabe198c..151e1a44c 100644
--- a/salt/common/tools/sbin/so-suricata-restart
+++ b/salt/common/tools/sbin/so-suricata-restart
@@ -1,17 +1,20 @@
 #!/bin/bash
-
-# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
-
-#    This program is free software: you can redistribute it and/or modify
-#    it under the terms of the GNU General Public License as published by
-#    the Free Software Foundation, either version 3 of the License, or
-#    (at your option) any later version.
 #
-#    This program is distributed in the hope that it will be useful,
-#    but WITHOUT ANY WARRANTY; without even the implied warranty of
-#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-#    GNU General Public License for more details.
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
-#    You should have received a copy of the GNU General Public License
-#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-docker stop so-suricata && sudo docker rm so-suricata && salt-call state.apply suricata
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart suricata $1
diff --git a/salt/common/tools/sbin/so-suricata-start b/salt/common/tools/sbin/so-suricata-start
index dd9bd8df9..9e04eedfb 100644
--- a/salt/common/tools/sbin/so-suricata-start
+++ b/salt/common/tools/sbin/so-suricata-start
@@ -1,17 +1,20 @@
 #!/bin/bash
-
-# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
-
-#    This program is free software: you can redistribute it and/or modify
-#    it under the terms of the GNU General Public License as published by
-#    the Free Software Foundation, either version 3 of the License, or
-#    (at your option) any later version.
 #
-#    This program is distributed in the hope that it will be useful,
-#    but WITHOUT ANY WARRANTY; without even the implied warranty of
-#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-#    GNU General Public License for more details.
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
-#    You should have received a copy of the GNU General Public License
-#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-docker rm so-suricata && salt-call state.apply suricata
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start suricata $1
diff --git a/salt/common/tools/sbin/so-suricata-stop b/salt/common/tools/sbin/so-suricata-stop
index 8f0383164..7581f9c00 100644
--- a/salt/common/tools/sbin/so-suricata-stop
+++ b/salt/common/tools/sbin/so-suricata-stop
@@ -1,17 +1,20 @@
 #!/bin/bash
-
-# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
-
-#    This program is free software: you can redistribute it and/or modify
-#    it under the terms of the GNU General Public License as published by
-#    the Free Software Foundation, either version 3 of the License, or
-#    (at your option) any later version.
 #
-#    This program is distributed in the hope that it will be useful,
-#    but WITHOUT ANY WARRANTY; without even the implied warranty of
-#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-#    GNU General Public License for more details.
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
-#    You should have received a copy of the GNU General Public License
-#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-docker stop so-suricata
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop suricata $1
diff --git a/salt/common/tools/sbin/so-tcpreplay b/salt/common/tools/sbin/so-tcpreplay
index 4b861890a..349bb6e84 100755
--- a/salt/common/tools/sbin/so-tcpreplay
+++ b/salt/common/tools/sbin/so-tcpreplay
@@ -15,14 +15,16 @@
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+# Usage: so-tcpreplay "/opt/so/samples/*"
+
 REPLAY_ENABLED=$(docker images | grep so-tcpreplay)
 REPLAY_RUNNING=$(docker ps | grep so-tcpreplay)
 
 if  [ "$REPLAY_ENABLED" != "" ] && [ "$REPLAY_RUNNING" != "" ]; then
    docker cp so-tcpreplay:/opt/samples /opt/samples
-   docker exec -it so-tcpreplay /usr/bin/tcpreplay -i bond0 -M10 $1
+   docker exec -it so-tcpreplay /usr/local/bin/tcpreplay -i bond0 -M10 $1
 else
   echo "Replay functionality not enabled!  To enable, run `so-tcpreplay-start`"
   echo
-  echo "Note that you will need internet access to download the appropiriate components"
+  echo "Note that you will need internet access to download the appropriate components"
 fi
diff --git a/salt/common/tools/sbin/so-tcpreplay-restart b/salt/common/tools/sbin/so-tcpreplay-restart
index 1a1ac971b..28230c600 100755
--- a/salt/common/tools/sbin/so-tcpreplay-restart
+++ b/salt/common/tools/sbin/so-tcpreplay-restart
@@ -17,5 +17,5 @@
 
 . /usr/sbin/so-common
 
-/usr/sbin/so-restart tcreplay $1
+/usr/sbin/so-restart tcpreplay $1
 
diff --git a/salt/common/tools/sbin/so-zeek-restart b/salt/common/tools/sbin/so-zeek-restart
index fae36d8f9..51d90e924 100644
--- a/salt/common/tools/sbin/so-zeek-restart
+++ b/salt/common/tools/sbin/so-zeek-restart
@@ -17,4 +17,4 @@
 
 . /usr/sbin/so-common
 
-/usr/sbin/so-restart bro $1
+/usr/sbin/so-restart zeek $1
diff --git a/salt/common/tools/sbin/so-zeek-start b/salt/common/tools/sbin/so-zeek-start
index 595fdb24b..b3190c319 100644
--- a/salt/common/tools/sbin/so-zeek-start
+++ b/salt/common/tools/sbin/so-zeek-start
@@ -17,4 +17,4 @@
 
 . /usr/sbin/so-common
 
-/usr/sbin/so-start bro $1
+/usr/sbin/so-start zeek $1
diff --git a/salt/common/tools/sbin/so-zeek-stop b/salt/common/tools/sbin/so-zeek-stop
index 1b995e854..d57c91c2f 100644
--- a/salt/common/tools/sbin/so-zeek-stop
+++ b/salt/common/tools/sbin/so-zeek-stop
@@ -17,4 +17,4 @@
 
 . /usr/sbin/so-common
 
-/usr/sbin/so-stop bro $1
+/usr/sbin/so-stop zeek $1
diff --git a/salt/bro/cron/packetloss.sh b/salt/deprecated-bro/cron/packetloss.sh
similarity index 100%
rename from salt/bro/cron/packetloss.sh
rename to salt/deprecated-bro/cron/packetloss.sh
diff --git a/salt/bro/cron/zeek_clean b/salt/deprecated-bro/cron/zeek_clean
similarity index 100%
rename from salt/bro/cron/zeek_clean
rename to salt/deprecated-bro/cron/zeek_clean
diff --git a/salt/bro/files/local.bro b/salt/deprecated-bro/files/local.bro
similarity index 98%
rename from salt/bro/files/local.bro
rename to salt/deprecated-bro/files/local.bro
index 42112f7ee..afe4b94ca 100644
--- a/salt/bro/files/local.bro
+++ b/salt/deprecated-bro/files/local.bro
@@ -102,6 +102,9 @@
 # is currently considered a preview and therefore not loaded by default.
 @load base/protocols/smb
 
+# BPF Configuration
+@load securityonion/bpfconf
+
 # Add the interface to the log event
 #@load securityonion/add-interface-to-logs.bro
 
diff --git a/salt/bro/files/local.bro.community b/salt/deprecated-bro/files/local.bro.community
similarity index 100%
rename from salt/bro/files/local.bro.community
rename to salt/deprecated-bro/files/local.bro.community
diff --git a/salt/bro/files/node.cfg b/salt/deprecated-bro/files/node.cfg
similarity index 100%
rename from salt/bro/files/node.cfg
rename to salt/deprecated-bro/files/node.cfg
diff --git a/salt/bro/init.sls b/salt/deprecated-bro/init.sls
similarity index 82%
rename from salt/bro/init.sls
rename to salt/deprecated-bro/init.sls
index 6a972cbe7..8f36be420 100644
--- a/salt/bro/init.sls
+++ b/salt/deprecated-bro/init.sls
@@ -1,3 +1,7 @@
+{% set interface = salt['pillar.get']('sensor:interface', 'bond0') %}
+{% set BPF_ZEEK = salt['pillar.get']('zeek:bpf') %}
+{% set BPF_STATUS = 0  %}
+
 # Bro Salt State
 # Add Bro group
 brogroup:
@@ -103,6 +107,32 @@ zeekcleanscript:
     - month: '*'
     - dayweek: '*'
 
+# BPF compilation and configuration
+{% if BPF_ZEEK %}
+   {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', interface + ' ' + BPF_ZEEK|join(" ")  ) %}
+   {% if BPF_CALC['stderr'] == "" %}
+       {% set BPF_STATUS = 1  %}
+  {% else  %}
+zeekbpfcompilationfailure:
+  test.configurable_test_state:
+   - changes: False
+   - result: False
+   - comment: "BPF Syntax Error - Discarding Specified BPF"
+   {% endif %}
+{% endif %}
+
+zeekbpf:
+  file.managed:
+    - name: /opt/so/conf/bro/bpf
+    - user: 940
+    - group: 940
+   {% if BPF_STATUS %}
+    - contents_pillar: zeek:bpf
+   {% else %}
+    - contents:
+      - "ip or not ip"
+   {% endif %}
+
 # Sync local.bro
 {% if salt['pillar.get']('static:broversion', '') == 'COMMUNITY' %}
 localbrosync:
@@ -163,6 +193,7 @@ so-bro:
       - /nsm/bro/extracted:/nsm/bro/extracted:rw
       - /opt/so/conf/bro/local.bro:/opt/bro/share/bro/site/local.bro:ro
       - /opt/so/conf/bro/node.cfg:/opt/bro/etc/node.cfg:ro
+      - /opt/so/conf/bro/bpf:/opt/bro/share/bro/site/bpf:ro
       - /opt/so/conf/bro/policy/securityonion:/opt/bro/share/bro/policy/securityonion:ro
       - /opt/so/conf/bro/policy/custom:/opt/bro/share/bro/policy/custom:ro
       - /opt/so/conf/bro/policy/intel:/opt/bro/share/bro/policy/intel:rw
@@ -171,6 +202,5 @@ so-bro:
       - file: /opt/so/conf/bro/local.bro
       - file: /opt/so/conf/bro/node.cfg
       - file: /opt/so/conf/bro/policy
-
-
+      - file: /opt/so/conf/bro/bpf
 {% endif %}
diff --git a/salt/bro/policy/intel/__load__.bro b/salt/deprecated-bro/policy/intel/__load__.bro
similarity index 100%
rename from salt/bro/policy/intel/__load__.bro
rename to salt/deprecated-bro/policy/intel/__load__.bro
diff --git a/salt/bro/policy/securityonion/add-interface-to-logs.bro b/salt/deprecated-bro/policy/securityonion/add-interface-to-logs.bro
similarity index 100%
rename from salt/bro/policy/securityonion/add-interface-to-logs.bro
rename to salt/deprecated-bro/policy/securityonion/add-interface-to-logs.bro
diff --git a/salt/bro/policy/securityonion/apt1/__load__.bro b/salt/deprecated-bro/policy/securityonion/apt1/__load__.bro
similarity index 100%
rename from salt/bro/policy/securityonion/apt1/__load__.bro
rename to salt/deprecated-bro/policy/securityonion/apt1/__load__.bro
diff --git a/salt/bro/policy/securityonion/apt1/apt1-certs.dat b/salt/deprecated-bro/policy/securityonion/apt1/apt1-certs.dat
similarity index 100%
rename from salt/bro/policy/securityonion/apt1/apt1-certs.dat
rename to salt/deprecated-bro/policy/securityonion/apt1/apt1-certs.dat
diff --git a/salt/bro/policy/securityonion/apt1/apt1-fqdn.dat b/salt/deprecated-bro/policy/securityonion/apt1/apt1-fqdn.dat
similarity index 100%
rename from salt/bro/policy/securityonion/apt1/apt1-fqdn.dat
rename to salt/deprecated-bro/policy/securityonion/apt1/apt1-fqdn.dat
diff --git a/salt/bro/policy/securityonion/apt1/apt1-md5.dat b/salt/deprecated-bro/policy/securityonion/apt1/apt1-md5.dat
similarity index 100%
rename from salt/bro/policy/securityonion/apt1/apt1-md5.dat
rename to salt/deprecated-bro/policy/securityonion/apt1/apt1-md5.dat
diff --git a/salt/deprecated-bro/policy/securityonion/bpfconf.bro b/salt/deprecated-bro/policy/securityonion/bpfconf.bro
new file mode 100644
index 000000000..595aef8f2
--- /dev/null
+++ b/salt/deprecated-bro/policy/securityonion/bpfconf.bro
@@ -0,0 +1,106 @@
+##! This script is to support the bpf.conf file like other network monitoring tools use.
+##! Please don't try to learn from this script right now, there are a large number of
+##! hacks in it to work around bugs discovered in Bro.
+
+@load base/frameworks/notice
+
+module BPFConf;
+
+export {
+	## The file that is watched on disk for BPF filter changes.
+	## Two templated variables are available; "sensorname" and "interface".
+	## They can be used by surrounding the term by doubled curly braces.
+	const filename = "/opt/bro/share/bro/site/bpf" &redef;
+
+	redef enum Notice::Type += { 
+		## Invalid filter notice.
+		InvalidFilter
+	};
+}
+
+global filter_parts: vector of string = vector();
+global current_filter_filename = "";
+
+type FilterLine: record {
+	s: string;
+};
+
+redef enum PcapFilterID += {
+	BPFConfPcapFilter,
+};
+
+event BPFConf::line(description: Input::EventDescription, tpe: Input::Event, s: string)
+	{
+	local part = sub(s, /[[:blank:]]*#.*$/, "");
+
+	# We don't want any blank parts.
+	if ( part != "" )
+		filter_parts[|filter_parts|] = part;
+	}
+
+event Input::end_of_data(name: string, source:string)
+	{
+	if ( name == "bpfconf" )
+		{
+		local filter = join_string_vec(filter_parts, " ");
+		capture_filters["bpf.conf"] = filter;
+		if ( Pcap::precompile_pcap_filter(BPFConfPcapFilter, filter) )
+			{
+			PacketFilter::install();
+			}
+		else
+			{
+			NOTICE([$note=InvalidFilter,
+			        $msg=fmt("Compiling packet filter from %s failed", filename),
+			        $sub=filter]);
+			}
+
+		filter_parts=vector();
+		}
+	}
+
+
+function add_filter_file()
+	{
+	local real_filter_filename = BPFConf::filename;
+
+	# Support the interface template value.
+	#if ( SecurityOnion::sensorname != "" )
+	#	real_filter_filename = gsub(real_filter_filename, /\{\{sensorname\}\}/, SecurityOnion::sensorname);
+
+	# Support the interface template value.
+	#if ( SecurityOnion::interface != "" )
+	#	real_filter_filename = gsub(real_filter_filename, /\{\{interface\}\}/, SecurityOnion::interface);
+
+	#if ( /\{\{/ in real_filter_filename )
+	#	{
+	#	return;
+	#	}
+	#else
+	#	Reporter::info(fmt("BPFConf filename set: %s (%s)", real_filter_filename, Cluster::node));
+
+	if ( real_filter_filename != current_filter_filename )
+		{
+		current_filter_filename = real_filter_filename;
+		Input::add_event([$source=real_filter_filename,
+		                  $name="bpfconf",
+		                  $reader=Input::READER_RAW,
+		                  $mode=Input::REREAD,
+		                  $want_record=F,
+		                  $fields=FilterLine,
+		                  $ev=BPFConf::line]);
+		}
+	}
+
+#event SecurityOnion::found_sensorname(name: string)
+#	{
+#	add_filter_file();
+#	}
+
+event bro_init() &priority=5
+	{
+	if ( BPFConf::filename != "" )
+		add_filter_file();
+	}
+
+
diff --git a/salt/bro/policy/securityonion/conn-add-sensorname.bro b/salt/deprecated-bro/policy/securityonion/conn-add-sensorname.bro
similarity index 100%
rename from salt/bro/policy/securityonion/conn-add-sensorname.bro
rename to salt/deprecated-bro/policy/securityonion/conn-add-sensorname.bro
diff --git a/salt/bro/policy/securityonion/file-extraction/__load__.bro b/salt/deprecated-bro/policy/securityonion/file-extraction/__load__.bro
similarity index 100%
rename from salt/bro/policy/securityonion/file-extraction/__load__.bro
rename to salt/deprecated-bro/policy/securityonion/file-extraction/__load__.bro
diff --git a/salt/bro/policy/securityonion/file-extraction/extract.bro b/salt/deprecated-bro/policy/securityonion/file-extraction/extract.bro
similarity index 100%
rename from salt/bro/policy/securityonion/file-extraction/extract.bro
rename to salt/deprecated-bro/policy/securityonion/file-extraction/extract.bro
diff --git a/salt/bro/policy/securityonion/json-logs/__load__.bro b/salt/deprecated-bro/policy/securityonion/json-logs/__load__.bro
similarity index 100%
rename from salt/bro/policy/securityonion/json-logs/__load__.bro
rename to salt/deprecated-bro/policy/securityonion/json-logs/__load__.bro
diff --git a/salt/elastalert/files/elastalert_config.yaml b/salt/elastalert/files/elastalert_config.yaml
index 735ccb190..e71f41bf8 100644
--- a/salt/elastalert/files/elastalert_config.yaml
+++ b/salt/elastalert/files/elastalert_config.yaml
@@ -82,3 +82,7 @@ writeback_index: elastalert_status
 # sending the alert until this time period has elapsed
 alert_time_limit:
   days: 2
+
+index_settings:
+  shards: 1
+  replicas: 0
diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls
index a2493091a..a97a2ae0f 100644
--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
@@ -31,7 +31,7 @@
 {% set esclustername = salt['pillar.get']('master:esclustername', '') %}
 {% set esheap = salt['pillar.get']('master:esheap', '') %}
 
-{% elif grains['role'] == 'so-node' %}
+{% elif grains['role'] == 'so-node' or grains['role'] == 'so-heavynode' %}
 
