[fix] Fix dev merge issues

2025-12-06 09:12:45 +01:00 · 2020-05-04 10:55:00 -04:00
parent a2fbdf644c
commit 5805d68b58
45 changed files with 12 additions and 1138 deletions
--- a/pillar/sensors/example.sls
+++ b/pillar/sensors/example.sls
@@ -1,14 +0,0 @@
-# Example Pillar file for a sensor
-sensor:
-  interface: CHANGEME
-  bro_pins:
-    - 1
-    - 2
-    - 3
-    - 4
-  brobpf:
-  pcapbpf:
-  nidsbpf:
-  s3bucket:
-  s3key:
-
--- a/salt/auth/init.sls
+++ b/salt/auth/init.sls
@@ -1,30 +0,0 @@
-{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
-{% set MASTER = salt['grains.get']('master') %}
-
-so-auth-api-dir:
-  file.directory:
-    - name: /opt/so/conf/auth/api
-    - user: 939
-    - group: 939
-    - makedirs: True
-
-so-auth-api:
-    docker_container.running:
-        - image: {{ MASTER }}:5000/soshybridhunter/so-auth-api:{{ VERSION }}
-        - hostname: so-auth-api
-        - name: so-auth-api
-        - environment:
-            - BASE_PATH: "/so-auth/api"
-            - AUTH_TOKEN_TIMEOUT: 32400
-        - binds:
-            - /opt/so/conf/auth/api:/data
-        - port_bindings:
-            - 0.0.0.0:5656:5656
-
-so-auth-ui:
-    docker_container.running:
-        - image: {{ MASTER }}:5000/soshybridhunter/so-auth-ui:{{ VERSION }}
-        - hostname: so-auth-ui
-        - name: so-auth-ui
-        - port_bindings:
-            - 0.0.0.0:4242:80
--- a/salt/common/tools/sbin/so-auth-restart
+++ b/salt/common/tools/sbin/so-auth-restart
@@ -1,21 +0,0 @@
-#!/bin/bash
-
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-. /usr/sbin/so-common
-
-/usr/sbin/so-restart auth $1
-
--- a/salt/common/tools/sbin/so-auth-start
+++ b/salt/common/tools/sbin/so-auth-start
@@ -1,20 +0,0 @@
-#!/bin/bash
-
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-. /usr/sbin/so-common
-
-/usr/sbin/so-start auth $1
--- a/salt/common/tools/sbin/so-auth-stop
+++ b/salt/common/tools/sbin/so-auth-stop
@@ -1,20 +0,0 @@
-#!/bin/bash
-
-# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-. /usr/sbin/so-common
-
-/usr/sbin/so-stop auth $1
--- a/salt/elasticsearch/files/ingest/bro_common
+++ b/salt/elasticsearch/files/ingest/bro_common
@@ -1,9 +0,0 @@
-{
-  "description" : "bro_common",
-  "processors" : [
-    { "rename":		{ "field": "@timestamp",	"target_field": "timestamp",	"ignore_missing": true					} },
-    { "date":		{ "field": "message2.ts",	"target_field": "@timestamp",	"formats": ["ISO8601", "UNIX"], "ignore_failure": true	} },
-    { "remove":		{ "field": "message2.ts",	"ignore_failure": true									} },
-    { "pipeline":	{ "name": "common" 													} }
-  ]
-}
--- a/salt/elasticsearch/files/ingest/bro_common_ssl
+++ b/salt/elasticsearch/files/ingest/bro_common_ssl
@@ -1,58 +0,0 @@
-{
-  "description" : "bro_common_ssl",
-  "processors" : [
-    {
-  	"kv": {
-    		"field": "certificate_issuer",
-		"field_split": ",",
-		"value_split": "=",
-		"ignore_missing": true,
-		"ignore_failure": true,
-		"include_keys": [ "CN", "C", "O", "OU", "ST", "SN", "L", "DC", "GN", "pseudonym", "serialNumber", "title", "initials" ]
-	}
-    },
-    { 	"rename":{ "field": "CN",		"target_field": "issuer_common_name",		"ignore_failure": true 	} },
-    { 	"rename":{ "field": "C",		"target_field": "issuer_country_code",		"ignore_failure": true 	} },
-    { 	"rename":{ "field": "O",		"target_field": "issuer_organization",		"ignore_failure": true 	} },
-    { 	"rename":{ "field": "OU",		"target_field": "issuer_organization_unit",	"ignore_failure": true 	} },
-    { 	"rename":{ "field": "ST",		"target_field": "issuer_state",			"ignore_failure": true 	} },
-    { 	"rename":{ "field": "SN",		"target_field": "issuer_surname",		"ignore_failure": true 	} },
-    { 	"rename":{ "field": "L",		"target_field": "issuer_locality",		"ignore_failure": true 	} },
-    { 	"rename":{ "field": "DC",		"target_field": "issuer_distinguised_name",	"ignore_failure": true 	} },
-    { 	"rename":{ "field": "GN",		"target_field": "issuer_given_name",		"ignore_failure": true 	} },
-    { 	"rename":{ "field": "pseudonym",	"target_field": "issuer_pseudonym",		"ignore_failure": true 	} },
-    { 	"rename":{ "field": "serialNumber",	"target_field": "issuer_serial_number",		"ignore_failure": true 	} },
-    { 	"rename":{ "field": "title",		"target_field": "issuer_title",			"ignore_failure": true 	} },
-    { 	"rename":{ "field": "initials",		"target_field": "issuer_initials",		"ignore_failure": true 	} },
-    {
-  	"kv": {
-    		"field": "certificate_subject",
-		"field_split": ",",
-		"value_split": "=",
-		"ignore_missing": true,
-		"ignore_failure": true,
-		"include_keys": [ "CN", "C", "O", "OU", "ST", "SN", "L", "GN", "pseudonym", "serialNumber", "title", "initials" ]
-	}
-    },
-    { 	"rename":{ "field": "CN",		"target_field": "certificate_common_name",	"ignore_failure": true 	} },
-    { 	"rename":{ "field": "C",		"target_field": "certificate_country_code",	"ignore_failure": true 	} },
-    { 	"rename":{ "field": "O",		"target_field": "certificate_organization",	"ignore_failure": true 	} },
-    { 	"rename":{ "field": "OU",		"target_field": "certificate_organization_unit","ignore_failure": true 	} },
-    { 	"rename":{ "field": "ST",		"target_field": "certificate_state",		"ignore_failure": true 	} },
-    { 	"rename":{ "field": "SN",		"target_field": "certificate_surname",		"ignore_failure": true 	} },
-    { 	"rename":{ "field": "L",		"target_field": "certificate_locality",		"ignore_failure": true 	} },
-    { 	"rename":{ "field": "GN",		"target_field": "certificate_given_name",	"ignore_failure": true 	} },
-    { 	"rename":{ "field": "pseudonym",	"target_field": "certificate_pseudonym",	"ignore_failure": true 	} },
-    { 	"rename":{ "field": "serialNumber",	"target_field": "certificate_serial_number",	"ignore_failure": true 	} },
-    { 	"rename":{ "field": "title",		"target_field": "certificate_title",		"ignore_failure": true 	} },
-    { 	"rename":{ "field": "initials",		"target_field": "certificate_initials",		"ignore_failure": true 	} },
-    { 	"script":{ "lang": "painless", "source": "ctx.certificate_common_name_length = ctx.certificate_common_name.length()", "ignore_failure": true } },
-    { 	"script":{ "lang": "painless", "source": "ctx.issuer_common_name_length = ctx.issuer_common_name.length()", "ignore_failure": true } },
-    { 	"script":{ "lang": "painless", "source": "ctx.server_name_length = ctx.server_name.length()", "ignore_failure": true } },
-    { 
-	"pipeline": { 
-		"name": "bro_common"
-	}
-    }
-  ]
-}
--- a/salt/elasticsearch/files/ingest/bro_conn
+++ b/salt/elasticsearch/files/ingest/bro_conn
@@ -1,48 +0,0 @@
-{
-  "description" : "bro_conn",
-  "processors" : [
-    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
-    { "rename": 	{ "field": "message2.uid", 	 	"target_field": "uid",			"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_h", 		"path": "message2", 			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_h", 	"target_field": "source_ip",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_p", 	"target_field": "source_port",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_h", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_h", 	"target_field": "destination_ip",	"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_p", 	"target_field": "destination_port",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.proto", 		"target_field": "protocol",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.service", 		"target_field": "service",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.duration", 	"target_field": "duration",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.orig_bytes", 	"target_field": "original_bytes",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.resp_bytes", 	"target_field": "respond_bytes",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.conn_state", 	"target_field": "connection_state",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.local_orig", 	"target_field": "local_orig",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.local_resp", 	"target_field": "local_respond",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.missed_bytes", 	"target_field": "missed_bytes",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.history", 		"target_field": "history",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.orig_pkts", 	"target_field": "original_packets",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.orig_ip_bytes", 	"target_field": "original_ip_bytes",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.resp_pkts", 	"target_field": "respond_packets",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.resp_ip_bytes", 	"target_field": "respond_ip_bytes",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.tunnel_parents",	"target_field": "tunnel_parents",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.orig_cc", 		"target_field": "original_country_code","ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.resp_cc", 		"target_field": "respond_country_code",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.sensorname", 	"target_field": "sensor_name",		"ignore_missing": true 	} },
-    { "script":		{ "lang": "painless", "source":	"ctx.total_bytes = (ctx.original_bytes + ctx.respond_bytes)", "ignore_failure": true } },
-    { "set": { "if": "ctx.connection_state == 'S0'", 	"field": "connection_state_description", "value": "Connection attempt seen, no reply" } },
-    { "set": { "if": "ctx.connection_state == 'S1'", 	"field": "connection_state_description", "value": "Connection established, not terminated" } },
-    { "set": { "if": "ctx.connection_state == 'S2'", 	"field": "connection_state_description", "value": "Connection established and close attempt by originator seen (but no reply from responder)" } },
-    { "set": { "if": "ctx.connection_state == 'S3'", 	"field": "connection_state_description", "value": "Connection established and close attempt by responder seen (but no reply from originator)" } },
-    { "set": { "if": "ctx.connection_state == 'SF'", 	"field": "connection_state_description", "value": "Normal SYN/FIN completion" } },
-    { "set": { "if": "ctx.connection_state == 'REJ'", 	"field": "connection_state_description", "value": "Connection attempt rejected" } },
-    { "set": { "if": "ctx.connection_state == 'RSTO'", 	"field": "connection_state_description", "value": "Connection established, originator aborted (sent a RST)" } },
-    { "set": { "if": "ctx.connection_state == 'RSTR'", 	"field": "connection_state_description", "value": "Established, responder aborted" } },
