diff --git a/.DS_Store b/.DS_Store
new file mode 100644
index 000000000..6dac78507
Binary files /dev/null and b/.DS_Store differ
diff --git a/pillar/sensors/example.sls b/pillar/sensors/example.sls
new file mode 100644
index 000000000..77068ef91
--- /dev/null
+++ b/pillar/sensors/example.sls
@@ -0,0 +1,6 @@
+# Example Pillar file for a sensor
+sensor:
+  interface: CHANGEME
+  lbprocs: CHANGEME
+
+  
diff --git a/pillar/top.sls b/pillar/top.sls
new file mode 100644
index 000000000..868da6033
--- /dev/null
+++ b/pillar/top.sls
@@ -0,0 +1,4 @@
+base:
+  'G@role:so-sensor'
+    - sensor.schedule
+    - sensors.{{ hostname }}
diff --git a/salt/bro/files/node.cfg b/salt/bro/files/node.cfg
new file mode 100644
index 000000000..c9a0a5665
--- /dev/null
+++ b/salt/bro/files/node.cfg
@@ -0,0 +1,19 @@
+{%- set interface = salt['pillar.get'](sensor:interface) %}
+{%- set lbprocs = salt['pillar.get'](sensor:lbprocs) %}
+[manager]
+type=manager
+host=localhost
+
+[proxy]
+type=proxy
+host=localhost
+
+[sotest-eth1]
+type=worker
+host=localhost
+interface=af_packet::{{ interface }}
+lb_method=custom
+lb_procs={{ lbprocs }}
+af_packet_fanout_id=23
+af_packet_fanout_mode=AF_Packet::FANOUT_HASH
+af_packet_buffer_size=128*1024*1024
diff --git a/salt/bro/init.sls b/salt/bro/init.sls
new file mode 100644
index 000000000..cca953e7b
--- /dev/null
+++ b/salt/bro/init.sls
@@ -0,0 +1,35 @@
+# Bro Salt State
+# Add Bro User
+bro:
+  user.present:
+    - uid: 937
+    - gid: 937
+    - home: /home/bro
+
+file.directory:
+  - name: /opt/so/conf/bro
+  - user: 937
+  - group: 939
+
+file.directory:
+  - name: /opt/so/conf/bro/policy
+  - user: 937
+  - group: 939
+
+# Add the container
+
+so-bro:
+  dockerng.running:
+    - image: {{ dockerrepo }}/so-bro:{{ broversion }}
+    - hostname: bro
+    - user: bro
+    - priviledged: true
+    - binds:
+      - /nsm/bro/logs:/nsm/bro/logs:rw
+      - /nsm/bro/spool:/nsm/bro/spool:rw
+      - /opt/so/conf/bro/etc:/opt/bro/etc:ro
+      - /opt/so/conf/bro/etc/node.cfg:/opt/bro/etc/node.cfg:ro
+      - /opt/so/conf/share/bro:/opt/bro/share/bro:ro
+    - network_mode: host
+
+# Add Bro cron
diff --git a/salt/common/init.sls b/salt/common/init.sls
new file mode 100644
index 000000000..a9d18118c
--- /dev/null
+++ b/salt/common/init.sls
@@ -0,0 +1,37 @@
+# Create a state directory
+
+statedir:
+  file.directory:
+    - name: /opt/so/state
+
+salttmp:
+  file.directory:
+    - name: /opt/so/tmp
+
+# Install packages needed for the sensor
+
+sensorpkgs:
+  pkg.installed:
+    - skip_suggestions: True
+    - pkgs:
+      - docker
+
+# Always keep these packages up to date
+
+alwaysupdated:
+  pkg.latest:
+    - openssl
+    - openssh-server
+    - bash
+  - skip_suggestions: True
+
+# Set time to UTC
+
+Etc/UTC:
+  timezone.system
+
+# Set up docker network
+dockernet:
+  dockerng.network_present
+    - name: so-docker-net
+    - driver: bridge
diff --git a/salt/logstash/files/beats-template.json b/salt/logstash/files/beats-template.json
new file mode 100644
index 000000000..b0f9edc20
--- /dev/null
+++ b/salt/logstash/files/beats-template.json
@@ -0,0 +1,182 @@
+{
+  "index_patterns" : "beats-*",
+  "version" : 50001,
+  "settings" : {
+    "number_of_replicas": 0,
+    "number_of_shards": 1,
+    "index.refresh_interval" : "5s"
+  },
+  "mappings": {
+    "doc": {
+      "_meta": {
+        "version": "5.6.4"
+      },
+      "date_detection": false,
+      "dynamic_templates": [
+        {
+          "strings_as_keyword": {
+            "mapping": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "match_mapping_type": "string"
+          }
+        }
+      ],
+      "properties": {
+        "@timestamp": {
+          "type": "date"
+        },
+        "activity_id": {
+          "ignore_above": 1024,
+          "type": "keyword"
+        },
+        "beat": {
+          "properties": {
+            "hostname": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "computer_name": {
+          "ignore_above": 1024,
+          "type": "keyword"
+        },
+        "event_id": {
+          "type": "long"
+        },
+        "keywords": {
+          "ignore_above": 1024,
+          "type": "keyword"
+        },
+        "level": {
+          "ignore_above": 1024,
+          "type": "keyword"
+        },
+        "log_name": {
+          "ignore_above": 1024,
+          "type": "keyword"
+        },
+        "message": {
+          "norms": false,
+          "type": "text"
+        },
+        "message_error": {
+          "ignore_above": 1024,
+          "type": "keyword"
+        },
+        "meta": {
+          "properties": {
+            "cloud": {
+              "properties": {
+                "availability_zone": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "instance_id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "machine_type": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "project_id": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "provider": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "region": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            }
+          }
+        },
+        "opcode": {
+          "ignore_above": 1024,
+          "type": "keyword"
+        },
+        "process_id": {
+          "type": "long"
+        },
+        "provider_guid": {
+          "ignore_above": 1024,
+          "type": "keyword"
+        },
+        "record_number": {
+          "ignore_above": 1024,
+          "type": "keyword"
+        },
+        "related_activity_id": {
+          "ignore_above": 1024,
+          "type": "keyword"
+        },
+        "source_name": {
+          "ignore_above": 1024,
+          "type": "keyword"
+        },
+        "tags": {
+          "ignore_above": 1024,
+          "type": "keyword"
+        },
+        "task": {
+          "ignore_above": 1024,
+          "type": "keyword"
+        },
+        "thread_id": {
+          "type": "long"
+        },
+        "type": {
+          "ignore_above": 1024,
+          "type": "keyword"
+        },
+        "user": {
+          "properties": {
+            "domain": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "identifier": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "type": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
+        "version": {
+          "type": "long"
+        },
+        "xml": {
+          "norms": false,
+          "type": "text"
+        }
+      }
+    }
+  },
+  "order": 0,
+  "settings": {
+    "index.mapping.total_fields.limit": 10000,
+    "index.refresh_interval": "5s"
+  }
+}
diff --git a/salt/logstash/files/conf.d/0000_input_syslogng.conf b/salt/logstash/files/conf.d/0000_input_syslogng.conf
new file mode 100644
index 000000000..791045f46
--- /dev/null
+++ b/salt/logstash/files/conf.d/0000_input_syslogng.conf
@@ -0,0 +1,19 @@
+# Original Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/15/2017
+
+input {
+  tcp {
+    port => 6050
+    codec =>   json
+    tags => "syslogng"
+  }
+}
+filter {
+  if "syslogng" in [tags] {
+	mutate {
+	  #add_tag => [ "conf_file_0000"]
+	}
+  }  
+}
diff --git a/salt/logstash/files/conf.d/0001_input_json.conf b/salt/logstash/files/conf.d/0001_input_json.conf
new file mode 100644
index 000000000..4df89d293
--- /dev/null
+++ b/salt/logstash/files/conf.d/0001_input_json.conf
@@ -0,0 +1,19 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+input {
+  tcp {
+    port => 6051
+    codec =>   json
+    tags => [ "json" ]
+  }
+}
+filter {
+  if "json" in [tags] {
+    mutate {
+		#add_tag => [ "conf_file_0001"]
+	}
+  }
+}
\ No newline at end of file
diff --git a/salt/logstash/files/conf.d/0002_input_windows_json.conf b/salt/logstash/files/conf.d/0002_input_windows_json.conf
new file mode 100644
index 000000000..54b700bd5
--- /dev/null
+++ b/salt/logstash/files/conf.d/0002_input_windows_json.conf
@@ -0,0 +1,22 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+input {
+  tcp {
+    port => 6052
+    type => "windows"
+    tags => [ "json" ]
+    codec =>   json {
+      charset => "CP1252"
+    }
+  }
+}
+filter {
+  if [type] == "windows" {
+    mutate {
+		#add_tag => [ "conf_file_0002"]
+	}
+  }
+}
\ No newline at end of file
diff --git a/salt/logstash/files/conf.d/0003_input_syslog.conf b/salt/logstash/files/conf.d/0003_input_syslog.conf
new file mode 100644
index 000000000..dbd1c29bb
--- /dev/null
+++ b/salt/logstash/files/conf.d/0003_input_syslog.conf
@@ -0,0 +1,18 @@
+# Original Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/15/2017
+
+#input {
+#  udp {
+#    port => 1514
+#    tags => "syslog"
+#  }
+#}
+#filter {
+#  if "syslog" in [tags] {
+#    mutate {
+#		#add_tag => [ "conf_file_0003"]
+#	}
+#  }
+#}
diff --git a/salt/logstash/files/conf.d/0005_input_suricata.conf b/salt/logstash/files/conf.d/0005_input_suricata.conf
new file mode 100644
index 000000000..d3d23063a
--- /dev/null
+++ b/salt/logstash/files/conf.d/0005_input_suricata.conf
@@ -0,0 +1,19 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+input {
+  tcp {
+    port => 6053
+    codec => json
+    type => "suricata"
+  }
+}
+filter {
+  if [type] == "suricata" {
+    mutate {
+		#add_tag => [ "conf_file_0005"]
+	}
+  }
+}
\ No newline at end of file
diff --git a/salt/logstash/files/conf.d/0006_input_beats.conf b/salt/logstash/files/conf.d/0006_input_beats.conf
new file mode 100644
index 000000000..d4a57c998
--- /dev/null
+++ b/salt/logstash/files/conf.d/0006_input_beats.conf
@@ -0,0 +1,11 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolutions.com
+# Last Update: 12/11/2017
+
+input {
+  beats {
+    port => "5044"
+    tags => [ "beat" ]
+  }
+}
diff --git a/salt/logstash/files/conf.d/0007_input_import.conf b/salt/logstash/files/conf.d/0007_input_import.conf
new file mode 100644
index 000000000..c502b57ca
--- /dev/null
+++ b/salt/logstash/files/conf.d/0007_input_import.conf
@@ -0,0 +1,182 @@
+# Updated by: Doug Burks
+# Last Update: 5/16/2017
+
+input {
+	file {
+		path => "/nsm/import/bro/conn*"
+		type => "bro_conn"
+	    	tags => ["bro", "import"]
+	}
+	file {
+		path => "/nsm/import/bro/dce_rpc*"
+		type => "bro_dce_rpc"
+	    	tags => ["bro", "import"]
+	}
+	file {
+		path => "/nsm/import/bro/dhcp*"
+		type => "bro_dhcp"
+	    	tags => ["bro", "import"]
+	}
+	file {
+		path => "/nsm/import/bro/dnp3*"
+		type => "bro_dnp3"
+	    	tags => ["bro", "import"]
+	}
+	file {
+		path => "/nsm/import/bro/dns*"
+		type => "bro_dns"
+	    	tags => ["bro", "import"]
+	}
+	file {
+		path => "/nsm/import/bro/dpd*"
+		type => "bro_dpd"
+	    	tags => ["bro", "import"]
+	}
+	file {
+		path => "/nsm/import/bro/files*"
+		type => "bro_files"
+	    	tags => ["bro", "import"]
+	}
+	file {
+		path => "/nsm/import/bro/ftp*"
+		type => "bro_ftp"
+	    	tags => ["bro", "import"]
+	}
+	file {
+		path => "/nsm/import/bro/http*"
+		type => "bro_http"
+	    	tags => ["bro", "import"]
+	}
+	file {
+		path => "/nsm/import/bro/intel*"
+		type => "bro_intel"
+	    	tags => ["bro", "import"]
+	}
+	file {
+		path => "/nsm/import/bro/irc*"
+		type => "bro_irc"
+	    	tags => ["bro", "import"]
+	}
+	file {
+		path => "/nsm/import/bro/kerberos*"
+		type => "bro_kerberos"
+	    	tags => ["bro", "import"]
+	}
+	file {
+		path => "/nsm/import/bro/modbus*"
+		type => "bro_modbus"
+	    	tags => ["bro", "import"]
+	}
+	file {
+		path => "/nsm/import/bro/mysql*"
+		type => "bro_mysql"
+	    	tags => ["bro", "import"]
+	}
+	file {
+		path => "/nsm/import/bro/notice*"
+		type => "bro_notice"
+	    	tags => ["bro", "import"]
+	}
+	file {
+		path => "/nsm/import/bro/ntlm*"
+		type => "bro_ntlm"
+	    	tags => ["bro", "import"]
+	}
+	file {
+		path => "/nsm/import/bro/pe*"
+		type => "bro_pe"
+	    	tags => ["bro", "import"]
+	}
+	file {
+		path => "/nsm/import/bro/radius*"
+		type => "bro_radius"
+	    	tags => ["bro", "import"]
+	}
+	file {
+		path => "/nsm/import/bro/rdp*"
+		type => "bro_rdp"
+	    	tags => ["bro", "import"]
+	}
+	file {
+		path => "/nsm/import/bro/rfb*"
+		type => "bro_rfb"
+	    	tags => ["bro", "import"]
+	}
+	file {
+		path => "/nsm/import/bro/signatures*"
+		type => "bro_signatures"
+	    	tags => ["bro", "import"]
+	}
+	file {
+		path => "/nsm/import/bro/sip*"
+		type => "bro_sip"
+	    	tags => ["bro", "import"]
+	}
+	file {
+		path => "/nsm/import/bro/smb_files*"
+		type => "bro_smb_files"
+	    	tags => ["bro", "import"]
+	}
+	file {
+		path => "/nsm/import/bro/smb_mapping*"
+		type => "bro_smb_mapping"
+	    	tags => ["bro", "import"]
+	}
+	file {
+		path => "/nsm/import/bro/smtp*"
+		type => "bro_smtp"
+	    	tags => ["bro", "import"]
+	}
+	file {
+		path => "/nsm/import/bro/snmp*"
+		type => "bro_snmp"
+	    	tags => ["bro", "import"]
+	}
+	file {
+		path => "/nsm/import/bro/socks*"
+		type => "bro_socks"
+	    	tags => ["bro", "import"]
+	}
+	file {
+		path => "/nsm/import/bro/software*"
+		type => "bro_software"
+	    	tags => ["bro", "import"]
+	}
+	file {
+		path => "/nsm/import/bro/ssh*"
+		type => "bro_ssh"
+	    	tags => ["bro", "import"]
+	}
+	file {
+		path => "/nsm/import/bro/ssl*"
+		type => "bro_ssl"
+	    	tags => ["bro", "import"]
+	}
+	file {
+		path => "/nsm/import/bro/syslog*"
+		type => "bro_syslog"
+	    	tags => ["bro", "import"]
+	}
+	file {
+		path => "/nsm/import/bro/tunnel*"
+		type => "bro_tunnels"
+	    	tags => ["bro", "import"]
+	}
+	file {
+		path => "/nsm/import/bro/weird*"
+		type => "bro_weird"
+	    	tags => ["bro", "import"]
+	}
+	file {
+		path => "/nsm/import/bro/x509*"
+		type => "bro_x509"
+	    	tags => ["bro", "import"]
+	}
+}
+filter {
+  if "import" in [tags] {
+	mutate {
+	  #add_tag => [ "conf_file_0006"]
+	}
+  }  
+}
diff --git a/salt/logstash/files/conf.d/1000_preprocess_log_elapsed.conf b/salt/logstash/files/conf.d/1000_preprocess_log_elapsed.conf
new file mode 100644
index 000000000..d098eb11a
--- /dev/null
+++ b/salt/logstash/files/conf.d/1000_preprocess_log_elapsed.conf
@@ -0,0 +1,13 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  ruby {
+    code => "event.set('task_start', Time.now.to_f)"
+  }
+  mutate {
+    #add_tag => [ "conf_file_1000"]
+  }
+}
diff --git a/salt/logstash/files/conf.d/1001_preprocess_syslogng.conf b/salt/logstash/files/conf.d/1001_preprocess_syslogng.conf
new file mode 100644
index 000000000..d2467a3f8
--- /dev/null
+++ b/salt/logstash/files/conf.d/1001_preprocess_syslogng.conf
@@ -0,0 +1,30 @@
+# Updated by: Doug Burks
+# Last Update: 5/15/2017
+
+filter {
+  if "syslogng" in [tags] {
+	mutate {
+		rename => { "MESSAGE" => "message" }
+		rename => { "PROGRAM" => "type" }
+		rename => { "FACILITY" => "syslog-facility" }
+		rename => { "FILE_NAME" => "syslog-file_name" }
+		rename => { "HOST" => "syslog-host" }
+		rename => { "HOST_FROM" => "syslog-host_from" }
+		rename => { "LEGACY_MSGHDR" => "syslog-legacy_msghdr" }
+		rename => { "PID" => "syslog-pid" }
+		rename => { "PRIORITY" => "syslog-priority" }
+		rename => { "SOURCEIP" => "syslog-sourceip" }
+		rename => { "TAGS" => "syslog-tags" }
+          	#add_tag => [ "conf_file_1000"]
+	}
+	if "bro_" in [type] {
+		mutate {
+			add_tag => [ "bro"]
+		}
+	} else {
+		mutate {
+			add_tag => [ "syslog"]
+		}
+	}
+  }
+}
diff --git a/salt/logstash/files/conf.d/1002_preprocess_json.conf b/salt/logstash/files/conf.d/1002_preprocess_json.conf
new file mode 100644
index 000000000..8aff64715
--- /dev/null
+++ b/salt/logstash/files/conf.d/1002_preprocess_json.conf
@@ -0,0 +1,18 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if "json" in [tags]{
+    json {
+      source => "message"
+    }
+    mutate {
+      remove_tag => [ "json" ]
+    }
+	mutate {
+		#add_tag => [ "conf_file_1001"]
+	}
+  }
+}
diff --git a/salt/logstash/files/conf.d/1003_preprocess_bro.conf b/salt/logstash/files/conf.d/1003_preprocess_bro.conf
new file mode 100644
index 000000000..e24da1329
--- /dev/null
+++ b/salt/logstash/files/conf.d/1003_preprocess_bro.conf
@@ -0,0 +1,24 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/15/2017
+
+filter {
+  if "bro" in [tags] {
+    # If a log comes in with a message starting with # then drop it as it doesn'then
+	# contain anything and is the header of a rotated bro log
+    if [message] =~ /^#/ {
+      drop {  }
+    } else {
+	  # Replace the host field with the host found in the bro log
+      if [bro_host] {
+#        mutate {
+#          replace => [ "host", "%{bro_host}" ]
+#        }
+      }
+    }
+	mutate {
+		#add_tag => [ "conf_file_1002"]
+	}
+  }
+}
diff --git a/salt/logstash/files/conf.d/1004_preprocess_syslog_types.conf b/salt/logstash/files/conf.d/1004_preprocess_syslog_types.conf
new file mode 100644
index 000000000..5b47968b2
--- /dev/null
+++ b/salt/logstash/files/conf.d/1004_preprocess_syslog_types.conf
@@ -0,0 +1,19 @@
+filter {
+  if "syslog" in [tags] {
+    if [host] == "172.16.1.1" {
+      mutate {
+        add_field => { "type" => "fortinet" }
+        add_tag => [ "firewall" ]
+      }
+    }
+    if [host] == "10.0.0.101" {
+      mutate {
+        add_field => { "type" => "brocade" }
+        add_tag => [ "switch" ]
+      }
+    }
+	mutate {
+		#add_tag => [ "conf_file_1003"]
+	}
+  }
+}
diff --git a/salt/logstash/files/conf.d/1026_preprocess_dhcp.conf b/salt/logstash/files/conf.d/1026_preprocess_dhcp.conf
new file mode 100644
index 000000000..6ba00012f
--- /dev/null
+++ b/salt/logstash/files/conf.d/1026_preprocess_dhcp.conf
@@ -0,0 +1,156 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+#
+# This conf file is based on accepting logs for DHCP.  It is currently based on Windows DHCP only.