 {% set esclustername = salt['pillar.get']('node:esclustername', '') %}
 {% set esheap = salt['pillar.get']('node:esheap', '') %}
diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index 4706e4c5a..2eb2092f4 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -1,4 +1,10 @@
+{%- if grains.role == 'so-heavynode' %}
+{%- set MASTER = salt['pillar.get']('sensor:mainip' '') %}
+{%- else %}
 {%- set MASTER = grains['master'] %}
+{%- endif %}
+
+
 {%- set HOSTNAME = salt['grains.get']('host', '') %}
 {%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %}
 {%- set WAZUHENABLED = salt['pillar.get']('static:wazuh_enabled', '1') %}
@@ -67,12 +73,12 @@ filebeat.modules:
 # List of prospectors to fetch data.
 filebeat.prospectors:
 #------------------------------ Log prospector --------------------------------
-{%- if grains['role'] == 'so-sensor' or grains['role'] == "so-eval" or grains['role'] == "so-helix" %}
+{%- if grains['role'] == 'so-sensor' or grains['role'] == "so-eval" or grains['role'] == "so-helix" or grains['role'] == "so-heavynode" %}
 {%- if BROVER != 'SURICATA' %}
 {%- for LOGNAME in salt['pillar.get']('brologs:enabled', '')  %}
   - type: log
     paths:
-      - /nsm/bro/logs/current/{{ LOGNAME }}.log
+      - /nsm/zeek/logs/current/{{ LOGNAME }}.log
     fields:
       type: bro_{{ LOGNAME }}
     fields_under_root: true
diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index 44cc7c65c..b058f1408 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -1,5 +1,4 @@
-  # Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
-
+# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
 #    This program is free software: you can redistribute it and/or modify
 #    it under the terms of the GNU General Public License as published by
 #    the Free Software Foundation, either version 3 of the License, or
@@ -14,36 +13,31 @@
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
-{%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
+{% set MASTERIP = salt['pillar.get']('static:masterip', '') %}
 {% set FEATURES = salt['pillar.get']('elastic:features', False) %}
 {% if FEATURES %}
   {% set FEATURES = "-features" %}
 {% else %}
   {% set FEATURES = '' %}
 {% endif %}
-
-# Filebeat Setup
 filebeatetcdir:
   file.directory:
     - name: /opt/so/conf/filebeat/etc
     - user: 939
     - group: 939
     - makedirs: True
-
 filebeatlogdir:
   file.directory:
     - name: /opt/so/log/filebeat
     - user: 939
     - group: 939
     - makedirs: True
-
 filebeatpkidir:
   file.directory:
     - name: /opt/so/conf/filebeat/etc/pki
     - user: 939
     - group: 939
     - makedirs: True
-
 # This needs to be owned by root
 filebeatconfsync:
   file.managed:
@@ -52,7 +46,6 @@ filebeatconfsync:
     - user: 0
     - group: 0
     - template: jinja
-
 so-filebeat:
   docker_container.running:
     - image: {{ MASTER }}:5000/soshybridhunter/so-filebeat:{{ VERSION }}{{ FEATURES }}
@@ -67,13 +60,8 @@ so-filebeat:
       - /opt/so/wazuh/logs/alerts/:/wazuh/alerts:ro
       - /opt/so/wazuh/logs/archives/:/wazuh/archives:ro
       - /opt/so/log/fleet/:/osquery/logs:ro
-{%- if grains['role'] == 'so-master' %}
-      - /etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro
-      - /etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro
-{%- else %}
       - /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro
       - /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro
-{%- endif %}
       - /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro
     - watch:
       - file: /opt/so/conf/filebeat/etc/filebeat.yml
diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls
index a016a9767..a26993cc0 100644
--- a/salt/firewall/init.sls
+++ b/salt/firewall/init.sls
@@ -1,7 +1,7 @@
 # Firewall Magic for the grid
 {%- if grains['role'] in ['so-eval','so-master','so-helix','so-mastersearch'] %}
 {%- set ip = salt['pillar.get']('static:masterip', '') %}
-{%- elif grains['role'] == 'so-node' %}
+{%- elif grains['role'] == 'so-node' or grains['role'] == 'so-heavynode' %}
 {%- set ip = salt['pillar.get']('node:mainip', '') %}
 {%- elif grains['role'] == 'so-sensor' %}
 {%- set ip = salt['pillar.get']('sensor:mainip', '') %}
@@ -584,7 +584,7 @@ enable_standard_analyst_443_{{ip}}:
 {% endif %}
 