-    { "set": { "if": "ctx.connection_state == 'RSTOS0'","field": "connection_state_description", "value": "Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder" } },
-    { "set": { "if": "ctx.connection_state == 'RSTRH'", "field": "connection_state_description", "value": "Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator" } },
-    { "set": { "if": "ctx.connection_state == 'SH'", 	"field": "connection_state_description", "value": "Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was 'half' open)" } },
-    { "set": { "if": "ctx.connection_state == 'SHR'", 	"field": "connection_state_description", "value": "Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator" } },
-    { "set": { "if": "ctx.connection_state == 'OTH'", 	"field": "connection_state_description", "value": "No SYN seen, just midstream traffic (a 'partial connection' that was not later closed)" } },
-    { "pipeline": 	{ "name": "bro_common" } }
-  ]
-}
--- a/salt/elasticsearch/files/ingest/bro_dce_rpc
+++ b/salt/elasticsearch/files/ingest/bro_dce_rpc
@@ -1,20 +0,0 @@
-{
-  "description" : "bro_dce_rpc",
-  "processors" : [
-    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
-    { "rename": 	{ "field": "message2.uid", 	 	"target_field": "uid",			"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_h", 		"path": "message2", 			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_h", 	"target_field": "source_ip",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_p", 	"target_field": "source_port",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_h", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_h", 	"target_field": "destination_ip",	"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_p", 	"target_field": "destination_port",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.rtt", 		"target_field": "rtt",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.named_pipe",	"target_field": "named_pipe",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.endpoint", 	"target_field": "endpoint",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.operation", 	"target_field": "operation",		"ignore_missing": true 	} },
-    { "pipeline":       { "name": "bro_common"                                                                                   } }
-  ]
-}
--- a/salt/elasticsearch/files/ingest/bro_dhcp
+++ b/salt/elasticsearch/files/ingest/bro_dhcp
@@ -1,20 +0,0 @@
-{
-  "description" : "bro_dhcp",
-  "processors" : [
-    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
-    { "rename": 	{ "field": "message2.uids", 	 	"target_field": "uid",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.mac", 		"target_field": "mac",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.assigned_ip",	"target_field": "assigned_ip",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.lease_time", 	"target_field": "lease_time",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.trans_id", 	"target_field": "transaction_id",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.assigned_addr", 	"target_field": "assigned_ip",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.client_addr", 	"target_field": "source_ip",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.server_addr", 	"target_field": "destination_ip",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.requested_addr", 	"target_field": "requested_ip",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.domain", 		"target_field": "domain_name",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.host_name",	"target_field": "hostname",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.duration",		"target_field": "duration",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.msg_types", 	"target_field": "message_types",	"ignore_missing": true 	} },
-    { "pipeline":       { "name": "bro_common"                                                                                   } }
-  ]
-}
--- a/salt/elasticsearch/files/ingest/bro_dnp3
+++ b/salt/elasticsearch/files/ingest/bro_dnp3
@@ -1,19 +0,0 @@
-{
-  "description" : "bro_dnp3",
-  "processors" : [
-    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
-    { "rename": 	{ "field": "message2.uid", 	 	"target_field": "uid",			"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_h", 		"path": "message2", 			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_h", 	"target_field": "source_ip",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_p", 	"target_field": "source_port",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_h", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_h", 	"target_field": "destination_ip",	"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_p", 	"target_field": "destination_port",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.fc_request",	"target_field": "fc_request",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.fc_reply", 	"target_field": "fc_reply",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.iin", 		"target_field": "iin",			"ignore_missing": true 	} },
-    { "pipeline":       { "name": "bro_common"                                                                                   } }
-  ]
-}
--- a/salt/elasticsearch/files/ingest/bro_dns
+++ b/salt/elasticsearch/files/ingest/bro_dns
@@ -1,35 +0,0 @@
-{
-  "description" : "bro_dns",
-  "processors" : [
-    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
-    { "rename": 	{ "field": "message2.uid", 	 	"target_field": "uid",			"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_h", 		"path": "message2", 			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_h", 	"target_field": "source_ip",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_p", 	"target_field": "source_port",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_h", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_h", 	"target_field": "destination_ip",	"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_p", 	"target_field": "destination_port",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.proto", 		"target_field": "protocol",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.trans_id",		"target_field": "transaction_id",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.rtt",	 	"target_field": "rtt",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.query", 		"target_field": "query",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.qclass", 		"target_field": "query_class",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.qclass_name", 	"target_field": "query_class_name",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.qtype", 		"target_field": "query_type",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.qtype_name", 	"target_field": "query_type_name",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.rcode",	 	"target_field": "rcode",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.rcode_name", 	"target_field": "rcode_name",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.AA", 		"target_field": "aa",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.TC", 		"target_field": "tc",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.RD", 		"target_field": "rd",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.RA", 		"target_field": "ra",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.Z",		"target_field": "z",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.answers", 		"target_field": "answers",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.TTLs", 		"target_field": "ttls",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.rejected", 	"target_field": "rejected",		"ignore_missing": true 	} },
-    { "script": 	{ "lang": "painless", "source": "ctx.query_length = ctx.query.length()",	"ignore_failure": true  } },
-    { "pipeline":       { "name": "bro_common"											} }
-  ]
-}
--- a/salt/elasticsearch/files/ingest/bro_dpd
+++ b/salt/elasticsearch/files/ingest/bro_dpd
@@ -1,19 +0,0 @@
-{
-  "description" : "bro_dpd",
-  "processors" : [
-    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
-    { "rename": 	{ "field": "message2.uid", 	 	"target_field": "uid",			"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_h", 		"path": "message2", 			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_h", 	"target_field": "source_ip",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_p", 	"target_field": "source_port",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_h", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_h", 	"target_field": "destination_ip",	"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_p", 	"target_field": "destination_port",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.proto", 		"target_field": "protocol",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.analyzer", 	"target_field": "analyzer",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.failure_reason", 	"target_field": "failure_reason",	"ignore_missing": true 	} },
-    { "pipeline":       { "name": "bro_common"                                                                                   } }
-  ]
-}
--- a/salt/elasticsearch/files/ingest/bro_files
+++ b/salt/elasticsearch/files/ingest/bro_files
@@ -1,32 +0,0 @@
-{
-  "description" : "bro_files",
-  "processors" : [
-    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
-    { "rename": 	{ "field": "message2.fuid", 	 	"target_field": "fuid",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.tx_hosts", 	"target_field": "file_ip",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.rx_hosts.0",	"target_field": "destination_ip",	"ignore_missing": true 	} },
-    { "remove": 	{ "field": "message2.rx_hosts",							"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.conn_uids", 	"target_field": "uid",			"ignore_missing": true 	} },