+filter {
+  if [type] == "dhcp" {
+    mutate {
+      add_field => { "Hostname" => "%{host}" }
+    }
+    mutate {
+      strip => "message"
+    }
+  }
+  # If the message contains nothing then drop it
+  if [message] =~ /^$/ {
+    drop {  }
+  } 
+  # If the message starts with # then drop it as it is the header of the DHCP log.
+  # This behavior is normal when the log is rotated.
+  if [message] =~ /^#/ {
+    drop {  }
+  } else {
+    if [type] == "dhcp" {
+	  # This is the initial parsing of the log
+      grok {
+        # Server 2008+
+        match => { "message" => "%{DATA:id},%{DATE_US:date},(?<time>%{HOUR}:%{MINUTE}:%{SECOND}),%{DATA:description},%{IPV4:ip},%{DATA:Hostname},%{DATA:mac},%{DATA:Username},%{INT:TransactionID},%{INT:QResult},%{DATA:ProbationTime},%{DATA:CorrelationID}"}
+        # Server 2003
+        match => { "message" => "%{DATA:id},%{DATE_US:date},(?<time>%{HOUR}:%{MINUTE}:%{SECOND}),%{DATA:description},%{IPV4:ip},%{DATA:Hostname},%{DATA:mac},"}
+        match => { "message" => "%{DATA:id},%{DATA:date},(?<time>%{HOUR}:%{MINUTE}:%{SECOND}),%{DATA:description},%{DATA:ip},%{DATA:Hostname},%{DATA:mac},"}
+      }
+	  # This section below translates the message ID into something humans can understand.
+      if [id] == "00" {
+        mutate {
+          add_field => [ "event", "The log was started"]
+        }
+      }
+      if [id] == "01" {
+        mutate {
+          add_field => [ "event", "The log was stopped"]
+        }
+      }
+      if [id] == "02" {
+        mutate {
+          add_field => [ "event", "The log was temporarily paused due to low disk space"]
+        }
+      }
+      if [id] == "10" {
+        mutate {
+          add_field => [ "event", "A new IP address was leased to a client"]
+        }
+      }
+      if [id] == "11" {
+        mutate {
+          add_field => [ "event", "A lease was renewed by a client"]
+        }
+      }
+      if [id] == "12" {
+        mutate {
+          add_field => [ "event", "A lease was released by a client"]
+        }
+      }
+      if [id] == "13" {
+        mutate {
+          add_field => [ "event", "An IP address was found to be in use on the network"]
+        }
+      }
+      if [id] == "14" {
+        mutate {
+          add_field => [ "event", "A lease request could not be satisfied because the scope's address pool was exhausted"]
+        }
+      }
+      if [id] == "15" {
+        mutate {
+          add_field => [ "event", "A lease was denied"]
+        }
+      }
+      if [id] == "16" {
+        mutate {
+          add_field => [ "event", "A lease was deleted"]
+        }
+      }
+      if [id] == "17" {
+        mutate {
+          add_field => [ "event", "A lease was expired and DNS records for an expired leases have not been deleted"]
+        }
+      }
+      if [id] == "18" {
+        mutate {
+          add_field => [ "event", "A lease was expired and DNS records were deleted"]
+        }
+      }
+      if [id] == "20" {
+        mutate {
+          add_field => [ "event", "A BOOTP address was leased to a client"]
+        }
+      }
+      if [id] == "21" {
+        mutate {
+          add_field => [ "event", "A dynamic BOOTP address was leased to a client"]
+        }
+      }
+      if [id] == "22" {
+        mutate {
+          add_field => [ "event", "A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted"]
+        }
+      }
+      if [id] == "23" {
+        mutate {
+          add_field => [ "event", "A BOOTP IP address was deleted after checking to see it was not in use"]
+        }
+      }
+      if [id] == "24" {
+        mutate {
+          add_field => [ "event", "IP address cleanup operation has began"]
+        }
+      }
+      if [id] == "25" {
+        mutate {
+          add_field => [ "event", "IP address cleanup statistics"]
+        }
+      }
+      if [id] == "30" {
+        mutate {
+          add_field => [ "event", "DNS update request to the named DNS server"]
+        }
+      }
+      if [id] == "31" {
+        mutate {
+          add_field => [ "event", "DNS update failed"]
+        }
+      }
+      if [id] == "32" {
+        mutate {
+          add_field => [ "event", "DNS update successful"]
+        }
+      }
+      if [id] == "33" {
+        mutate {
+          add_field => [ "event", "Packet dropped due to NAP policy"]
+        }
+      }
+	  # If the message failed to parse correctly keep the message for debugging.  Otherwise, drop it.
+      #if "_grokparsefailure" not in [tags] { 
+      #  mutate {
+      #    remove_field => [ "message"]
+      #  }
+      #}
+    }
+	mutate {
+		#add_tag => [ "conf_file_1026"]
+	}
+  }
+}
diff --git a/salt/logstash/files/conf.d/1029_preprocess_esxi.conf b/salt/logstash/files/conf.d/1029_preprocess_esxi.conf
new file mode 100644
index 000000000..18120d00d
--- /dev/null
+++ b/salt/logstash/files/conf.d/1029_preprocess_esxi.conf
@@ -0,0 +1,31 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+#
+# This configuration file takes ESXi syslog messages and filters them.  There is no input as the logs would have came in via syslog
+filter {
+  # This is an example of using an IP address range to classify a syslog message to a specific type of log
+  # This is helpful as so many devices only send logs via syslog
+  if [host] =~ "10\.[0-1]\.9\." {
+    mutate {
+      replace => ["type", "esxi"]
+    }
+  }
+  if [host] =~ "\.234$" {
+    mutate {
+      replace => ["type", "esxi"]
+    }
+  }
+  if [type] == "esxi" {
+     grok {
+          match => { "message" => "(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGHOST:logsource}) (?:%{SYSLOGPROG}): (?<messagebody>(?:\[(?<esxi_thread_id>[0-9A-Z]{8,8}) %{DATA:esxi_loglevel} \'%{DATA:esxi_service}\'\] %{GREEDYDATA:esxi_message}|%{GREEDYDATA}))"}
+
+#      pattern => ['(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGHOST:logsource}) (?:%{SYSLOGPROG}): (?<messagebody>(?:\[(?<esxi_thread_id>[0-9A-Z]{8,8}) %{DATA:esxi_loglevel} \'%{DATA:esxi_service}\'\] %{GREEDYDATA:esxi_message}|%{GREEDYDATA}))']
+    }
+	mutate {
+		#add_tag => [ "conf_file_1029"]
+	}
+  }
+}
+
diff --git a/salt/logstash/files/conf.d/1030_preprocess_greensql.conf b/salt/logstash/files/conf.d/1030_preprocess_greensql.conf
new file mode 100644
index 000000000..adea86053
--- /dev/null
+++ b/salt/logstash/files/conf.d/1030_preprocess_greensql.conf
@@ -0,0 +1,21 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [type] == "greensql" {
+    # This section is parsing out the fields for GreenSQL syslog data
+    grok {
+      match => { "message" => "<%{INT:Code}>%{DATA:Category}\[%{INT:Transcation}\]:\s*Database=%{DATA:Database}\sUser=%{DATA:UserName}\sApplication Name=%{DATA:Application}\sSource IP=%{IPV4:SrcIp}\sSource Port=%{INT:SrcPort}\sTarget IP=?%{IPV4:DstIp}\sTarget Port=%{DATA:DstPort}\sQuery=%{GREEDYDATA:Query}"}
+      match => { "message" => "<%{INT:Code}>%{DATA:Category}\[%{INT:Transcation}\]:\sAdmin_Name=%{DATA:UserName}\sIP_Address=%{IPV4:SrcIp}\sUser_Agent=%{DATA:UserAgent}\sMessage=%{DATA:StatusMessage}\sDescription=%{DATA:Description}\sSeverity=%{GREEDYDATA:Severity}"}
+    }
+	# Remove the message field as it is unnecessary
+    #mutate {
+    #  remove_field => [ "message"]
+    #}
+	mutate {
+		#add_tag => [ "conf_file_1030"]
+	}
+  }
+}
diff --git a/salt/logstash/files/conf.d/1031_preprocess_iis.conf b/salt/logstash/files/conf.d/1031_preprocess_iis.conf
new file mode 100644
index 000000000..9bcd33a3e
--- /dev/null
+++ b/salt/logstash/files/conf.d/1031_preprocess_iis.conf
@@ -0,0 +1,21 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [type] == "iis" {
+    # The log is expected to have come from NXLog and in JSON format.  This allows for automatic parsing of fields
+    json {
+      source => "message"
+    }
+    # This removes the message field as it is unneccesary and tags the packet as web
+    mutate {
+    #  remove_field => [ "message"]
+      add_tag => [ "web" ]
+    }
+	mutate {
+		#add_tag => [ "conf_file_1031"]
+	}
+  }
+}
diff --git a/salt/logstash/files/conf.d/1032_preprocess_mcafee.conf b/salt/logstash/files/conf.d/1032_preprocess_mcafee.conf
new file mode 100644
index 000000000..de5466288
--- /dev/null
+++ b/salt/logstash/files/conf.d/1032_preprocess_mcafee.conf
@@ -0,0 +1,26 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+#
+# This file looks for McAfee EPO logs
+filter {
+  if [type] == "mcafee" {
+    # NXLog should be sending the logs in JSON format so they auto parse
+    json {
+      source => "message"
+    }
+	# This section converts the UTC fields to the proper time format
+    date {
+      match => [ "ReceivedUTC", "YYYY-MM-dd HH:mm:ss" ]
+      target => [ "ReceivedUTC" ]
+    }
+    date {
+      match => [ "DetectedUTC", "YYYY-MM-dd HH:mm:ss" ]
+      target => [ "DetectedUTC" ]
+    }
+	mutate {
+		#add_tag => [ "conf_file_1032"]
+	}
+  }
+}
diff --git a/salt/logstash/files/conf.d/1033_preprocess_snort.conf b/salt/logstash/files/conf.d/1033_preprocess_snort.conf
new file mode 100644
index 000000000..659a13c90
--- /dev/null
+++ b/salt/logstash/files/conf.d/1033_preprocess_snort.conf
@@ -0,0 +1,89 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Wes Lambert
+# Last Update: 12/15/2017
+
+filter {
+  if [type] == "snort" {
+    # This is the initial parsing of the log
+    grok {
+      match => ["message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+<%{DATA:interface}>\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip}):%{INT:destination_port}",
+		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+<%{DATA:interface}>\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip})", 
+		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+%{IPV4:destination_ip}:%{INT:destination_port}", 
+		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip})",
+		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip}):%{INT:destination_port}",
+               "message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip})",
+		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}",
+		"message", "%{GREEDYDATA:alert}"]
+    }
+	
+	# If the alert is a Snort GPL alert break it apart for easier reading and categorization
+    if [alert] =~ "GPL " {
+	  # This will parse out the category type from the alert
+      grok {
+        match => { "alert" => "GPL\s+%{DATA:category}\s" }
+      }
+	  # This will store the category
+      mutate {
+        add_field => { "rule_type" => "Snort GPL" }
+        lowercase => [ "category"]
+        }
+    }
+	# If the alert is an Emerging Threat alert break it apart for easier reading and categorization
+    if [alert] =~ "ET " {
+	  # This will parse out the category type from the alert
+      grok {
+        match => { "alert" => "ET\s+%{DATA:category}\s" }
+      }
+	  # This will store the category
+      mutate {
+        add_field => { "rule_type" => "Emerging Threats" }
+        lowercase => [ "category"]
+      }
+    }
+	# I recommend changing the field types below to integer so searches can do greater than or less than
+	# and also so math functions can be ran against them
+    mutate {
+      convert => [ "source_port", "integer" ]
+      convert => [ "destination_port", "integer" ]
+      convert => [ "gid", "integer" ]
+      convert => [ "sid", "integer" ]
+    #  remove_field => [ "message"]
+    }
+	# This will translate the priority field into a severity field of either High, Medium, or Low
+	if [priority] == 1 {
+      mutate {
+        add_field => { "severity" => "High" }
+      }
+    }
+    if [priority] == 2 {
+      mutate {
+        add_field => { "severity" => "Medium" }
+      }
+    }
+    if [priority] == 3 {
+      mutate {
+        add_field => { "severity" => "Low" }
+      }
+    }
+    # This section adds URLs to lookup information about a rule online
+    if [sid] and [sid] > 0 and [sid] < 1000000 {
+      mutate {
+        add_field => [ "signature_info", "https://www.snort.org/search?query=%{gid}-%{sid}" ]
+      }
+    }
+    if [sid] and [sid] > 1999999 and [sid] < 2999999 {
+      mutate {
+        add_field => [ "signature_info", "http://doc.emergingthreats.net/%{sid}" ]
+      }
+    }
+    if [gid] and [gid] == 1 and [sid] and [sid] > 0 and [sid] < 1000000000 {
+      ruby {
+         code => "sid = event.get('sid'); event.set('rule', `grep -h sid:#{sid} /etc/nsm/rules/*.rules | sort -u`)"
+	}
+    }
+#	mutate {
+		#add_tag => [ "conf_file_1033"]
+#	}
+  }
+}
diff --git a/salt/logstash/files/conf.d/1034_preprocess_syslog.conf b/salt/logstash/files/conf.d/1034_preprocess_syslog.conf
new file mode 100644
index 000000000..998109685
--- /dev/null
+++ b/salt/logstash/files/conf.d/1034_preprocess_syslog.conf
@@ -0,0 +1,16 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/22/2017
+
+filter {
+  if [type] == "syslog" { 
+    # This drops syslog messages regarding license messages.  You may want to comment it out.