 # Rules if you are a Node
-{% if grains['role'] == 'so-node' %}
+{% if 'node' in grains['role'] %}
 
 #This should be more granular
 iptables_allow_docker:
@@ -655,3 +655,39 @@ iptables_drop_all_the_things:
     - chain: LOGGING
     - jump: DROP
     - save: True
+
+{% if grains['role'] == 'so-heavynode' %}
+# Allow Redis
+enable_heavynode_redis_6379_{{ip}}:
+  iptables.insert:
+    - table: filter
+    - chain: DOCKER-USER
+    - jump: ACCEPT
+    - proto: tcp
+    - source: {{ ip }}
+    - dport: 6379
+    - position: 1
+    - save: True
+
+enable_forwardnode_beats_5044_{{ip}}:
+  iptables.insert:
+    - table: filter
+    - chain: DOCKER-USER
+    - jump: ACCEPT
+    - proto: tcp
+    - source: {{ ip }}
+    - dport: 5044
+    - position: 1
+    - save: True
+
+enable_forwardnode_beats_5644_{{ip}}:
+  iptables.insert:
+    - table: filter
+    - chain: DOCKER-USER
+    - jump: ACCEPT
+    - proto: tcp
+    - source: {{ ip }}
+    - dport: 5644
+    - position: 1
+    - save: True
+{% endif %}
diff --git a/salt/logstash/conf/pipelines/eval/0800_input_eval.conf b/salt/logstash/conf/pipelines/eval/0800_input_eval.conf
new file mode 100644
index 000000000..d3fd00029
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/0800_input_eval.conf
@@ -0,0 +1,204 @@
+# Updated by: Mike Reeves
+# Last Update: 11/1/2018
+
+input {
+  file {
+	  path => "/suricata/eve.json"
+		type => "ids"
+                add_field => { "engine" => "suricata" }
+	}
+	file {
+		path => "/nsm/zeek/logs/current/conn*.log"
+		type => "bro_conn"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/dce_rpc*.log"
+		type => "bro_dce_rpc"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/dhcp*.log"
+		type => "bro_dhcp"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/dnp3*.log"
+		type => "bro_dnp3"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/dns*.log"
+		type => "bro_dns"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/dpd*.log"
+		type => "bro_dpd"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/files*.log"
+		type => "bro_files"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/ftp*.log"
+		type => "bro_ftp"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/http*.log"
+		type => "bro_http"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/intel*.log"
+		type => "bro_intel"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/irc*.log"
+		type => "bro_irc"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/kerberos*.log"
+		type => "bro_kerberos"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/modbus*.log"
+		type => "bro_modbus"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/mysql*.log"
+		type => "bro_mysql"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/notice*.log"
+		type => "bro_notice"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/ntlm*.log"
+		type => "bro_ntlm"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/pe*.log"
+		type => "bro_pe"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/radius*.log"
+		type => "bro_radius"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/rdp*.log"
+		type => "bro_rdp"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/rfb*.log"
+		type => "bro_rfb"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/signatures*.log"
+		type => "bro_signatures"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/sip*.log"
+		type => "bro_sip"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/smb_files*.log"
+		type => "bro_smb_files"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/smb_mapping*.log"
+		type => "bro_smb_mapping"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/smtp*.log"
+		type => "bro_smtp"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/snmp*.log"
+		type => "bro_snmp"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/socks*.log"
+		type => "bro_socks"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/software*.log"
+		type => "bro_software"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/ssh*.log"
+		type => "bro_ssh"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/ssl*.log"
+		type => "bro_ssl"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/syslog*.log"
+		type => "bro_syslog"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/tunnel*.log"
+		type => "bro_tunnels"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/weird*.log"
+		type => "bro_weird"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/x509*.log"
+		type => "bro_x509"
+	    	tags => ["bro"]
+	}
+  file {
+    path => "/wazuh/alerts/alerts.json"
+    type => "ossec"
+  }
+  file {
+    path => "/wazuh/archives/archive.json"
+    type => "ossec_archive"
+  }
+  file {
+    path => "/osquery/logs/result.log"
+    type => "osquery"
+    tags => ["osquery"]
+  }
+  file {
+    path => "/strelka/strelka.log"
+    type => "strelka"
+  }
+}
+filter {
+  if "import" in [tags] {
+	mutate {
+	  #add_tag => [ "conf_file_0007"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/1000_preprocess_log_elapsed.conf b/salt/logstash/conf/pipelines/eval/1000_preprocess_log_elapsed.conf
new file mode 100644
index 000000000..d098eb11a
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/1000_preprocess_log_elapsed.conf
@@ -0,0 +1,13 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  ruby {
+    code => "event.set('task_start', Time.now.to_f)"
+  }
+  mutate {
+    #add_tag => [ "conf_file_1000"]
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/1001_preprocess_syslogng.conf b/salt/logstash/conf/pipelines/eval/1001_preprocess_syslogng.conf
new file mode 100644
index 000000000..84bce8802
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/1001_preprocess_syslogng.conf
@@ -0,0 +1,33 @@
+# Updated by: Doug Burks and Wes Lambert
+# Last Update: 10/30/2018
+
+filter {
+  if "syslogng" in [tags] {
+	mutate {
+		rename => { "MESSAGE" => "message" }
+		rename => { "PROGRAM" => "type" }
+		rename => { "FACILITY" => "syslog-facility" }
+		rename => { "FILE_NAME" => "syslog-file_name" }
+		rename => { "HOST" => "syslog-host" }
+		rename => { "HOST_FROM" => "syslog-host_from" }
+		rename => { "LEGACY_MSGHDR" => "syslog-legacy_msghdr" }
+		rename => { "PID" => "syslog-pid" }
+		rename => { "PRIORITY" => "syslog-priority" }
+		rename => { "SOURCEIP" => "syslog-sourceip" }
+		rename => { "TAGS" => "syslog-tags" }
+		lowercase => [ "syslog-host_from" ]
+		remove_field => [ "ISODATE" ]
+		remove_field => [ "SEQNUM" ]
+          	#add_tag => [ "conf_file_1001"]
+	}
+	if "bro_" in [type] {
+		mutate {
+			add_tag => [ "bro" ]
+		}
+	} else if [type] !~ /ossec.*|snort/ and "firewall" not in [tags] {
+		mutate {
+			add_tag => [ "syslog" ]
+		}
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/1002_preprocess_json.conf b/salt/logstash/conf/pipelines/eval/1002_preprocess_json.conf
new file mode 100644
index 000000000..ea7c677da
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/1002_preprocess_json.conf
@@ -0,0 +1,18 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if "json" in [tags]{
+    json {
+      source => "message"
+    }
+    mutate {
+      remove_tag => [ "json" ]
+    }
+	mutate {
+		#add_tag => [ "conf_file_1002"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/1004_preprocess_syslog_types.conf b/salt/logstash/conf/pipelines/eval/1004_preprocess_syslog_types.conf
new file mode 100644
index 000000000..243abcc15
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/1004_preprocess_syslog_types.conf
@@ -0,0 +1,19 @@
+filter {
+  if "syslog" in [tags] {
+    if [host] == "172.16.1.1" {
+      mutate {
+        add_field => { "type" => "fortinet" }
+        add_tag => [ "firewall" ]
+      }
+    }
+    if [host] == "10.0.0.101" {
+      mutate {
+        add_field => { "type" => "brocade" }
+        add_tag => [ "switch" ]
+      }
+    }
+	mutate {
+		#add_tag => [ "conf_file_1004"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/1026_preprocess_dhcp.conf b/salt/logstash/conf/pipelines/eval/1026_preprocess_dhcp.conf
new file mode 100644
index 000000000..2f893cf7a
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/1026_preprocess_dhcp.conf
@@ -0,0 +1,140 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolutions.com
+# Last Update: 12/9/2016
+# This conf file is based on accepting logs for DHCP.  It is currently based on Windows DHCP only.
+filter {
+  if [type] == "dhcp" {
+    mutate {
+      add_field => { "Hostname" => "%{host}" }
+    }
+    mutate {
+      strip => "message"
+    }
+	  # This is the initial parsing of the log
+      grok {
+        # Server 2008+
+        match => { "message" => "%{DATA:id},%{DATE_US:date},(?<time>%{HOUR}:%{MINUTE}:%{SECOND}),%{DATA:description},%{IPV4:ip},%{DATA:Hostname},%{DATA:mac},%{DATA:Username},%{INT:TransactionID},%{INT:QResult},%{DATA:ProbationTime},%{DATA:CorrelationID}"}
+        # Server 2003
+        match => { "message" => "%{DATA:id},%{DATE_US:date},(?<time>%{HOUR}:%{MINUTE}:%{SECOND}),%{DATA:description},%{IPV4:ip},%{DATA:Hostname},%{DATA:mac},"}
+        match => { "message" => "%{DATA:id},%{DATA:date},(?<time>%{HOUR}:%{MINUTE}:%{SECOND}),%{DATA:description},%{DATA:ip},%{DATA:Hostname},%{DATA:mac},"}
+      }
+	  # This section below translates the message ID into something humans can understand.
+      if [id] == "00" {
+        mutate {
+          add_field => [ "event", "The log was started"]
+        }
+      }
+      if [id] == "01" {
+        mutate {
+          add_field => [ "event", "The log was stopped"]
+        }
+      }
+      if [id] == "02" {
+        mutate {
+          add_field => [ "event", "The log was temporarily paused due to low disk space"]
+        }
+      }
+      if [id] == "10" {
+        mutate {
+          add_field => [ "event", "A new IP address was leased to a client"]
+        }
+      }
+      if [id] == "11" {
+        mutate {
+          add_field => [ "event", "A lease was renewed by a client"]
+        }
+      }
+      if [id] == "12" {
+        mutate {
+          add_field => [ "event", "A lease was released by a client"]
+        }
+      }
+      if [id] == "13" {
+        mutate {
+          add_field => [ "event", "An IP address was found to be in use on the network"]
+        }
+      }
+      if [id] == "14" {
+        mutate {
+          add_field => [ "event", "A lease request could not be satisfied because the scope's address pool was exhausted"]
+        }
+      }
+      if [id] == "15" {
+        mutate {
+          add_field => [ "event", "A lease was denied"]
+        }
+      }
+      if [id] == "16" {
+        mutate {
+          add_field => [ "event", "A lease was deleted"]
+        }
+      }
+      if [id] == "17" {
+        mutate {
+          add_field => [ "event", "A lease was expired and DNS records for an expired leases have not been deleted"]
+        }
+      }
+      if [id] == "18" {
+        mutate {
+          add_field => [ "event", "A lease was expired and DNS records were deleted"]
+        }
+      }
+      if [id] == "20" {
+        mutate {
+          add_field => [ "event", "A BOOTP address was leased to a client"]
+        }
+      }
+      if [id] == "21" {
+        mutate {
+          add_field => [ "event", "A dynamic BOOTP address was leased to a client"]
+        }
+      }
+      if [id] == "22" {
+        mutate {
+          add_field => [ "event", "A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted"]
+        }
+      }
+      if [id] == "23" {
+        mutate {
+          add_field => [ "event", "A BOOTP IP address was deleted after checking to see it was not in use"]
+        }
+      }
+      if [id] == "24" {
+        mutate {
+          add_field => [ "event", "IP address cleanup operation has began"]
+        }
+      }
+      if [id] == "25" {
+        mutate {
+          add_field => [ "event", "IP address cleanup statistics"]
+        }
+      }
+      if [id] == "30" {
+        mutate {
+          add_field => [ "event", "DNS update request to the named DNS server"]
+        }
+      }
+      if [id] == "31" {
+        mutate {
+          add_field => [ "event", "DNS update failed"]
+        }
+      }
+      if [id] == "32" {
+        mutate {
+          add_field => [ "event", "DNS update successful"]
+        }
+      }
+      if [id] == "33" {
+        mutate {
+          add_field => [ "event", "Packet dropped due to NAP policy"]
+        }
+      }
+	  # If the message failed to parse correctly keep the message for debugging.  Otherwise, drop it.
+      #if "_grokparsefailure" not in [tags] { 
+      #  mutate {
+      #    remove_field => [ "message"]
+      #  }
+      #}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/1029_preprocess_esxi.conf b/salt/logstash/conf/pipelines/eval/1029_preprocess_esxi.conf
new file mode 100644
index 000000000..18120d00d
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/1029_preprocess_esxi.conf
@@ -0,0 +1,31 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+#
+# This configuration file takes ESXi syslog messages and filters them.  There is no input as the logs would have came in via syslog
+filter {
+  # This is an example of using an IP address range to classify a syslog message to a specific type of log
+  # This is helpful as so many devices only send logs via syslog
+  if [host] =~ "10\.[0-1]\.9\." {
+    mutate {
+      replace => ["type", "esxi"]
+    }
+  }
+  if [host] =~ "\.234$" {
+    mutate {
+      replace => ["type", "esxi"]
+    }
+  }
+  if [type] == "esxi" {
+     grok {
+          match => { "message" => "(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGHOST:logsource}) (?:%{SYSLOGPROG}): (?<messagebody>(?:\[(?<esxi_thread_id>[0-9A-Z]{8,8}) %{DATA:esxi_loglevel} \'%{DATA:esxi_service}\'\] %{GREEDYDATA:esxi_message}|%{GREEDYDATA}))"}
+
+#      pattern => ['(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGHOST:logsource}) (?:%{SYSLOGPROG}): (?<messagebody>(?:\[(?<esxi_thread_id>[0-9A-Z]{8,8}) %{DATA:esxi_loglevel} \'%{DATA:esxi_service}\'\] %{GREEDYDATA:esxi_message}|%{GREEDYDATA}))']
+    }
+	mutate {
+		#add_tag => [ "conf_file_1029"]
+	}
+  }
+}
+
diff --git a/salt/logstash/conf/pipelines/eval/1030_preprocess_greensql.conf b/salt/logstash/conf/pipelines/eval/1030_preprocess_greensql.conf
new file mode 100644
index 000000000..adea86053
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/1030_preprocess_greensql.conf
@@ -0,0 +1,21 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [type] == "greensql" {
+    # This section is parsing out the fields for GreenSQL syslog data
+    grok {
+      match => { "message" => "<%{INT:Code}>%{DATA:Category}\[%{INT:Transcation}\]:\s*Database=%{DATA:Database}\sUser=%{DATA:UserName}\sApplication Name=%{DATA:Application}\sSource IP=%{IPV4:SrcIp}\sSource Port=%{INT:SrcPort}\sTarget IP=?%{IPV4:DstIp}\sTarget Port=%{DATA:DstPort}\sQuery=%{GREEDYDATA:Query}"}
+      match => { "message" => "<%{INT:Code}>%{DATA:Category}\[%{INT:Transcation}\]:\sAdmin_Name=%{DATA:UserName}\sIP_Address=%{IPV4:SrcIp}\sUser_Agent=%{DATA:UserAgent}\sMessage=%{DATA:StatusMessage}\sDescription=%{DATA:Description}\sSeverity=%{GREEDYDATA:Severity}"}
+    }
+	# Remove the message field as it is unnecessary
+    #mutate {
+    #  remove_field => [ "message"]
+    #}
+	mutate {
+		#add_tag => [ "conf_file_1030"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/1031_preprocess_iis.conf b/salt/logstash/conf/pipelines/eval/1031_preprocess_iis.conf
new file mode 100644
index 000000000..9bcd33a3e
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/1031_preprocess_iis.conf
@@ -0,0 +1,21 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [type] == "iis" {
+    # The log is expected to have come from NXLog and in JSON format.  This allows for automatic parsing of fields
+    json {
+      source => "message"
+    }
+    # This removes the message field as it is unneccesary and tags the packet as web
+    mutate {
+    #  remove_field => [ "message"]
+      add_tag => [ "web" ]
+    }
+	mutate {
+		#add_tag => [ "conf_file_1031"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/1032_preprocess_mcafee.conf b/salt/logstash/conf/pipelines/eval/1032_preprocess_mcafee.conf
new file mode 100644
index 000000000..de5466288
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/1032_preprocess_mcafee.conf
@@ -0,0 +1,26 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+#
+# This file looks for McAfee EPO logs
+filter {
+  if [type] == "mcafee" {
+    # NXLog should be sending the logs in JSON format so they auto parse
+    json {
+      source => "message"
+    }
+	# This section converts the UTC fields to the proper time format
+    date {
+      match => [ "ReceivedUTC", "YYYY-MM-dd HH:mm:ss" ]
+      target => [ "ReceivedUTC" ]
+    }
+    date {
+      match => [ "DetectedUTC", "YYYY-MM-dd HH:mm:ss" ]
+      target => [ "DetectedUTC" ]
+    }
+	mutate {
+		#add_tag => [ "conf_file_1032"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/1033_preprocess_snort.conf b/salt/logstash/conf/pipelines/eval/1033_preprocess_snort.conf
new file mode 100644
index 000000000..897a8ae4b
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/1033_preprocess_snort.conf
@@ -0,0 +1,181 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 3/15/2018
+
+filter {
+  if [type] == "ids" {
+    # This is the initial parsing of the log
+    if [engine] == "suricata" {
+        json {
+            source => "message"
+        }
+        mutate {
+	    rename => { "alert" => "orig_alert" } 
+            rename => { "[orig_alert][gid]" => "gid" }
+            rename => { "[orig_alert][signature_id]" => "sid" }
+            rename => { "[orig_alert][rev]" => "rev" }
+            rename => { "[orig_alert][signature]" => "alert" }
+            rename => { "[orig_alert][category]" => "classification" }
+            rename => { "[orig_alert][severity]" => "priority" }
+	    rename => { "[orig_alert][rule]" => "rule_signature" }
+            rename => { "app_proto" => "application_protocol" }
+            rename => { "dest_ip" => "destination_ip" }
+            rename => { "dest_port" => "destination_port" }
+            rename => { "in_iface" => "interface" }
+            rename => { "proto" => "protocol" }
+            rename => { "src_ip" => "source_ip" }
+            rename => { "src_port" => "source_port" }
+	    #rename => { "[fileinfo][filename]" => "filename" }
+            #rename => { "[fileinfo][gaps]" => "gaps" }
+            #rename => { "[fileinfo][size]" => "size" }
+            #rename => { "[fileinfo][state]" => "state" }
+            #rename => { "[fileinfo][stored]" => "stored" }
+            #rename => { "[fileinfo][tx_id]" => "tx_id" }
+            #rename => { "[flow][age]" => "duration" }
+            #rename => { "[flow][alerted]" => "flow_alerted" }
+            #rename => { "[flow][bytes_toclient]" => "bytes_to_client" }
+            #rename => { "[flow][bytes_toserver]" => "bytes_to_server" }
+            #rename => { "[flow][end]" => "flow_end" }
+            #rename => { "[flow][pkts_toclient]" => "packets_to_client" }
+            #rename => { "[flow][pkts_toserver]" => "packets_to_server" }
+            #rename => { "[flow][reason]" => "reason" }
+            #rename => { "[flow][start]" => "flow_start" }
+            #rename => { "[flow][state]" => "state" }
+            #rename => { "[netflow][age]" => "duration" }
+            #rename => { "[netflow][bytes]" => "bytes" }
+            #rename => { "[netflow][end]" => "netflow_end" }
+            #rename => { "[netflow][start]" => "netflow_start" }
+            #rename => { "[netflow][pkts]" => "packets" }
+            rename => { "[alert][action]" => "action" }
+            rename => { "[alert][category]" => "category" }
+            rename => { "[alert][gid]" => "gid" }
+            rename => { "[alert][rev]" => "rev" }
+            rename => { "[alert][severity]" => "severity" }
+            rename => { "[alert][signature]" => "signature" }
+            rename => { "[alert][signature_id]" => "sid" }
+	    #rename => { "[dns][aa]" => "aa" }
+            #rename => { "[dns][flags]" => "flags" }
+	    #rename => { "[dns][id]" => "id" }
+	    #rename => { "[dns][qr]" => "qr" }
+            #rename => { "[dns][rcode]" => "rcode_name" }
+	    #rename => { "[dns][rrname]" => "rrname" }
+	    #rename => { "[dns][rrtype]" => "rrtype" }
+            #rename => { "[dns][tx_id]" => "tx_id" }
+	    #rename => { "[dns][type]" => "record_type" }
+	    #rename => { "[dns][version]" => "version" }
+            rename => { "[http][hostname]" => "virtual_host" }
+            rename => { "[http][http_content_type]" => "content_type" }
+            rename => { "[http][http_port]" => "http_port" }
+            rename => { "[http][http_method]" => "method" }
+	    rename => { "[http][http_user_agent]" => "useragent" }
+            #rename => { "[http][length]" => "payload_length" }
+            #rename => { "[http][protocol]" => "http_version" }
+            rename => { "[http][status]" => "status_message" }
+            rename => { "[http][url]" => "url" }
+            #rename => { "[metadata][flowbits]" => "flowbits" }
+            rename => { "[tls][fingerprint]" => "certificate_serial_number" }
+            rename => { "[tls][issuerdn]" => "issuer_distinguished_name" }
+            rename => { "[tls][notafter]" => "certificate_not_valid_after" }
+            rename => { "[tls][notbefore]" => "certificate_not_valid_before" }
+            rename => { "[tls][subject]" => "certificate_common_name" }
+            rename => { "[tls][version]" => "tls_version" }
+	    rename => { "event_type" => "ids_event_type" }
+	    remove_field => [ "offset", "orig_alert", "beat", "input", "prospector" ]
+	    remove_tag => [ "beats_input_codec_plain_applied" ]
+	    add_tag => [ "eve" ]
+             
+	}
+    } else {
+        grok {
+          match => ["message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+<%{DATA:interface}>\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip}):%{INT:destination_port}",
+		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+<%{DATA:interface}>\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip})", 
+		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+%{IPV4:destination_ip}:%{INT:destination_port}", 
+		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip})",
+		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip}):%{INT:destination_port}",
+               "message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip})",
+		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}",
+		"message", "\A%{TIME} pid\(%{INT}\)  Alert Received: %{INT} %{INT:priority} %{DATA:classification} %{DATA:interface} \{%{DATA:timestamp}} %{INT} %{INT} \{%{DATA:alert}} %{IP:source_ip} %{IP:destination_ip} %{INT:protocol} %{INT:source_port} %{INT:destination_port} %{INT:gid} %{INT:sid} %{INT:rev} %{INT} %{INT}\Z",
+                "message", "%{GREEDYDATA:alert}"]
+        }
+    }
+    if [timestamp] {
+        mutate {
+                add_field => { "logstash_timestamp" => "%{@timestamp}" }
+        }
+        mutate {
+                convert => { "logstash_timestamp" => "string" }
+        }
+        date {
+                match => [ "timestamp", "ISO8601" ]
+        }
+        mutate {
+                rename => { "logstash_timestamp" => "timestamp" }
+        }
+    }
+	
+	# If the alert is a Snort GPL alert break it apart for easier reading and categorization
+    if [alert] =~ "GPL " {
+	  # This will parse out the category type from the alert
+      grok {
+        match => { "alert" => "GPL\s+%{DATA:category}\s" }
+      }
+	  # This will store the category
+      mutate {
+        add_field => { "rule_type" => "Snort GPL" }
+        lowercase => [ "category"]
+        }
+    }
+	# If the alert is an Emerging Threat alert break it apart for easier reading and categorization
+    if [alert] =~ "ET " {
+	  # This will parse out the category type from the alert
+      grok {
+        match => { "alert" => "ET\s+%{DATA:category}\s" }
+      }
+	  # This will store the category
+      mutate {
+        add_field => { "rule_type" => "Emerging Threats" }
+        lowercase => [ "category"]
+      }
+    }
+	# I recommend changing the field types below to integer so searches can do greater than or less than
+	# and also so math functions can be ran against them
+    mutate {
+      convert => [ "source_port", "integer" ]
+      convert => [ "destination_port", "integer" ]
+      convert => [ "gid", "integer" ]
+      convert => [ "sid", "integer" ]
+    #  remove_field => [ "message"]
+    }
+	# This will translate the priority field into a severity field of either High, Medium, or Low
+	if [priority] == 1 {
+      mutate {
+        add_field => { "severity" => "High" }
+      }
+    }
+    if [priority] == 2 {
+      mutate {
+        add_field => { "severity" => "Medium" }
+      }
+    }
+    if [priority] == 3 {
+      mutate {
+        add_field => { "severity" => "Low" }
+      }
+    }
+    # This section adds URLs to lookup information about a rule online
+    if [sid] and [sid] > 0 and [sid] < 1000000 {
+      mutate {
+        add_field => [ "signature_info", "https://www.snort.org/search?query=%{gid}-%{sid}" ]
+      }
+    }
+    if [sid] and [sid] > 1999999 and [sid] < 2999999 {
+      mutate {
+        add_field => [ "signature_info", "http://doc.emergingthreats.net/%{sid}" ]
+      }
+    }
+#	mutate {
+		#add_tag => [ "conf_file_1033"]
+#	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/1034_preprocess_syslog.conf b/salt/logstash/conf/pipelines/eval/1034_preprocess_syslog.conf
new file mode 100644
index 000000000..998109685
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/1034_preprocess_syslog.conf
@@ -0,0 +1,16 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/22/2017
+
+filter {
+  if [type] == "syslog" { 
+    # This drops syslog messages regarding license messages.  You may want to comment it out.
+    #if [message] =~ "license" {
+    #  drop { }
+    #}
+	mutate {
+		#convert => [ "status_code", "integer" ]
+	}
+  }  
+}
diff --git a/salt/logstash/conf/pipelines/eval/2000_network_flow.conf b/salt/logstash/conf/pipelines/eval/2000_network_flow.conf
new file mode 100644
index 000000000..40a060955
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/2000_network_flow.conf
@@ -0,0 +1,59 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [type] == "sflow" {
+    if [message] =~ /CNTR/ {
+      drop { }
+    }
+
+    grok {
+      match => { "message" => "%{WORD:sample_type},%{IP:sflow_source_ip},%{WORD:in_port:int},%{WORD:out_port:int},%{WORD:source_mac},%{WORD:destination_mac},%{WORD:ether_type},%{NUMBER:in_vlan:int},%{NUMBER:out_vlan:int},%{IP:source_ip},%{IP:destination_ip},%{NUMBER:protocol:int},%{WORD:type_of_service},%{WORD:ttl:int},%{NUMBER:source_port:int},%{NUMBER:destination_port:int},%{DATA:tcp_flags},%{NUMBER:packet_size:int},%{NUMBER:ip_size:int},%{NUMBER:sample_rate:int}" }
+    }
+
+    if "_grokparsefailure" in [tags] {
+      drop { }
+    }
+
+    mutate {
+      add_field => {
+        "[source_hostname]" => "%{source_ip}"
+        "[destination_hostname]" => "%{destination_ip}"
+        "[sflow_source_hostname]" => "%{sflow_source_ip}"
+      }
+    }
+
+    translate {
+      field => "[source_port]"
+      destination => "[source_service]"
+      dictionary_path => "/lib/dictionaries/iana_services.yaml"
+    }
+
+    translate {
+      field => "[destination_port]"
+      destination => "[destination_service]"
+      dictionary_path => "/lib/dictionaries/iana_services.yaml"
+    }
+
+    translate {
+      field => "[protocol]"
+      destination => "[protocol_name]"
+      dictionary_path => "/lib/dictionaries/iana_protocols.yaml"
+    }
+
+    translate {
+      field => "[tcp_flags]"
+      destination => "[tcp_flag]"
+      dictionary_path => "/lib/dictionaries/tcp_flags.yaml"
+    }
+
+    mutate {
+      add_field => { "ips" => [ "%{sflow_source_ip}" ] }
+    }
+	mutate {
+		#add_tag => [ "conf_file_2000"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/6002_syslog.conf b/salt/logstash/conf/pipelines/eval/6002_syslog.conf
new file mode 100644
index 000000000..f82f81a25
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6002_syslog.conf
@@ -0,0 +1,11 @@
+# Updated by: Doug Burks
+# Last Update: 5/16/2017
+#
+filter {
+  if "syslog" in [tags] {
+	mutate {
+		#convert => [ "status_code", "integer" ]
+	  #add_tag => [ "conf_file_6002"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/6101_switch_brocade.conf b/salt/logstash/conf/pipelines/eval/6101_switch_brocade.conf
new file mode 100644
index 000000000..dd2f3126c
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6101_switch_brocade.conf
@@ -0,0 +1,33 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [type] == "brocade" {
+    grok {
+      match => ["message", "<%{DATA}>%{GREEDYDATA:sys_message}"]
+    }
+    grok {
+      match => { "sys_message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid:int}\])?: %{GREEDYDATA:syslog_message}" }
+      add_field => [ "received_at", "%{@timestamp}" ]
+    }
+    if [syslog_message] =~ "Interface ethernet" or [syslog_program] == "PORT" {
+      grok {
+        match => { "syslog_message" => "%{DATA}%{INT:unit}\/%{INT:interface_type}\/%{INT:interface:int}" }
+      }
+      mutate {
+        add_field => { "interface_port" => "%{unit}/%{interface_type}/%{interface}" }
+      }
+    }
+    date {
+      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
+      timezone => "America/Chicago"
+      remove_field => "syslog_timestamp"
+      remove_field => "received_at"
+    }
+	mutate {
+		#add_tag => [ "conf_file_6101"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/6200_firewall_fortinet.conf b/salt/logstash/conf/pipelines/eval/6200_firewall_fortinet.conf
new file mode 100644
index 000000000..b33c89bb8
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6200_firewall_fortinet.conf
@@ -0,0 +1,281 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [type] == "fortinet" {
+    mutate {
+      gsub => [ "message", "= ", "=NA " ]
+    }
+
+    grok {
+       match => ["message", "type=%{DATA:event_type}\s+"]
+       tag_on_failure => []
+    }
+    grok {
+       match => ["message", "<%{DATA}>%{GREEDYDATA:kv}"]
+       tag_on_failure => []
+    }
+    kv {
+      source => "kv"
+      exclude_keys => [ "type" ]
+    }
+    mutate {
+      gsub => [ "log", "= ", "=NA " ]
+    }
+    kv {
+      source => "log"
+      target => "SubLog"
+    }
+    grok {
+       match => ["message", "custom: DOM-ALL, dns_query=%{DATA:dns_query};"]
+       tag_on_failure => [ "" ]
+    }
+    mutate {
+      rename => {  "action" => "action" }
+      rename => {  "addr" => "addr_ip" }
+      rename => {  "age" => "age" }
+      rename => {  "assigned" => "assigned_ip" }
+      rename => {  "assignip" => "assign_ip" }
+      rename => {  "ap" => "access_point" }
+      rename => {  "app" => "application" }
+      rename => {  "appcat" => "application_category" }
+      rename => {  "applist" => "application_list" }
+      rename => {  "apprisk" => "application_risk" }
+      rename => {  "approfile" => "accessPoint_profile" }
+      rename => {  "apscan" => "access_point_scan" }
+      rename => {  "apstatus" => "acces_point_status" }
+      rename => {  "aptype" => "access_point_type" }
+      rename => {  "authproto" => "authentication_protocol" }
+      rename => {  "bandwidth" => "bandwidth" }
+      rename => {  "banned_src" => "banned_source" }
+      rename => {  "cat" => "category" }
+      rename => {  "catdesc" => "category_description" }
+      rename => {  "cfgattr" => "configuration_attribute" }
+      rename => {  "cfgobj" => "configuration_object" }
+      rename => {  "cfgpath" => "configuration_path" }
+      rename => {  "cfgtid" => "configuration_transaction_id" }
+      rename => {  "channel" => "channel" }
+      rename => {  "community" => "community" }
+      rename => {  "cookies" => "cookies" }
+      rename => {  "craction" => "cr_action" }
+      rename => {  "crlevel" => "cr_level" }
+      rename => {  "crscore" => "cr_score" }
+      rename => {  "datarange" => "data_range" }