-    { "remove": 	{ "field": "source",								"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.source", 		"target_field": "source",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.depth",	 	"target_field": "depth",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.analyzers", 	"target_field": "analyzer",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.mime_type", 	"target_field": "mimetype",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.filename", 	"target_field": "file_name",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.duration", 	"target_field": "duration",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.local_orig",	"target_field": "local_orig",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.is_orig", 		"target_field": "is_orig",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.seen_bytes", 	"target_field": "seen_bytes",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.total_bytes", 	"target_field": "total_bytes",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.missing_bytes", 	"target_field": "missing_bytes",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.overflow_bytes",	"target_field": "overflow_bytes",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.timedout",		"target_field": "timed_out",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.parent_fuid",	"target_field": "parent_fuid",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.md5",		"target_field": "md5",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.sha1",		"target_field": "sha1",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.extracted",	"target_field": "extracted",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.extracted_cutoff",	"target_field": "extracted_cutoff",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.extracted_size",	"target_field": "extracted_size",	"ignore_missing": true 	} },
-    { "pipeline":       { "name": "bro_common"                                                                                   } }
-  ]
-}
--- a/salt/elasticsearch/files/ingest/bro_ftp
+++ b/salt/elasticsearch/files/ingest/bro_ftp
@@ -1,33 +0,0 @@
-{
-  "description" : "bro_http",
-  "processors" : [
-    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
-    { "rename": 	{ "field": "message2.uid", 	 	"target_field": "uid",			"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_h", 		"path": "message2", 			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_h", 	"target_field": "source_ip",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_p", 	"target_field": "source_port",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_h", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_h", 	"target_field": "destination_ip",	"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_p", 	"target_field": "destination_port",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.user",		"target_field": "username",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.password",		"target_field": "password",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.command", 		"target_field": "ftp_command",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.arg", 		"target_field": "ftp_argument",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.mime_type", 	"target_field": "mimetype",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.file_size", 	"target_field": "file_size",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.reply_code", 	"target_field": "reply_code",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.reply_msg", 	"target_field": "reply_message",	"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "data_channel.passive", 		"path": "message2", 			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.data_channel.passive","target_field": "data_channel_passive",	"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "data_channel.orig_h", 		"path": "message2", 			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.data_channel.orig_h","target_field": "data_channel_source_ip",	"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "data_channel.resp_h", 		"path": "message2", 			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.data_channel.resp_h","target_field": "data_channel_destination_ip",	"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "data_channel.resp_p", 		"path": "message2", 			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.data_channel.resp_p","target_field": "data_channel_destination_port",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.fuid",		"target_field": "fuid",		"ignore_missing": true 	} },
-    { "pipeline":       { "name": "bro_common"                                                                                   } }
-  ]
-}
--- a/salt/elasticsearch/files/ingest/bro_http
+++ b/salt/elasticsearch/files/ingest/bro_http
@@ -1,42 +0,0 @@
-{
-  "description" : "bro_http",
-  "processors" : [
-    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
-    { "rename": 	{ "field": "message2.uid", 	 	"target_field": "uid",			"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_h", 		"path": "message2", 			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_h", 	"target_field": "source_ip",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_p", 	"target_field": "source_port",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_h", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_h", 	"target_field": "destination_ip",	"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_p", 	"target_field": "destination_port",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.trans_depth",	"target_field": "trans_depth",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.method", 		"target_field": "method",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.host", 		"target_field": "virtual_host",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.uri", 		"target_field": "uri",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.referrer", 	"target_field": "referrer",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.version", 		"target_field": "version",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.user_agent", 	"target_field": "useragent",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.request_body_len", "target_field": "request_body_length",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.response_body_len","target_field": "response_body_length",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.status_code",	"target_field": "status_code",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.status_msg", 	"target_field": "status_message",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.info_code", 	"target_field": "info_code",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.info_msg", 	"target_field": "info_message",		"ignore_missing": true 	} },
-    { "remove":		{ "field": "message2.tags",		"ignore_failure": true						} },
-    { "rename": 	{ "field": "message2.username", 	"target_field": "user",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.password", 	"target_field": "password",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.proxied", 		"target_field": "proxied",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.orig_fuids",	"target_field": "orig_fuids",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.orig_filenames",	"target_field": "orig_filenames",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.orig_mime_types",	"target_field": "orig_mime_types",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.resp_fuids",	"target_field": "resp_fuids",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.resp_filenames",	"target_field": "resp_filenames",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.resp_mime_types",	"target_field": "resp_mime_types",	"ignore_missing": true 	} },
-    { "script":	{ "lang": "painless", "source": "ctx.uri_length = ctx.uri.length()", 			"ignore_failure": true 	} },
-    { "script":	{ "lang": "painless", "source": "ctx.useragent_length = ctx.useragent.length()",	"ignore_failure": true 	} },
-    { "script":	{ "lang": "painless", "source": "ctx.virtual_host_length = ctx.virtual_host.length()", 	"ignore_failure": true	} },
-    { "pipeline":       { "name": "bro_common"											} }
-  ]
-}
--- a/salt/elasticsearch/files/ingest/bro_intel
+++ b/salt/elasticsearch/files/ingest/bro_intel
@@ -1,29 +0,0 @@
-{
-  "description" : "bro_intel",
-  "processors" : [
-    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
-    { "rename": 	{ "field": "message2.uid", 	 	"target_field": "uid",			"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_h", 		"path": "message2", 			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_h", 	"target_field": "source_ip",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_p", 	"target_field": "source_port",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_h", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_h", 	"target_field": "destination_ip",	"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_p", 	"target_field": "destination_port",	"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "seen.indicator", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.seen.indicator", 	"target_field": "indicator",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "seen.indicator_type", 	"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.seen.indicator_type", 	"target_field": "indicator_type",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "seen.where", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.seen.where", 	"target_field": "seen_where",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "seen.node", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.seen.node", 	"target_field": "seen_node",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.matched", 		"target_field": "matched",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.sources", 		"target_field": "sources",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.fuid", 		"target_field": "fuid",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.file_mime_type", 	"target_field": "mimetype",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.file_desc", 	"target_field": "file_description",	"ignore_missing": true 	} },
-    { "pipeline":       { "name": "bro_common"                                                                                   } }
-  ]
-}
--- a/salt/elasticsearch/files/ingest/bro_irc
+++ b/salt/elasticsearch/files/ingest/bro_irc
@@ -1,25 +0,0 @@
-{
-  "description" : "bro_irc",
-  "processors" : [
-    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
-    { "rename": 	{ "field": "message2.uid", 	 	"target_field": "uid",			"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_h", 		"path": "message2", 			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_h", 	"target_field": "source_ip",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_p", 	"target_field": "source_port",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_h", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_h", 	"target_field": "destination_ip",	"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_p", 	"target_field": "destination_port",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.nick", 		"target_field": "nick",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.user", 		"target_field": "irc_username",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.command", 		"target_field": "irc_command",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.value", 		"target_field": "value",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.addl", 		"target_field": "additional_info",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dcc_file_name", 	"target_field": "dcc_file_name",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dcc_file_size", 	"target_field": "dcc_file_size",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dcc_mime_type", 	"target_field": "dcc_mime_type",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.fuid", 		"target_field": "fuid",			"ignore_missing": true 	} },