+    #if [message] =~ "license" {
+    #  drop { }
+    #}
+	mutate {
+		#convert => [ "status_code", "integer" ]
+	}
+  }  
+}
diff --git a/salt/logstash/files/conf.d/1100_preprocess_bro_conn.conf b/salt/logstash/files/conf.d/1100_preprocess_bro_conn.conf
new file mode 100644
index 000000000..87f090408
--- /dev/null
+++ b/salt/logstash/files/conf.d/1100_preprocess_bro_conn.conf
@@ -0,0 +1,44 @@
+# Original Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Wes Lambert
+# Last Update: 12/14/2017
+#
+# This conf file is based on accepting logs for conn.log from Bro systems
+filter {
+  if [type] == "bro_conn" {
+    # This is the initial parsing of the log
+    mutate {
+      gsub => [ "message", "[\"']", "" ]
+    }
+    csv {
+      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","protocol","service","duration","original_bytes","respond_bytes","connection_state","local_orig","local_respond","missed_bytes","history","original_packets","original_ipbytes","respond_packets","respond_ipbytes","tunnel_parents","original_country_code","respond_country_code","sensor_name"]
+
+    # If you use a custom delimiter, change the following value in between the quotes to your delimiter. Otherwise, insert a literal <tab> in between the two quotes on your logstash system, use a text editor like nano that doesn't convert tabs to spaces.
+      separator => "	"
+    }
+    translate {
+      field => "connection_state"
+
+      destination => "connection_state_description"
+
+      dictionary => [
+                    "S0", "Connection attempt seen, no reply",
+                    "S1", "Connection established, not terminated",
+                    "S2", "Connection established and close attempt by originator seen (but no reply from responder)",
+                    "S3", "Connection established and close attempt by responder seen (but no reply from originator)",
+                    "SF", "Normal SYN/FIN completion",
+                    "REJ", "Connection attempt rejected",
+                    "RSTO", "Connection established, originator aborted (sent a RST)",
+                    "RSTR", "Established, responder aborted",
+                    "RSTOS0", "Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder",
+                    "RSTRH", "Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator",
+                    "SH", "Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was 'half' open)",
+		    "SHR", "Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator",
+                    "OTH", "No SYN seen, just midstream traffic (a 'partial connection' that was not later closed)"
+                    ]
+    }
+	mutate {
+		#add_tag => [ "conf_file_1100"]
+	}
+  }
+}
diff --git a/salt/logstash/files/conf.d/1101_preprocess_bro_dhcp.conf b/salt/logstash/files/conf.d/1101_preprocess_bro_dhcp.conf
new file mode 100644
index 000000000..e835ecef6
--- /dev/null
+++ b/salt/logstash/files/conf.d/1101_preprocess_bro_dhcp.conf
@@ -0,0 +1,17 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+#
+# This conf file is based on accepting logs for dhcp.log from Bro systems
+filter {
+  if [type] == "bro_dhcp" {
+    # This is the initial parsing of the log
+    grok {
+      match => [ "message", "(?<timestamp>(.*?))\t(?<uid>(.*?))\t(?<source_ip>(.*?))\t(?<source_port>(.*?))\t(?<destination_ip>(.*?))\t(?<destination_port>(.*?))\t(?<mac>(.*?))\t(?<assigned_ip>(.*?))\t(?<lease_time>(.*?))\t(?<transaction_id>(.*))" ]
+    }
+	mutate {
+		#add_tag => [ "conf_file_1101"]
+	}
+  }
+}
diff --git a/salt/logstash/files/conf.d/1102_preprocess_bro_dns.conf b/salt/logstash/files/conf.d/1102_preprocess_bro_dns.conf
new file mode 100644
index 000000000..53cf5addc
--- /dev/null
+++ b/salt/logstash/files/conf.d/1102_preprocess_bro_dns.conf
@@ -0,0 +1,36 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Updated by Wes Lambert
+# Last Update: 12/14/2017
+#
+# This conf file is based on accepting logs for dns.log from Bro systems
+filter {
+  if [type] == "bro_dns" {
+    # This is the initial parsing of the log
+    mutate {
+      gsub => [ "message", "[\"']", "" ]
+    }
+    csv {
+      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","protocol","transaction_id","rtt","query","query_class","query_class_name","query_type","query_type_name","rcode","rcode_name","aa","tc","rd","ra","z","answers","ttls","rejected"]
+
+      #If you use a custom delimiter, change the following value in between the quotes to your delimiter. Otherwise, insert a literal <tab> in between the two quotes on your logstash system, use a text editor like nano that doesn't convert tabs to spaces.
+      separator => "	"
+    }
+    mutate {
+		  add_tag => [ "dns" ]
+	  }
+    if [ttls] == "-" {
+      mutate {
+        remove_field => [ "ttls" ]
+      }
+    } else {
+      mutate {
+        convert => [ "ttls", "float" ]
+      }
+    }
+	mutate {
+		#add_tag => [ "conf_file_1102"]
+	}
+  }
+}
diff --git a/salt/logstash/files/conf.d/1103_preprocess_bro_dpd.conf b/salt/logstash/files/conf.d/1103_preprocess_bro_dpd.conf
new file mode 100644
index 000000000..39603bf6e
--- /dev/null
+++ b/salt/logstash/files/conf.d/1103_preprocess_bro_dpd.conf
@@ -0,0 +1,22 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Updated by Wes Lambert
+# Last Update: 12/14/2017
+#
+# This conf file is based on accepting logs for dpd.log from Bro systems
+filter {
+  if [type] == "bro_dpd" {
+    # This is the initial parsing of the log
+    mutate {
+      gsub => [ "message", "[\"']", "" ]
+    }
+    csv {
+      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","protocol","analyzer","failure_reason"]
+      separator => "	"
+    }
+	mutate {
+		#add_tag => [ "conf_file_1103"]
+	}
+  }	
+}
diff --git a/salt/logstash/files/conf.d/1104_preprocess_bro_files.conf b/salt/logstash/files/conf.d/1104_preprocess_bro_files.conf
new file mode 100644
index 000000000..665889358
--- /dev/null
+++ b/salt/logstash/files/conf.d/1104_preprocess_bro_files.conf
@@ -0,0 +1,18 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/14/2017 - Wes lambert
+#
+# This conf file is based on accepting logs for files.log from Bro systems
+filter {
+  if [type] == "bro_files" {
+    # This is the initial parsing of the log
+    csv {
+      columns => ["timestamp","fuid","file_ip","destination_ip","connection_uids","source","depth","analyzer","mimetype","file_name","duration","local_orig","is_orig","seen_bytes","total_bytes","missing_bytes","overflow_bytes","timed_out","parent_fuid","md5","sha1","sha256","extracted"]
+      separator => "	"
+    }
+	mutate {
+		#add_tag => [ "conf_file_1104"]
+	}
+  }
+}
diff --git a/salt/logstash/files/conf.d/1105_preprocess_bro_ftp.conf b/salt/logstash/files/conf.d/1105_preprocess_bro_ftp.conf
new file mode 100644
index 000000000..8d1dd1963
--- /dev/null
+++ b/salt/logstash/files/conf.d/1105_preprocess_bro_ftp.conf
@@ -0,0 +1,21 @@
+# Original Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Wes Lambert
+# Last Update: 12/14/2017
+#
+# This conf file is based on accepting logs for ftp.log from Bro systems
+filter {
+  if [type] == "bro_ftp" {
+    # This is the initial parsing of the log
+    mutate {
+      gsub => [ "message", "[\"']", "" ]
+    }
+    csv {
+      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","ftp_username","password","ftp_command","ftp_argument","mimetype","file_size","reply_code","reply_message","data_channel_passive","data_channel_source_ip","data_channel_destination_ip","data_channel_destination_port","fuid"]
+      separator => "	"
+    }
+	mutate {
+		#add_tag => [ "conf_file_1105"]
+	}
+  }	
+}
diff --git a/salt/logstash/files/conf.d/1106_preprocess_bro_http.conf b/salt/logstash/files/conf.d/1106_preprocess_bro_http.conf
new file mode 100644
index 000000000..b4f25bf16
--- /dev/null
+++ b/salt/logstash/files/conf.d/1106_preprocess_bro_http.conf
@@ -0,0 +1,21 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/15/2017
+#
+# This conf file is based on accepting logs for http.log from Bro systems
+filter {
+  if [type] == "bro_http" {
+    grok {
+      match => [ "message", "(?<timestamp>(.*?))\t(?<uid>(.*?))\t(?<source_ip>(.*?))\t(?<source_port>(.*?))\t(?<destination_ip>(.*?))\t(?<destination_port>(.*?))\t(?<trans_depth>(.*?))\t(?<method>(.*?))\t(?<virtual_host>(.*?))\t(?<uri>(.*?))\t(?<referrer>(.*?))\t(?<version>(.*?))\t(?<useragent>(.*?))\t(?<request_body_length>(.*?))\t(?<response_body_length>(.*?))\t(?<status_code>(.*?))\t(?<status_message>(.*?))\t(?<info_code>(.*?))\t(?<info_message>(.*?))\t(?<tags>(.*))\t(?<user>(.*))\t(?<password>(.*))\t(?<proxied>(.*))\t(?<orig_fuids>(.*))\t(?<orig_filenames>(.*?))\t(?<orig_mime_types>(.*))\t(?<resp_fuids>(.*))\t(?<resp_filenames>(.*?))\t(?<resp_mime_types>(.*))" ]
+    }
+    if [useragent] == "-" {
+      mutate {
+        remove_field => [ "useragent" ]
+      }
+    }
+	mutate {
+		#add_tag => [ "conf_file_1106"]
+	}
+  }
+}
diff --git a/salt/logstash/files/conf.d/1107_preprocess_bro_irc.conf b/salt/logstash/files/conf.d/1107_preprocess_bro_irc.conf
new file mode 100644
index 000000000..84f7dcb3c
--- /dev/null
+++ b/salt/logstash/files/conf.d/1107_preprocess_bro_irc.conf
@@ -0,0 +1,22 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Update by Wes Lambert
+# Last Update: 12/14/2017
+#
+# This conf file is based on accepting logs for irc.log from Bro systems
+filter {
+  if [type] == "bro_irc" {
+    # This is the initial parsing of the log
+    mutate {
+      gsub => [ "message", "[\"']", "" ]
+    }
+    csv {
+      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","nick","irc_username","irc_command","value","additional_info","dcc_file_name","dcc_file_size","dcc_mime_type","fuid"]
+      separator => "	"
+    }
+	mutate {
+		#add_tag => [ "conf_file_1107"]
+	}
+  }	
+}
diff --git a/salt/logstash/files/conf.d/1108_preprocess_bro_kerberos.conf b/salt/logstash/files/conf.d/1108_preprocess_bro_kerberos.conf
new file mode 100644
index 000000000..a8adf282c
--- /dev/null
+++ b/salt/logstash/files/conf.d/1108_preprocess_bro_kerberos.conf
@@ -0,0 +1,20 @@
+# Original Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Wes Lambert
+# Last Update: 12/14/2017
+#
+# This conf file is based on accepting logs for kerberos.log from Bro systems
+filter {
+  if [type] == "bro_kerberos" {
+    mutate {
+      gsub => [ "message", "[\"']", "" ]
+    }
+    csv {
+      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","request_type","client","service","kerberos_success","error_message","valid_from","valid_till","cipher","forwardable","renewable","client_certificate_subject","client_certificate_fuid","server_certificate_subject","server_certificate_fuid"]
+      separator => "	"
+    }
+	mutate {
+		#add_tag => [ "conf_file_1108"]
+	}
+  }
+}
diff --git a/salt/logstash/files/conf.d/1109_preprocess_bro_notice.conf b/salt/logstash/files/conf.d/1109_preprocess_bro_notice.conf
new file mode 100644
index 000000000..192675450
--- /dev/null
+++ b/salt/logstash/files/conf.d/1109_preprocess_bro_notice.conf
@@ -0,0 +1,22 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Update by Wes Lambert
+# Last Update: 12/14/2017
+#
+# This conf file is based on accepting logs for notice.log from Bro systems
+filter {
+  if [type] == "bro_notice" {
+    # This is the initial parsing of the log
+    mutate {
+      gsub => [ "message", "[\"']", "" ]
+    }
+    csv {
+      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","fuid","file_mime_type","file_description","protocol","note","msg","sub_msg","source_ip","destination_ip","p","n","peer_description","action","suppress_for","dropped","destination_country_code","destination_region","destination_city","destination_latitude","destination_longitude"]
+      separator => "	"
+    }
+	mutate {
+		#add_tag => [ "conf_file_1109"]
+	}
+  }
+}
diff --git a/salt/logstash/files/conf.d/1110_preprocess_bro_rdp.conf b/salt/logstash/files/conf.d/1110_preprocess_bro_rdp.conf
new file mode 100644
index 000000000..fc80c5ea1
--- /dev/null
+++ b/salt/logstash/files/conf.d/1110_preprocess_bro_rdp.conf
@@ -0,0 +1,21 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Update by Wes Lambert
+# Last Update: 12/14/2016
+#
+# This conf file is based on accepting logs for weird.log from Bro systems
+filter {
+  if [type] == "bro_rdp" {
+    mutate {
+      gsub => [ "message", "[\"']", "" ]
+    }
+    csv {
+      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","cookie","result","security_protocol","keyboard_layout","client_build","client_name","client_digital_product_id","desktop_width","desktop_height","requested_color_depth","certificate_type","certificate_count","certificate_permanent","encryption_level","encryption_method"]
+      separator => "	"
+    }
+	mutate {
+		#add_tag => [ "conf_file_1110"]
+	}
+  }
+}
diff --git a/salt/logstash/files/conf.d/1111_preprocess_bro_signatures.conf b/salt/logstash/files/conf.d/1111_preprocess_bro_signatures.conf
new file mode 100644
index 000000000..70cdb2d6b
--- /dev/null
+++ b/salt/logstash/files/conf.d/1111_preprocess_bro_signatures.conf
@@ -0,0 +1,22 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Updated by Wes Lambert
+# Last Update: 12/14/2017
+#
+# This conf file is based on accepting logs for signatures.log from Bro systems
+filter {
+  if [type] == "bro_signatures" {
+    # This is the initial parsing of the log
+    mutate {
+      gsub => [ "message", "[\"']", "" ]
+    }
+    csv {
+      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","note","signature_id","event_message","sub_message","signature_count","host_count"]
+      separator => "	"
+    }
+	mutate {
+		#add_tag => [ "conf_file_1111"]
+	}
+  }	
+}
diff --git a/salt/logstash/files/conf.d/1112_preprocess_bro_smtp.conf b/salt/logstash/files/conf.d/1112_preprocess_bro_smtp.conf
new file mode 100644
index 000000000..a1fb145af
--- /dev/null
+++ b/salt/logstash/files/conf.d/1112_preprocess_bro_smtp.conf
@@ -0,0 +1,21 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/15/2017
+#
+# This conf file is based on accepting logs for smtp.log from Bro systems
+filter {
+  if [type] == "bro_smtp" {
+    grok {
+      match => [ "message", "(?<timestamp>(.*?))\t(?<uid>(.*?))\t(?<source_ip>(.*?))\t(?<source_port>(.*?))\t(?<destination_ip>(.*?))\t(?<destination_port>(.*?))\t(?<trans_depth>(.*?))\t(?<helo>(.*?))\t(?<mail_from>(.*?))\t(?<recipient_to>(.*?))\t(?<mail_date>(.*?))\t(?<from>(.*?))\t(?<to>(.*?))\t(?<cc>(.*?))\t(?<reply_to>(.*?))\t(?<message_id>(.*?))\t(?<in_reply_to>(.*?))\t(?<subject>(.*?))\t(?<x_originating_ip>(.*?))\t(?<first_received>(.*))\t(?<second_received>(.*))\t(?<last_reply>(.*))\t(?<path>(.*))\t(?<useragent>(.*))\t(?<tls>(.*))\t(?<fuids>(.*))\t(?<is_webmail>(.*))" ]
+    }