+      rename => {  "desc" => "description" }
+      rename => {  "detectionmethod" => "detection_method" }
+      rename => {  "devid" => "device_id" }
+      rename => {  "devname" => "device_name" }
+      rename => {  "devtype" => "device_type" }
+      rename => {  "dhcp_msg" => "dhcp_message" }
+      rename => {  "disklograte" => "disk_lograte" }
+      rename => {  "dstcountry" => "destination_country" }
+      rename => {  "dstintf" => "destination_interface" }
+      rename => {  "dstip" => "destination_ip" }
+      rename => {  "dstport" => "destination_port" }
+      rename => {  "duration" => "elapsed_time" }
+      rename => {  "error_num" => "error_number" }
+      rename => {  "espauth" => "esp_authentication" }
+      rename => {  "esptransform" => "esp_transform" }
+      rename => {  "eventid" => "event_id" }
+      rename => {  "eventtype" => "event_type" }
+      rename => {  "fazlograte" => "faz_lograte" }
+      rename => {  "filename" => "file_name" }
+      rename => {  "filesize" => "file_size" }
+      rename => {  "filetype" => "file_type" }
+      rename => {  "hostname" => "hostname" }
+      rename => {  "ip" => "source_ip" }
+      rename => {  "localip" => "source_ip" }
+      rename => {  "locip" => "local_ip" }
+      rename => {  "locport" => "source_port" }
+      rename => {  "logid" => "log_id" }
+      rename => {  "logver" => "log_version" }
+      rename => {  "manuf" => "manufacturer" }
+      rename => {  "mem" => "memory" }
+      rename => {  "meshmode" => "mesh_mode" }
+      rename => {  "msg" => "message" }
+      rename => {  "nextstat" => "next_stat" }
+      rename => {  "onwire" => "on_wire" }
+      rename => {  "osname" => "os_name" }
+      rename => {  "osversion" => "unauthenticated_user" }
+      rename => {  "outintf" => "outbound_interface" }
+      rename => {  "peer_notif" => "peer_notification" }
+      rename => {  "phase2_name" => "phase2_name" }
+      rename => {  "policyid" => "policy_id" }
+      rename => {  "policytype" => "policy_type" }
+      rename => {  "port" => "port" }
+      rename => {  "probeproto" => "probe_protocol" }
+      rename => {  "proto" => "protocol_number" }
+      rename => {  "radioband" => "radio_band" }
+      rename => {  "radioidclosest" => "radio_id_closest" }
+      rename => {  "radioiddetected" => "radio_id_detected" }
+      rename => {  "rcvd" => "bytes_received" }
+      rename => {  "rcvdbyte" => "bytes_received" }
+      rename => {  "rcvdpkt" => "packets_received" }
+      rename => {  "remip" => "destination_ip" }
+      rename => {  "remport" => "remote_port" }
+      rename => {  "reqtype" => "request_type" }
+      rename => {  "scantime" => "scan_time" }
+      rename => {  "securitymode" => "security_mode" }
+      rename => {  "sent" => "bytes_sent" }
+      rename => {  "sentbyte" => "bytes_sent" }
+      rename => {  "sentpkt" => "packets_sent" }
+      rename => {  "session_id" => "session_id" }
+      rename => {  "setuprate" => "setup_rate" }
+      rename => {  "sn" => "serial" }
+      rename => {  "snclosest" => "serial_closest_access_point" }
+      rename => {  "sndetected" => "serial_access_point_that_detected_rogue_ap" }
+      rename => {  "snmeshparent" => "serial_mesh_parent" }
+      rename => {  "srccountry" => "source_country" }
+      rename => {  "srcip" => "source_ip" }
+      rename => {  "srcmac" => "source_mac" }
+      rename => {  "srcname" => "source_name" }
+      rename => {  "srcintf" => "source_interface" }
+      rename => {  "srcport" => "source_port" }
+      rename => {  "stacount" => "station_count" }
+      rename => {  "stamac" => "static_mac" }
+      rename => {  "srccountry" => "source_country" }
+      rename => {  "srcip" => "source_ip" }
+      rename => {  "srcmac" => "source_mac" }
+      rename => {  "srcname" => "source_name" }
+      rename => {  "sn" => "serial" }
+      rename => {  "srcintf" => "source_interface" }
+      rename => {  "srcport" => "source_port" }
+      rename => {  "total" => "total_bytes" }
+      rename => {  "totalsession" => "total_sessions" }
+      rename => {  "trandisp" => "nat_translation_type" }
+      rename => {  "tranip" => "nat_destination_ip" }
+      rename => {  "tranport" => "nat_destination_port" }
+      rename => {  "transip" => "nat_source_ip" }
+      rename => {  "transport" => "nat_source_port" }
+      rename => {  "tunnelid" => "tunnel_id" }
+      rename => {  "tunnelip" => "tunnel_ip" }
+      rename => {  "tunneltype" => "tunnel_type" }
+      rename => {  "unauthuser" => "unauthenticated_user_source" }
+      rename => {  "unauthusersource" => "os_version" }
+      rename => {  "vendorurl" => "vendor_url" }
+      rename => {  "vpntunnel" => "vpn_tunnel" }
+      rename => {  "vulncat" => "vulnerability_category" }
+      rename => {  "vulncmt" => "vulnerability_count" }
+      rename => {  "vulnid" => "vulnerability_id" }
+      rename => {  "vulnname" => "vulnerability_name" }
+      rename => {  "vulnref" => "vulnerability_reference" }
+      rename => {  "vulnscore" => "vulnerability_score" }
+      rename => {  "xauthgroup" => "x_authentication_group" }
+      rename => {  "xauthuser" => "x_authentication_user" }
+      rename => {  "[SubLog][appid]" => "sub_application_id" }
+      rename => {  "[SubLog][devid]" => "sub_device_id" }
+      rename => {  "[SubLog][dstip]" => "sub_destination_ip" }
+      rename => {  "[SubLog][srcip]" => "sub_source_ip" }
+      rename => {  "[SubLog][dstport]" => "sub_destination_port" }
+      rename => {  "[SubLog][eventtype]" => "sub_event_type" }
+      rename => {  "[SubLog][proto]" => "sub_protocol_number" }
+      rename => {  "[SubLog][date]" => "sub_date" }
+      rename => {  "[SubLog][time]" => "sub_time" }
+      rename => {  "[SubLog][srcport]" => "sub_source_port" }
+      rename => {  "[SubLog][subtype]" => "sub_subtype" }
+      rename => {  "[SubLog][devname]" => "sub_device_name" }
+      rename => {  "[SubLog][itime]" => "sub_itime" }
+      rename => {  "[SubLog][level]" => "sub_level" }
+      rename => {  "[SubLog][logid]" => "sub_log_id" }
+      rename => {  "[SubLog][logver]" => "sub_log_version" }
+      rename => {  "[SubLog][type]" => "sub_event_type" }
+      rename => {  "[SubLog][vd]" => "sub_vd" }
+      rename => {  "[SubLog][action]" => "sub_action" }
+      rename => {  "[SubLog][logdesc]" => "sub_destination_ip" }
+      rename => {  "[SubLog][policyid]" => "sub_olicy_id" }
+      rename => {  "[SubLog][reason]" => "sub_reason" }
+      rename => {  "[SubLog][service]" => "sub_service" }
+      rename => {  "[SubLog][sessionid]" => "sub_session_id" }
+      rename => {  "[SubLog][src]" => "sub_source_ip" }
+      rename => {  "[SubLog][status]" => "sub_status" }
+      rename => {  "[SubLog][ui]" => "sub_ui" }
+      rename => {  "[SubLog][urlfilteridx]" => "sub_url_filter_idx" }
+      strip => [ "bytes_sent", "bytes_received" ]
+      convert => [ "bytes_sent", "integer" ]
+      convert => [ "bytes_received", "integer" ]
+      convert => [ "cr_score", "integer" ]
+      convert => [ "cr_action", "integer" ]
+      convert => [ "elapsed_time", "integer" ]
+      convert => [ "destination_port", "integer" ]
+      convert => [ "source_port", "integer" ]
+      convert => [ "local_port", "integer" ]
+      convert => [ "remote_port", "integer" ]
+      convert => [ "packets_sent", "integer" ]
+      convert => [ "packets_received", "integer" ]
+      convert => [ "port", "integer" ]
+      convert => [ "ProtocolNumber", "integer" ]
+      convert => [ "XAuthUser", "string" ]
+      remove_field => [ "kv", "log" ]
+    }
+    if [tunnel_ip] == "N/A" {
+      mutate {
+        remove_field => [ "tunnel_ip" ]
+      }
+    }
+    if [nat_destination_ip] {
+      mutate {
+        add_field => { "ips" => [ "%{nat_destination_ip}" ] }
+        add_field => { "destination_ips" => [ "%{nat_destination_ip}" ] }
+      }
+    }
+    if [sub_destination_ip] {
+      mutate {
+        add_field => { "ips" => [ "%{sub_destination_ip}" ] }
+        add_field => { "destination_ips" => [ "%{sub_destination_ip}" ] }
+      }
+    }
+    if [nat_source_ip] {
+      mutate {
+        add_field => { "ips" => [ "%{nat_source_ip}" ] }
+        add_field => { "source_ips" => [ "%{nat_source_ip}" ] }
+      }
+    }
+    if [sub_source_ip] {
+      mutate {
+        add_field => { "ips" => [ "%{sub_source_ip}" ] }
+        add_field => { "source_ips" => [ "%{sub_source_ip}" ] }
+      }
+    }
+    if [addr_ip] {
+      mutate {
+        add_field => { "ips" => [ "%{addr_ip}" ] }
+      }
+    }
+    if [assign_ip] {
+      mutate {
+        add_field => { "ips" => [ "%{assign_ip}" ] }
+      }
+    }
+    if [assigned_ip] {
+      mutate {
+        add_field => { "ips" => [ "%{assigned_ip}" ] }
+      }
+    }
+    grok {
+       match => ["message", "type=%{DATA:event_type}\s+"]
+    }
+    if [date] and [time] {
+      mutate {
+        add_field => { "receive_time" => "%{date} %{time}" }
+        remove_field => [ "date", "time" ]
+      }
+      date {
+        timezone => "America/Chicago"
+        match => [ "receive_time", "YYYY-MM-dd HH:mm:ss" ]
+        target => "receive_time"
+      }
+      mutate {
+        rename => { "receive_time" => "@timestamp" }
+      }
+    } else {
+      mutate {
+        add_tag => [ "missing_date" ]
+      }
+    }
+	mutate {
+		#add_tag => [ "conf_file_6200"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/6201_firewall_pfsense.conf b/salt/logstash/conf/pipelines/eval/6201_firewall_pfsense.conf
new file mode 100644
index 000000000..acd08eba0
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6201_firewall_pfsense.conf
@@ -0,0 +1,56 @@
+# Author: Wes Lambert
+# Updated by: Doug Burks
+
+filter {
+  if [type] == "filterlog" {
+    dissect {
+      mapping => {
+        "message" => "%{rule_number},%{sub_rule_number},%{anchor},%{tracker_id},%{interface},%{reason},%{action},%{direction},%{ip_version},%{sub_msg}"
+      }
+    }
+    if [ip_version] == "4" {
+      dissect {
+      	mapping => {
+        	"sub_msg" => "%{ipv4_tos},%{ipv4_ecn},%{ipv4_ttl},%{ipv4_id},%{ipv4_offset},%{ipv4_flags},%{protocol_id},%{protocol},%{protocol_length},%{source_ip},%{destination_ip},%{ip_sub_msg}"
+      	}
+      }
+    }
+    if [ip_version] == "6" {
+      dissect {
+      	mapping => {
+        	"sub_msg" => "%{class},%{flow_label},%{hop_limit},%{protocol},%{protocol_id},%{length},%{source_ip},%{destination_ip},%{ip_sub_msg}"
+      	}
+      }
+    }
+    if [protocol] == "tcp" {
+      dissect {
+      	mapping => {
+        	"ip_sub_msg" => "%{source_port},%{destination_port},%{data_length},%{tcp_flags},"
+      	}
+      }
+    }
+    if [protocol] == "udp" {
+      dissect {
+      	mapping => {
+        	"ip_sub_msg" => "%{source_port},%{destination_port},%{data_length}"
+      	}
+      }
+    }
+    if [protocol] == "Options" {
+      mutate {
+	  copy => { "ip_sub_msg" => "options" }
+        }
+      mutate {
+          split => { "options" => "," }
+        }
+    }
+    mutate {
+      convert 		=> [ "destination_port", "integer" ]
+      convert 		=> [ "source_port", "integer" ]    
+      convert 		=> [ "ip_version", "integer" ]
+      replace 		=> { "type" => "firewall" }
+      add_tag		=> [ "pfsense","firewall" ]
+      remove_field 	=> [ "sub_msg", "ip_sub_msg" ]
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/6300_windows.conf b/salt/logstash/conf/pipelines/eval/6300_windows.conf
new file mode 100644
index 000000000..34450af2b
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6300_windows.conf
@@ -0,0 +1,161 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [type] == "windows" {
+#    json {
+#      source => "message"
+#    }
+    date {
+      match => ["EventTime", "YYYY-MM-dd HH:mm:ss"]
+      remove_field => [ "EventTime" ]
+    }
+    if [EventID] == 4634 {
+      mutate {
+        add_tag => [ "logoff" ]
+      }
+    }
+    if [EventID] == 4624 or [EventID] == 528 or [EventID] == 540 or [EventID] == 552 or [EventID] == 682 or [EventID] == 4648 or [EventID] == 4778 {
+      mutate {
+        add_tag => [ "logon" ]
+        add_tag => [ "alert_data" ]
+      }
+    }
+    if [EventID] == 529 or [EventID] == 4625 or [EventID] == 530 or [EventID] == 531 or [EventID] == 532 or [EventID] == 533 or [EventID] == 534 or [EventID] == 535 or [EventID] == 536 or [EventID] == 536 or [EventID] == 537 or [EventID] == 538 or [EventID] == 539 or [EventID] == 4625 or [EventID] == 4771 {
+      mutate {
+        add_tag => [ "logon_failure" ]
+        add_tag => [ "alert_data" ]
+      }
+    }
+    # Critical event IDs to monitor
+    if [EventID] == 7030 or [EventID] == 4720 or [EventID] == 4722 or [EventID] == 4724 or [EventID] == 4738 or [EventID] == 4732 or [EventID] == 1102 or [EventID] == 1056 or [EventID] == 2003 or [EventID] == 2005 or [EventID] == 8003 or [EventID] == 8004 or [EventID] == 8006 or [EventID] == 8007 {
+      mutate {
+        add_tag => [ "alert_data" ]
+      }
+    }
+    # Critical event IDs to monitor
+    if [EventID] == 5152 { drop {} }
+    if [EventID] == 4688 { drop {} }
+    if [EventID] == 4689 { drop {} } # Process Termination:Not needed due to Sysmon
+    if [Channel] == "Microsoft-Windows-Known Folders API Service" { drop {} }
+    if [EventID] == 3 and [SourceIp] =~ "255$" { drop {} }
+    if [EventID] == 3 and [DestinationIp] =~ "255$" { drop {} }
+    # Whitelist/Blacklist check
+    if [EventID] == 7045 {
+      translate {
+        field => "ServiceName"
+        destination => "ServiceCheck"
+        dictionary_path => "/lib/dictionaries/services.yaml"
+      }
+    }
+    if [EventID] == 7045 and !([ServiceCheck]) {
+      mutate {
+        add_tag => [ "alert_data","new_service" ] 
+      }
+    }
+    if [ServiceCheck] == 'whitelist' {
+      mutate {
+        remove_field => [ "ServiceCheck" ]
+        add_tag => [ "whitelist" ]
+      }
+    }
+    if [ServiceCheck] == 'blacklist' {
+      mutate {
+        remove_field => [ "ServiceCheck" ]
+        add_tag => [ "blacklist" ]
+      }
+    }
+    if [EventID] == 5158 {
+      if [Application] == "System" { drop {} }
+      if [Application] =~ "\\windows\\system32\\spoolsv\.exe" { drop {} }
+      if [Application] =~ "\\windows\\system32\\wbem\\wmiprvse\.exe" { drop {} }
+      if [Application] =~ "mcafee" { drop {} }
+      if [Application] =~ "carestream" { drop {} }
+      if [Application] =~ "Softdent" { drop {} }
+    }
+    if [ProcessName] == "C:\\Windows\\System32\\wbem\\WmiPrvSE\.exe" and [SubjectUserName] == "SolarwindsHO" { drop {} }
+    if [EventID] == 4690 { drop {} }
+    if [EventID] == 861 and [AccountName] == "ntp" { drop {} }
+    if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\lsass\.exe$" { drop {} }
+    if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\svchost\.exe$" { drop {} }
+    if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\dfsrs\.exe$" { drop {} }
+    if [EventID] == 5447 { drop {} }
+
+    mutate {
+      rename => [ "AccountName", "user" ]
+      rename => [ "AccountType", "account_type" ]
+      rename => [ "ActivityID", "activity_id" ]
+      rename => [ "Category", "category" ]
+      rename => [ "ClientAddress", "client_ip" ]
+      rename => [ "Channel", "channel" ]
+      rename => [ "DCIPAddress", "domain_controller_ip" ]
+      rename => [ "DCName", "domain_controller_name" ]
+      rename => [ "EventID", "event_id" ]
+      rename => [ "EventReceivedTime", "event_received_time" ]
+      rename => [ "EventType", "event_type" ]
+      rename => [ "GatewayIPAddress", "gateway_ip" ]
+      rename => [ "IPAddress", "client_ip" ]
+      rename => [ "Ipaddress", "client_ip" ]
+      rename => [ "IpAddress", "client_ip" ]
+      rename => [ "IPPort", "source_port" ]
+      rename => [ "OpcodeValue", "opcode_value" ]
+      rename => [ "PreAuthType", "preauthentication_type" ]
+      rename => [ "PrincipleSAMName", "user" ]
+      rename => [ "ProcessID", "process_id" ]
+      rename => [ "ProviderGUID", "providerguid" ]
+      rename => [ "RecordNumber", "record_number" ]
+      rename => [ "RemoteAddress", "destination_ip" ]
+      rename => [ "ServiceName", "service_name" ]
+      rename => [ "ServiceID", "service_id" ]
+      rename => [ "SeverityValue", "severity_value" ]
+      rename => [ "SourceAddress", "client_ip" ]
+      rename => [ "SourceModuleName", "source_module_name" ]
+      rename => [ "SourceModuleType", "source_module_type" ]
+      rename => [ "SourceName", "source_name" ]
+      rename => [ "SubjectUserName", "user" ]
+      rename => [ "TaskName", "task_name" ]
+      rename => [ "TargetDomainName", "target_domain_name" ]
+      rename => [ "TargetUserName", "user" ]
+      rename => [ "ThreadID", "thread_id" ]
+      rename => [ "User_ID", "user" ]
+      rename => [ "UserID", "user" ]
+      rename => [ "username", "user" ]
+    }
+    # For any accounts that are service accounts or special accounts add the tag of service_account
+    # This example applies the tag to any username that starts with SVC_.  If you use a different
+    # standard change this.
+    if [user] =~ "^DWM-*" or [user] == "SYSTEM" or [user] == "NETWORK SERVICE" or [user] == "LOCAL SERVICE" or [user] =~ "^SVC_*" {
+      mutate {
+        add_tag => [ "service_account" ]
+      }
+    }
+    # This looks for events that are typically noisy but may be of use for deep dive investigations
+    # A tag of noise is added to quickly filter out noise
+    if [event_id] == 7036 or [source_name] == "Desktop Window Manager" or [category] == "Engine Lifecycle" or [category] == "Provider Lifecycle" {
+      mutate {
+        add_tag => [ "noise" ]
+      }
+    }
+    #Identify machine accounts
+    if [user] =~ /\$/ {
+      mutate {
+        add_tag => [ "machine", "noise" ]
+      }
+    }
+    # Lower case all field names
+    ruby {
+      code => "
+        event_hash = event.to_hash
+        new_event = {}
+        event_hash.keys.each do |key|
+        new_event[key.downcase] = event[key]
+        end
+        event.instance_variable_set(:@data, new_event)"
+    }
+	mutate {
+		#add_tag => [ "conf_file_6300"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/6301_dns_windows.conf b/salt/logstash/conf/pipelines/eval/6301_dns_windows.conf
new file mode 100644
index 000000000..1ef5077a6
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6301_dns_windows.conf
@@ -0,0 +1,49 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [type] == "dns" and "bro" not in [tags] {
+    json {
+      source => "message"
+    }
+    # strip whitespace from message field
+    mutate {
+      strip => "message"
+    }
+    # If the message is blank, drop the log
+    if [Message] =~ /^$/ {
+      drop {  }
+    } else {
+      if [type] == "dns" {
+  	  # This section is lookup for a match against the log and parsing out the fields
+        grok {
+          match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          # Server 2003 DNS logs do not include slashes or AM/PM in timestamp
+          match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          remove_field => [ "Message" ]
+        }
+  	  # This section attempts to convert the dns_domain into the traditional domain.com format
+        mutate {
+          gsub => [ "dns_domain", "(\(\d+\))", "." ]
+        }
+        grok {
+          match => { "dns_domain" => "\.%{DATA:query}\.$" }
+          remove_field => [ "dns_domain" ]
+        }
+      }
+    }
+	mutate {
+		#add_tag => [ "conf_file_6301"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/6400_suricata.conf b/salt/logstash/conf/pipelines/eval/6400_suricata.conf
new file mode 100644
index 000000000..11f185ddf
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6400_suricata.conf
@@ -0,0 +1,92 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+#
+# This conf file is based on accepting logs for suricata json events
+filter {
+  if [type] == "suricata" {
+    if "test_data" not in [tags] {
+      date {
+        match => [ "timestamp", "ISO8601" ]
+      }
+    } else {
+      mutate {
+        remove_field => [ "netflow.start","netflow.end","timestamp" ]
+      }
+    }
+    if [event_type] == "fileinfo" {
+      ruby {
+        code => "if event['event_type'] == 'fileinfo'; event['fileinfo']['type']=event['fileinfo']['magic'].to_s.split(',')[0]; end;" 
+      }
+    }
+	# I recommend renaming the fields below to be consistent with other log sources.  This makes it easy to "pivot" between logs
+    mutate {
+      rename => [ "src_ip", "source_ip" ]
+      rename => [ "dest_ip", "destination_ip" ]
+      rename => [ "src_port", "source_port" ]
+      rename => [ "dest_port", "destination_port" ]
+    }
+	# This will translate the alert.severity field into a severity field of either High, Medium, or Low
+    if [event_type] == "alert" {
+      if [alert][severity] == 1 {
+        mutate {
+          add_field => { "severity" => "High" }
+        }
+      }
+      if [alert][severity] == 2 {
+        mutate {
+          add_field => { "severity" => "Medium" }
+        }
+      }
+      if [alert][severity] == 3 {
+        mutate {
+          add_field => { "severity" => "Low" }
+        }
+      }
+	  # If the alert is a Snort GPL alert break it apart for easier reading and categorization
+      if [alert][signature] =~ "GPL " {
+	    # This will parse out the category type from the alert
+        grok {
+          match => { "[alert][signature]" => "GPL\s+%{DATA:category}\s" }
+        }
+		# This will store the category
+        mutate {
+          add_field => { "rule_type" => "Snort GPL" }
+          lowercase => [ "category" ]
+        }
+      }
+	  # If the alert is an Emerging Threat alert break it apart for easier reading and categorization
+      if [alert][signature] =~ "ET " {
+	    # This will parse out the category type from the alert
+        grok {
+          match => { "[alert][signature]" => "ET\s+%{DATA:category}\s" }
+        }
+		# This will store the category
+        mutate {
+          add_field => { "rule_type" => "Emerging Threats" }
+          lowercase => [ "category" ]
+        }
+      }
+	  # This section adds URLs to lookup information about a rule online
+      if [rule_type] == "Snort GPL" {
+        mutate {
+          add_field => [ "signature_info", "https://www.snort.org/search?query=%{[alert][gid]}-%{[alert][signature_id]}" ]
+        }
+      }
+      if [rule_type] == "Emerging Threats" {
+        mutate {
+          add_field => [ "signature_info", "http://doc.emergingthreats.net/%{[alert][signature_id]}" ]
+        }
+      }
+    }
+    if "_grokparsefailure" not in [tags] and "_csvparsefailure" not in [tags] and "_jsonparsefailure" not in [tags] {
+    #  mutate {
+    #    remove_field => [ "message" ]
+    #  }
+    }
+	mutate {
+		#add_tag => [ "conf_file_6400"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/6500_ossec.conf b/salt/logstash/conf/pipelines/eval/6500_ossec.conf
new file mode 100644
index 000000000..292fea49b
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6500_ossec.conf
@@ -0,0 +1,160 @@
+# Author: Wes Lambert
+#
+# Last Update: 09/19/2018
+#
+# This conf file is based on accepting logs from OSSEC
+
+filter {
+  # OSSEC Alerts
+  if [type] == "ossec" {
+        
+	# Sysmon/Autoruns logs transported by OSSEC
+        if [message] =~ "Microsoft-Windows-Sysmon" {
+            mutate {
+                replace => { "type" => "sysmon" }
+                add_tag => [ "ossec" ]
+            }
+        }
+        if [message] =~ "AR-LOG" {
+            mutate {
+                replace => { "type" => "autoruns" }
+                add_tag => [ "ossec" ]
+            }
+        }
+		
+	# If message looks like json, try to parse it as such. Otherwise, grok.
+        if [message] =~ /^{.*}$/ {
+                json {
+                        source => "message"
+                }
+		mutate {
+			rename => { "rule" => "wazuh-rule" }
+			rename => { "[wazuh-rule][level]" => "alert_level" }
+			rename => { "[wazuh-rule][description]" => "description" }
+			rename => { "[data][srcuser]" => "username" }
+			rename => { "[data][dstuser]" => "escalated_user" }
+			rename => { "[data][command]" => "command" }
+			rename => { "[predecoder][program_name]" => "process" }
+			
+                }
+                # Wazuh 3.8.2
+                if [data][EventChannel] {
+        		mutate {
+				rename => { "[data][EventChannel][EventData][User]" => "username" }
+        			rename => { "[data][EventChannel][System][EventID]" => "event_id" }
+        			rename => { "[data][EventChannel][EventData][DestinationPort]" => "destination_port" }
+        			rename => { "[data][EventChannel][EventData][DestinationIp]" => "destination_ip" }
+        			rename => { "[data][EventChannel][EventData][SourcePort]" => "source_port" }
+        			rename => { "[data][EventChannel][EventData][SourceIp]" => "source_ip" }
+        			rename => { "[data][EventChannel][EventData][SourceHostname]" => "source_hostname" }
+        			rename => { "[data][EventChannel][EventData][DestinationHostname]" => "destination_hostname" }
+			}
+		}
+                # Wazuh 3.9.2
+		if [data][win] {
+                        mutate {
+				rename => { "[data][win][eventdata][user]" => "username" }
+                        	rename => { "[data][win][system][eventID]" => "event_id" }
+                        	rename => { "[data][win][eventdata][destinationPort]" => "destination_port" }
+                        	rename => { "[data][win][eventdata][destinationIp]" => "destination_ip" }
+                        	rename => { "[data][win][eventdata][sourcePort]" => "source_port" }
+                        	rename => { "[data][win][eventdata][sourceIp]" => "source_ip" }
+                        	rename => { "[data][win][eventdata][sourceHostname]" => "source_hostname" }
+                        	rename => { "[data][win][eventdata][destinationHostname]" => "destination_hostname" } 
+                        }
+		}
+	} else {
+		grok {
+			match => ["message", "Alert Level: %{NONNEGINT;alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; user: +%{DATA:username}; %{SYSLOGTIMESTAMP} %{DATA:host} %{DATA:process}\[%{INT:pid}]: %{GREEDYDATA:details}", 
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}",
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}", 
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: +%{DATA:username} : TTY=%{DATA:tty} ; PWD=%{DATA:dir} ; USER=%{DATA:escalated_user} ; COMMAND=%{GREEDYDATA:command}", 
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: %{GREEDYDATA:details}", 
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: +%{DATA:username} : %{GREEDYDATA:details}",  
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; srcip: %{IP:source_ip};%{GREEDYDATA:details}", 
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA:username}: %{DATA}: \'%{DATA}': %{DATA:interface}: %{INT:num_packets}",
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA:username}: %{GREEDYDATA:details}.",
+				"message", "Alert Level: %{NONNEGINT:alert_Level}; Rule: %{NONNEGINT:Rule} - %{DATA:Description}; Location: %{DATA:location}; user: +%{DATA:username};",
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA}: %{DATA}: \'%{DATA}': %{DATA:interface}: %{NONNEGINT:num_packets}",
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{GREEDYDATA:details}"]
+		}
+	}
+	
+	# Add tag for OSSEC alerts
+	if [alert_level] {
+            mutate {
+		add_tag => [ "alert" ]
+	    }
+        }
+
+	translate {
+		field => "alert_level"
+
+		destination => "classification"
+
+		dictionary => [
+               	    "1", "None",
+		    "2", "System low priority notification",
+		    "3", "Successful/authorized event",
+		    "4", "System low priority error",
+		    "5", "User generated error",
+		    "6", "Low relevance attack",
+		    "7", '"Bad word" matching',
+		    "8", "First time seen",
+		    "9", "Error from invalid source",
+		    "10", "Multiple user generated errors",
+		    "11", "Integrity checking warning",
+		    "12", "High importance event",
+		    "13", "Unusal error (high importance)",
+		    "14", "High importance security event",
+		    "15", "Severe attack"
+               	]
+	}
+  }
+
+  # OSSEC Archive Logs
+  if [type] == "ossec_archive" {
+        
+	# Sysmon/Autoruns logs transported by OSSEC
+	if [message] =~ "Microsoft-Windows-Sysmon" {
+            mutate { 
+                replace => { "type" => "sysmon" } 
+                add_tag => [ "ossec" ] 
+	    }
+        }
+	if [message] =~ "AR-LOG" {
+            mutate { 
+                replace => { "type" => "autoruns" } 
+                add_tag => [ "ossec" ]
+            }
+        }
+
+	# If message looks like json, try to parse it as such. Otherwise, grok.
+        if [message] =~ /^{.*}$/ {
+                json {
+                        source => "message"
+                }
+		mutate {
+                        rename => [ "rule", "wazuh-rule" ]
+                        rename => [ "[wazuh-rule][level]", "alert_level" ]
+                        rename => [ "[wazuh-rule][description]", "description" ]
+                        rename => [ "[data][srcuser]", "username" ]
+                        rename => [ "[data][dstuser]", "escalated_user" ]
+                        rename => [ "[data][command]", "command" ]
+                        rename => [ "[predecoder][program_name]", "process" ]
+                }
+	} else {
+		grok {
+			match => ["message",'%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{IP:source_ip} - %{DATA:username} \[%{DATA:request_timestamp}] "%{DATA:method} %{DATA:requested_resource} %{DATA:protocol}\/%{DATA:protocol_version}" %{NONNEGINT:status_code} %{NONNEGINT:object_size} "%{DATA:referrer}" "%{DATA:user_agent}"',
+				"message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{SYSLOGTIMESTAMP:ossec_timestamp} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: \(%{DATA:username}\) CMD \(%{DATA:command}\)",
+				"message", "%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{GREEDYDATA:details}","message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{SYSLOGTIMESTAMP:ossec_timestamp} %{DATA:ossec_host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}",
+				"message","%{DATA:age} %{DATA:program} %{DATA} '%{DATA:checksum}'",
+				"message", "%{DATA:username} : TTY=%{DATA:tty} ; PWD=%{DATA:dir} ; USER=%{DATA:escalated_user} ; COMMAND=%{GREEDYDATA:command}"]
+			remove_field => [ "ossec_timestamp" ]
+		}
+		mutate {
+			convert => [ "status_code", "integer" ]
+		}
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/6501_ossec_sysmon.conf b/salt/logstash/conf/pipelines/eval/6501_ossec_sysmon.conf
new file mode 100644
index 000000000..6ebf10487
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6501_ossec_sysmon.conf
@@ -0,0 +1,118 @@
+# Author: Wes Lambert
+# wlambertts@gmail.com
+#
+# This conf file is based on accepting Sysmon logs from OSSEC
+#
+# Parse using grok
+filter {
+  # OSSEC Logs and Alerts
+  if [type] == "sysmon" or "sysmon" in [tags] {
+    if [message] !~ /^{.*}$/ {
+      #mutate { replace => { "type" => "sysmon" } }
+      grok {
+      # match => ["message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{IP:source_ip}->WinEvtLog %{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION\(%{INT:sysmon_event_id}\):"]
+        match => ["message", "%{YEAR:year}%{SPACE}%{SYSLOGTIMESTAMP:timestamp}%{SPACE}%{DATA:location}%{SPACE}(any|%{IP:source_ip})->WinEvtLog%{SPACE}%{YEAR:year}%{SPACE}%{SYSLOGTIMESTAMP:ossec_timestamp}%{SPACE}WinEvtLog:%{SPACE}Microsoft-Windows-Sysmon/Operational:%{SPACE}INFORMATION\(%{INT:event_id}\):%{SPACE}%{GREEDYDATA:rest_of_msg}"]
+      }
+      mutate {
+        convert => ["event_id", "integer"]
+        remove_field => ["timestamp"]
+        remove_field => ["year"]
+      }
+      if [event_id] == 1 {
+        grok {