-    { "pipeline":       { "name": "bro_common"                                                                                   } }
-  ]
-}
--- a/salt/elasticsearch/files/ingest/bro_kerberos
+++ b/salt/elasticsearch/files/ingest/bro_kerberos
@@ -1,30 +0,0 @@
-{
-  "description" : "bro_kerberos",
-  "processors" : [
-    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
-    { "rename": 	{ "field": "message2.uid", 	 	"target_field": "uid",			"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_h", 		"path": "message2", 			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_h", 	"target_field": "source_ip",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_p", 	"target_field": "source_port",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_h", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_h", 	"target_field": "destination_ip",	"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_p", 	"target_field": "destination_port",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.request_type", 	"target_field": "request_type",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.client", 		"target_field": "client",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.service", 		"target_field": "service",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.success", 		"target_field": "kerberos_success",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.error_msg", 	"target_field": "error_message",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.from", 		"target_field": "valid_from",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.till", 		"target_field": "valid_till",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.cipher", 		"target_field": "cipher",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.forwardable", 	"target_field": "forwardable",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.renewable", 	"target_field": "renewable",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.client_cert_subject", 	"target_field": "client_certificate_subject",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.client_cert_fuid", 	"target_field": "client_certificate_fuid",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.server_cert_subject", 	"target_field": "server_certificate_subject",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.server_cert_fuid", 	"target_field": "server_certificate_fuid",	"ignore_missing": true 	} },
-    { "pipeline":       { "name": "bro_common"                                                                                   } }
-  ]
-}
--- a/salt/elasticsearch/files/ingest/bro_modbus
+++ b/salt/elasticsearch/files/ingest/bro_modbus
@@ -1,18 +0,0 @@
-{
-  "description" : "bro_modbus",
-  "processors" : [
-    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
-    { "rename": 	{ "field": "message2.uid", 	 	"target_field": "uid",			"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_h", 		"path": "message2", 			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_h", 	"target_field": "source_ip",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_p", 	"target_field": "source_port",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_h", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_h", 	"target_field": "destination_ip",	"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_p", 	"target_field": "destination_port",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.func", 		"target_field": "function",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.exception", 	"target_field": "exception",		"ignore_missing": true 	} },
-    { "pipeline":       { "name": "bro_common"                                                                                   } }
-  ]
-}
--- a/salt/elasticsearch/files/ingest/bro_mysql
+++ b/salt/elasticsearch/files/ingest/bro_mysql
@@ -1,21 +0,0 @@
-{
-  "description" : "bro_mysql",
-  "processors" : [
-    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
-    { "rename": 	{ "field": "message2.uid", 	 	"target_field": "uid",			"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_h", 		"path": "message2", 			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_h", 	"target_field": "source_ip",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_p", 	"target_field": "source_port",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_h", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_h", 	"target_field": "destination_ip",	"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_p", 	"target_field": "destination_port",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.cmd", 		"target_field": "mysql_command",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.arg", 		"target_field": "mysql_argument",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.success", 		"target_field": "mysql_success",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.rows", 		"target_field": "rows",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.response",		"target_field": "response",		"ignore_missing": true 	} },
-    { "pipeline":       { "name": "bro_common"                                                                                   } }
-  ]
-}
--- a/salt/elasticsearch/files/ingest/bro_notice
+++ b/salt/elasticsearch/files/ingest/bro_notice
@@ -1,36 +0,0 @@
-{
-  "description" : "bro_notice",
-  "processors" : [
-    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
-    { "remove":		{ "field": "message2.dst",		"ignore_failure": true						} },
-    { "remove":		{ "field": "message2.src",		"ignore_failure": true						} },
-    { "rename": 	{ "field": "message2.uid", 	 	"target_field": "uid",			"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_h", 		"path": "message2", 			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_h", 	"target_field": "source_ip",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_p", 	"target_field": "source_port",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_h", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_h", 	"target_field": "destination_ip",	"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_p", 	"target_field": "destination_port",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.fuid", 		"target_field": "fuid",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.mime", 		"target_field": "file_mime_type",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.desc", 		"target_field": "file_description",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.proto", 		"target_field": "protocol",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.note", 		"target_field": "note",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.msg", 		"target_field": "msg",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.sub", 		"target_field": "sub_msg",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.p", 		"target_field": "p",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.n", 		"target_field": "n",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.peer_descr",	"target_field": "peer_description",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.actions", 		"target_field": "action",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.suppress_for", 	"target_field": "suppress_for",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dropped", 		"target_field": "dropped",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.destination_country_code",	"target_field": "destination_country_code",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.destination_region", 	"target_field": "destination_region",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.destination_city", 	"target_field": "destination_city",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.destination_latitude", 	"target_field": "destination_latitude",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.destination_longitude", 	"target_field": "destination_longitude",	"ignore_missing": true 	} },
-    { "pipeline":       { "name": "bro_common"                                                                                   } }
-  ]
-}
--- a/salt/elasticsearch/files/ingest/bro_ntlm
+++ b/salt/elasticsearch/files/ingest/bro_ntlm
@@ -1,24 +0,0 @@
-{
-  "description" : "bro_ntlm",
-  "processors" : [
-    { "json":		{ "field": "message",				"target_field": "message2",			"ignore_failure": true	} },
-    { "rename": 	{ "field": "message2.uid", 	 		"target_field": "uid",				"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_h", 			"path": "message2", 				"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_h", 		"target_field": "source_ip",			"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_p", 			"path": "message2",				"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_p", 		"target_field": "source_port",			"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_h", 			"path": "message2",				"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_h", 		"target_field": "destination_ip",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_p", 			"path": "message2",				"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_p", 		"target_field": "destination_port",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.hostname",			"target_field": "hostname",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.domainname",		"target_field": "domain_name",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.success", 			"target_field": "ntlm_success",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.status", 			"target_field": "status",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.username",			"target_field": "username",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.server_dns_computer_name",	"target_field": "server_dns_computer_name", 	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.server_nb_computer_name",	"target_field": "server_nb_computer_name", 	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.server_tree_name",		"target_field": "server_tree_name",		"ignore_missing": true 	} },