+    if [useragent] == "-" {
+      mutate {
+        remove_field => [ "useragent" ]
+      }
+    }
+	mutate {
+		#add_tag => [ "conf_file_1112"]
+	}
+  }
+}
diff --git a/salt/logstash/files/conf.d/1113_preprocess_bro_snmp.conf b/salt/logstash/files/conf.d/1113_preprocess_bro_snmp.conf
new file mode 100644
index 000000000..e7b8e43fa
--- /dev/null
+++ b/salt/logstash/files/conf.d/1113_preprocess_bro_snmp.conf
@@ -0,0 +1,22 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Update by Wes Lambert
+# Last Update: 12/14/2017
+#
+# This conf file is based on accepting logs for snmp.log from Bro systems
+filter {
+  if [type] == "bro_snmp" {
+    # This is the initial parsing of the log
+    mutate {
+      gsub => [ "message", "[\"']", "" ]
+    }
+    csv {
+      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","duration","version","community","get_requests","get_bulk_requests","get_responses","set_requests","display_string","up_since"]
+      separator => "	"
+    }
+	mutate {
+		#add_tag => [ "conf_file_1113"]
+	}
+  }	
+}
diff --git a/salt/logstash/files/conf.d/1114_preprocess_bro_software.conf b/salt/logstash/files/conf.d/1114_preprocess_bro_software.conf
new file mode 100644
index 000000000..83ad55e61
--- /dev/null
+++ b/salt/logstash/files/conf.d/1114_preprocess_bro_software.conf
@@ -0,0 +1,22 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Update by Wes Lambert
+# Last Update: 12/14/2017
+#
+# This conf file is based on accepting logs for software.log from Bro systems
+filter {
+  if [type] == "bro_software" {
+    # This is the initial parsing of the log
+    mutate {
+      gsub => [ "message", "[\"']", "" ]
+    }
+    csv {
+      columns => ["timestamp","source_ip","source_port","software_type","name","version_major","version_minor","version_minor2","version_minor3","version_additional_info","unparsed_version"]
+      separator => "	"
+    }
+	mutate {
+		#add_tag => [ "conf_file_1114"]
+	}
+  }	
+}
diff --git a/salt/logstash/files/conf.d/1115_preprocess_bro_ssh.conf b/salt/logstash/files/conf.d/1115_preprocess_bro_ssh.conf
new file mode 100644
index 000000000..df24f0730
--- /dev/null
+++ b/salt/logstash/files/conf.d/1115_preprocess_bro_ssh.conf
@@ -0,0 +1,21 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Wes Lambert
+# Last Update: 12/14/2017
+#
+# This conf file is based on accepting logs for ssh.log from Bro systems
+filter {
+  if [type] == "bro_ssh" {
+    # This is the initial parsing of the log
+    mutate {
+      gsub => [ "message", "[\"']", "" ]
+    }
+    csv {
+      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","version","authentication_success","authentication_attempts","direction","client","server","cipher_algorithm","mac_algorithm","compression_algorithm","kex_algorithm","host_key_algorithm","host_key","destination_country_code","destination_region","destination_city","destination_latitude","destination_longitude"]
+      separator => "	"
+    }
+	mutate {
+		#add_tag => [ "conf_file_1115"]
+	}
+  }
+}
diff --git a/salt/logstash/files/conf.d/1116_preprocess_bro_ssl.conf b/salt/logstash/files/conf.d/1116_preprocess_bro_ssl.conf
new file mode 100644
index 000000000..90e032368
--- /dev/null
+++ b/salt/logstash/files/conf.d/1116_preprocess_bro_ssl.conf
@@ -0,0 +1,149 @@
+# Original Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Wes Lambert
+# Last Update: 12/14/2017
+#
+# This conf file is based on accepting logs for ssl.log from Bro systems
+filter {
+  if [type] == "bro_ssl" {
+   # This is the initial parsing of the log
+   mutate {
+      gsub => [ "message", "[\"']", "" ]
+    } 
+   csv {
+      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","version","cipher","curve","server_name","resumed","last_alert","next_protocol","established","certificate_chain_fuids","client_certificate_chain_fuids","certificate_subject","certificate_issuer","client_subject","client_issuer","validation_status","ja3"]
+      separator => "	"
+    }
+    mutate {
+      gsub => [ "subject", "\\\\,", "|" ]
+    }
+    kv {
+      include_keys => [ "CN", "C", "O", "OU", "ST", "SN", "L", "DC", "GN", "pseudonym", "serialNumber", "title", "initials" ]
+      field_split => ","
+      source => "certificate_issuer"
+    }
+    mutate {
+      rename => { "CN" => "issuer_common_name"}
+      rename => { "C" => "issuer_country_code"}
+      rename => { "O" => "issuer_organization"}
+      rename => { "OU" => "issuer_organization_unit"}
+      rename => { "ST" => "issuer_state"}
+      rename => { "SN" => "issuer_surname"}
+      rename => { "L" => "issuer_locality"}
+      rename => { "DC" => "issuer_distinguished_name"}
+      rename => { "GN" => "issuer_given_name"}
+      rename => { "pseudonym" => "issuer_pseudonym"}
+      rename => { "serialNumber" => "issuer_serial_number"}
+      rename => { "title" => "issuer_title"}
+      rename => { "initials" => "issuer_initials"}
+    }
+    kv {
+      include_keys => [ "CN", "C", "O", "OU", "ST", "SN", "L", "GN", "pseudonym", "serialNumber", "title", "initials" ]
+      field_split => ","
+      source => "certificate_subject"
+    }
+    mutate {
+      rename => { "CN" => "certificate_common_name"}
+      rename => { "C" => "certificate_country_code"}
+      rename => { "O" => "certificate_organization"}
+      rename => { "OU" => "certificate_organization_unit"}
+      rename => { "ST" => "certificate_state"}
+      rename => { "SN" => "certificate_surname"}
+      rename => { "L" => "certificate_locality"}
+      rename => { "GN" => "certificate_given_name"}
+      rename => { "pseudonym" => "certificate_pseudonym"}
+      rename => { "serialNumber" => "certificate_serial_number"}
+      rename => { "title" => "certificate_title"}
+      rename => { "initials" => "certificate_initials"}
+    }
+    if [certificate_subject] == "-" {
+      mutate {
+        remove_field => [ "certificate_subject" ]
+      }
+    }
+    if [certificate_issuer] == "-" {
+      mutate {
+        remove_field => [ "certificate_issuer" ]
+      }
+    }
+    if [certificate_common_name] {
+      ruby {
+        code => "event.set('certificate_common_name_length', event.get('certificate_common_name').length)"
+      }
+    }
+    if [issuer_common_name] {
+      ruby {
+        code => "event.set('issuer_common_name_length', event.get('issuer_common_name').length)"
+      }
+    }
+    if [server_name] == "-" {
+      mutate {
+        remove_field => [ "server_name" ]
+      }
+    } else {
+      ruby {
+        code => "event.set('server_name_length', event.get('server_name').length)"
+      }
+    }
+    if [certificate_chain_fuids] == "-" {
+      mutate {
+        remove_field => [ "certificate_chain_fuids" ]
+      }
+    } else {
+      ruby {
+        code => "event.set('certificate_chain_count', event.get('certificate_chain_fuids').count(',') + 1)"
+      }
+      mutate {
+        convert => [ "certificate_chain_length", "integer" ]
+      }
+    }
+    if [client_certificate_chain_fuids] == "-" {
+      mutate {
+        remove_field => [ "client_certificate_chain_fuids" ]
+      }
+    }
+    if [client_issuer] == "-" {
+      mutate {
+        remove_field => [ "client_issuer" ]
+      }
+    }
+    if [client_subject] == "-" {
+      mutate {
+        remove_field => [ "client_subject" ]
+      }
+    }
+    if [curve] == "-" {
+      mutate {
+        remove_field => [ "curve" ]
+      }
+    }
+    if [issuer] == "-" {
+      mutate {
+        remove_field => [ "issuer" ]
+      }
+    }
+    if [query] == "-" {
+      mutate {
+        remove_field => [ "query" ]
+      }
+    }
+    if [subject] == "-" {
+      mutate {
+        remove_field => [ "subject" ]
+      }
+    }
+    if [validation_status] == "-" {
+      mutate {
+        remove_field => [ "validation_status" ]
+      }
+    }
+    if [ja3] == "-" {
+      mutate {
+        remove_field => [ "ja3" ]
+      }
+    }
+	mutate {
+		#add_tag => [ "conf_file_1116"]
+	}
+  }	
+}
diff --git a/salt/logstash/files/conf.d/1117_preprocess_bro_syslog.conf b/salt/logstash/files/conf.d/1117_preprocess_bro_syslog.conf
new file mode 100644
index 000000000..eba64abd3
--- /dev/null
+++ b/salt/logstash/files/conf.d/1117_preprocess_bro_syslog.conf
@@ -0,0 +1,23 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+#
+# Updated by Wes Lambert
+# Last Update: 12/14/2017
+#
+# This conf file is based on accepting logs for syslog.log from Bro systems
+filter {
+  if [type] == "bro_syslog" {
+    # This is the initial parsing of the log
+    mutate {
+      gsub => [ "message", "[\"']", "" ]
+    }
+    csv {
+      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","protocol","facility","severity","message"]
+      separator => "	"
+    }
+	mutate {
+		#add_tag => [ "conf_file_1117"]
+	}
+  }	
+}
diff --git a/salt/logstash/files/conf.d/1118_preprocess_bro_tunnel.conf b/salt/logstash/files/conf.d/1118_preprocess_bro_tunnel.conf
new file mode 100644
index 000000000..5b9efe2e5
--- /dev/null
+++ b/salt/logstash/files/conf.d/1118_preprocess_bro_tunnel.conf
@@ -0,0 +1,22 @@
+# Original Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Wes Lambert
+# Last Update: 12/14/2017
+#
+# This conf file is based on accepting logs for tunnel.log from Bro systems
+# Security Onion syslog-ng.conf sets type to "bro_tunnels"
+filter {
+  if [type] == "bro_tunnels" {
+    # This is the initial parsing of the log
+    mutate {
+      gsub => [ "message", "[\"']", "" ]
+    }
+    csv {
+      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","tunnel_type","action"]
+      separator => "	"
+    }
+	mutate {
+		#add_tag => [ "conf_file_1118"]
+	}
+  }	
+}
diff --git a/salt/logstash/files/conf.d/1119_preprocess_bro_weird.conf b/salt/logstash/files/conf.d/1119_preprocess_bro_weird.conf
new file mode 100644
index 000000000..a994dd2b2
--- /dev/null
+++ b/salt/logstash/files/conf.d/1119_preprocess_bro_weird.conf
@@ -0,0 +1,16 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+#
+# This conf file is based on accepting logs for weird.log from Bro systems
+filter {
+  if [type] == "bro_weird" {
+    grok {
+      match => [ "message", "(?<timestamp>(.*?))\t(?<uid>(.*?))\t(?<source_ip>(.*?))\t(?<source_port>(.*?))\t(?<destination_ip>(.*?))\t(?<destination_port>(.*?))\t(?<name>(.*?))\t(?<additional_info>(.*?))\t(?<notice>(.*?))\t(?<peer>(.*))" ]
+    }
+	mutate {
+		#add_tag => [ "conf_file_1119"]
+	}
+  }
+}
diff --git a/salt/logstash/files/conf.d/1121_preprocess_bro_mysql.conf b/salt/logstash/files/conf.d/1121_preprocess_bro_mysql.conf
new file mode 100644
index 000000000..61ce85eb8
--- /dev/null
+++ b/salt/logstash/files/conf.d/1121_preprocess_bro_mysql.conf
@@ -0,0 +1,30 @@
+# Original Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Wes Lambert
+# Last Update: 12/14/2017
+#
+# This conf file is based on accepting logs for mysql.log from Bro systems
+#
+# Parse using grok
+filter {
+  if [type] == "bro_mysql" {
+    grok {
+      match => [ "message", "(?<timestamp>(.*?))\t(?<uid>(.*?))\t(?<source_ip>(.*?))\t(?<source_port>(.*?))\t(?<destination_ip>(.*?))\t(?<destination_port>(.*?))\t(?<mysql_command>(.*?))\t(?<mysql_argument>(.*?))\t(?<mysql_success>(.*?))\t(?<rows>(.*?))\t(?<response>(.*))" ]
+    }
+	mutate {
+		#add_tag => [ "conf_file_1121"]
+	}
+  }
+}
+
+# Reverting to grok for now, due to double-quoted values in log file
+# Parse using csv filter
+#filter {
+#  if [type] == "bro_mysql" {
+#    csv {
+#      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","mysql_command","mysql_argument","mysql_success","rows","response"]
+#    separator => "	"
+#    quote_char=
+#    }
+#  }
+#}
diff --git a/salt/logstash/files/conf.d/1122_preprocess_bro_socks.conf b/salt/logstash/files/conf.d/1122_preprocess_bro_socks.conf
new file mode 100644
index 000000000..e6c1a6cf1
--- /dev/null
+++ b/salt/logstash/files/conf.d/1122_preprocess_bro_socks.conf
@@ -0,0 +1,34 @@
+# Original Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Wes Lambert
+# Last Update: 12/14/2017
+#
+# This conf file is based on accepting logs for socks.log from Bro systems
+
+# Parse using csv
+filter {
+  if [type] == "bro_socks" {
+    mutate {
+      gsub => [ "message", "[\"']", "" ]
+    }
+    csv {
+      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","version","user","password","server_status","request_host","request_name","request_port","bound_host","bound_name","bound_port"]
+      separator => "    "
+    }
+        mutate {
+                #add_tag => [ "conf_file_1105"]
+        }
+  }
+}
+# Parse using grok
+#filter {
+#  if [type] == "bro_socks" {
+#    # This is the initial parsing of the log
+#    grok {
+#      match => [ "message", "(?<timestamp>(.*?))\t(?<uid>(.*?))\t(?<source_ip>(.*?))\t(?<source_port>(.*?))\t(?<destination_ip>(.*?))\t(?<destination_port>(.*?))\t(?<version>(.*?))\t(?<user>(.*?))\t(?<password>(.*?))\t(?<status>(.*))\t(?<request_host>(.*))\t(?<request_name>(.*))\t(?<request_port>(.*))\t(?<bound_host>(.*))\t(?<bound_name>(.*))\t(?<bound_port>(.*))" ]
+#    }
+#	mutate {
+#		#add_tag => [ "conf_file_1122"]
+#	}
+#  }
+#}
diff --git a/salt/logstash/files/conf.d/1123_preprocess_bro_x509.conf b/salt/logstash/files/conf.d/1123_preprocess_bro_x509.conf
new file mode 100644
index 000000000..2bd76e39a
--- /dev/null
+++ b/salt/logstash/files/conf.d/1123_preprocess_bro_x509.conf
@@ -0,0 +1,123 @@
+# Original Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/13/2017
+#
+# This conf file is based on accepting logs for x509.log from Bro systems
+
+filter {
+  if [type] == "bro_x509" {
+    grok {
+      match => [ "message", "(?<timestamp>(.*?))\t(?<id>(.*?))\t(?<certificate_version>(.*?))\t(?<certificate_serial>(.*?))\t(?<certificate_subject>(.*?))\t(?<certificate_issuer>(.*?))\t(?<certificate_not_valid_before>(.*?))\t(?<certificate_not_valid_after>(.*?))\t(?<certificate_key_algorithm>(.*?))\t(?<certificate_signing_algorithm>(.*))\t(?<certificate_key_type>(.*))\t(?<certificate_key_length>(.*))\t(?<certificate_exponent>(.*))\t(?<certificate_curve>(.*))\t(?<san_dns>(.*))\t(?<san_uri>(.*))\t(?<san_email>(.*))\t(?<san_ip>(.*))\t(?<basic_constraints_ca>(.*))\t(?<basic_constraints_path_length>(.*))" ]
+    }
+
+    mutate {
+      gsub => [ "certificate_issuer", "\\\\,", "|" ]
+      gsub => [ "certificate_subject", "\\\\,", "|" ]
+    }
+	
+    kv {
+      include_keys => [ "CN", "C", "O", "OU", "ST", "SN", "L", "DC", "GN", "pseudonym", "serialNumber", "title", "initials" ]
+      field_split => ","
+      source => "certificate_issuer"
+    }
+    mutate {
+      rename => { "CN" => "issuer_common_name"}
+      rename => { "C" => "issuer_country_code"}
+      rename => { "O" => "issuer_organization"}
+      rename => { "OU" => "issuer_organization_unit"}