+          match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}%{DATA:process_name} %{DATA:process_arguments}%{SPACE}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}LogonGuid:%{SPACE}\{%{DATA:logon_guid}\}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{SPACE}%{DATA:integrity_level}%{SPACE}Hashes:%{SPACE}MD5=%{DATA:md5},SHA256=%{DATA:sha256}%{SPACE}ParentProcessGuid:%{SPACE}\{%{DATA:parent_process_guid}\}%{SPACE}ParentProcessId:%{SPACE}%{NONNEGINT:parent_process_id}%{SPACE}ParentImage:%{SPACE}%{DATA:parent_image_path}%{SPACE}ParentCommandLine:%{SPACE}%{GREEDYDATA:parent_process_name}",
+		"rest_of_msg", 'Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}"%{DATA:process_name}"%{SPACE}%{DATA:process_arguments}%{SPACE}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}LogonGuid:%{SPACE}\{%{DATA:logon_guid}\}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{DATA:integrity_level}',
+		"rest_of_msg", "Microsoft-Windows-Sysmon/Operational:%{SPACE}INFORMATION(%{INT:event_id}):%{SPACE}Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}{%{DATA:process_guid}}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}%{DATA:process_name}%{SPACE}%{DATA:process_arguments}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}LogonGuid:%{SPACE}{%{DATA:logon_guid}}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{SPACE}%{DATA:integrity_level}%{SPACE}Hashes:%{SPACE}MD5=%{DATA:md5},SHA256=%{DATA:sha256}%{SPACE}ParentProcessGuid:%{SPACE}{%{DATA:parent_process_guid}}%{SPACE}ParentProcessId:%{SPACE}%{NONNEGINT:parent_process_id}%{SPACE}ParentImage:%{SPACE}%{DATA:parent_image_path}%{SPACE}ParentCommandLine:%{SPACE}%{GREEDYDATA:parent_process_name}"]
+        }
+        mutate {
+          convert => ["process_guid", "integer"]
+          convert => ["process_id", "integer"]
+          add_tag => ["process_creation"]
+        }
+      }
+      if [event_id] == 3 {
+        mutate {
+          remove_field => ["source_ip"]
+        }
+        grok {
+        match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}Protocol:%{SPACE}%{DATA:protocol}%{SPACE}Initiated:%{SPACE}%{DATA:initiated}%{SPACE}SourceIsIpv6:%{SPACE}%{DATA:is_source_ipv6}%{SPACE}SourceIp:%{SPACE}%{IP:source_ip}%{SPACE}SourceHostname:%{SPACE}%{DATA:source_hostname}%{SPACE}SourcePort:%{SPACE}%{NONNEGINT:source_port}%{SPACE}SourcePortName:%{SPACE}%{DATA:source_port_name}%{SPACE}DestinationIsIpv6:%{SPACE}%{DATA:dest_is_ipv6}%{SPACE}DestinationIp:%{SPACE}%{IP:destination_ip}%{SPACE}DestinationHostname:%{SPACE}%{DATA:destination_hostname}%{SPACE}DestinationPort:%{SPACE}%{NONNEGINT:destination_port}%{SPACE}DestinationPortName:%{SPACE}%{GREEDYDATA:destination_port_name}"]
+        }
+        mutate {
+          convert => ["process_guid", "integer"]
+          convert => ["process_id", "integer"]
+          convert => ["source_port", "integer"]
+          convert => ["destination_port", "integer"]
+          add_tag => ["network_connection"]
+        }
+      }
+      if [event_id] == 5 {
+        grok {
+          match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{GREEDYDATA:image_path}"]
+        }
+        mutate {
+          convert => ["process_guid", "integer"]
+          convert => ["process_id", "integer"]
+          add_tag => ["process_termination"]
+        }
+      }
+      if [event_id] == 11 {
+        grok {
+          match => ["rest_of_msg","Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}TargetFilename:%{SPACE}%{DATA:target_filename}%{SPACE}CreationUtcTime:%{SPACE}%{DATA:creation_time}%{SPACE}"]
+        }
+        mutate {
+          convert => ["process_guid", "integer"]
+          convert => ["process_id", "integer"]
+          add_tag => ["file_created"]
+        }
+      }
+      mutate {
+        remove_field => ["rest_of_msg"]
+      }
+    } else {
+      mutate {
+	rename => { "[data][srcuser]" => "username" }
+        rename => { "[data][id]" => "event_id" }
+        rename => { "[data][dstport]" => "destination_port" }
+        rename => { "[data][dstip]" => "destination_ip" }
+        rename => { "[data][srcip]" => "source_ip" }
+        rename => { "[data][sysmon][image]" => "image_path" }
+        rename => { "[data][sysmon][parentImage]" => "parent_image_path" }
+        rename => { "[data][sysmon][targetfilename]" => "target_filename" }
+        rename => { "[data][sysmon][sourceHostname]" => "source_hostname" }
+        rename => { "[data][sysmon][destinationHostname]" => "destination_hostname" }
+      }
+      # Wazuh 3.8.2  
+      if [data][EventChannel] {
+        mutate {
+           rename => { "[data][EventChannel][EventData][User]" => "username" }
+           rename => { "[data][EventChannel][System][EventID]" => "event_id" }
+           rename => { "[data][EventChannel][EventData][DestinationPort]" => "destination_port" }
+           rename => { "[data][EventChannel][EventData][DestinationIp]" => "destination_ip" }
+           rename => { "[data][EventChannel][EventData][SourcePort]" => "source_port" }
+           rename => { "[data][EventChannel][EventData][SourceIp]" => "source_ip" }
+           rename => { "[data][EventChannel][EventData][Image]" => "image_path" }
+           rename => { "[data][EventChannel][EventData][ParentImage]" => "parent_image_path" }
+           rename => { "[data][EventChannel][EventData][TargetFilename]" => "target_filename" }
+           rename => { "[data][EventChannel][EventData][SourceHostname]" => "source_hostname" }
+           rename => { "[data][EventChannel][EventData][DestinationHostname]" => "destination_hostname" }
+	}
+      }
+      # Wazuh 3.9.2
+      if [data][win] {
+        mutate {
+          rename => { "[data][win][eventdata][user]" => "username" }
+          rename => { "[data][win][system][eventID]" => "event_id" }
+          rename => { "[data][win][eventdata][destinationPort]" => "destination_port" }
+          rename => { "[data][win][eventdata][destinationIp]" => "destination_ip" }
+          rename => { "[data][win][eventdata][sourcePort]" => "source_port" }
+          rename => { "[data][win][eventdata][sourceIp]" => "source_ip" }
+          rename => { "[data][win][eventdata][image]" => "image_path" }
+          rename => { "[data][win][eventdata][parentImage]" => "parent_image_path" }
+          rename => { "[data][win][eventdata][targetFilename]" => "target_filename" }
+          rename => { "[data][win][eventdata][sourceHostname]" => "source_hostname" }
+          rename => { "[data][win][eventdata][destinationHostname]" => "destination_hostname" }
+        }
+      }    
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/6502_ossec_autoruns.conf b/salt/logstash/conf/pipelines/eval/6502_ossec_autoruns.conf
new file mode 100644
index 000000000..5d7207891
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6502_ossec_autoruns.conf
@@ -0,0 +1,43 @@
+# Author: Wes Lambert
+# wlambertts@gmail.com
+#
+# Updated by: Dustin Lee
+# Last Update: 06/13/2019
+#
+# This conf file is based on accepting Autoruns logs from OSSEC
+#
+# Parse using grok
+filter {
+  if [type] == "autoruns" or "autoruns" in [tags] {
+    if [message] !~ /^{.*}$/ {
+      grok {
+        match => [
+            "message", "%{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} \(%{DATA:ossec_agent_name}\) %{IP:source_ip}->%{DATA:location} %{DATA:log_name}\|%{DATA:hostname}\|%{DATESTAMP:log_timestamp}\|%{DATA:event_timestamp}\|%{DATA:image_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}",
+            "message", "%{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} \(%{DATA:ossec_agent_name}\) %{IP:source_ip}->%{DATA:location} %{DATA:log_name}\|%{DATA:hostname}\|%{DATESTAMP:log_timestamp}\|%{DATA:event_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}"
+        ]
+      }
+    #csv {
+#      columns => ["log_name","entry_location","entry","enabled","category","autoruns_description","signer","company","image_path","version","launch_string","md5","sha1","pesha1","pesha256","sha256","imphash"]
+#      separator => "|"
+#      }
+      mutate {
+        remove_field => [ "year" ]
+        remove_field => [ "timestamp" ]
+      }
+    } else {
+        grok {
+        match => [
+            "full_log", "AR-LOG\|%{DATA:hostname}\|%{DATA:event_timestamp}\|%{DATA:image_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}",
+            "full_log", "AR-LOG\|%{DATA:hostname}\|%{DATA:event_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}"
+        ]
+      }
+      mutate {
+        # Rename fields
+      }
+    }
+    date {
+      match => [ "image_timestamp", "yyyyMMdd-HHmmss" ]
+      target => "image_timestamp"
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/6600_winlogbeat_sysmon.conf b/salt/logstash/conf/pipelines/eval/6600_winlogbeat_sysmon.conf
new file mode 100644
index 000000000..200b58497
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6600_winlogbeat_sysmon.conf
@@ -0,0 +1,23 @@
+# Author: Wes Lambert
+#
+# Last Update: 09/24/2018
+#
+# This conf file is based on accepting Sysmon logs from winlogbeat
+
+filter {
+  if "beat" in [tags] and [source_name] =~ "Microsoft-Windows-Sysmon" {
+      mutate {
+        replace => { "type" => "sysmon" }
+        rename => { "[event_data][User]" => "username" }
+        rename => { "[event_data][DestinationPort]" => "destination_port" }
+        rename => { "[event_data][DestinationIp]" => "destination_ip" }
+        rename => { "[event_data][SourceIp]" => "source_ip" }
+        rename => { "[event_data][Image]" => "image_path" }
+        rename => { "[event_data][ParentImage]" => "parent_image_path" }
+        rename => { "[data][sysmon][targetfilename]" => "target_filename" }
+        rename => { "[event_data][SourceHostname]" => "source_hostname" }
+        rename => { "[event_data][DestinationHostname]" => "destination_hostname" }
+	rename => { "[event_data][TargetFilename]" => "target_filename" }
+      }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/6700_winlogbeat.conf b/salt/logstash/conf/pipelines/eval/6700_winlogbeat.conf
new file mode 100644
index 000000000..222757956
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6700_winlogbeat.conf
@@ -0,0 +1,17 @@
+# Author: Doug Burks
+#
+# Last Update: 09/24/2018
+#
+# This conf file is for beat data
+
+filter {
+  if "beat" in [tags] {
+      mutate {
+	# As of beats 6.3.0, host is now an object:
+	# https://www.elastic.co/guide/en/beats/libbeat/current/release-notes-6.3.0.html
+	# This creates a conflict with our existing host string.
+	# So let's rename the host object to beat_host.
+        rename => { "host" => "beat_host" }
+      }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/7100_osquery_wel.conf b/salt/logstash/conf/pipelines/eval/7100_osquery_wel.conf
new file mode 100644
index 000000000..b4d77d83f
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/7100_osquery_wel.conf
@@ -0,0 +1,23 @@
+# Author: Josh Brower
+# Last Update: 12/28/2018
+# If log is tagged osquery and there is an eventid column - then cleanup and parse out the EventData column
+
+filter {
+  if "osquery" in [tags] and [osquery][columns][eventid] {
+
+        mutate {
+     gsub => ["[osquery][columns][data]", "\\x0A", ""]
+    }
+
+        json {
+      source => "[osquery][columns][data]"
+      target => "[osquery][columns][data]"
+     }
+
+        mutate {
+     merge => { "[osquery][columns]" => "[osquery][columns][data]" }
+     remove_field => ["[osquery][columns][data]"]
+        }
+
+  }
+}
\ No newline at end of file
diff --git a/salt/logstash/conf/pipelines/eval/8001_postprocess_common_ip_augmentation.conf b/salt/logstash/conf/pipelines/eval/8001_postprocess_common_ip_augmentation.conf
new file mode 100644
index 000000000..d28449da6
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/8001_postprocess_common_ip_augmentation.conf
@@ -0,0 +1,58 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/20/2017
+
+filter {
+  if [source_ip] {
+    if [source_ip] == "-" {
+      mutate {
+        replace => { "source_ip" => "0.0.0.0" }
+      }
+    }
+    if [source_ip] =~ "10\." or [source_ip] =~ "192\.168\." or [source_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." or [source_ip] =~ "fe80::20c:29ff:fe19:f7d" or [source_ip] =~ "::1" {
+	mutate {
+	}
+      } else {
+        geoip {
+          source => "[source_ip]"
+          target => "source_geo"
+        }
+      }
+    if [source_ip] {
+      mutate {
+        add_field => { "ips" => "%{source_ip}" }
+        add_field => { "source_ips" => [ "%{source_ip}" ] }
+      }
+    }
+  }
+  if [destination_ip] {
+    if [destination_ip] == "-" {
+      mutate {
+        replace => { "destination_ip" => "0.0.0.0" }
+      }
+    }
+    if [destination_ip] =~ "10\." or [destination_ip] =~ "192\.168\." or [destination_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." or [destination_ip] =~ "239.255.255.250" or [destination_ip] =~ "224\.0\.0\." or [destination_ip] =~ "255.255.255.255" or [destination_ip] =~ "ff02::fb" or [destination_ip] =~ "fe80::20c:29ff:fe19:f7d" or [destination_ip] =~ "224\.0\.1\." {
+      mutate {
+      }
+    }
+    else {
+      geoip {
+      source => "[destination_ip]"
+      target => "destination_geo"
+      }
+    }
+  }
+  if [destination_ip] {
+    mutate {
+      add_field => { "ips" => "%{destination_ip}" }
+      add_field => { "destination_ips" => [ "%{destination_ip}" ] }
+    }
+  }
+}
+  #if [source_ip] or [destination_ip] {
+  #  mutate {
+	  #add_tag => [ "conf_file_8001"]
+  #	}
+  #}
+
diff --git a/salt/logstash/conf/pipelines/eval/8007_postprocess_http.conf b/salt/logstash/conf/pipelines/eval/8007_postprocess_http.conf
new file mode 100644
index 000000000..b9c9d224b
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/8007_postprocess_http.conf
@@ -0,0 +1,27 @@
+# Original Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/13/2017
+
+filter {
+  if [type] == "bro_http" {
+    if [uri] {
+      ruby {
+        code => "event.set('uri_length', event.get('uri').length)"
+      }
+    }
+    if [virtual_host] {
+      ruby {
+        code => "event.set('virtual_host_length', event.get('virtual_host').length)"
+      }
+    }
+    if [useragent] {
+      ruby {
+        code => "event.set('useragent_length', event.get('useragent').length)"
+      }
+    }
+	mutate {
+	  ##add_tag => [ "conf_file_8007"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/8200_postprocess_tagging.conf b/salt/logstash/conf/pipelines/eval/8200_postprocess_tagging.conf
new file mode 100644
index 000000000..e698b3ce3
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/8200_postprocess_tagging.conf
@@ -0,0 +1,63 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [destination_ip] {
+    if [destination_ip] =~ "10\." or [destination_ip] =~ "192\.168\." or [destination_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." {
+      mutate {
+        add_tag => [ "internal_destination" ]
+      }
+    } else {
+      mutate {
+        add_tag => [ "external_destination" ]
+      }
+    }
+    if "internal_destination" not in [tags] {
+      if [destination_ip] == "198.41.0.4" or [destination_ip] == "192.228.79.201" or [destination_ip] == "192.33.4.12" or [destination_ip] == "199.7.91.13" or [destination_ip] == "192.203.230.10" or [destination_ip] == "192.5.5.241" or [destination_ip] == "192.112.36.4" or [destination_ip] == "198.97.190.53" or [destination_ip] == "192.36.148.17" or [destination_ip] == "192.58.128.30" or [destination_ip] == "193.0.14.129" or [destination_ip] == "199.7.83.42" or [destination_ip] == "202.12.27.33" {
+        mutate {
+          add_tag => [ "root_dns_server" ]
+        }
+      }
+    }
+    # Customize this section to your environment
+    if [destination_ip] == "74.40.74.40" or [destination_ip] == "74.40.74.41" {
+      mutate {
+        add_tag => [ "authorized_dns_server" ]
+      }
+    }
+  }
+  if [source_ip] {
+    if [source_ip] =~ "10\." or [source_ip] =~ "192\.168\." or [source_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." {
+      mutate {
+        add_tag => [ "internal_source" ]
+      }
+    } else {
+      mutate {
+        add_tag => [ "external_source" ]
+      }
+    }
+    if "internal_source" not in [tags] {
+      if [source_ip] == "198.41.0.4" or [source_ip] == "192.228.79.201" or [source_ip] == "192.33.4.12" or [source_ip] == "199.7.91.13" or [source_ip] == "192.203.230.10" or [source_ip] == "192.5.5.241" or [source_ip] == "192.112.36.4" or [source_ip] == "198.97.190.53" or [source_ip] == "192.36.148.17" or [source_ip] == "192.58.128.30" or [source_ip] == "193.0.14.129" or [source_ip] == "199.7.83.42" or [source_ip] == "202.12.27.33" {
+        mutate {
+          add_tag => [ "root_dns_server" ]
+        }
+      }
+    }
+    # Customize this section to your environment
+    if [destination_ip] == "74.40.74.40" and "authorized_dns_server" not in [tags] or [destination_ip] == "74.40.74.41" and "authorized_dns_server" not in [tags] {
+      mutate {
+        add_tag => [ "authorized_dns_server" ]
+      }
+    }
+	mutate {
+		##add_tag => [ "conf_file_8200"]
+	}
+  }
+  if [type] =~ /ossec|snort|firewall/ or "firewall" in [tags] {
+      mutate {
+          remove_tag => [ "syslog" ]
+      }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/8998_postprocess_log_elapsed.conf b/salt/logstash/conf/pipelines/eval/8998_postprocess_log_elapsed.conf
new file mode 100644
index 000000000..478c6b0e0
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/8998_postprocess_log_elapsed.conf
@@ -0,0 +1,19 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  ruby {
+    code => "event.set('task_end', Time.now.to_f)"
+  }
+  ruby {
+    code => "event.set('logstash_time', event.get('task_end') - event.get('task_start'))"
+  }
+  mutate {
+    remove_field => [ 'task_start', 'task_end' ]
+  }
+  mutate {
+	#add_tag => [ "conf_file_8998"]
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/8999_postprocess_rename_type.conf b/salt/logstash/conf/pipelines/eval/8999_postprocess_rename_type.conf
new file mode 100644
index 000000000..383fd9827
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/8999_postprocess_rename_type.conf
@@ -0,0 +1,8 @@
+# Author: Doug Burks
+# Last Update: 12/10/2017
+
+filter {
+    mutate {
+	  rename => [ "type", "event_type" ]
+	}
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9000_output_bro.conf b/salt/logstash/conf/pipelines/eval/templates/9000_output_bro.conf
new file mode 100644
index 000000000..553500281
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9000_output_bro.conf
@@ -0,0 +1,31 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+
+filter {
+  if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9000"]
+	}
+  }
+}
+output {
+  if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
+#    stdout { codec => rubydebug }
+    elasticsearch {
+      pipeline => "%{event_type}"
+      hosts => "{{ ES }}"
+      index => "logstash-bro-%{+YYYY.MM.dd}"
+      template_name => "logstash"
+      template => "/logstash-template.json"
+      template_overwrite => true
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9001_output_switch.conf b/salt/logstash/conf/pipelines/eval/templates/9001_output_switch.conf
new file mode 100644
index 000000000..949a738ab
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9001_output_switch.conf
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if "switch" in [tags] and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9001"]
+	}
+  }
+}
+output {
+  if "switch" in [tags] and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-switch-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9002_output_import.conf b/salt/logstash/conf/pipelines/eval/templates/9002_output_import.conf
new file mode 100644
index 000000000..88fbc7551
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9002_output_import.conf
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Updated by: Doug Burks
+# Last Update: 5/16/2017
+
+filter {
+  if "import" in [tags] and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9002"]
+	}
+  }
+}
+output {
+  if "import" in [tags] and "test_data" not in [tags] {
+#    stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-import-%{+YYYY.MM.dd}"
+      template_name => "logstash-*"
+      template => "/logstash-template.json"
+      template_overwrite => true
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9004_output_flow.conf b/salt/logstash/conf/pipelines/eval/templates/9004_output_flow.conf
new file mode 100644
index 000000000..3dbd34f16
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9004_output_flow.conf
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "sflow" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9004"]
+	}
+  }
+}
+output {
+  if [event_type] == "sflow" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-flow-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9026_output_dhcp.conf b/salt/logstash/conf/pipelines/eval/templates/9026_output_dhcp.conf
new file mode 100644
index 000000000..a63ac5f98
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9026_output_dhcp.conf
@@ -0,0 +1,26 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "dhcp" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9026"]
+	}
+  }
+}
+output {
+  if [event_type] == "dhcp" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9029_output_esxi.conf b/salt/logstash/conf/pipelines/eval/templates/9029_output_esxi.conf
new file mode 100644
index 000000000..229de6b9c
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9029_output_esxi.conf
@@ -0,0 +1,25 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "esxi" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9029"]
+	}
+  }
+}
+output {
+  if [event_type] == "esxi" and "test_data" not in [tags] {
+    elasticsearch {
+      hosts => "{{ ES }}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9030_output_greensql.conf b/salt/logstash/conf/pipelines/eval/templates/9030_output_greensql.conf
new file mode 100644
index 000000000..a6d16b95d
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9030_output_greensql.conf
@@ -0,0 +1,25 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "greensql" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9030"]
+	}
+  }
+}
+output {
+  if [event_type] == "greensql" and "test_data" not in [tags] {
+    elasticsearch {
+      hosts => "{{ ES }}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9031_output_iis.conf b/salt/logstash/conf/pipelines/eval/templates/9031_output_iis.conf
new file mode 100644
index 000000000..6650d8a7d
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9031_output_iis.conf
@@ -0,0 +1,26 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "iis" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9031"]
+	}
+  }
+}
+output {
+  if [event_type] == "iis" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9032_output_mcafee.conf b/salt/logstash/conf/pipelines/eval/templates/9032_output_mcafee.conf
new file mode 100644
index 000000000..ca982967d
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9032_output_mcafee.conf
@@ -0,0 +1,26 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "mcafee" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9032"]
+	}
+  }
+}
+output {
+  if [event_type] == "mcafee" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9033_output_snort.conf b/salt/logstash/conf/pipelines/eval/templates/9033_output_snort.conf
new file mode 100644
index 000000000..6c310b91e
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9033_output_snort.conf
@@ -0,0 +1,29 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "ids" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9033"]
+	}
+  }
+}
+output {
+    if [event_type] == "ids" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-ids-%{+YYYY.MM.dd}"
+      template_name => "logstash"
+      template => "/logstash-template.json"
+      template_overwrite => true
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9034_output_syslog.conf b/salt/logstash/conf/pipelines/eval/templates/9034_output_syslog.conf
new file mode 100644
index 000000000..56a6527b8
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9034_output_syslog.conf
@@ -0,0 +1,28 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/15/2017
+
+filter {
+  if "syslog" in [tags] and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9034"]
+	}
+  }
+}
+output {
+  if "syslog" in [tags] and "test_data" not in [tags] {
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-syslog-%{+YYYY.MM.dd}"
+      template_name => "logstash"
+      template => "/logstash-template.json"
+      template_overwrite => true
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9100_output_osquery.conf b/salt/logstash/conf/pipelines/eval/templates/9100_output_osquery.conf
new file mode 100644
index 000000000..132f0eb66
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9100_output_osquery.conf
@@ -0,0 +1,32 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Security Onion Solutions
+# Last Update: 2/3/2020
+# Output to ES for osquery tagged logs - EVAL install
+
+
+filter {
+    if "osquery" in [tags] {
+    mutate {
+      rename => { "host" => "beat_host" }
+      remove_tag => ["beat"]
+                }
+   json {
+    source => "message"
+    target => "osquery"
+        }
+  }
+}
+
+output {
+  if "osquery" in [tags] {
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-osquery-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9200_output_firewall.conf b/salt/logstash/conf/pipelines/eval/templates/9200_output_firewall.conf
new file mode 100644
index 000000000..b2ad43963
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9200_output_firewall.conf
@@ -0,0 +1,29 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if "firewall" in [tags] and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9200"]
+	}
+  }
+}
+output {
+  if "firewall" in [tags] and "test_data" not in [tags] {
+#    stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-firewall-%{+YYYY.MM.dd}"
+      template_name => "logstash"
+      template => "/logstash-template.json"
+      template_overwrite => true
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9300_output_windows.conf b/salt/logstash/conf/pipelines/eval/templates/9300_output_windows.conf
new file mode 100644
index 000000000..d3f9d1919
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9300_output_windows.conf
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "windows" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9300"]
+	}
+  }
+}
+output {
+  if [event_type] == "windows" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-windows-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9301_output_dns_windows.conf b/salt/logstash/conf/pipelines/eval/templates/9301_output_dns_windows.conf
new file mode 100644
index 000000000..8a56b7044
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9301_output_dns_windows.conf
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "dns" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9301"]
+	}
+  }
+}
+output {
+  if [event_type] == "dns" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9400_output_suricata.conf b/salt/logstash/conf/pipelines/eval/templates/9400_output_suricata.conf
new file mode 100644
index 000000000..4bffd7f0a
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9400_output_suricata.conf
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "suricata" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9400"]
+	}
+  }
+}
+output {
+  if [event_type] == "suricata" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-ids-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9500_output_beats.conf b/salt/logstash/conf/pipelines/eval/templates/9500_output_beats.conf
new file mode 100644
index 000000000..30900cb93
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9500_output_beats.conf
@@ -0,0 +1,25 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Wes Lambert
+# Last Update: 09/14/2018
+filter {
+  if "beat" in [tags] {
+    mutate {
+          ##add_tag => [ "conf_file_9500"]
+        }
+  }
+}
+output {
+  if "beat" in [tags] {
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-beats-%{+YYYY.MM.dd}"
+      template_name => "logstash-beats"
+      template => "/beats-template.json"
+      template_overwrite => true
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9600_output_ossec.conf b/salt/logstash/conf/pipelines/eval/templates/9600_output_ossec.conf
new file mode 100644
index 000000000..71d0c28aa
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9600_output_ossec.conf
@@ -0,0 +1,29 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 9/19/2018
+
+filter {
+  if [event_type] =~ "ossec" {
+    mutate {
+          ##add_tag => [ "conf_file_9600"]
+        }
+  }
+}
+
+output {
+  if [event_type] =~ "ossec" or "ossec" in [tags] {
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-ossec-%{+YYYY.MM.dd}"
+      template_name => "logstash-ossec"
+      template => "/logstash-ossec-template.json"
+      template_overwrite => true
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9999_output_redis.conf b/salt/logstash/conf/pipelines/eval/templates/9999_output_redis.conf
new file mode 100644
index 000000000..f176e0b94
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9999_output_redis.conf
@@ -0,0 +1,26 @@
+{%- if salt['grains.get']('role') == 'so-master' %}
+{% set master = salt['pillar.get']('static:masterip', '') %}
+{%- set nodetype = 'master' %}
+{% elif grains.role == 'so-heavynode' %}
+{% set master = salt['pillar.get']('node:mainip', '') %}
+{%- set nodetype = salt['pillar.get']('node:node_type', 'search') %}
+{%- else %}
+{%- set nodetype = salt['pillar.get']('node:node_type', 'storage') %}
+{% set master = salt['pillar.get']('static:masterip', '') %}
+{%- endif %}
+
+
+output {
+	redis {
+		host => '{{ master }}'
+		data_type => 'list'
+		{%- if nodetype == 'parser' %}
+		key => 'logstash:parsed'
+		{%- else %}
+		key => 'logstash:unparsed'
+		{%- endif %}
+		congestion_interval => 1
+		congestion_threshold => 50000000
+		# batch_events => 500
+	}
+}
diff --git a/salt/logstash/conf/pipelines/master/templates/9999_output_redis.conf b/salt/logstash/conf/pipelines/master/templates/9999_output_redis.conf
index fa650b538..f176e0b94 100644
--- a/salt/logstash/conf/pipelines/master/templates/9999_output_redis.conf
+++ b/salt/logstash/conf/pipelines/master/templates/9999_output_redis.conf
@@ -1,10 +1,15 @@
 {%- if salt['grains.get']('role') == 'so-master' %}
 {% set master = salt['pillar.get']('static:masterip', '') %}
 {%- set nodetype = 'master' %}
+{% elif grains.role == 'so-heavynode' %}
+{% set master = salt['pillar.get']('node:mainip', '') %}
+{%- set nodetype = salt['pillar.get']('node:node_type', 'search') %}
 {%- else %}
 {%- set nodetype = salt['pillar.get']('node:node_type', 'storage') %}
 {% set master = salt['pillar.get']('static:masterip', '') %}
 {%- endif %}
+
+
 output {
 	redis {
 		host => '{{ master }}'
diff --git a/salt/logstash/conf/pipelines/search/templates/0900_input_redis.conf b/salt/logstash/conf/pipelines/search/templates/0900_input_redis.conf
index 660d2e741..ede940367 100644
--- a/salt/logstash/conf/pipelines/search/templates/0900_input_redis.conf
+++ b/salt/logstash/conf/pipelines/search/templates/0900_input_redis.conf
@@ -1,4 +1,8 @@
-{% set master = salt['pillar.get']('static:masterip', '') %}
+{%- if grains.role == 'so-heavynode' %}
+{%- set master = salt['pillar.get']('node:mainip', '') %}
+{%- else %}
+{%- set master = salt['pillar.get']('static:masterip', '') %}
+{% endif -%}
 input {
 	redis {
 		host => '{{ master }}'
diff --git a/salt/logstash/etc/logstash.yml b/salt/logstash/etc/logstash.yml
index e5bb76b5b..47b487ebe 100644
--- a/salt/logstash/etc/logstash.yml
+++ b/salt/logstash/etc/logstash.yml
@@ -63,11 +63,11 @@
 #
 # path.config:
 # /etc/logstash/conf.d is mapped to /usr/share/logstash/pipeline in the Docker image
-{% if grains.role != 'so-mastersearch' %}
+{%- if grains.role != 'so-mastersearch' and grains.role != 'so-heavynode' and grains.role != 'so-master' and grains.role != 'so-eval' %}
 path.config: /usr/share/logstash/pipeline.enabled/*.conf
-{% else %} 
+{%- else %} 
 #path.config: /usr/share/logstash/pipeline.enabled/*.conf
-{% endif %}
+{%- endif %}
 