-    { "pipeline":       { "name": "bro_common"                                                                                   		} }
-  ]
-}
--- a/salt/elasticsearch/files/ingest/bro_pe
+++ b/salt/elasticsearch/files/ingest/bro_pe
@@ -1,23 +0,0 @@
-{
-  "description" : "bro_pe",
-  "processors" : [
-    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
-    { "rename": 	{ "field": "message2.id", 	 	"target_field": "fuid",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.machine",		"target_field": "machine",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.compile_ts",	"target_field": "compile_ts",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.os", 		"target_field": "os",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.subsystem",	"target_field": "subsystem",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.is_exe", 		"target_field": "is_exe",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.is_64bit",		"target_field": "is_64bit",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.uses_aslr", 	"target_field": "uses_aslr",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.uses_dep", 	"target_field": "uses_dep",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.uses_code_integrity","target_field": "uses_code_integrity","ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.uses_seh",		"target_field": "uses_seh",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.has_import_table", "target_field": "has_import_table",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.has_export_table", "target_field": "has_export_table",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.has_cert_table", 	"target_field": "has_cert_table",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.has_debug_data", 	"target_field": "has_debug_data",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.section_names", 	"target_field": "section_names",	"ignore_missing": true 	} },
-    { "pipeline":       { "name": "bro_common"                                                                                   } }
-  ]
-}
--- a/salt/elasticsearch/files/ingest/bro_radius
+++ b/salt/elasticsearch/files/ingest/bro_radius
@@ -1,25 +0,0 @@
-{
-  "description" : "bro_radius",
-  "processors" : [
-    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
-    { "rename": 	{ "field": "message2.uid", 	 	"target_field": "uid",			"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_h", 		"path": "message2", 			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_h", 	"target_field": "source_ip",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_p", 	"target_field": "source_port",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_h", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_h", 	"target_field": "destination_ip",	"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_p", 	"target_field": "destination_port",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.username", 	"target_field": "username",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.mac", 		"target_field": "mac",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.framed_addr", 	"target_field": "framed_addr",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.remote_ip", 	"target_field": "remote_ip",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.connect_info", 	"target_field": "connect_info",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.reply_msg", 	"target_field": "reply_message",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.result", 		"target_field": "result",		"ignore_missing": true 	} },
-    { "remove":		{ "field": "message2.ttl",		"ignore_failure": true						} },
-    { "rename": 	{ "field": "message2.logged", 		"target_field": "logged",		"ignore_missing": true 	} },
-    { "pipeline":       { "name": "bro_common"                                                                                   } }
-  ]
-}
--- a/salt/elasticsearch/files/ingest/bro_rdp
+++ b/salt/elasticsearch/files/ingest/bro_rdp
@@ -1,31 +0,0 @@
-{
-  "description" : "bro_rdp",
-  "processors" : [
-    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
-    { "rename": 	{ "field": "message2.uid", 	 	"target_field": "uid",			"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_h", 		"path": "message2", 			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_h", 	"target_field": "source_ip",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_p", 	"target_field": "source_port",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_h", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_h", 	"target_field": "destination_ip",	"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_p", 	"target_field": "destination_port",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.cookie", 		"target_field": "cookie",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.result", 		"target_field": "result",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.security_protocol","target_field": "security_protocol",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.keyboard_layout", 	"target_field": "keyboard_layout",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.client_build", 	"target_field": "client_build",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.client_name", 	"target_field": "client_name",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.client_dig_product_id", 	"target_field": "client_digital_product_id",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.desktop_width", 	"target_field": "desktop_width",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.desktop_height", 	"target_field": "desktop_height",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.requested_color_depth", 	"target_field": "requested_color_depth",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.cert_type", 	"target_field": "certificate_type",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.cert_count", 	"target_field": "certificate_count",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.cert_permanent", 	"target_field": "certificate_permanent","ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.encryption_level",	"target_field": "encryption_level",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.encryption_method","target_field": "encryption_method",	"ignore_missing": true 	} },
-    { "pipeline":       { "name": "bro_common"                                                                                   } }
-  ]
-}
--- a/salt/elasticsearch/files/ingest/bro_rfb
+++ b/salt/elasticsearch/files/ingest/bro_rfb
@@ -1,26 +0,0 @@
-{
-  "description" : "bro_rfb",
-  "processors" : [
-    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
-    { "rename": 	{ "field": "message2.uid", 	 	"target_field": "uid",			"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_h", 		"path": "message2", 			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_h", 	"target_field": "source_ip",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_p", 	"target_field": "source_port",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_h", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_h", 	"target_field": "destination_ip",	"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_p", 	"target_field": "destination_port",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.client_major_version",	"target_field": "client_major_version",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.client_minor_version",	"target_field": "client_minor_version",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.server_major_version",	"target_field": "server_major_version",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.server_minor_version",	"target_field": "server_minor_version",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.authentication_method",	"target_field": "authentication_method","ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.auth", 			"target_field": "auth",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.share_flag", 	"target_field": "share_flag",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.desktop_name", 	"target_field": "desktop_name",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.width", 		"target_field": "width",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.height", 		"target_field": "height",		"ignore_missing": true 	} },
-    { "pipeline":       { "name": "bro_common"                                                                                   } }
-  ]
-}
--- a/salt/elasticsearch/files/ingest/bro_signatures
+++ b/salt/elasticsearch/files/ingest/bro_signatures
@@ -1,22 +0,0 @@
-{
-  "description" : "bro_signatures",
-  "processors" : [
-    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
-    { "rename": 	{ "field": "message2.uid", 	 	"target_field": "uid",			"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_h", 		"path": "message2", 			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_h", 	"target_field": "source_ip",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_p", 	"target_field": "source_port",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_h", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_h", 	"target_field": "destination_ip",	"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_p", 	"target_field": "destination_port",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.note", 		"target_field": "note",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.sig_id", 		"target_field": "signature_id",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.event_msg", 	"target_field": "event_message",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.sub_msg", 		"target_field": "sub_message",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.sig_count", 	"target_field": "signature_count",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.host_count", 	"target_field": "host_count",		"ignore_missing": true 	} },
-    { "pipeline":       { "name": "bro_common"                                                                                   } }
-  ]
-}
--- a/salt/elasticsearch/files/ingest/bro_sip
+++ b/salt/elasticsearch/files/ingest/bro_sip
@@ -1,37 +0,0 @@
-{
-  "description" : "bro_sip",
-  "processors" : [
-    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