+      rename => { "ST" => "issuer_state"}
+      rename => { "SN" => "issuer_surname"}
+      rename => { "L" => "issuer_locality"}
+      rename => { "DC" => "issuer_distinguished_name"}
+      rename => { "GN" => "issuer_given_name"}
+      rename => { "pseudonym" => "issuer_pseudonym"}
+      rename => { "serialNumber" => "issuer_serial_number"}
+      rename => { "title" => "issuer_title"}
+      rename => { "initials" => "issuer_initials"}
+    }
+    kv {
+      include_keys => [ "CN", "C", "O", "OU", "ST", "SN", "L", "GN", "pseudonym", "serialNumber", "title", "initials" ]
+      field_split => ","
+      source => "certificate_subject"
+    }
+    mutate {
+      rename => { "CN" => "certificate_common_name"}
+      rename => { "C" => "certificate_country_code"}
+      rename => { "O" => "certificate_organization"}
+      rename => { "OU" => "certificate_organization_unit"}
+      rename => { "ST" => "certificate_state"}
+      rename => { "SN" => "certificate_surname"}
+      rename => { "L" => "certificate_locality"}
+      rename => { "GN" => "certificate_given_name"}
+      rename => { "pseudonym" => "certificate_pseudonym"}
+      rename => { "serialNumber" => "certificate_serial_number"}
+      rename => { "title" => "certificate_title"}
+      rename => { "initials" => "certificate_initials"}
+      convert => [ "certificate_key_length", "integer" ]
+      convert => [ "certificate_not_valid_after", "integer" ]
+      convert => [ "certificate_not_valid_before", "integer" ]
+    }
+    if [query] == "-" {
+      mutate {
+        remove_field => [ "query" ]
+      }
+    }
+    if [san_dns] == "-" {
+      mutate {
+        remove_field => [ "san_dns" ]
+      }
+    }
+    if [san_email] == "-" {
+      mutate {
+        remove_field => [ "san_email" ]
+      }
+    }
+    if [san_uri] == "-" {
+      mutate {
+        remove_field => [ "san_uri" ]
+      }
+    }
+    if [san_ip] == "-" {
+      mutate {
+        remove_field => [ "san_ip" ]
+      }
+    }
+    if [certificate_common_name] {
+      ruby {
+        code => "event.set('certificate_common_name_length', event.get('certificate_common_name').length)"
+      }
+    }
+    if [issuer_common_name] {
+      ruby {
+        code => "event.set('issuer_common_name_length', event.get('issuer_common_name').length)"
+      }
+    }
+    if [certificate_not_valid_after] == "-" {
+      mutate {
+        remove_field => [ "certificate_not_valid_after" ]
+      }
+    }
+    if [certificate_not_valid_before] == "-" {
+      mutate {
+        remove_field => [ "certificate_not_valid_before" ]
+      }
+    }
+    if [certificate_not_valid_after] and [certificate_not_valid_before] {
+      ruby {
+        code => "event.set('certificate_number_days_valid', ((event.get('certificate_not_valid_after') - event.get('certificate_not_valid_before')) / 86400).ceil)"
+      }
+      date {
+        match => [ "certificate_not_valid_after", "UNIX" ]
+        target => "certificate_not_valid_after"
+      }
+      date {
+        match => [ "certificate_not_valid_before", "UNIX" ]
+        target => "certificate_not_valid_before"
+      }
+    }
+	mutate {
+		#add_tag => [ "conf_file_1123"]
+	}
+  }
+}
diff --git a/salt/logstash/files/conf.d/1124_preprocess_bro_intel.conf b/salt/logstash/files/conf.d/1124_preprocess_bro_intel.conf
new file mode 100644
index 000000000..028c4a111
--- /dev/null
+++ b/salt/logstash/files/conf.d/1124_preprocess_bro_intel.conf
@@ -0,0 +1,21 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Wes Lambert
+# Last Update: 12/14/2017
+#
+# This conf file is based on accepting logs for intel.log from Bro systems
+filter {
+  if [type] == "bro_intel" {
+    # This is the initial parsing of the log
+    mutate {
+      gsub => [ "message", "[\"']", "" ]
+    }
+    csv {
+      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","indicator","indicator_type","seen_where","seen_node","matched","sources","fuid","mimetype","file_description"]
+      separator => "	"
+    }
+	mutate {
+		#add_tag => [ "conf_file_1124"]
+	}
+  }	
+}
diff --git a/salt/logstash/files/conf.d/1125_preprocess_bro_modbus.conf b/salt/logstash/files/conf.d/1125_preprocess_bro_modbus.conf
new file mode 100644
index 000000000..7d5bf4abf
--- /dev/null
+++ b/salt/logstash/files/conf.d/1125_preprocess_bro_modbus.conf
@@ -0,0 +1,34 @@
+# Author: Wes Lambert
+# wlambertts@gmail.com
+#
+# Adapted from existing filters provided by Justin Henderson
+#
+# Last Update: 12/14/2017
+#
+# This conf file is based on accepting logs for modbus.log from Bro systems
+#
+# Parse using csv filter
+filter {
+  if [type] == "bro_modbus" {
+    # This is the initial parsing of the log
+    mutate {
+      gsub => [ "message", "[\"']", "" ]
+    }
+    csv {
+      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","function","exception"]
+    separator => "	"
+    }
+  }
+}
+
+# Parse using grok
+#filter {
+#  if [type] == "bro_modbus" {
+#    grok {
+#      match => [ "message", "(?<timestamp>(.*?))\t(?<uid>(.*?))\t(?<source_ip>(.*?))\t(?<source_port>(.*?))\t(?<destination_ip>(.*?))\t(?<destination_port>(.*?))\t(?<func>(.*?))\t(?<exception>(.*?))$" ]
+#    }
+	#mutate {
+		#add_tag => [ "conf_file_1125"]
+	#}
+#   }
+#}
diff --git a/salt/logstash/files/conf.d/1126_preprocess_bro_sip.conf b/salt/logstash/files/conf.d/1126_preprocess_bro_sip.conf
new file mode 100644
index 000000000..35c404749
--- /dev/null
+++ b/salt/logstash/files/conf.d/1126_preprocess_bro_sip.conf
@@ -0,0 +1,32 @@
+# Author: Wes Lambert
+# wlambertts@gmail.com
+#
+# Adapted from existing filters provided by Justin Henderson
+#
+# Last Update: 05/12/2017
+#
+# This conf file is based on accepting logs for sip.log from Bro systems
+#
+# Parse using csv filter
+#filter {
+#  if [type] == "bro_sip" {
+#    csv {
+#      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","trans_depth","method","uri","date","request_from","request_to","response_from","response_to","reply_to","call_id","seq","subject","request_path","response_path","user_agent","status_code","status_msg","warning","request_body_len","response_body_len","content_type"]
+#    separator => "	"
+#    }
+#  }
+#}
+
+# some sip logs have quotes which cause csvparsefailures, so let's fall back to grok
+
+# Parse using grok
+filter {
+  if [type] == "bro_sip" {
+    grok {
+      match => [ "message", "(?<timestamp>(.*?))\t(?<uid>(.*?))\t(?<source_ip>(.*?))\t(?<source_port>(.*?))\t(?<destination_ip>(.*?))\t(?<destination_port>(.*?))\t(?<trans_depth>(.*?))\t(?<method>(.*?))\t(?<uri>(.*?))\t(?<date>(.*?))\t(?<request_from>(.*?))\t(?<request_to>(.*?))\t(?<response_from>(.*?))\t(?<response_to>(.*?))\t(?<reply_to>(.*?))\t(?<call_id>(.*?))\t(?<seq>(.*?))\t(?<subject>(.*?))\t(?<request_path>(.*?))\t(?<response_path>(.*?))\t(?<user_agent>(.*?))\t(?<status_code>(.*?))\t(?<status_msg>(.*?))\t(?<warning>(.*?))\t(?<request_body_len>(.*?))\t(?<response_body_len>(.*?))\t(?<content_type>(.*?))$" ]
+    }
+	mutate {
+		add_tag => [ "conf_file_1126"]
+	}
+  }
+}
diff --git a/salt/logstash/files/conf.d/1127_preprocess_bro_radius.conf b/salt/logstash/files/conf.d/1127_preprocess_bro_radius.conf
new file mode 100644
index 000000000..108b8c61d
--- /dev/null
+++ b/salt/logstash/files/conf.d/1127_preprocess_bro_radius.conf
@@ -0,0 +1,33 @@
+# Author: Wes Lambert
+# wlambertts@gmail.com
+#
+# Adapted from existing filters provided by Justin Henderson
+#
+# Last Update: 12/14/2017
+#
+# This conf file is based on accepting logs for radius.log from Bro systems
+#
+# Parse using csv filter
+filter {
+  if [type] == "bro_radius" {
+   mutate {
+      gsub => [ "message", "[\"']", "" ]
+    } 
+   csv {
+      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","radius_username","mac","remote_ip","connect_info","result","logged"]
+    separator => "	"
+    }
+  }
+}
+
+# Parse using grok
+#filter {
+#  if [type] == "bro_radius" {
+#    grok {
+#      match => [ "message", "(?<timestamp>(.*?))\t(?<uid>(.*?))\t(?<source_ip>(.*?))\t(?<source_port>(.*?))\t(?<destination_ip>(.*?))\t(?<destination_port>(.*?))\t(?<username>(.*?))\t(?<mac>(.*?))\t(?<remote_ip>(.*?))\t(?<logged>(.*?))\t(?<connect_info>(.*?))$" ]
+#    }
+#	mutate {
+#		#add_tag => [ "conf_file_1127"]
+#	}
+#  }
+#}
diff --git a/salt/logstash/files/conf.d/1128_preprocess_bro_pe.conf b/salt/logstash/files/conf.d/1128_preprocess_bro_pe.conf
new file mode 100644
index 000000000..82fc92e1d
--- /dev/null
+++ b/salt/logstash/files/conf.d/1128_preprocess_bro_pe.conf
@@ -0,0 +1,33 @@
+# Author: Wes Lambert
+# wlambertts@gmail.com
+#
+# Adapted from existing filters provided by Justin Henderson
+#
+# Last Update: 12/14/2017
+#
+# This conf file is based on accepting logs for pe.log from Bro systems
+#
+# Parse using csv filter
+filter {
+  if [type] == "bro_pe" {
+    mutate {
+      gsub => [ "message", "[\"']", "" ]
+    }
+    csv {
+      columns => ["timestamp","fuid","machine","compile_ts","os","subsystem","is_exe","is_64bit","uses_aslr","uses_dep","uses_code_integrity","uses_seh","has_import_table","has_export_table","has_cert_table","has_debug_data","section_names"]
+    separator => "	"
+    }
+  }
+}
+
+# Parse using grok
+#filter {
+#  if [type] == "bro_pe" {
+#    grok {
+#      match => [ "message", "(?<timestamp>(.*?))\t(?<fuid>(.*?))\t(?<machine>(.*?))\t(?<compile_ts>(.*?))\t(?<os>(.*?))\t(?<subsystem>(.*?))\t(?<is_exe>(.*?))\t(?<is_64bit>(.*?))\t(?<uses_aslr>(.*?))\t(?<uses_dep>(.*?))\t(?<uses_code_integrity>(.*?))\t(?<uses_seh>(.*?))\t(?<has_import_table>(.*?))\t(?<has_export_table>(.*?))\t(?<has_cert_table>(.*?))\t(?<has_debug_data>(.*?))\t(?<section_names>(.*?))$" ]
+#    }
+#	mutate {
+#		#add_tag => [ "conf_file_1128"]
+#	}
+# }
+#}
diff --git a/salt/logstash/files/conf.d/1129_preprocess_bro_rfb.conf b/salt/logstash/files/conf.d/1129_preprocess_bro_rfb.conf
new file mode 100644
index 000000000..680a1150f
--- /dev/null
+++ b/salt/logstash/files/conf.d/1129_preprocess_bro_rfb.conf
@@ -0,0 +1,33 @@
+# Author: Wes Lambert
+# wlambertts@gmail.com
+#
+# Adapted from existing filters provided by Justin Henderson
+#
+# Last Update: 12/14/2017
+#
+# This conf file is based on accepting logs for rfb.log from Bro systems
+#
+# Parse using csv filter
+filter {
+  if [type] == "bro_rfb" {
+    mutate {
+      gsub => [ "message", "[\"']", "" ]
+    }
+    csv {
+      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","client_major_version","client_minor_version","server_major_version","server_minor_version","authentication_method","auth","share_flag","desktop_name","width","height"]
+    separator => "	"
+    }
+  }
+}
+
+# Parse using grok
+#filter {
+#  if [type] == "bro_rfb" {
+#    grok {
+#      match => [ "message", "(?<timestamp>(.*?))\t(?<uid>(.*?))\t(?<source_ip>(.*?))\t(?<source_port>(.*?))\t(?<destination_ip>(.*?))\t(?<destination_port>(.*?))\t(?<client_major_version>(.*?))\t(?<client_minor_version>(.*?))\t(?<server_major_version>(.*?))\t(?<server_minor_version>(.*?))\t(?<authentication_method>(.*?))\t(?<auth>(.*?))\t(?<share_flag>(.*?))\t(?<desktop_name>(.*?))\t(?<width>(.*?))\t(?<height>(.*?))$" ]
+#    }
+#	mutate {
+#		#add_tag => [ "conf_file_1129"]
+#	}
+#  }
+#}
diff --git a/salt/logstash/files/conf.d/1130_preprocess_bro_dnp3.conf b/salt/logstash/files/conf.d/1130_preprocess_bro_dnp3.conf
new file mode 100644
index 000000000..ed3ba70b2
--- /dev/null
+++ b/salt/logstash/files/conf.d/1130_preprocess_bro_dnp3.conf
@@ -0,0 +1,33 @@
+# Author: Wes Lambert
+# wlambertts@gmail.com
+#
+# Adapted from existing filters provided by Justin Henderson
+#
+# Last Update: 12/14/2017
+#
+# This conf file is based on accepting logs for dnp3.log from Bro systems
+#
+# Parse using csv filter
+filter {
+  if [type] == "bro_dnp3" {
+    mutate {
+      gsub => [ "message", "[\"']", "" ]
+    }
+    csv {
+      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","fc_request","fc_reply","iin"]
+    separator => "	"
+    }
+  }
+}
+
+# Parse using grok
+#filter {
+#  if [type] == "bro_dnp3" {
+#    grok {
+#      match => [ "message", "(?<timestamp>(.*?))\t(?<uid>(.*?))\t(?<source_ip>(.*?))\t(?<source_port>(.*?))\t(?<destination_ip>(.*?))\t(?<destination_port>(.*?))\t(?<fc_request>(.*?))\t(?<fc_reply>(.*?))\t(?<iin>(.*?))$" ]
+#    }
+#	mutate {
+#		#add_tag => [ "conf_file_1129"]
+#	}
+#  }
+#}
diff --git a/salt/logstash/files/conf.d/1131_preprocess_bro_smb_files.conf b/salt/logstash/files/conf.d/1131_preprocess_bro_smb_files.conf
new file mode 100644
index 000000000..01055d2fa
--- /dev/null
+++ b/salt/logstash/files/conf.d/1131_preprocess_bro_smb_files.conf
@@ -0,0 +1,21 @@
+# Author: Wes Lambert
+# wlambertts@gmail.com
+#
+# Adapted from existing filters provided by Justin Henderson
+#
+# Last Update: 12/14/2017
+#
+# This conf file is based on accepting logs for smb_files.log from Bro systems
+#
+# Parse using csv filter
+filter {
+  if [type] == "bro_smb_files" {
+    mutate {
+      gsub => [ "message", "[\"']", "" ]
+    }
+    csv {
+      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","fuid","action","path","name","size","prev_name","times_modified","times_accessed","times_created","times_changed"]
+    separator => "	"
+    }
+  }
+}
diff --git a/salt/logstash/files/conf.d/1132_preprocess_bro_smb_mapping.conf b/salt/logstash/files/conf.d/1132_preprocess_bro_smb_mapping.conf
new file mode 100644
index 000000000..ceac871ee
--- /dev/null
+++ b/salt/logstash/files/conf.d/1132_preprocess_bro_smb_mapping.conf
@@ -0,0 +1,21 @@
+# Author: Wes Lambert
+# wlambertts@gmail.com
+#
+# Adapted from existing filters provided by Justin Henderson
+#
+# Last Update: 12/14/2017
+#
+# This conf file is based on accepting logs for smb_mapping.log from Bro systems
+#
+# Parse using csv filter
+filter {
+  if [type] == "bro_smb_mapping" {
+    mutate {
+      gsub => [ "message", "[\"']", "" ]
+    }
+    csv {
+      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","path","service","native_file_system","share_type"]
+    separator => "	"
+    }
+  }
+}
diff --git a/salt/logstash/files/conf.d/1133_preprocess_bro_ntlm.conf b/salt/logstash/files/conf.d/1133_preprocess_bro_ntlm.conf
new file mode 100644
index 000000000..fc7b01025
--- /dev/null
+++ b/salt/logstash/files/conf.d/1133_preprocess_bro_ntlm.conf
@@ -0,0 +1,21 @@
+# Author: Wes Lambert
+# wlambertts@gmail.com
+#
+# Adapted from existing filters provided by Justin Henderson
+#
+# Last Update: 12/14/2017
+#
+# This conf file is based on accepting logs for ntlm.log from Bro systems
+#
+# Parse using csv filter
+filter {
+  if [type] == "bro_ntlm" {
+    mutate {
+      gsub => [ "message", "[\"']", "" ]
+    }
+    csv {