 # Special Docker path
 # path.config: /usr/share/logstash/pipeline
diff --git a/salt/logstash/files/dynamic/0008_input_eval.conf b/salt/logstash/files/dynamic/0008_input_eval.conf
new file mode 100644
index 000000000..b02f9d516
--- /dev/null
+++ b/salt/logstash/files/dynamic/0008_input_eval.conf
@@ -0,0 +1,203 @@
+# Updated by: Mike Reeves
+# Last Update: 11/1/2018
+
+input {
+  file {
+	  path => "/suricata/eve.json"
+		type => "ids"
+                add_field => { "engine" => "suricata" }
+	}
+	file {
+		path => "/nsm/bro/logs/current/conn*.log"
+		type => "bro_conn"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/dce_rpc*.log"
+		type => "bro_dce_rpc"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/dhcp*.log"
+		type => "bro_dhcp"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/dnp3*.log"
+		type => "bro_dnp3"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/dns*.log"
+		type => "bro_dns"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/dpd*.log"
+		type => "bro_dpd"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/files*.log"
+		type => "bro_files"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/ftp*.log"
+		type => "bro_ftp"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/http*.log"
+		type => "bro_http"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/intel*.log"
+		type => "bro_intel"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/irc*.log"
+		type => "bro_irc"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/kerberos*.log"
+		type => "bro_kerberos"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/modbus*.log"
+		type => "bro_modbus"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/mysql*.log"
+		type => "bro_mysql"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/notice*.log"
+		type => "bro_notice"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/ntlm*.log"
+		type => "bro_ntlm"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/pe*.log"
+		type => "bro_pe"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/radius*.log"
+		type => "bro_radius"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/rdp*.log"
+		type => "bro_rdp"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/rfb*.log"
+		type => "bro_rfb"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/signatures*.log"
+		type => "bro_signatures"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/sip*.log"
+		type => "bro_sip"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/smb_files*.log"
+		type => "bro_smb_files"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/smb_mapping*.log"
+		type => "bro_smb_mapping"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/smtp*.log"
+		type => "bro_smtp"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/snmp*.log"
+		type => "bro_snmp"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/socks*.log"
+		type => "bro_socks"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/software*.log"
+		type => "bro_software"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/ssh*.log"
+		type => "bro_ssh"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/ssl*.log"
+		type => "bro_ssl"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/syslog*.log"
+		type => "bro_syslog"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/tunnel*.log"
+		type => "bro_tunnels"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/weird*.log"
+		type => "bro_weird"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/bro/logs/current/x509*.log"
+		type => "bro_x509"
+	    	tags => ["bro"]
+	}
+  file {
+    path => "/wazuh/alerts/alerts.json"
+    type => "ossec"
+  }
+  file {
+    path => "/wazuh/archives/archive.json"
+    type => "ossec_archive"
+  }
+  file {
+    path => "/osquery/logs/result.log"
+    type => "osquery"
+  }
+  file {
+    path => "/strelka/strelka.log"
+    type => "strelka"
+  }
+}
+filter {
+  if "import" in [tags] {
+	mutate {
+	  #add_tag => [ "conf_file_0007"]
+	}
+  }
+}
diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls
index 2d94c5354..f52413006 100644
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
@@ -27,7 +27,7 @@
 {% set lsheap = salt['pillar.get']('sensor:lsheap', '') %}
 {% set lsaccessip = salt['pillar.get']('sensor:lsaccessip', '') %}
 