-    { "rename": 	{ "field": "message2.uid", 	 	"target_field": "uid",			"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_h", 		"path": "message2", 			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_h", 	"target_field": "source_ip",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_p", 	"target_field": "source_port",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_h", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_h", 	"target_field": "destination_ip",	"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_p", 	"target_field": "destination_port",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.trans_depth", 	"target_field": "trans_depth",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.method", 		"target_field": "method",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.uri", 		"target_field": "uri",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.date", 		"target_field": "date",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.request_from", 	"target_field": "request_from",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.request_to", 	"target_field": "request_to",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.response_from", 	"target_field": "response_from",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.response_to", 	"target_field": "response_to",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.reply_to", 	"target_field": "reply_to",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.call_id", 		"target_field": "call_id",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.seq", 		"target_field": "seq",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.subject", 		"target_field": "subject",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.request_path", 	"target_field": "request_path",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.response_path", 	"target_field": "response_path",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.user_agent", 	"target_field": "user_agent",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.status_code", 	"target_field": "status_code",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.status_msg",	"target_field": "status_msg",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.warning", 		"target_field": "warning",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.request_body_len",	"target_field": "request_body_length",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.response_body_len","target_field": "response_body_length",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.content_type", 	"target_field": "content_type",		"ignore_missing": true 	} },
-    { "pipeline":       { "name": "bro_common"                                                                                   } }
-  ]
-}
--- a/salt/elasticsearch/files/ingest/bro_smb_files
+++ b/salt/elasticsearch/files/ingest/bro_smb_files
@@ -1,31 +0,0 @@
-{
-  "description" : "bro_smb_files",
-  "processors" : [
-    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
-    { "rename": 	{ "field": "message2.uid", 	 	"target_field": "uid",			"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_h", 		"path": "message2", 			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_h", 	"target_field": "source_ip",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_p", 	"target_field": "source_port",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_h", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_h", 	"target_field": "destination_ip",	"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_p", 	"target_field": "destination_port",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.fuid", 		"target_field": "fuid",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.action", 		"target_field": "action",		"ignore_missing": true 	} },
-    { "remove":		{ "field": "path",			"ignore_failure": true						} },
-    { "rename": 	{ "field": "message2.path", 		"target_field": "path",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.name", 		"target_field": "name",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.size", 		"target_field": "size",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.prev_name", 	"target_field": "prev_name",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "times.modified", 		"path": "message2", 			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.times.modified", 	"target_field": "times_modified",	"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "times.accessed", 		"path": "message2", 			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.times.accessed", 	"target_field": "times_accessed",	"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "times.created", 		"path": "message2", 			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.times.created", 	"target_field": "times_created",	"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "times.changed", 		"path": "message2", 			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.times.changed", 	"target_field": "times_changed",	"ignore_missing": true 	} },
-    { "pipeline":       { "name": "bro_common"                                                                                   } }
-  ]
-}
--- a/salt/elasticsearch/files/ingest/bro_smb_mapping
+++ b/salt/elasticsearch/files/ingest/bro_smb_mapping
@@ -1,21 +0,0 @@
-{
-  "description" : "bro_smb_files",
-  "processors" : [
-    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
-    { "rename": 	{ "field": "message2.uid", 	 	"target_field": "uid",			"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_h", 		"path": "message2", 			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_h", 	"target_field": "source_ip",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_p", 	"target_field": "source_port",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_h", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_h", 	"target_field": "destination_ip",	"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_p", 	"target_field": "destination_port",	"ignore_missing": true 	} },
-    { "remove":		{ "field": "path",			"ignore_failure": true						} },
-    { "rename": 	{ "field": "message2.path", 		"target_field": "path",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.service", 		"target_field": "service",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.native_file_system",	"target_field": "native_file_system",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.share_type",	"target_field": "share_type",		"ignore_missing": true 	} },
-    { "pipeline":       { "name": "bro_common"                                                                                   } }
-  ]
-}
--- a/salt/elasticsearch/files/ingest/bro_smtp
+++ b/salt/elasticsearch/files/ingest/bro_smtp
@@ -1,38 +0,0 @@
-{
-  "description" : "bro_smtp",
-  "processors" : [
-    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
-    { "remove":		{ "field": "path",			"ignore_failure": true						} },
-    { "rename": 	{ "field": "message2.uid", 	 	"target_field": "uid",			"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_h", 		"path": "message2", 			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_h", 	"target_field": "source_ip",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_p", 	"target_field": "source_port",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_h", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_h", 	"target_field": "destination_ip",	"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_p", 	"target_field": "destination_port",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.trans_depth", 	"target_field": "trans_depth",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.helo", 		"target_field": "helo",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.mailfrom", 	"target_field": "mail_from",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.rcptto", 		"target_field": "recipient_to",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.date", 		"target_field": "mail_date",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.from", 		"target_field": "from",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.to", 		"target_field": "to",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.cc", 		"target_field": "cc",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.reply_to", 	"target_field": "reply_to",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.msg_id", 		"target_field": "message_id",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.in_reply_to", 	"target_field": "in_reply_to",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.subject", 		"target_field": "subject",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.x_originating_ip",	"target_field": "x_originating_ip",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.first_received", 	"target_field": "first_received",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.second_received",	"target_field": "second_received",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.last_reply",	"target_field": "last_reply",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.path", 		"target_field": "path",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.user_agent", 	"target_field": "useragent",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.tls", 		"target_field": "tls",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.fuids", 		"target_field": "fuids",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.is_webmail",	"target_field": "is_webmail",		"ignore_missing": true 	} },
-    { "pipeline":       { "name": "bro_common"                                                                                   } }
-  ]
-}
--- a/salt/elasticsearch/files/ingest/bro_snmp
+++ b/salt/elasticsearch/files/ingest/bro_snmp
@@ -1,25 +0,0 @@
-{
-  "description" : "bro_snmp",
-  "processors" : [
-    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
-    { "rename": 	{ "field": "message2.uid", 	 	"target_field": "uid",			"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_h", 		"path": "message2", 			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_h", 	"target_field": "source_ip",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_p", 	"target_field": "source_port",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_h", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_h", 	"target_field": "destination_ip",	"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_p", 	"target_field": "destination_port",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.duration",		"target_field": "duration",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.version", 		"target_field": "version",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.community", 	"target_field": "community",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.get_requests", 	"target_field": "get_requests",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.get_bulk_requests","target_field": "get_bulk_requests",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.get_responses",	"target_field": "get_responses",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.set_requests", 	"target_field": "set_requests",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.display_string", 	"target_field": "display_string",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.up_since", 	"target_field": "up_since",		"ignore_missing": true 	} },