+      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","ntlm_username","hostname","domain_name","ntlm_success","status"]
+    separator => "	"
+    }
+  }
+}
diff --git a/salt/logstash/files/conf.d/1134_preprocess_bro_dce_rpc.conf b/salt/logstash/files/conf.d/1134_preprocess_bro_dce_rpc.conf
new file mode 100644
index 000000000..1d0f186fe
--- /dev/null
+++ b/salt/logstash/files/conf.d/1134_preprocess_bro_dce_rpc.conf
@@ -0,0 +1,21 @@
+# Author: Wes Lambert
+# wlambertts@gmail.com
+#
+# Adapted from existing filters provided by Justin Henderson
+#
+# Last Update: 12/14/2017
+#
+# This conf file is based on accepting logs for dce_rpc.log from Bro systems
+#
+# Parse using csv filter
+filter {
+  if [type] == "bro_dce_rpc" {
+    mutate {
+      gsub => [ "message", "[\"']", "" ]
+    }
+    csv {
+      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","rtt","named_pipe","endpoint","operation"]
+    separator => "	"
+    }
+  }
+}
diff --git a/salt/logstash/files/conf.d/1998_test_data.conf b/salt/logstash/files/conf.d/1998_test_data.conf
new file mode 100644
index 000000000..0fc401428
--- /dev/null
+++ b/salt/logstash/files/conf.d/1998_test_data.conf
@@ -0,0 +1,16 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [test] == "test" {
+    mutate {
+      remove_field => [ "test" ]
+      add_tag => [ "test_data" ]
+    }
+	mutate {
+		#add_tag => [ "conf_file_1998"]
+	}
+  }
+}
diff --git a/salt/logstash/files/conf.d/2000_network_flow.conf b/salt/logstash/files/conf.d/2000_network_flow.conf
new file mode 100644
index 000000000..40a060955
--- /dev/null
+++ b/salt/logstash/files/conf.d/2000_network_flow.conf
@@ -0,0 +1,59 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [type] == "sflow" {
+    if [message] =~ /CNTR/ {
+      drop { }
+    }
+
+    grok {
+      match => { "message" => "%{WORD:sample_type},%{IP:sflow_source_ip},%{WORD:in_port:int},%{WORD:out_port:int},%{WORD:source_mac},%{WORD:destination_mac},%{WORD:ether_type},%{NUMBER:in_vlan:int},%{NUMBER:out_vlan:int},%{IP:source_ip},%{IP:destination_ip},%{NUMBER:protocol:int},%{WORD:type_of_service},%{WORD:ttl:int},%{NUMBER:source_port:int},%{NUMBER:destination_port:int},%{DATA:tcp_flags},%{NUMBER:packet_size:int},%{NUMBER:ip_size:int},%{NUMBER:sample_rate:int}" }
+    }
+
+    if "_grokparsefailure" in [tags] {
+      drop { }
+    }
+
+    mutate {
+      add_field => {
+        "[source_hostname]" => "%{source_ip}"
+        "[destination_hostname]" => "%{destination_ip}"
+        "[sflow_source_hostname]" => "%{sflow_source_ip}"
+      }
+    }
+
+    translate {
+      field => "[source_port]"
+      destination => "[source_service]"
+      dictionary_path => "/lib/dictionaries/iana_services.yaml"
+    }
+
+    translate {
+      field => "[destination_port]"
+      destination => "[destination_service]"
+      dictionary_path => "/lib/dictionaries/iana_services.yaml"
+    }
+
+    translate {
+      field => "[protocol]"
+      destination => "[protocol_name]"
+      dictionary_path => "/lib/dictionaries/iana_protocols.yaml"
+    }
+
+    translate {
+      field => "[tcp_flags]"
+      destination => "[tcp_flag]"
+      dictionary_path => "/lib/dictionaries/tcp_flags.yaml"
+    }
+
+    mutate {
+      add_field => { "ips" => [ "%{sflow_source_ip}" ] }
+    }
+	mutate {
+		#add_tag => [ "conf_file_2000"]
+	}
+  }
+}
diff --git a/salt/logstash/files/conf.d/6000_bro.conf b/salt/logstash/files/conf.d/6000_bro.conf
new file mode 100644
index 000000000..8552030d2
--- /dev/null
+++ b/salt/logstash/files/conf.d/6000_bro.conf
@@ -0,0 +1,136 @@
+# Original Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/16/2017
+#
+# This conf file is based on accepting logs for conn.log from Bro systems
+filter {
+  if "bro" in [tags] {
+    if [duration] == "-" {
+      mutate {
+        replace => [ "duration", "0" ]
+      }
+    }
+    if [original_bytes] == "-" {
+      mutate {
+        replace => [ "original_bytes", "0" ]
+      }
+    }
+    # If MissedBytes is unspecified set it to zero so it is an integer
+    if [missed_bytes] == "-" {
+      mutate {
+        replace => [ "missed_bytes", "0" ]
+      }
+    }
+    # If OriginalIPBytes is unspecified set it to zero so it is an integer
+    if [original_ip_bytes] == "-" {
+      mutate {
+        replace => [ "original_ip_bytes", "0" ]
+      }
+    }
+    # If RespondBytes is unspecified set it to zero so it is an integer
+    if [respond_bytes] == "-" {
+      mutate {
+        replace => [ "respond_bytes", "0" ]
+      }
+    }
+    # If RespondIPBytes is unspecified set it to zero so it is an integer
+    if [respond_ip_bytes] == "-" {
+      mutate {
+        replace => [ "respond_ip_bytes", "0" ]
+      }
+    }
+    if [source_port] == "-" {
+      mutate {
+        remove_field => ["source_port"]
+      }
+    }
+    if [destination_port] == "-" {
+      mutate {
+        remove_field => ["destination_port"]
+      }
+    }
+    if [virtual_host] == "-" {
+      mutate {
+        remove_field => ["virtual_host"]
+      }
+    }
+
+    # I renamed conn_uids to uid so that it is easy to pivot to all things tied to a connection
+    mutate {
+       rename => [ "connection_uids", "uid" ]
+    }
+    # If total_bytes is set to "-" change it to 0 so it is an integer
+    if [total_bytes] == "-" {
+      mutate {
+        replace => [ "total_bytes", "0" ]
+      }
+    }
+    # If seen_bytes is set to "-" change it to 0 so it is an integer
+    if [seen_bytes] == "-" {
+      mutate {
+        replace => [ "seen_bytes", "0" ]
+      }
+    }
+    # If missing_bytes is set to "-" change it to 0 so it is an integer
+    if [missing_bytes] == "-" {
+      mutate {
+        replace => [ "missing_bytes", "0" ]
+      }
+    }
+    # If pverflow_bytes is set to "-" change it to 0 so it is an integer
+    if [overflow_bytes] == "-" {
+      mutate {
+        replace => [ "overflow_bytes", "0" ]
+      }
+    }
+    # I recommend changing the field types below to integer or floats so searches can do greater than or less than
+    # and also so math functions can be ran against them
+    mutate {
+      convert => [ "bound_port", "integer" ]
+      convert => [ "data_channel_destination_port", "integer" ]
+      convert => [ "destination_port", "integer" ]
+      convert => [ "depth", "integer" ]
+      convert => [ "duration", "float" ]
+      convert => [ "info_code", "integer" ]
+      convert => [ "missed_bytes", "integer" ]
+      convert => [ "missing_bytes", "integer" ]
+      convert => [ "n", "integer" ]
+      convert => [ "original_bytes", "integer" ]
+      convert => [ "original_packets", "integer" ]
+      convert => [ "original_ip_bytes", "integer" ]
+      convert => [ "overflow_bytes", "integer" ]
+      convert => [ "p", "integer" ]
+      convert => [ "query_class", "integer" ]
+      convert => [ "query_type", "integer" ]
+      convert => [ "rcode", "integer" ]
+      convert => [ "request_body_length", "integer" ]
+      convert => [ "request_port", "integer" ]
+      convert => [ "respond_bytes", "integer" ]
+      convert => [ "respond_packets", "integer" ]
+      convert => [ "respond_ip_bytes", "integer" ]
+      convert => [ "response_body_length", "integer" ]
+      convert => [ "seen_bytes", "integer" ]
+      convert => [ "source_port", "integer" ]
+      convert => [ "status_code", "integer" ]
+      convert => [ "suppress_for", "float" ]
+      convert => [ "total_bytes", "integer" ]
+      convert => [ "trans_depth", "integer" ]
+      convert => [ "transaction_id", "integer" ]
+      lowercase => [ "query" ]
+      #remove_field => [ "timestamp" ]
+    }
+
+    # Combine OriginalBytes and RespondBytes and save the value to total_bytes
+    if [original_bytes] {
+      if [respond_bytes] {
+        ruby {
+          code => "event.set('total_bytes', event.get('original_bytes') + event.get('respond_bytes'))"
+        }
+      }
+    }
+	mutate {
+		#add_tag => [ "conf_file_6000"]
+	}
+  }
+}
diff --git a/salt/logstash/files/conf.d/6001_bro_import.conf b/salt/logstash/files/conf.d/6001_bro_import.conf
new file mode 100644
index 000000000..abbac3cd6
--- /dev/null
+++ b/salt/logstash/files/conf.d/6001_bro_import.conf
@@ -0,0 +1,14 @@
+# Updated by: Doug Burks
+# Last Update: 5/16/2017
+#
+# If we're importing old Bro logs, let's use the original Bro timestamp instead of the time of import
+filter {
+  if "import" in [tags] and "bro" in [tags] {
+	date {
+        	match => [ "timestamp", "UNIX" ]
+	}
+	mutate {
+	  #add_tag => [ "conf_file_6001"]
+	}
+  }
+}
diff --git a/salt/logstash/files/conf.d/6002_syslog.conf b/salt/logstash/files/conf.d/6002_syslog.conf
new file mode 100644
index 000000000..f82f81a25
--- /dev/null
+++ b/salt/logstash/files/conf.d/6002_syslog.conf
@@ -0,0 +1,11 @@
+# Updated by: Doug Burks
+# Last Update: 5/16/2017
+#
+filter {
+  if "syslog" in [tags] {
+	mutate {
+		#convert => [ "status_code", "integer" ]
+	  #add_tag => [ "conf_file_6002"]
+	}
+  }
+}
diff --git a/salt/logstash/files/conf.d/6101_switch_brocade.conf b/salt/logstash/files/conf.d/6101_switch_brocade.conf
new file mode 100644
index 000000000..dd2f3126c
--- /dev/null
+++ b/salt/logstash/files/conf.d/6101_switch_brocade.conf
@@ -0,0 +1,33 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [type] == "brocade" {
+    grok {
+      match => ["message", "<%{DATA}>%{GREEDYDATA:sys_message}"]
+    }
+    grok {
+      match => { "sys_message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid:int}\])?: %{GREEDYDATA:syslog_message}" }
+      add_field => [ "received_at", "%{@timestamp}" ]
+    }
+    if [syslog_message] =~ "Interface ethernet" or [syslog_program] == "PORT" {
+      grok {
+        match => { "syslog_message" => "%{DATA}%{INT:unit}\/%{INT:interface_type}\/%{INT:interface:int}" }
+      }
+      mutate {
+        add_field => { "interface_port" => "%{unit}/%{interface_type}/%{interface}" }
+      }
+    }
+    date {
+      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
+      timezone => "America/Chicago"
+      remove_field => "syslog_timestamp"
+      remove_field => "received_at"
+    }
+	mutate {
+		#add_tag => [ "conf_file_6101"]
+	}
+  }
+}
diff --git a/salt/logstash/files/conf.d/6200_firewall_fortinet.conf b/salt/logstash/files/conf.d/6200_firewall_fortinet.conf
new file mode 100644
index 000000000..b33c89bb8
--- /dev/null
+++ b/salt/logstash/files/conf.d/6200_firewall_fortinet.conf
@@ -0,0 +1,281 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [type] == "fortinet" {
+    mutate {
+      gsub => [ "message", "= ", "=NA " ]
+    }
+
+    grok {
+       match => ["message", "type=%{DATA:event_type}\s+"]
+       tag_on_failure => []
+    }
+    grok {
+       match => ["message", "<%{DATA}>%{GREEDYDATA:kv}"]
+       tag_on_failure => []
+    }
+    kv {
+      source => "kv"
+      exclude_keys => [ "type" ]
+    }
+    mutate {
+      gsub => [ "log", "= ", "=NA " ]
+    }
+    kv {
+      source => "log"
+      target => "SubLog"
+    }
+    grok {
+       match => ["message", "custom: DOM-ALL, dns_query=%{DATA:dns_query};"]
+       tag_on_failure => [ "" ]
+    }
+    mutate {
+      rename => {  "action" => "action" }
+      rename => {  "addr" => "addr_ip" }
+      rename => {  "age" => "age" }
+      rename => {  "assigned" => "assigned_ip" }
+      rename => {  "assignip" => "assign_ip" }
+      rename => {  "ap" => "access_point" }
+      rename => {  "app" => "application" }
+      rename => {  "appcat" => "application_category" }
+      rename => {  "applist" => "application_list" }
+      rename => {  "apprisk" => "application_risk" }
+      rename => {  "approfile" => "accessPoint_profile" }
+      rename => {  "apscan" => "access_point_scan" }
+      rename => {  "apstatus" => "acces_point_status" }
+      rename => {  "aptype" => "access_point_type" }
+      rename => {  "authproto" => "authentication_protocol" }
+      rename => {  "bandwidth" => "bandwidth" }
+      rename => {  "banned_src" => "banned_source" }
+      rename => {  "cat" => "category" }
+      rename => {  "catdesc" => "category_description" }
+      rename => {  "cfgattr" => "configuration_attribute" }
+      rename => {  "cfgobj" => "configuration_object" }
+      rename => {  "cfgpath" => "configuration_path" }
+      rename => {  "cfgtid" => "configuration_transaction_id" }
+      rename => {  "channel" => "channel" }
+      rename => {  "community" => "community" }
+      rename => {  "cookies" => "cookies" }
+      rename => {  "craction" => "cr_action" }
+      rename => {  "crlevel" => "cr_level" }
+      rename => {  "crscore" => "cr_score" }
+      rename => {  "datarange" => "data_range" }
+      rename => {  "desc" => "description" }
+      rename => {  "detectionmethod" => "detection_method" }
+      rename => {  "devid" => "device_id" }
+      rename => {  "devname" => "device_name" }
+      rename => {  "devtype" => "device_type" }
+      rename => {  "dhcp_msg" => "dhcp_message" }
+      rename => {  "disklograte" => "disk_lograte" }
+      rename => {  "dstcountry" => "destination_country" }
+      rename => {  "dstintf" => "destination_interface" }
+      rename => {  "dstip" => "destination_ip" }
+      rename => {  "dstport" => "destination_port" }
+      rename => {  "duration" => "elapsed_time" }
+      rename => {  "error_num" => "error_number" }
+      rename => {  "espauth" => "esp_authentication" }
+      rename => {  "esptransform" => "esp_transform" }
+      rename => {  "eventid" => "event_id" }
+      rename => {  "eventtype" => "event_type" }
+      rename => {  "fazlograte" => "faz_lograte" }
+      rename => {  "filename" => "file_name" }
+      rename => {  "filesize" => "file_size" }
+      rename => {  "filetype" => "file_type" }
+      rename => {  "hostname" => "hostname" }
+      rename => {  "ip" => "source_ip" }
+      rename => {  "localip" => "source_ip" }
+      rename => {  "locip" => "local_ip" }
+      rename => {  "locport" => "source_port" }
+      rename => {  "logid" => "log_id" }
+      rename => {  "logver" => "log_version" }
+      rename => {  "manuf" => "manufacturer" }
+      rename => {  "mem" => "memory" }
+      rename => {  "meshmode" => "mesh_mode" }
+      rename => {  "msg" => "message" }
+      rename => {  "nextstat" => "next_stat" }
+      rename => {  "onwire" => "on_wire" }
+      rename => {  "osname" => "os_name" }
+      rename => {  "osversion" => "unauthenticated_user" }
+      rename => {  "outintf" => "outbound_interface" }
+      rename => {  "peer_notif" => "peer_notification" }
+      rename => {  "phase2_name" => "phase2_name" }
+      rename => {  "policyid" => "policy_id" }
+      rename => {  "policytype" => "policy_type" }
+      rename => {  "port" => "port" }