-{% elif grains['role'] == 'so-node' %}
+{% elif grains['role'] == 'so-node' or grains['role'] == 'so-heavynode' %}
 {% set lsheap = salt['pillar.get']('node:lsheap', '') %}
 {% set nodetype = salt['pillar.get']('node:node_type', 'storage') %}
 
@@ -130,7 +130,7 @@ lspipelinesyml:
     - name: /opt/so/conf/logstash/etc/pipelines.yml
     - source: salt://logstash/etc/pipelines.yml.jinja
     - template: jinja
-    - defaults: 
+    - defaults:
         pipelines: {{ pipelines }}
 
 # Copy down all the configs including custom - TODO add watch restart
@@ -162,11 +162,11 @@ lscustsync:
 lsconfsync:
   file.managed:
     - name: /opt/so/conf/logstash/conf.enabled.txt
-{% if grains.role == 'so-mastersearch' %}
+{% if grains.role == 'so-mastersearch' or grains.role == 'so-heavynode' %}
     - source: salt://logstash/conf/conf.enabled.txt.so-master
 {% else %}
     - source: salt://logstash/conf/conf.enabled.txt.{{ nodetype }}
-{% endif %} 
+{% endif %}
     - user: 931
     - group: 939
     - template: jinja
@@ -239,8 +239,12 @@ so-logstash:
       - /etc/pki/filebeat.p8:/usr/share/logstash/filebeat.key:ro
       - /etc/pki/ca.crt:/usr/share/filebeat/ca.crt:ro
       {%- if grains['role'] == 'so-eval' %}
-      - /nsm/bro:/nsm/bro:ro
+      - /nsm/zeek:/nsm/zeek:ro
       - /opt/so/log/suricata:/suricata:ro
+      - /opt/so/wazuh/logs/alerts/:/wazuh/alerts:ro
+      - /opt/so/wazuh/logs/archives/:/wazuh/archives:ro
+      - /opt/so/log/fleet/:/osquery/logs:ro
+      - /opt/so/log/strelka:/strelka:ro
       {%- endif %}
     - watch:
       - file: /opt/so/conf/logstash/etc
diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls
index f3e815174..83c7c92e4 100644
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -41,7 +41,7 @@ m2cryptopkgs:
         bits: 4096
         backup: True
 
-{% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' or grains['role'] == 'so-helix' or grains['role'] == 'so-mastersearch'  %}
+{% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' or grains['role'] == 'so-helix' or grains['role'] == 'so-mastersearch' %}
 
 # Request a cert and drop it where it needs to go to be distributed
 /etc/pki/filebeat.crt:
@@ -49,7 +49,11 @@ m2cryptopkgs:
     - ca_server: {{ ca_server }}
     - signing_policy: filebeat
     - public_key: /etc/pki/filebeat.key
-    - CN: {{ master }}
+{% if grains.role == 'so-heavynode' %}
+    - CN: {{grains.id}}
+{% else %}
+    - CN: {{master}}
+{% endif %}
     - days_remaining: 0
     - days_valid: 820
     - backup: True
@@ -129,7 +133,7 @@ fbcrtlink:
         backup: True
 
 {% endif %}
-{% if grains['role'] == 'so-sensor' or grains['role'] == 'so-node' or grains['role'] == 'so-eval' or grains['role'] == 'so-helix' or grains['role'] == 'so-mastersearch'  %}
+{% if grains['role'] == 'so-sensor' or grains['role'] == 'so-node' or grains['role'] == 'so-eval' or grains['role'] == 'so-helix' or grains['role'] == 'so-mastersearch' or grains['role'] == 'so-heavynode' %}
 
 fbcertdir:
   file.directory:
@@ -142,7 +146,11 @@ fbcertdir:
     - ca_server: {{ ca_server }}
     - signing_policy: filebeat
     - public_key: /opt/so/conf/filebeat/etc/pki/filebeat.key
-    - CN: {{ master }}
+{% if grains.role == 'so-heavynode' %}
+    - CN: {{grains.id}}
+{% else %}
+    - CN: {{master}}
+{% endif %}
     - days_remaining: 0
     - days_valid: 820
     - backup: True
diff --git a/salt/suricata/files/suricata.yaml b/salt/suricata/files/suricata.yaml
index 093612335..05412fa6c 100644
--- a/salt/suricata/files/suricata.yaml
+++ b/salt/suricata/files/suricata.yaml
@@ -489,7 +489,7 @@ logging:
   - file:
       enabled: yes
       level: info
-      filename: /usr/local/var/log/suricata/suricata.log
+      filename: /var/log/suricata/suricata.log
       # type: json
   - syslog:
       enabled: no
diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls
index 65b80c9ae..dcea927ae 100644
--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
@@ -18,7 +18,7 @@
 {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 {% set BPF_NIDS = salt['pillar.get']('nids:bpf') %}
-
+{% set BPF_STATUS = 0  %}
 