-    { "pipeline":	{ "name": "bro_common"											} }
-  ]
-}
--- a/salt/elasticsearch/files/ingest/bro_socks
+++ b/salt/elasticsearch/files/ingest/bro_socks
@@ -1,28 +0,0 @@
-{
-  "description" : "bro_socks",
-  "processors" : [
-    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
-    { "rename": 	{ "field": "message2.uid", 	 	"target_field": "uid",			"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_h", 		"path": "message2", 			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_h", 	"target_field": "source_ip",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_p", 	"target_field": "source_port",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_h", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_h", 	"target_field": "destination_ip",	"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_p", 	"target_field": "destination_port",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.version", 		"target_field": "version",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.user", 		"target_field": "user",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.password", 	"target_field": "password",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.status", 		"target_field": "status",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.request_host", 	"target_field": "request_host",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "request.name", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.request.name", 	"target_field": "request_name",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.request_p", 	"target_field": "request_port",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "bound.host", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.bound.host", 	"target_field": "bound_host",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.bound_name", 	"target_field": "bound_name",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.bound_p", 		"target_field": "bound_port",		"ignore_missing": true 	} },
-    { "pipeline":       { "name": "bro_common"                                                                                   } }
-  ]
-}
--- a/salt/elasticsearch/files/ingest/bro_software
+++ b/salt/elasticsearch/files/ingest/bro_software
@@ -1,23 +0,0 @@
-{
-  "description" : "bro_software",
-  "processors" : [
-    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
-    { "rename": 	{ "field": "message2.uid", 	 	"target_field": "uid",			"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "version.major", 		"path": "message2", 			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.version.major", 	"target_field": "version_major",	"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "version.minor", 		"path": "message2", 			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.version.minor", 	"target_field": "version_minor",	"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "version.minor2", 		"path": "message2", 			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.version.minor2", 	"target_field": "version_minor2",	"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "version.minor3", 		"path": "message2", 			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.version.minor3", 	"target_field": "version_minor3",	"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "version.addl", 		"path": "message2", 			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.version.addl", 	"target_field": "version_additional_info",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.host", 		"target_field": "source_ip",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.host_p", 		"target_field": "source_port",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.software_type", 	"target_field": "software_type",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.name", 		"target_field": "name",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.unparsed_version",	"target_field": "unparsed_version",	"ignore_missing": true 	} },
-    { "pipeline":       { "name": "bro_common"                                                                                   } }
-  ]
-}
--- a/salt/elasticsearch/files/ingest/bro_ssh
+++ b/salt/elasticsearch/files/ingest/bro_ssh
@@ -1,40 +0,0 @@
-{
-  "description" : "bro_conn",
-  "processors" : [
-    { "json":		{ "field": "message",				"target_field": "message2",			"ignore_failure": true	} },
-    { "dot_expander": 	{ "field": "id.orig_h", 			"path": "message2", 				"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_h", 		"target_field": "source_ip",			"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_p", 			"path": "message2",				"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_p", 		"target_field": "source_port",			"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_h", 			"path": "message2",				"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_h", 		"target_field": "destination_ip",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_p", 			"path": "message2",				"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_p", 		"target_field": "destination_port",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.version", 			"target_field": "version",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.uid", 			"target_field": "uid",				"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.hassh", 			"target_field": "hassh",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.auth_success",		"target_field": "authentication_success",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.auth_attempts",		"target_field": "authentication_attempts",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.direction", 		"target_field": "direction",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.client", 			"target_field": "client",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.server", 			"target_field": "server",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.cipher_alg", 		"target_field": "cipher_algorithm",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.compression_alg", 		"target_field": "compression_algorithm",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.cshka", 			"target_field": "client_host_key_algorithms",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.host_key_alg", 		"target_field": "host_key_algorithm",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.hasshAlgorithms", 		"target_field": "hassh_algorithms",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.hasshServer", 		"target_field": "hassh_server",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.hasshVersion", 		"target_field": "hassh_version",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.kex_alg", 			"target_field": "kex_algorithm",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.mac_alg", 			"target_field": "mac_algorithm",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.sshka", 			"target_field": "server_host_key_algorithms",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.host_key", 		"target_field": "host_key",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.destination_region", 	"target_field": "destination_region",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.destination_city", 	"target_field": "destination_city",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.destination_latitude", 	"target_field": "destination_latitude",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.destination_longitude", 	"target_field": "destination_longitude",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.destination_country_code", "target_field": "destination_country_code",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.hasshServerAlgorithms", 	"target_field": "hassh_server_algorithms",	"ignore_missing": true 	} },
-    { "pipeline":       { "name": "bro_common"                                                                                   		} }
-  ]
-}
--- a/salt/elasticsearch/files/ingest/bro_ssl
+++ b/salt/elasticsearch/files/ingest/bro_ssl
@@ -1,33 +0,0 @@
-{
-  "description" : "bro_ssl",
-  "processors" : [
-    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
-    { "rename": 	{ "field": "message2.uid", 	 	"target_field": "uid",			"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_h", 		"path": "message2", 			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_h", 	"target_field": "source_ip",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_p", 	"target_field": "source_port",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_h", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_h", 	"target_field": "destination_ip",	"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_p", 	"target_field": "destination_port",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.version", 		"target_field": "version",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.cipher", 		"target_field": "cipher",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.curve", 		"target_field": "curve",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.server_name", 	"target_field": "server_name",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.resumed", 		"target_field": "resumed",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.last_alert", 	"target_field": "last_alert",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.next_protocol", 	"target_field": "next_protocol",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.established", 	"target_field": "established",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.cert_chain_fuids", 	"target_field": "certificate_chain_fuids",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.client_cert_chain_fuids",	"target_field": "client_certificate_chain_fuids",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.subject", 		"target_field": "certificate_subject",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.issuer", 		"target_field": "certificate_issuer",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.client_subject", 	"target_field": "client_subject",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.client_issuer", 	"target_field": "client_issuer",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.validation_status","target_field": "validation_status",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.ja3", 		"target_field": "ja3",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.ja3s", 		"target_field": "ja3s",			"ignore_missing": true 	} },
