diff --git a/salt/logstash/conf/pipelines/helix/templates/9997_output_helix.conf b/salt/logstash/conf/pipelines/helix/templates/9997_output_helix.conf
index 35b737593..aa586d3b6 100644
--- a/salt/logstash/conf/pipelines/helix/templates/9997_output_helix.conf
+++ b/salt/logstash/conf/pipelines/helix/templates/9997_output_helix.conf
@@ -3,7 +3,7 @@
 {% set CBNAME = grains.host %}
 filter {
- if [type] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl|bro_dhcp|bro_x509$/ {
+ if [type] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl|bro_dhcp|bro_x509|suricata$/ {
 grok {
 match => [
 "source_ip", "^%{IPV4:srcipv4}$",
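Review bot: The alternation in the new `[type]` condition is not grouped, so `^` binds only to `bro_conn` and `$` only to `suricata`; every other name (`bro_dns`, `bro_http`, …) matches as a substring anywhere in the value, and a type such as `bro_dns_extra` would enter this filter branch and, through the later `copy => { "type" => "class" }`, reach the Helix output as well. Group the alternation: `if [type] =~ /^(bro_conn|bro_dns|bro_http|bro_files|bro_ssl|bro_dhcp|bro_x509|suricata)$/ {`. The output condition in the last hunk (`[class] =~ /^…|suricata$/`) has the same ungrouped shape and needs the same fix. The filter block this condition opens continues well past the end of this hunk.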
@@ -17,28 +17,27 @@ filter {
 ]
 }
- geoip {
- source => "[source_ip]"
- target => "source_geo"
- }
- geoip {
- source => "[destination_ip]"
- target => "destination_geo"
- }
+ #geoip {
+ # source => "[source_ip]"
+ # target => "source_geo"
+ #}
+ #geoip {
+ # source => "[destination_ip]"
+ # target => "destination_geo"
+ #}
 mutate {
- #rename => { "%{[source_geo][country_code]}" => "srccountrycode" }
- #rename => { "%{[destination_geo][country_code]}" => "dstcountrycode" }
 rename => { "[beat_host][name]" => "sensor" }
 copy => { "sensor" => "rawmsghostname" }
 rename => { "message" => "rawmsg" }
- #rename => { "event_type" => "program" }
 copy => { "type" => "class" }
 copy => { "class" => "program"}
 rename => { "source_port" => "srcport" }
 rename => { "destination_port" => "dstport" }
- add_field => { "metacbid" => "{{ UNIQUEID }}"}
- add_field => { "metacbname" => "{{ CBNAME }}"}
- remove_field => ["source_ip", "destination_ip"]
+ rename => { "[log][file][path]" => "filepath" }
+ add_field => { "meta_cbid" => "{{ UNIQUEID }}" }
+ add_field => { "meta_cbname" => "{{ CBNAME }}" }
+ remove_field => ["source_ip", "destination_ip", "syslog-host_from"]
+ remove_field => ["beat_host", "timestamp", "type", "log", "@version", "@timestamp"]
 remove_field => ["sensorname", "sensor_name", "service", "source", "tags", "syslog-host"]
 remove_field => ["sensor_name", "source_ips", "ips", "destination_ips", "syslog-priority", "syslog-file_name", "syslog-facility"]
 }
@@ -56,6 +55,7 @@ filter {
 rename => { "local_respond" => "local_resp" }
 rename => { "local_orig" => "localorig" }
 rename => { "missed_bytes" => "missingbytes" }
+ rename => { "connection_state_description" => "description" }
 }
 }
 if "bro_dns" in [class] {
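Review bot: The same mutate now copies `type` into `class`/`program` and renames `[log][file][path]` while the new `remove_field` line drops `type` and `log`; this works only because Logstash applies `remove_field` after the mutate's own rename/copy operations, which a reader of this block cannot tell from the config order. Add a comment above the removal lines, e.g. `# remove_field runs after rename/copy, so type and log are read above before they are dropped`. Dropping `@timestamp` here also affects the `rename => { "@timestamp" => "eventtime" }` kept in the bro_http section further down this filter, which can no longer find the field. The geoip blocks are commented out rather than deleted, and with the `source_geo`/`destination_geo` country-code renames already commented out nothing references those targets, so the dead config could be removed outright.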
@@ -69,21 +69,31 @@ filter {
 rename => { "query_type_name" => "querytypename" }
 rename => { "ra" => "recursionavailable" }
 rename => { "rd" => "recursiondesired" }
+ rename => { "uid" => "connectionid" }
+ rename => { "ttls" => "ttl" }
+ rename => { "transaction_id" => "transactionid" }
 }
 }
 if "bro_dhcp" in [class] {
 mutate{
 #add_field = { "metaclass" => "dhcp"}
 rename => { "message_types" => "direction" }
- rename => { "lease_time" => "duration" }
+ rename => { "uid" => "connectionid" }
+ rename => { "lease_time" => "duration" }
 }
 }
 if "bro_files" in [class] {
 mutate{
 #add_field = { "metaclass" => "dns"}
 rename => { "missing_bytes" => "missingbytes" }
+ rename => { "seen_bytes" => "seenbytes" }
+ rename => { "overflow_bytes" => "overflowbytes" }
 rename => { "fuid" => "fileid" }
- rename => { "uid" => "connectionid" }
+ rename => { "conn_uids" => "connectionid" }
+ rename => { "is_orig" => "isorig" }
+ rename => { "timed_out" => "timedout" }
+ rename => { "local_orig" => "localorig" }
+ rename => { "file_ip" => "tx_host" }
 }
 }
 if "bro_http" in [class] {
@@ -98,7 +108,10 @@ filter {
 rename => { "request_body_len" => "sentbodybytes" }
 rename => { "uid" => "connectionid" }
 rename => { "ts"=> "eventtime" }
- rename => { "@timestamp"=> "eventtime" }
+ rename => { "@timestamp"=> "eventtime" }
+ rename => { "trans_depth" => "depth" }
+ rename => { "request_body_length" => "sentbodybytes" }
+ rename => { "response_body_length" => "rcvdbodybytes" }
 }
 }
 if "bro_ssl" in [class] {
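Review bot: The commented placeholders `#add_field = { "metaclass" => "dhcp"}` and `#add_field = { "metaclass" => "dns"}` that this hunk's bro_dhcp and bro_files blocks carry use `=` where Logstash requires `=>`, so uncommenting either as written would fail config validation, and the bro_files copy still says `dns`. Either correct them (`#add_field => { "metaclass" => "files" }`) or delete the placeholders; the bro_weird and bro_x509 blocks in the last hunk carry the same `"dns"` leftover. The bro_files block also switches its connection id source from `uid` to `conn_uids`, which reads as a deliberate field correction; a one-line comment such as `# files events carry conn_uids (list), not uid` would stop the next reader from "fixing" it back.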
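Review bot: The re-indented `rename => { "@timestamp"=> "eventtime" }` line is now dead: the mutate near the top of this same filter block lists `@timestamp` in `remove_field`, and Logstash runs filters in config order, so by the time the bro_http block executes the field no longer exists. Either delete this rename or, if `eventtime` is meant to fall back to the ingest time when `ts` is absent, perform that rename before `@timestamp` is removed. Since `ts` and `@timestamp` both rename to `eventtime`, the second rename also overwrote the first whenever both fields were present, so removing the line removes that ambiguity as well. The bro_http block begins outside this hunk.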
@@ -110,30 +123,31 @@ filter {
 rename => { "resp_fuids" => "rcvdfileid" }
 rename => { "response_body_len" => "rcvdbodybytes" }
 rename => { "request_body_len" => "sentbodybytes" }
+ rename => { "uid" => "connectionid" }
 }
 }
- if "bro_weird" in [class] {
+ if "bro_weird" in [class] {
 mutate{
 #add_field = { "metaclass" => "dns"}
 rename => { "name" => "eventname" }
 }
 }
- if "bro_x509" in [class] {
+ if "bro_x509" in [class] {
 mutate{
 #add_field = { "metaclass" => "dns"}
- rename => { "certificate_common_name" => "certname" }
+ rename => { "certificate_common_name" => "certname" }
 rename => { "certificate_subject" => "certsubject" }
- rename => { "issuer_common_name" => "issuer" }
- rename => { "certificate_issuer" => "issuersubject" }
- rename => { "certificate_not_valid_before" => "issuetime" }
- rename => { "certificate_key_type" => "cert_type" }
+ rename => { "issuer_common_name" => "issuer" }
+ rename => { "certificate_issuer" => "issuersubject" }
+ rename => { "certificate_not_valid_before" => "issuetime" }
+ rename => { "certificate_key_type" => "cert_type" }
 }
 }
 }
 }
 output {
- if [type] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl|bro_dhcp|bro_x509$/ {
+ if [class] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl|bro_dhcp|bro_x509|suricata$/ {
 http {
 url => "https://helix-integrations.cloud.aws.apps.fireeye.com/api/upload"
 http_method => post
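Review bot: `bro_weird` is still missing from both the filter entry condition in the first hunk and the new `[class]` output condition here, even though this hunk touches the `if "bro_weird" in [class]` block and the output condition; because `class` appears to be set only by the `copy => { "type" => "class" }` inside the branch the first regex gates, the bro_weird block can never run and those events are never posted. Either add `bro_weird` to both alternations or remove the block, so the set of log types shipped to Helix is explicit rather than implied by dead config. The switch from `[type]` to `[class]` is correct given that `type` is now removed in the filter, but deserves a comment such as `# type is removed in the filter; class is its copy` so the asymmetry with the filter's `[type]` check is not mistaken for a bug. The `http {` output block continues past the end of this hunk, so its headers and any credential settings are not visible here.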