 # Suricata
 
@@ -85,7 +85,9 @@ surithresholding:
 # BPF compilation and configuration
 {% if BPF_NIDS %}
    {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', interface + ' ' + BPF_NIDS|join(" ")  ) %}
-   {% if BPF_CALC['stderr'] != "" %}
+   {% if BPF_CALC['stderr'] == "" %}
+      {% set BPF_STATUS = 1  %}
+   {% else  %}
 suribpfcompilationfailure:
   test.configurable_test_state:
    - changes: False
@@ -99,7 +101,7 @@ suribpf:
     - name: /opt/so/conf/suricata/bpf
     - user: 940
     - group: 940
-   {% if BPF_CALC['stderr'] == "" %}
+   {% if BPF_STATUS %}
     - contents_pillar: nids:bpf
    {% else %}
     - contents:
diff --git a/salt/top.sls b/salt/top.sls
index 14556b67e..b1ef40ae6 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -72,7 +72,6 @@ base:
     {%- if WAZUH != 0 %}
     - wazuh
     {%- endif %}
-    - filebeat
     - utility
     - schedule
     - soctopus
@@ -233,3 +232,31 @@ base:
     {%- if DOMAINSTATS != 0 %}
     - domainstats
     {%- endif %}
+
+  'G@role:so-heavynode':
+    - ca
+    - ssl
+    - common
+    - firewall
+    - redis
+    - logstash
+    - elasticsearch
+    - curator
+    {%- if WAZUH != 0 %}
+    - wazuh
+    {%- endif %}
+    - filebeat
+    {%- if OSQUERY != 0 %}
+    - launcher
+    {%- endif %}
+    - pcap
+    - suricata
+    {%- if BROVER != 'SURICATA' %}
+    - zeek
+    {%- endif %}
+    - wazuh
+    - filebeat
+    {%- if OSQUERY != 0 %}
+    - launcher
+    {%- endif %}
+    - schedule
diff --git a/salt/wazuh/files/agent/ossec.conf b/salt/wazuh/files/agent/ossec.conf
index 8f54e6a08..c5a61e8ad 100644
--- a/salt/wazuh/files/agent/ossec.conf
+++ b/salt/wazuh/files/agent/ossec.conf
@@ -1,6 +1,6 @@
 {%- if grains['role'] == 'so-master' or grains['role'] == 'so-eval' or grains['role'] == 'so-mastersearch' %}
 {%- set ip = salt['pillar.get']('static:masterip', '') %}
-{%- elif grains['role'] == 'so-node' %}
+{%- elif grains['role'] == 'so-node' or grains['role'] == 'so-heavynode' %}
 {%- set ip = salt['pillar.get']('node:mainip', '') %}
 {%- elif grains['role'] == 'so-sensor' %}
 {%- set ip = salt['pillar.get']('sensor:mainip', '') %}
diff --git a/salt/wazuh/files/agent/wazuh-register-agent b/salt/wazuh/files/agent/wazuh-register-agent
index dbf4a4968..8a8c2ab7f 100755
--- a/salt/wazuh/files/agent/wazuh-register-agent
+++ b/salt/wazuh/files/agent/wazuh-register-agent
@@ -1,6 +1,6 @@
 {%- if grains['role'] == 'so-master' or grains['role'] == 'so-eval' or grains['role'] == 'so-mastersearch' %}
 {%- set ip = salt['pillar.get']('static:masterip', '') %}
-{%- elif grains['role'] == 'so-node' %}
+{%- elif grains['role'] == 'so-node' or grains['role'] == 'so-heavynode' %}
 {%- set ip = salt['pillar.get']('node:mainip', '') %}
 {%- elif grains['role'] == 'so-sensor' %}
 {%- set ip = salt['pillar.get']('sensor:mainip', '') %}
diff --git a/salt/wazuh/files/wazuh-manager-whitelist b/salt/wazuh/files/wazuh-manager-whitelist
index b8612f820..300dcf140 100644
--- a/salt/wazuh/files/wazuh-manager-whitelist
+++ b/salt/wazuh/files/wazuh-manager-whitelist
@@ -27,7 +27,7 @@ if grep -q -R "wazuh: 1" /opt/so/saltstack/pillar/*; then
               echo "Added whitelist entry for {{ MASTERIP }} in $WAZUH_MGR_CFG."
               echo
               echo "Restarting OSSEC Server..."
-            #   /usr/sbin/so-wazuh-restart
+              #/usr/sbin/so-wazuh-restart
       fi
 fi
 
diff --git a/salt/zeek/files/local.zeek b/salt/zeek/files/local.zeek
index 92104dbf0..b902eee32 100644
--- a/salt/zeek/files/local.zeek
+++ b/salt/zeek/files/local.zeek
@@ -102,10 +102,10 @@
 # @load policy/protocols/conn/mac-logging
 
 # JA3 - SSL Detection Goodness
-@load policy/ja3
+@load ja3
 
 # HASSH
-@load policy/hassh
+@load hassh
 
 # You can load your own intel into:
 # /opt/so/saltstack/bro/policy/intel/ on the master
@@ -121,3 +121,6 @@ redef LogAscii::json_timestamps = JSON::TS_ISO8601;
 
 # CVE-2020-0601
 @load cve-2020-0601
+
+# BPF Configuration
+@load securityonion/bpfconf
diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls
index e0f1f8c9b..e7124727e 100644
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
@@ -1,5 +1,8 @@
 {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
+{% set BPF_ZEEK = salt['pillar.get']('zeek:bpf', {}) %}
+{% set BPF_STATUS = 0  %}
+{% set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %}
 # Zeek Salt State
 # Add Zeek group
 zeekgroup:
@@ -90,6 +93,32 @@ plcronscript:
     - month: '*'
     - dayweek: '*'
 
+# BPF compilation and configuration
+{% if BPF_ZEEK %}
+   {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', INTERFACE + ' ' + BPF_ZEEK|join(" ")  ) %}
+   {% if BPF_CALC['stderr'] == "" %}
+       {% set BPF_STATUS = 1  %}
+  {% else  %}
+zeekbpfcompilationfailure:
+  test.configurable_test_state:
+    - changes: False
+    - result: False
+    - comment: "BPF Syntax Error - Discarding Specified BPF"
+   {% endif %}
+{% endif %}
+
+zeekbpf:
+  file.managed:
+    - name: /opt/so/conf/zeek/bpf
+    - user: 940
+    - group: 940
+{% if BPF_STATUS %}
+    - contents_pillar: zeek:bpf
+{% else %}
+    - contents:
+      - "ip or not ip"
+{% endif %}
+
 localzeeksync:
   file.managed:
     - name: /opt/so/conf/zeek/local.zeek
@@ -110,9 +139,12 @@ so-zeek:
       - /opt/so/conf/zeek/node.cfg:/opt/zeek/etc/node.cfg:ro
       - /opt/so/conf/zeek/policy/securityonion:/opt/zeek/share/zeek/policy/securityonion:ro
       - /opt/so/conf/zeek/policy/custom:/opt/zeek/share/zeek/policy/custom:ro
+      - /opt/so/conf/zeek/policy/cve-2020-0601:/opt/zeek/share/zeek/policy/cve-2020-0601:ro
       - /opt/so/conf/zeek/policy/intel:/opt/zeek/share/zeek/policy/intel:rw
+      - /opt/so/conf/zeek/bpf:/opt/zeek/etc/bpf:ro 
     - network_mode: host
     - watch:
       - file: /opt/so/conf/zeek/local.zeek
       - file: /opt/so/conf/zeek/node.cfg
       - file: /opt/so/conf/zeek/policy
+      - file: /opt/so/conf/zeek/bpf
diff --git a/salt/zeek/policy/securityonion/bpfconf.zeek b/salt/zeek/policy/securityonion/bpfconf.zeek
new file mode 100644
index 000000000..cf7b17113
--- /dev/null
+++ b/salt/zeek/policy/securityonion/bpfconf.zeek
@@ -0,0 +1,106 @@
+##! This script is to support the bpf.conf file like other network monitoring tools use.
+##! Please don't try to learn from this script right now, there are a large number of
+##! hacks in it to work around bugs discovered in Bro.
+
+@load base/frameworks/notice
+
+module BPFConf;
+
+export {
+	## The file that is watched on disk for BPF filter changes.
+	## Two templated variables are available; "sensorname" and "interface".
+	## They can be used by surrounding the term by doubled curly braces.
+	const filename = "/opt/zeek/etc/bpf" &redef;
+
+	redef enum Notice::Type += { 
+		## Invalid filter notice.
+		InvalidFilter
+	};
+}
+
+global filter_parts: vector of string = vector();
+global current_filter_filename = "";
+
+type FilterLine: record {
+	s: string;
+};
+
+redef enum PcapFilterID += {
+	BPFConfPcapFilter,
+};
+
+event BPFConf::line(description: Input::EventDescription, tpe: Input::Event, s: string)
+	{
+	local part = sub(s, /[[:blank:]]*#.*$/, "");
+
+	# We don't want any blank parts.
+	if ( part != "" )
+		filter_parts[|filter_parts|] = part;
+	}
+
+event Input::end_of_data(name: string, source:string)
+	{
+	if ( name == "bpfconf" )
+		{
+		local filter = join_string_vec(filter_parts, " ");
+		capture_filters["bpf.conf"] = filter;
+		if ( Pcap::precompile_pcap_filter(BPFConfPcapFilter, filter) )
+			{
+			PacketFilter::install();
+			}
+		else
+			{
+			NOTICE([$note=InvalidFilter,
+			        $msg=fmt("Compiling packet filter from %s failed", filename),
+			        $sub=filter]);
+			}
+
+		filter_parts=vector();
+		}
+	}
+
+
+function add_filter_file()
+	{
+	local real_filter_filename = BPFConf::filename;
+
+	# Support the interface template value.
+	#if ( SecurityOnion::sensorname != "" )
+	#	real_filter_filename = gsub(real_filter_filename, /\{\{sensorname\}\}/, SecurityOnion::sensorname);
+
+	# Support the interface template value.
+	#if ( SecurityOnion::interface != "" )
+	#	real_filter_filename = gsub(real_filter_filename, /\{\{interface\}\}/, SecurityOnion::interface);
+
+	#if ( /\{\{/ in real_filter_filename )
+	#	{
+	#	return;
+	#	}
+	#else
+	#	Reporter::info(fmt("BPFConf filename set: %s (%s)", real_filter_filename, Cluster::node));
+
+	if ( real_filter_filename != current_filter_filename )
+		{
+		current_filter_filename = real_filter_filename;
+		Input::add_event([$source=real_filter_filename,
+		                  $name="bpfconf",
+		                  $reader=Input::READER_RAW,
+		                  $mode=Input::REREAD,
+		                  $want_record=F,
+		                  $fields=FilterLine,
+		                  $ev=BPFConf::line]);
+		}
+	}
+
+#event SecurityOnion::found_sensorname(name: string)
+#	{
+#	add_filter_file();
+#	}
+
+event zeek_init() &priority=5
+	{
+	if ( BPFConf::filename != "" )
+		add_filter_file();
+	}
+
+
diff --git a/setup/so-functions b/setup/so-functions
index 893d552ee..3693ee1e7 100644
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -651,7 +651,7 @@ install_master() {
 ls_heapsize() {
 
   # Determine LS Heap Size
-  if [ $TOTAL_MEM -ge 32000 ] ; then
+  if [ $TOTAL_MEM -ge 32000 ] || [ $INSTALLTYPE == 'EVALMODE' ]; then
       LS_HEAP_SIZE="1000m"
   else
       # If minimal RAM, then set minimal heap
@@ -732,13 +732,13 @@ master_static() {
   echo "  cortexorguserkey: $CORTEXORGUSERKEY" >> /opt/so/saltstack/pillar/static.sls
   echo "  fleetsetup: 0" >> /opt/so/saltstack/pillar/static.sls
   echo "  sensoronikey: $SENSORONIKEY" >> /opt/so/saltstack/pillar/static.sls
-  echo "elastic:" >> /opt/so/saltstack/pillar/static.sls
-  echo "  features: False" >> /opt/so/saltstack/pillar/static.sls
   if [[ $MASTERUPDATES == 'MASTER' ]]; then
     echo "  masterupdate: 1" >> /opt/so/saltstack/pillar/static.sls
   else
     echo "  masterupdate: 0" >> /opt/so/saltstack/pillar/static.sls
   fi
+  echo "elastic:" >> /opt/so/saltstack/pillar/static.sls
+  echo "  features: False" >> /opt/so/saltstack/pillar/static.sls
 }
 
 minio_generate_keys() {
@@ -851,7 +851,7 @@ reserve_group_ids() {
   groupadd -g 932 kibana
   groupadd -g 933 elastalert
   groupadd -g 934 curator
-  groupadd -g 937 bro
+  groupadd -g 937 zeek
   groupadd -g 939 socore
   groupadd -g 940 suricata
   groupadd -g 941 stenographer
@@ -1283,6 +1283,14 @@ set_initial_firewall_policy() {
     ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/data/addtotab.sh nodestab $MINION_ID $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM
   fi
 
+  if [ $INSTALLTYPE == 'HEAVYNODE' ]; then
+    ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh minions $MAINIP
+    ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh forward_nodes $MAINIP
+    ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh search_nodes $MAINIP
+    ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/data/addtotab.sh sensorstab $MINION_ID $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM bond0
+    ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/data/addtotab.sh nodestab $MINION_ID $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM
+  fi
+
   if [ $INSTALLTYPE == 'PARSINGNODE' ]; then
     echo "blah"
   fi
@@ -1316,7 +1324,7 @@ set_management_interface() {
 set_node_type() {
 
   # Determine the node type based on whiplash choice
-  if [ $INSTALLTYPE == 'SEARCHNODE' ] || [ $INSTALLTYPE == 'EVALMODE' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ]; then
+  if [ $INSTALLTYPE == 'SEARCHNODE' ] || [ $INSTALLTYPE == 'EVALMODE' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ] || [ $INSTALLTYPE == 'HEAVYNODE' ] ; then
     NODETYPE='search'
   fi
   if [ $INSTALLTYPE == 'PARSINGNODE' ]; then
diff --git a/setup/so-setup b/setup/so-setup
index 709b301a9..5e841dd5b 100644
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -541,7 +541,7 @@ if (whiptail_you_sure) ; then
     es_heapsize
     ls_heapsize
     NODE_ES_HEAP_SIZE="600m"
-    NODE_LS_HEAP_SIZE="500m"
+    NODE_LS_HEAP_SIZE="1000m"
     LSPIPELINEWORKERS=1
     LSPIPELINEBATCH=125
     LSINPUTTHREADS=1
@@ -803,6 +803,132 @@ if (whiptail_you_sure) ; then
 
   fi
 
+  ########################
+  ##     Heavy Node     ##
+  ########################
+
+  if [ $INSTALLTYPE == 'HEAVYNODE' ]; then
+
+    filter_unused_nics
+    whiptail_bond_nics
+    whiptail_management_server
+    whiptail_master_updates
+    set_updates
+    whiptail_homenet_sensor
+    whiptail_sensor_config
+    # Calculate lbprocs so we can call it in the prompts
+    calculate_useable_cores
+    if [ $NSMSETUP == 'ADVANCED' ]; then
+      whiptail_bro_pins
+      whiptail_suricata_pins
+      whiptail_bond_nics_mtu
+    else
+      whiptail_basic_bro
+      whiptail_basic_suri
+    fi
+
+    get_log_size_limit
+    CURCLOSEDAYS=30
+    es_heapsize
+    ls_heapsize
+    whiptail_node_advanced
+    if [ $NODESETUP == 'NODEADVANCED' ]; then
+      whiptail_node_es_heap
+      whiptail_node_ls_heap
+      whiptail_node_ls_pipeline_worker
+      whiptail_node_ls_pipline_batchsize
+      whiptail_node_ls_input_threads
+      whiptail_node_ls_input_batch_count
+      whiptail_cur_close_days
+      whiptail_log_size_limit
+    else
+      NODE_ES_HEAP_SIZE=$ES_HEAP_SIZE
+      NODE_LS_HEAP_SIZE=$LS_HEAP_SIZE
+      LSPIPELINEWORKERS=$CPUCORES
+      LSPIPELINEBATCH=125
+      LSINPUTTHREADS=1
+      LSINPUTBATCHCOUNT=125
+    fi
+    whiptail_make_changes
+    set_hostname
+    clear_master
+    mkdir -p /nsm
+    get_filesystem_root
+    get_filesystem_nsm
+    if [ $INSTALLMETHOD == iso ]; then
+      add_admin_user
+      disable_onion_user
+    fi
+    copy_ssh_key >> $SETUPLOG 2>&1
+    {
+      sleep 0.5
+      echo -e "XXX\n0\nSetting Initial Firewall Policy... \nXXX"
+      set_initial_firewall_policy >> $SETUPLOG 2>&1
+
+      echo -e "XXX\n3\nCreating Bond Interface... \nXXX"
+      create_sensor_bond >> $SETUPLOG 2>&1
+      echo -e "XXX\n4\nGenerating Sensor Pillar... \nXXX"
+      sensor_pillar >> $SETUPLOG 2>&1
+      echo "** Generating the patch pillar **" >> $SETUPLOG
+      patch_pillar >> $SETUPLOG 2>&1
+
+
+
+      echo -e "XXX\n5\nInstalling Salt Packages... \nXXX"
+      saltify >> $SETUPLOG 2>&1
+      echo -e "XXX\n20\nInstalling Docker... \nXXX"
+      docker_install >> $SETUPLOG 2>&1
+      echo -e "XXX\n30\nInitializing Minion... \nXXX"
+      configure_minion heavynode >> $SETUPLOG 2>&1
+      set_node_type >> $SETUPLOG 2>&1
+      node_pillar >> $SETUPLOG 2>&1
+      echo -e "XXX\n24\nCopying Minion Pillars to Master... \nXXX"
+      copy_minion_tmp_files >> $SETUPLOG 2>&1
+      echo -e "XXX\n35\nSending and Accepting Salt Key... \nXXX"
+      salt_firstcheckin >> $SETUPLOG 2>&1
+      # Accept the Salt Key
+      accept_salt_key_remote >> $SETUPLOG 2>&1
+      echo -e "XXX\n40\nApplying SSL Certificates... \nXXX"
+      salt-call state.apply ca >> $SETUPLOG 2>&1
+      salt-call state.apply ssl >> $SETUPLOG 2>&1
+      echo -e "XXX\n50\nConfiguring Firewall... \nXXX"
+      salt-call state.apply common >> $SETUPLOG 2>&1
+      salt-call state.apply firewall >> $SETUPLOG 2>&1
+      echo -e "XXX\n70\nInstalling Elastic Components... \nXXX"
+      salt-call state.apply logstash >> $SETUPLOG 2>&1
+      salt-call state.apply elasticsearch >> $SETUPLOG 2>&1
+      salt-call state.apply curator >> $SETUPLOG 2>&1
+      salt-call state.apply filebeat >> $SETUPLOG 2>&1
+      echo -e "XXX\n50\nInstalling PCAP... \nXXX"
+      salt-call state.apply pcap >> $SETUPLOG 2>&1
+      echo -e "XXX\n60\nInstalling IDS components... \nXXX"
+      salt-call state.apply suricata >> $SETUPLOG 2>&1
+
+      checkin_at_boot >> $SETUPLOG 2>&1
+      echo -e "XX\n97\nFinishing touches... \nXXX"
+      filter_unused_nics >> $SETUPLOG 2>&1
+      network_setup >> $SETUPLOG 2>&1
+      echo -e "XXX\n98\nVerifying Setup... \nXXX"
+    } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0
+    GOODSETUP=$(tail -10 $SETUPLOG | grep Failed | awk '{ print $2}')
+    if [[ $GOODSETUP == '0' ]]; then
+      whiptail_setup_complete
+      shutdown -r now
+    else
+      whiptail_setup_failed
+      shutdown -r now
+    fi
+
+  fi
+
+
+
+
+
+
+
+
+
 else
     echo "User not sure. Cancelling setup.">> $SETUPLOG 2>&1
     whiptail_cancel
diff --git a/setup/so-whiptail b/setup/so-whiptail
index 171f180d2..3316d6e2c 100644
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -254,6 +254,7 @@ whiptail_install_type() {
   "MASTERONLY" "Start a new grid" OFF \
   "EVALMODE" "Evaluate all the things" OFF \
   "MASTERSEARCH" "Master + Search Node" OFF \
+  "HEAVYNODE" "Sensor + Search Node" OFF \
   "HELIXSENSOR" "Connect this sensor to FireEye Helix" OFF \
   "PARSINGNODE" "TODO Add a dedicated Parsing Node" OFF \
   "HOTNODE" "TODO Add Hot Node (Search Node without Parsing)" OFF \