-    { "pipeline":       { "name":  "bro_common_ssl"                                                                             } }
-  ]
-}
--- a/salt/elasticsearch/files/ingest/bro_syslog
+++ b/salt/elasticsearch/files/ingest/bro_syslog
@@ -1,21 +0,0 @@
-{
-  "description" : "bro_syslog",
-  "processors" : [
-    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
-    { "rename": 	{ "field": "message2.uid", 	 	"target_field": "uid",			"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_h", 		"path": "message2", 			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_h", 	"target_field": "source_ip",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_p", 	"target_field": "source_port",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_h", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_h", 	"target_field": "destination_ip",	"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_p", 	"target_field": "destination_port",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.proto", 		"target_field": "protocol",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.facility", 	"target_field": "facility",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.severity", 	"target_field": "severity",		"ignore_missing": true 	} },
-    { "remove":		{ "field": "message",			"ignore_failure": true						} },
-    { "rename": 	{ "field": "message2.message", 		"target_field": "message",		"ignore_missing": true 	} },
-    { "pipeline":       { "name": "bro_common"                                                                                   } }
-  ]
-}
--- a/salt/elasticsearch/files/ingest/bro_tunnel
+++ b/salt/elasticsearch/files/ingest/bro_tunnel
@@ -1,7 +0,0 @@
-{
-  "description" : "bro_tunnel",
-  "processors" : [
-    { "set":		{ "field": "event_type", "value": "bro_tunnels"								} },
-    { "pipeline":       { "name": "bro_tunnels"                                                                                 } }
-  ]
-}
--- a/salt/elasticsearch/files/ingest/bro_tunnels
+++ b/salt/elasticsearch/files/ingest/bro_tunnels
@@ -1,18 +0,0 @@
-{
-  "description" : "bro_tunnels",
-  "processors" : [
-    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
-    { "rename": 	{ "field": "message2.uid", 	 	"target_field": "uid",			"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_h", 		"path": "message2", 			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_h", 	"target_field": "source_ip",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_p", 	"target_field": "source_port",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_h", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_h", 	"target_field": "destination_ip",	"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_p", 	"target_field": "destination_port",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.tunnel_type", 	"target_field": "tunnel_type",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.action", 		"target_field": "action",		"ignore_missing": true 	} },
-    { "pipeline":       { "name": "bro_common"                                                                                   } }
-  ]
-}
--- a/salt/elasticsearch/files/ingest/bro_weird
+++ b/salt/elasticsearch/files/ingest/bro_weird
@@ -1,20 +0,0 @@
-{
-  "description" : "bro_weird",
-  "processors" : [
-    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
-    { "rename": 	{ "field": "message2.uid", 	 	"target_field": "uid",			"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_h", 		"path": "message2", 			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_h", 	"target_field": "source_ip",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.orig_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.orig_p", 	"target_field": "source_port",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_h", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_h", 	"target_field": "destination_ip",	"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "id.resp_p", 		"path": "message2",			"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.id.resp_p", 	"target_field": "destination_port",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.name", 		"target_field": "name",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.addl", 		"target_field": "additional_info",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.notice", 		"target_field": "notice",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.peer", 		"target_field": "peer",			"ignore_missing": true 	} },
-    { "pipeline":       { "name": "bro_common"                                                                                   } }
-  ]
-}
--- a/salt/elasticsearch/files/ingest/bro_x509
+++ b/salt/elasticsearch/files/ingest/bro_x509
@@ -1,44 +0,0 @@
-{
-  "description" : "bro_x509",
-  "processors" : [
-    { "json":		{ "field": "message",					"target_field": "message2",				"ignore_failure": true	} },
-    { "rename": 	{ "field": "message2.id", 	 			"target_field": "id",					"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "certificate.version",			"path": "message2", 					"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.certificate.version", 		"target_field": "certificate_version",			"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "certificate.serial",			"path": "message2", 					"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.certificate.serial", 		"target_field": "certificate_serial",			"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "certificate.subject",			"path": "message2", 					"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.certificate.subject", 		"target_field": "certificate_subject",			"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "certificate.issuer",			"path": "message2", 					"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.certificate.issuer", 		"target_field": "certificate_issuer",			"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "certificate.not_valid_before",		"path": "message2", 					"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.certificate.not_valid_before", 	"target_field": "certificate_not_valid_before",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "certificate.not_valid_after",		"path": "message2", 					"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.certificate.not_valid_after", 	"target_field": "certificate_not_valid_after",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "certificate.key_alg",			"path": "message2", 					"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.certificate.key_alg", 		"target_field": "certificate_key_algorithm",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "certificate.sig_alg",			"path": "message2", 					"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.certificate.sig_alg", 		"target_field": "certificate_signing_algorithm",	"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "certificate.key_type",			"path": "message2", 					"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.certificate.key_type", 		"target_field": "certificate_key_type",			"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "certificate.key_length",			"path": "message2", 					"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.certificate.key_length", 		"target_field": "certificate_key_length",		"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "certificate.exponent",			"path": "message2", 					"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.certificate.exponent", 		"target_field": "certificate_exponent",			"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "certificate.curve",				"path": "message2", 					"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.certificate.curve", 		"target_field": "certificate_curve",			"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "san.dns",					"path": "message2", 					"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.san.dns", 				"target_field": "san_dns",				"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "san.uri",					"path": "message2", 					"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.san.uri", 				"target_field": "san_uri",				"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "san.email",					"path": "message2", 					"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.san.email", 			"target_field": "san_email",				"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "san.ip",					"path": "message2", 					"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.san.ip", 				"target_field": "san_ip",				"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "basic_constraints.ca",			"path": "message2", 					"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.basic_constraints.ca", 		"target_field": "basic_constraints_ca",			"ignore_missing": true 	} },
-    { "dot_expander": 	{ "field": "basic_constraints.path_length",		"path": "message2", 					"ignore_failure": true 	} },
-    { "rename": 	{ "field": "message2.basic_constraints.path_length", 	"target_field": "basic_constraints_path_length",	"ignore_missing": true 	} },
-    { "pipeline":       { "name": "bro_common_ssl"                                                                                   				} }
-  ]
-}
--- a/salt/fleet/init.sls
+++ b/salt/fleet/init.sls
@@ -13,6 +13,9 @@
  {% set MAINIP = salt['pillar.get']('static:masterip') %}
 {% endif %}

+include:
+  - mysql
+
 #{% if grains.id.split('_')|last in ['master', 'eval', 'fleet'] %}
 #so/fleet:
 #  event.send:
@@ -86,6 +89,8 @@ fleetdb:
    - connection_port: 3306
    - connection_user: root
    - connection_pass: {{ MYSQLPASS }}
+    - require: 
+      - sls: mysql

 fleetdbuser:
  mysql_user.present:
@@ -95,6 +100,7 @@ fleetdbuser:
    - connection_port: 3306
    - connection_user: root
    - connection_pass: {{ MYSQLPASS }}
+    - require: fleetdb

 fleetdbpriv:
  mysql_grants.present:
@@ -106,6 +112,7 @@ fleetdbpriv:
    - connection_port: 3306
    - connection_user: root
    - connection_pass: {{ MYSQLPASS }}
+    - require: fleetdb


 {% if FLEETPASS == None or FLEETJWT == None %}
--- a/salt/mysql/init.sls
+++ b/salt/mysql/init.sls
@@ -85,4 +85,9 @@ so-mysql:
      - /opt/so/log/mysql:/var/log/mysql:rw
    - watch:
      - /opt/so/conf/mysql/etc
+  cmd.run:
+    - name: until nc -z {{ MAINIP }} 3306; do sleep 1; done
+    - timeout: 120
+    - onchanges:
+      - docker_container: so-mysql
 {% endif %}
--- a/test.log
+++ b/test.log
@@ -1,2 +0,0 @@
-Configuring minion type as eval
-Enabling checkin at boot