+      rename => {  "probeproto" => "probe_protocol" }
+      rename => {  "proto" => "protocol_number" }
+      rename => {  "radioband" => "radio_band" }
+      rename => {  "radioidclosest" => "radio_id_closest" }
+      rename => {  "radioiddetected" => "radio_id_detected" }
+      rename => {  "rcvd" => "bytes_received" }
+      rename => {  "rcvdbyte" => "bytes_received" }
+      rename => {  "rcvdpkt" => "packets_received" }
+      rename => {  "remip" => "destination_ip" }
+      rename => {  "remport" => "remote_port" }
+      rename => {  "reqtype" => "request_type" }
+      rename => {  "scantime" => "scan_time" }
+      rename => {  "securitymode" => "security_mode" }
+      rename => {  "sent" => "bytes_sent" }
+      rename => {  "sentbyte" => "bytes_sent" }
+      rename => {  "sentpkt" => "packets_sent" }
+      rename => {  "session_id" => "session_id" }
+      rename => {  "setuprate" => "setup_rate" }
+      rename => {  "sn" => "serial" }
+      rename => {  "snclosest" => "serial_closest_access_point" }
+      rename => {  "sndetected" => "serial_access_point_that_detected_rogue_ap" }
+      rename => {  "snmeshparent" => "serial_mesh_parent" }
+      rename => {  "srccountry" => "source_country" }
+      rename => {  "srcip" => "source_ip" }
+      rename => {  "srcmac" => "source_mac" }
+      rename => {  "srcname" => "source_name" }
+      rename => {  "srcintf" => "source_interface" }
+      rename => {  "srcport" => "source_port" }
+      rename => {  "stacount" => "station_count" }
+      rename => {  "stamac" => "static_mac" }
+      rename => {  "srccountry" => "source_country" }
+      rename => {  "srcip" => "source_ip" }
+      rename => {  "srcmac" => "source_mac" }
+      rename => {  "srcname" => "source_name" }
+      rename => {  "sn" => "serial" }
+      rename => {  "srcintf" => "source_interface" }
+      rename => {  "srcport" => "source_port" }
+      rename => {  "total" => "total_bytes" }
+      rename => {  "totalsession" => "total_sessions" }
+      rename => {  "trandisp" => "nat_translation_type" }
+      rename => {  "tranip" => "nat_destination_ip" }
+      rename => {  "tranport" => "nat_destination_port" }
+      rename => {  "transip" => "nat_source_ip" }
+      rename => {  "transport" => "nat_source_port" }
+      rename => {  "tunnelid" => "tunnel_id" }
+      rename => {  "tunnelip" => "tunnel_ip" }
+      rename => {  "tunneltype" => "tunnel_type" }
+      rename => {  "unauthuser" => "unauthenticated_user_source" }
+      rename => {  "unauthusersource" => "os_version" }
+      rename => {  "vendorurl" => "vendor_url" }
+      rename => {  "vpntunnel" => "vpn_tunnel" }
+      rename => {  "vulncat" => "vulnerability_category" }
+      rename => {  "vulncmt" => "vulnerability_count" }
+      rename => {  "vulnid" => "vulnerability_id" }
+      rename => {  "vulnname" => "vulnerability_name" }
+      rename => {  "vulnref" => "vulnerability_reference" }
+      rename => {  "vulnscore" => "vulnerability_score" }
+      rename => {  "xauthgroup" => "x_authentication_group" }
+      rename => {  "xauthuser" => "x_authentication_user" }
+      rename => {  "[SubLog][appid]" => "sub_application_id" }
+      rename => {  "[SubLog][devid]" => "sub_device_id" }
+      rename => {  "[SubLog][dstip]" => "sub_destination_ip" }
+      rename => {  "[SubLog][srcip]" => "sub_source_ip" }
+      rename => {  "[SubLog][dstport]" => "sub_destination_port" }
+      rename => {  "[SubLog][eventtype]" => "sub_event_type" }
+      rename => {  "[SubLog][proto]" => "sub_protocol_number" }
+      rename => {  "[SubLog][date]" => "sub_date" }
+      rename => {  "[SubLog][time]" => "sub_time" }
+      rename => {  "[SubLog][srcport]" => "sub_source_port" }
+      rename => {  "[SubLog][subtype]" => "sub_subtype" }
+      rename => {  "[SubLog][devname]" => "sub_device_name" }
+      rename => {  "[SubLog][itime]" => "sub_itime" }
+      rename => {  "[SubLog][level]" => "sub_level" }
+      rename => {  "[SubLog][logid]" => "sub_log_id" }
+      rename => {  "[SubLog][logver]" => "sub_log_version" }
+      rename => {  "[SubLog][type]" => "sub_event_type" }
+      rename => {  "[SubLog][vd]" => "sub_vd" }
+      rename => {  "[SubLog][action]" => "sub_action" }
+      rename => {  "[SubLog][logdesc]" => "sub_destination_ip" }
+      rename => {  "[SubLog][policyid]" => "sub_olicy_id" }
+      rename => {  "[SubLog][reason]" => "sub_reason" }
+      rename => {  "[SubLog][service]" => "sub_service" }
+      rename => {  "[SubLog][sessionid]" => "sub_session_id" }
+      rename => {  "[SubLog][src]" => "sub_source_ip" }
+      rename => {  "[SubLog][status]" => "sub_status" }
+      rename => {  "[SubLog][ui]" => "sub_ui" }
+      rename => {  "[SubLog][urlfilteridx]" => "sub_url_filter_idx" }
+      strip => [ "bytes_sent", "bytes_received" ]
+      convert => [ "bytes_sent", "integer" ]
+      convert => [ "bytes_received", "integer" ]
+      convert => [ "cr_score", "integer" ]
+      convert => [ "cr_action", "integer" ]
+      convert => [ "elapsed_time", "integer" ]
+      convert => [ "destination_port", "integer" ]
+      convert => [ "source_port", "integer" ]
+      convert => [ "local_port", "integer" ]
+      convert => [ "remote_port", "integer" ]
+      convert => [ "packets_sent", "integer" ]
+      convert => [ "packets_received", "integer" ]
+      convert => [ "port", "integer" ]
+      convert => [ "ProtocolNumber", "integer" ]
+      convert => [ "XAuthUser", "string" ]
+      remove_field => [ "kv", "log" ]
+    }
+    if [tunnel_ip] == "N/A" {
+      mutate {
+        remove_field => [ "tunnel_ip" ]
+      }
+    }
+    if [nat_destination_ip] {
+      mutate {
+        add_field => { "ips" => [ "%{nat_destination_ip}" ] }
+        add_field => { "destination_ips" => [ "%{nat_destination_ip}" ] }
+      }
+    }
+    if [sub_destination_ip] {
+      mutate {
+        add_field => { "ips" => [ "%{sub_destination_ip}" ] }
+        add_field => { "destination_ips" => [ "%{sub_destination_ip}" ] }
+      }
+    }
+    if [nat_source_ip] {
+      mutate {
+        add_field => { "ips" => [ "%{nat_source_ip}" ] }
+        add_field => { "source_ips" => [ "%{nat_source_ip}" ] }
+      }
+    }
+    if [sub_source_ip] {
+      mutate {
+        add_field => { "ips" => [ "%{sub_source_ip}" ] }
+        add_field => { "source_ips" => [ "%{sub_source_ip}" ] }
+      }
+    }
+    if [addr_ip] {
+      mutate {
+        add_field => { "ips" => [ "%{addr_ip}" ] }
+      }
+    }
+    if [assign_ip] {
+      mutate {
+        add_field => { "ips" => [ "%{assign_ip}" ] }
+      }
+    }
+    if [assigned_ip] {
+      mutate {
+        add_field => { "ips" => [ "%{assigned_ip}" ] }
+      }
+    }
+    grok {
+       match => ["message", "type=%{DATA:event_type}\s+"]
+    }
+    if [date] and [time] {
+      mutate {
+        add_field => { "receive_time" => "%{date} %{time}" }
+        remove_field => [ "date", "time" ]
+      }
+      date {
+        timezone => "America/Chicago"
+        match => [ "receive_time", "YYYY-MM-dd HH:mm:ss" ]
+        target => "receive_time"
+      }
+      mutate {
+        rename => { "receive_time" => "@timestamp" }
+      }
+    } else {
+      mutate {
+        add_tag => [ "missing_date" ]
+      }
+    }
+	mutate {
+		#add_tag => [ "conf_file_6200"]
+	}
+  }
+}
diff --git a/salt/logstash/files/conf.d/6201_firewall_pfsense.conf b/salt/logstash/files/conf.d/6201_firewall_pfsense.conf
new file mode 100644
index 000000000..c964747e0
--- /dev/null
+++ b/salt/logstash/files/conf.d/6201_firewall_pfsense.conf
@@ -0,0 +1,33 @@
+# Author: Wes Lambert
+# Last Update: 11/06/2017
+
+
+filter {
+  if [type] == "filterlog" {
+    grok {
+      match => ["message", "(%{NONNEGINT:rule_number})?\,(%{NONNEGINT:sub_rule_number})?\,(%{DATA:anchor})?\,(%{NONNEGINT:tracker_id})?\,%{DATA:interface}\,%{DATA:reason}\,%{DATA:action}\,%{DATA:direction}\,%{NONNEGINT:ip_version},%{GREEDYDATA:sub_msg}"]
+    }
+    if [ip_version] =~ "4" {
+      csv {
+        source => [sub_msg]
+	columns => ["ipv4_tos","ipv4_ecn","ipv4_ttl","ipv4_id","ipv4_offset", "ipv4_flags","ipv4_protocol_id","ipv4_protocol","ipv4_protocol_length","source_ip","destination_ip","source_port","destination_port","data_length","tcp_flags","sequence_number","ack","window","urg","options"]
+      	separator => ","
+      }
+    }
+    if [ip_version] =~ "6" {
+      csv {
+        source => [sub_msg]
+	columns => ["class","flow_label","hop_limit","protocol","protocol_id","length","source_ip","destination_ip","source_port","destination_port","data_length"]
+        separator => ","
+      }
+    }
+    mutate {
+      convert => [ "destination_port", "integer" ]
+      convert => [ "source_port", "integer" ]    
+      convert => [ "ip_version", "integer" ]
+      replace => { "type" => "firewall" }
+      add_tag=>  [ "pfsense","firewall" ]
+      remove_field => [ "sub_msg" ]
+    }
+  }
+}
diff --git a/salt/logstash/files/conf.d/6300_windows.conf b/salt/logstash/files/conf.d/6300_windows.conf
new file mode 100644
index 000000000..34450af2b
--- /dev/null
+++ b/salt/logstash/files/conf.d/6300_windows.conf
@@ -0,0 +1,161 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [type] == "windows" {
+#    json {
+#      source => "message"
+#    }
+    date {
+      match => ["EventTime", "YYYY-MM-dd HH:mm:ss"]
+      remove_field => [ "EventTime" ]
+    }
+    if [EventID] == 4634 {
+      mutate {
+        add_tag => [ "logoff" ]
+      }
+    }
+    if [EventID] == 4624 or [EventID] == 528 or [EventID] == 540 or [EventID] == 552 or [EventID] == 682 or [EventID] == 4648 or [EventID] == 4778 {
+      mutate {
+        add_tag => [ "logon" ]
+        add_tag => [ "alert_data" ]
+      }
+    }
+    if [EventID] == 529 or [EventID] == 4625 or [EventID] == 530 or [EventID] == 531 or [EventID] == 532 or [EventID] == 533 or [EventID] == 534 or [EventID] == 535 or [EventID] == 536 or [EventID] == 536 or [EventID] == 537 or [EventID] == 538 or [EventID] == 539 or [EventID] == 4625 or [EventID] == 4771 {
+      mutate {
+        add_tag => [ "logon_failure" ]
+        add_tag => [ "alert_data" ]
+      }
+    }
+    # Critical event IDs to monitor
+    if [EventID] == 7030 or [EventID] == 4720 or [EventID] == 4722 or [EventID] == 4724 or [EventID] == 4738 or [EventID] == 4732 or [EventID] == 1102 or [EventID] == 1056 or [EventID] == 2003 or [EventID] == 2005 or [EventID] == 8003 or [EventID] == 8004 or [EventID] == 8006 or [EventID] == 8007 {
+      mutate {
+        add_tag => [ "alert_data" ]
+      }
+    }
+    # Critical event IDs to monitor
+    if [EventID] == 5152 { drop {} }
+    if [EventID] == 4688 { drop {} }
+    if [EventID] == 4689 { drop {} } # Process Termination:Not needed due to Sysmon
+    if [Channel] == "Microsoft-Windows-Known Folders API Service" { drop {} }
+    if [EventID] == 3 and [SourceIp] =~ "255$" { drop {} }
+    if [EventID] == 3 and [DestinationIp] =~ "255$" { drop {} }
+    # Whitelist/Blacklist check
+    if [EventID] == 7045 {
+      translate {
+        field => "ServiceName"
+        destination => "ServiceCheck"
+        dictionary_path => "/lib/dictionaries/services.yaml"
+      }
+    }
+    if [EventID] == 7045 and !([ServiceCheck]) {
+      mutate {
+        add_tag => [ "alert_data","new_service" ] 
+      }
+    }
+    if [ServiceCheck] == 'whitelist' {
+      mutate {
+        remove_field => [ "ServiceCheck" ]
+        add_tag => [ "whitelist" ]
+      }
+    }
+    if [ServiceCheck] == 'blacklist' {
+      mutate {
+        remove_field => [ "ServiceCheck" ]
+        add_tag => [ "blacklist" ]
+      }
+    }
+    if [EventID] == 5158 {
+      if [Application] == "System" { drop {} }
+      if [Application] =~ "\\windows\\system32\\spoolsv\.exe" { drop {} }
+      if [Application] =~ "\\windows\\system32\\wbem\\wmiprvse\.exe" { drop {} }
+      if [Application] =~ "mcafee" { drop {} }
+      if [Application] =~ "carestream" { drop {} }
+      if [Application] =~ "Softdent" { drop {} }
+    }
+    if [ProcessName] == "C:\\Windows\\System32\\wbem\\WmiPrvSE\.exe" and [SubjectUserName] == "SolarwindsHO" { drop {} }
+    if [EventID] == 4690 { drop {} }
+    if [EventID] == 861 and [AccountName] == "ntp" { drop {} }
+    if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\lsass\.exe$" { drop {} }
+    if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\svchost\.exe$" { drop {} }
+    if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\dfsrs\.exe$" { drop {} }
+    if [EventID] == 5447 { drop {} }
+
+    mutate {
+      rename => [ "AccountName", "user" ]
+      rename => [ "AccountType", "account_type" ]
+      rename => [ "ActivityID", "activity_id" ]
+      rename => [ "Category", "category" ]
+      rename => [ "ClientAddress", "client_ip" ]
+      rename => [ "Channel", "channel" ]
+      rename => [ "DCIPAddress", "domain_controller_ip" ]
+      rename => [ "DCName", "domain_controller_name" ]
+      rename => [ "EventID", "event_id" ]
+      rename => [ "EventReceivedTime", "event_received_time" ]
+      rename => [ "EventType", "event_type" ]
+      rename => [ "GatewayIPAddress", "gateway_ip" ]
+      rename => [ "IPAddress", "client_ip" ]
+      rename => [ "Ipaddress", "client_ip" ]
+      rename => [ "IpAddress", "client_ip" ]
+      rename => [ "IPPort", "source_port" ]
+      rename => [ "OpcodeValue", "opcode_value" ]
+      rename => [ "PreAuthType", "preauthentication_type" ]
+      rename => [ "PrincipleSAMName", "user" ]
+      rename => [ "ProcessID", "process_id" ]
+      rename => [ "ProviderGUID", "providerguid" ]
+      rename => [ "RecordNumber", "record_number" ]
+      rename => [ "RemoteAddress", "destination_ip" ]
+      rename => [ "ServiceName", "service_name" ]
+      rename => [ "ServiceID", "service_id" ]
+      rename => [ "SeverityValue", "severity_value" ]
+      rename => [ "SourceAddress", "client_ip" ]
+      rename => [ "SourceModuleName", "source_module_name" ]
+      rename => [ "SourceModuleType", "source_module_type" ]
+      rename => [ "SourceName", "source_name" ]
+      rename => [ "SubjectUserName", "user" ]
+      rename => [ "TaskName", "task_name" ]
+      rename => [ "TargetDomainName", "target_domain_name" ]
+      rename => [ "TargetUserName", "user" ]
+      rename => [ "ThreadID", "thread_id" ]
+      rename => [ "User_ID", "user" ]
+      rename => [ "UserID", "user" ]
+      rename => [ "username", "user" ]
+    }
+    # For any accounts that are service accounts or special accounts add the tag of service_account
+    # This example applies the tag to any username that starts with SVC_.  If you use a different
+    # standard change this.
+    if [user] =~ "^DWM-*" or [user] == "SYSTEM" or [user] == "NETWORK SERVICE" or [user] == "LOCAL SERVICE" or [user] =~ "^SVC_*" {
+      mutate {
+        add_tag => [ "service_account" ]
+      }
+    }
+    # This looks for events that are typically noisy but may be of use for deep dive investigations
+    # A tag of noise is added to quickly filter out noise
+    if [event_id] == 7036 or [source_name] == "Desktop Window Manager" or [category] == "Engine Lifecycle" or [category] == "Provider Lifecycle" {
+      mutate {
+        add_tag => [ "noise" ]
+      }
+    }
+    #Identify machine accounts
+    if [user] =~ /\$/ {
+      mutate {
+        add_tag => [ "machine", "noise" ]
+      }
+    }
+    # Lower case all field names
+    ruby {
+      code => "
+        event_hash = event.to_hash
+        new_event = {}
+        event_hash.keys.each do |key|
+        new_event[key.downcase] = event[key]
+        end
+        event.instance_variable_set(:@data, new_event)"
+    }
+	mutate {
+		#add_tag => [ "conf_file_6300"]
+	}
+  }
+}
diff --git a/salt/logstash/files/conf.d/6301_dns_windows.conf b/salt/logstash/files/conf.d/6301_dns_windows.conf
new file mode 100644
index 000000000..1ef5077a6
--- /dev/null
+++ b/salt/logstash/files/conf.d/6301_dns_windows.conf
@@ -0,0 +1,49 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [type] == "dns" and "bro" not in [tags] {
+    json {
+      source => "message"
+    }
+    # strip whitespace from message field
+    mutate {
+      strip => "message"
+    }
+    # If the message is blank, drop the log
+    if [Message] =~ /^$/ {
+      drop {  }
+    } else {
+      if [type] == "dns" {
+  	  # This section is lookup for a match against the log and parsing out the fields
+        grok {
+          match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          # Server 2003 DNS logs do not include slashes or AM/PM in timestamp
+          match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          remove_field => [ "Message" ]
+        }
+  	  # This section attempts to convert the dns_domain into the traditional domain.com format
+        mutate {
+          gsub => [ "dns_domain", "(\(\d+\))", "." ]
+        }
+        grok {
+          match => { "dns_domain" => "\.%{DATA:query}\.$" }
+          remove_field => [ "dns_domain" ]
+        }
+      }
+    }
+	mutate {
+		#add_tag => [ "conf_file_6301"]
+	}
+  }
+}
diff --git a/salt/logstash/files/conf.d/6400_suricata.conf b/salt/logstash/files/conf.d/6400_suricata.conf
new file mode 100644
index 000000000..11f185ddf
--- /dev/null
+++ b/salt/logstash/files/conf.d/6400_suricata.conf
@@ -0,0 +1,92 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+#
+# This conf file is based on accepting logs for suricata json events
+filter {
+  if [type] == "suricata" {
+    if "test_data" not in [tags] {
+      date {
+        match => [ "timestamp", "ISO8601" ]
+      }
+    } else {
+      mutate {
+        remove_field => [ "netflow.start","netflow.end","timestamp" ]
+      }
+    }
+    if [event_type] == "fileinfo" {
+      ruby {
+        code => "if event['event_type'] == 'fileinfo'; event['fileinfo']['type']=event['fileinfo']['magic'].to_s.split(',')[0]; end;" 
+      }
+    }
+	# I recommend renaming the fields below to be consistent with other log sources.  This makes it easy to "pivot" between logs
+    mutate {
+      rename => [ "src_ip", "source_ip" ]
+      rename => [ "dest_ip", "destination_ip" ]
+      rename => [ "src_port", "source_port" ]
+      rename => [ "dest_port", "destination_port" ]
+    }
+	# This will translate the alert.severity field into a severity field of either High, Medium, or Low
+    if [event_type] == "alert" {
+      if [alert][severity] == 1 {
+        mutate {
+          add_field => { "severity" => "High" }
+        }
+      }
+      if [alert][severity] == 2 {
+        mutate {
+          add_field => { "severity" => "Medium" }
+        }
+      }
+      if [alert][severity] == 3 {
+        mutate {
+          add_field => { "severity" => "Low" }
+        }
+      }
+	  # If the alert is a Snort GPL alert break it apart for easier reading and categorization
+      if [alert][signature] =~ "GPL " {
+	    # This will parse out the category type from the alert
+        grok {
+          match => { "[alert][signature]" => "GPL\s+%{DATA:category}\s" }
+        }
+		# This will store the category
+        mutate {
+          add_field => { "rule_type" => "Snort GPL" }
+          lowercase => [ "category" ]
+        }
+      }
+	  # If the alert is an Emerging Threat alert break it apart for easier reading and categorization
+      if [alert][signature] =~ "ET " {
+	    # This will parse out the category type from the alert
+        grok {
+          match => { "[alert][signature]" => "ET\s+%{DATA:category}\s" }
+        }
+		# This will store the category
+        mutate {
+          add_field => { "rule_type" => "Emerging Threats" }
+          lowercase => [ "category" ]
+        }
+      }
+	  # This section adds URLs to lookup information about a rule online
+      if [rule_type] == "Snort GPL" {
+        mutate {
+          add_field => [ "signature_info", "https://www.snort.org/search?query=%{[alert][gid]}-%{[alert][signature_id]}" ]
+        }
+      }
+      if [rule_type] == "Emerging Threats" {
+        mutate {
+          add_field => [ "signature_info", "http://doc.emergingthreats.net/%{[alert][signature_id]}" ]
+        }
+      }
+    }
+    if "_grokparsefailure" not in [tags] and "_csvparsefailure" not in [tags] and "_jsonparsefailure" not in [tags] {
+    #  mutate {
+    #    remove_field => [ "message" ]
+    #  }
+    }
+	mutate {
+		#add_tag => [ "conf_file_6400"]
+	}
+  }
+}
diff --git a/salt/logstash/files/conf.d/6500_ossec.conf b/salt/logstash/files/conf.d/6500_ossec.conf
new file mode 100644
index 000000000..c1f17b424
--- /dev/null
+++ b/salt/logstash/files/conf.d/6500_ossec.conf
@@ -0,0 +1,83 @@
+# Author: Wes Lambert
+# wlambertts@gmail.com
+#
+# Last Update: 05/21/2017
+#
+# This conf file is based on accepting logs from OSSEC
+#
+# Parse using grok
+filter {
+  # OSSEC Logs and Alerts
+  if [type] == "ossec" {
+      grok {
+      match => ["message", "Alert Level: %{NONNEGINT;alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; user: +%{DATA:user}; %{SYSLOGTIMESTAMP} %{DATA:host} %{DATA:process}\[%{INT:pid}]: %{GREEDYDATA:details}", 
+		"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}",
+		"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}", 
+		"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: +%{DATA:user} : TTY=%{DATA:tty} ; PWD=%{DATA:dir} ; USER=%{DATA:escalated_user} ; COMMAND=%{GREEDYDATA:command}", 
+		"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: %{GREEDYDATA:details}", 
+		"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: +%{DATA:user} : %{GREEDYDATA:details}",  
+		"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; srcip: %{IP:source_ip};%{GREEDYDATA:details}", 
+		"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA:user}: %{DATA}: \'%{DATA}': %{DATA:interface}: %{INT:num_packets}",
+		"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA:user}: %{GREEDYDATA:details}.",
+		"message", "Alert Level: %{NONNEGINT:alert_Level}; Rule: %{NONNEGINT:Rule} - %{DATA:Description}; Location: %{DATA:location}; user: +%{DATA:user};",
+		"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA}: %{DATA}: \'%{DATA}': %{DATA:interface}: %{NONNEGINT:num_packets}",
+		"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{GREEDYDATA:details}"]
+      # Add tag for OSSEC alerts
+      add_tag => [ "alert" ]
+      }
+      translate {
+       field => "alert_level"
+
+       destination => "classification"
+
+       dictionary => [
+                    "1", "None",
+		    "2", "System low priority notification",
+		    "3", "Successful/authorized event",
+		    "4", "System low priority error",
+		    "5", "User generated error",
+		    "6", "Low relevance attack",
+		    "7", '"Bad word" matching',
+		    "8", "First time seen",
+		    "9", "Error from invalid source",
+		    "10", "Multiple user generated errors",
+		    "11", "Integrity checking warning",
+		    "12", "High importance event",
+		    "13", "Unusal error (high importance)",
+		    "14", "High importance security event",
+		    "15", "Severe attack"
+                    ]
+      }
+     }
+
+  if [type] == "ossec" and "alert" not in [tags] {
+      grok {
+      match => ["message", "%{DATA:user} : TTY=%{DATA:tty} ; PWD=%{DATA:dir} ; USER=%{DATA:escalated_user} ; COMMAND=%{GREEDYDATA:command}"]
+     }
+  }
+
+ 
+  # OSSEC Archive Logs
+  if [type] == "ossec_archive" {
+      grok {
+      match => ["message",'%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{IP:source_ip} - %{DATA:user} \[%{DATA:request_timestamp}] "%{DATA:method} %{DATA:requested_resource} %{DATA:protocol}\/%{DATA:protocol_version}" %{NONNEGINT:status_code} %{NONNEGINT:object_size} "%{DATA:referrer}" "%{DATA:user_agent}"',
+		"message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{SYSLOGTIMESTAMP:ossec_timestamp} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: \(%{DATA:user}\) CMD \(%{DATA:command}\)",
+		"message", "%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{GREEDYDATA:details}","message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{SYSLOGTIMESTAMP:ossec_timestamp} %{DATA:ossec_host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}",
+		"message","%{DATA:age} %{DATA:program} %{DATA} '%{DATA:checksum}'"]
+      remove_field => [ "ossec_timestamp" ]
+      }
+      mutate {
+              convert => [ "status_code", "integer" ]
+      }
+  }
+
+  # Sysmon logs transported by OSSEC
+  if [type] =~ "ossec" {
+     if [message] =~ "WinEvtLog: Microsoft-Windows-Sysmon" {
+       mutate { replace => { "type" => "sysmon" } }
+     }
+     if [message] =~ "AR-LOG" {
+       mutate { replace => { "type" => "autoruns" } } 
+     }
+  }
+}
diff --git a/salt/logstash/files/conf.d/6501_ossec_sysmon.conf b/salt/logstash/files/conf.d/6501_ossec_sysmon.conf
new file mode 100644
index 000000000..ecca99df1
--- /dev/null
+++ b/salt/logstash/files/conf.d/6501_ossec_sysmon.conf
@@ -0,0 +1,81 @@
+# Author: Wes Lambert
+# wlambertts@gmail.com
+#
+# Last Update: 07/14/2017
+#
+# This conf file is based on accepting Sysmon logs from OSSEC
+#
+# Parse using grok
+filter {
+  # OSSEC Logs and Alerts
+  if [type] == "sysmon" {
+    #mutate { replace => { "type" => "sysmon" } }
+    grok {
+#      match => ["message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{IP:source_ip}->WinEvtLog %{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION\(%{INT:sysmon_event_id}\):"]
+    match => ["message", "%{YEAR:year}%{SPACE}%{SYSLOGTIMESTAMP:timestamp}%{SPACE}%{DATA:location}%{SPACE}(any|%{IP:source_ip})->WinEvtLog%{SPACE}%{YEAR:year}%{SPACE}%{SYSLOGTIMESTAMP:ossec_timestamp}%{SPACE}WinEvtLog:%{SPACE}Microsoft-Windows-Sysmon/Operational:%{SPACE}INFORMATION\(%{INT:event_id}\):%{SPACE}%{GREEDYDATA:rest_of_msg}"]
+    }
+    mutate {
+      convert => ["event_id", "integer"]
+      remove_field => ["timestamp"]
+      remove_field => ["year"]
+    }
+  }
+  if [event_id] == 1 {
+    grok {
+      match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}%{DATA:process_name} %{DATA:process_arguments}%{SPACE}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:user}%{SPACE}LogonGuid:%{SPACE}\{%{DATA:logon_guid}\}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{SPACE}%{DATA:integrity_level}%{SPACE}Hashes:%{SPACE}MD5=%{DATA:md5},SHA256=%{DATA:sha256}%{SPACE}ParentProcessGuid:%{SPACE}\{%{DATA:parent_process_guid}\}%{SPACE}ParentProcessId:%{SPACE}%{NONNEGINT:parent_process_id}%{SPACE}ParentImage:%{SPACE}%{DATA:parent_image_path}%{SPACE}ParentCommandLine:%{SPACE}%{GREEDYDATA:parent_process_name}",
+		"rest_of_msg", 'Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}"%{DATA:process_name}"%{SPACE}%{DATA:process_arguments}%{SPACE}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:user}%{SPACE}LogonGuid:%{SPACE}\{%{DATA:logon_guid}\}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{DATA:integrity_level}',
+		"rest_of_msg", "Microsoft-Windows-Sysmon/Operational:%{SPACE}INFORMATION(%{INT:event_id}):%{SPACE}Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}{%{DATA:process_guid}}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}%{DATA:process_name}%{SPACE}%{DATA:process_arguments}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:user}%{SPACE}LogonGuid:%{SPACE}{%{DATA:logon_guid}}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{SPACE}%{DATA:integrity_level}%{SPACE}Hashes:%{SPACE}MD5=%{DATA:md5},SHA256=%{DATA:sha256}%{SPACE}ParentProcessGuid:%{SPACE}{%{DATA:parent_process_guid}}%{SPACE}ParentProcessId:%{SPACE}%{NONNEGINT:parent_process_id}%{SPACE}ParentImage:%{SPACE}%{DATA:parent_image_path}%{SPACE}ParentCommandLine:%{SPACE}%{GREEDYDATA:parent_process_name}"]
+    }
+    mutate {
+      convert => ["process_guid", "integer"]
+      convert => ["process_id", "integer"]
+      remove_field => ["rest_of_msg"]
+      add_tag => ["process_creation"]
+    }
+  }
+  if [event_id] == 3 {
+    mutate {
+      remove_field => ["source_ip"]
+    }
+    grok {
+      match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}User:%{SPACE}%{DATA:user}%{SPACE}Protocol:%{SPACE}%{DATA:protocol}%{SPACE}Initiated:%{SPACE}%{DATA:initiated}%{SPACE}SourceIsIpv6:%{SPACE}%{DATA:is_source_ipv6}%{SPACE}SourceIp:%{SPACE}%{IP:source_ip}%{SPACE}SourceHostname:%{SPACE}%{DATA:source_hostname}%{SPACE}SourcePort:%{SPACE}%{NONNEGINT:source_port}%{SPACE}SourcePortName:%{SPACE}%{DATA:source_port_name}%{SPACE}DestinationIsIpv6:%{SPACE}%{DATA:dest_is_ipv6}%{SPACE}DestinationIp:%{SPACE}%{IP:destination_ip}%{SPACE}DestinationHostname:%{SPACE}%{DATA:destination_hostname}%{SPACE}DestinationPort:%{SPACE}%{NONNEGINT:destination_port}%{SPACE}DestinationPortName:%{SPACE}%{GREEDYDATA:destination_port_name}"]
+    }
+    mutate {
+      convert => ["process_guid", "integer"]
+      convert => ["process_id", "integer"]
+      convert => ["source_port", "integer"]
+      convert => ["destination_port", "integer"]
+      remove_field => ["rest_of_msg"]
+      add_tag => ["network_connection"]
+    }
+  }
+  if [event_id] == 5 {
+    grok {
+      match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{GREEDYDATA:image_path}"]
+    }
+    mutate {
+      convert => ["process_guid", "integer"]
+      convert => ["process_id", "integer"]
+      remove_field => ["rest_of_msg"]
+      add_tag => ["process_termination"]
+    }
+  }
+  if [event_id] == 11 {
+    grok {
+      match => ["rest_of_msg","Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}TargetFilename:%{SPACE}%{DATA:target_filename}%{SPACE}CreationUtcTime:%{SPACE}%{DATA:creation_time}%{SPACE}"]
+    }
+    mutate {
+      convert => ["process_guid", "integer"]
+      convert => ["process_id", "integer"]
+      remove_field => ["rest_of_msg"]
+      add_tag => ["file_created"]
+    }
+  }
+#  if [sysmon_event_id] == "16" {
+#    grok {
+#    }
+#    mutate {
+#      add_tag => ["sysmon_config_changed"]
+#    }
+#  }
+}
diff --git a/salt/logstash/files/conf.d/6502_ossec_autoruns.conf b/salt/logstash/files/conf.d/6502_ossec_autoruns.conf
new file mode 100644
index 000000000..064b30455
--- /dev/null
+++ b/salt/logstash/files/conf.d/6502_ossec_autoruns.conf
@@ -0,0 +1,23 @@
+# Author: Wes Lambert
+# wlambertts@gmail.com
+#
+# Last Update: 07/17/2017
+#
+# This conf file is based on accepting Autoruns logs from OSSEC
+#
+# Parse using grok
+filter {
+  if [type] == "autoruns" {
+    grok {
+      match => ["message", "%{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} \(%{DATA:ossec_agent_name}\) %{IP:source_ip}->%{DATA:location} %{DATA:log_name}\|%{DATA:hostname}\|%{DATESTAMP:log_timestamp}\|%{DATA:event_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}"]
+    }
+    #csv {
+#      columns => ["log_name","entry_location","entry","enabled","category","autoruns_description","signer","company","image_path","version","launch_string","md5","sha1","pesha1","pesha256","sha256","imphash"]
+#      separator => "|"
+#      }
+    mutate {
+      remove_field => [ "year" ]
+      remove_field => [ "timestamp" ]
+    }
+  }
+}
diff --git a/salt/logstash/files/conf.d/8000_postprocess_bro_cleanup.conf b/salt/logstash/files/conf.d/8000_postprocess_bro_cleanup.conf
new file mode 100644
index 000000000..3998df8a4
--- /dev/null
+++ b/salt/logstash/files/conf.d/8000_postprocess_bro_cleanup.conf
@@ -0,0 +1,17 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if "bro" in [tags] {
+    if "_grokparsefailure" not in [tags] and "_csvparsefailure" not in [tags] and "_jsonparsefailure" not in [tags] {
+      #mutate {
+      #  remove_field => [ "message" ]
+      #}
+    }
+	mutate {
+		#add_tag => [ "conf_file_8000"]
+	}
+  }
+}
diff --git a/salt/logstash/files/conf.d/8001_postprocess_common_ip_augmentation.conf b/salt/logstash/files/conf.d/8001_postprocess_common_ip_augmentation.conf
new file mode 100644
index 000000000..d28449da6
--- /dev/null
+++ b/salt/logstash/files/conf.d/8001_postprocess_common_ip_augmentation.conf
@@ -0,0 +1,58 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/20/2017
+
+filter {
+  if [source_ip] {
+    if [source_ip] == "-" {
+      mutate {
+        replace => { "source_ip" => "0.0.0.0" }
+      }
+    }
+    if [source_ip] =~ "10\." or [source_ip] =~ "192\.168\." or [source_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." or [source_ip] =~ "fe80::20c:29ff:fe19:f7d" or [source_ip] =~ "::1" {
+	mutate {
+	}
+      } else {
+        geoip {
+          source => "[source_ip]"
+          target => "source_geo"
+        }
+      }
+    if [source_ip] {
+      mutate {
+        add_field => { "ips" => "%{source_ip}" }
+        add_field => { "source_ips" => [ "%{source_ip}" ] }
+      }
+    }
+  }
+  if [destination_ip] {
+    if [destination_ip] == "-" {
+      mutate {
+        replace => { "destination_ip" => "0.0.0.0" }
+      }
+    }
+    if [destination_ip] =~ "10\." or [destination_ip] =~ "192\.168\." or [destination_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." or [destination_ip] =~ "239.255.255.250" or [destination_ip] =~ "224\.0\.0\." or [destination_ip] =~ "255.255.255.255" or [destination_ip] =~ "ff02::fb" or [destination_ip] =~ "fe80::20c:29ff:fe19:f7d" or [destination_ip] =~ "224\.0\.1\." {
+      mutate {
+      }
+    }
+    else {
+      geoip {
+      source => "[destination_ip]"
+      target => "destination_geo"
+      }
+    }
+  }
+  if [destination_ip] {
+    mutate {
+      add_field => { "ips" => "%{destination_ip}" }
+      add_field => { "destination_ips" => [ "%{destination_ip}" ] }
+    }
+  }
+}
+  #if [source_ip] or [destination_ip] {
+  #  mutate {
+	  #add_tag => [ "conf_file_8001"]
+  #	}
+  #}
+
diff --git a/salt/logstash/files/conf.d/8006_postprocess_dns.conf b/salt/logstash/files/conf.d/8006_postprocess_dns.conf
new file mode 100644
index 000000000..a1520e6dc
--- /dev/null
+++ b/salt/logstash/files/conf.d/8006_postprocess_dns.conf
@@ -0,0 +1,47 @@
+# Original Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/13/2017
+
+filter {
+  if [type] == "bro_dns" or "dns" in [tags] {
+    # Used for whois lookups - can create log loop
+    if [query] =~ "^whois\." {
+      drop { }
+    }
+    # REPLACE test.int with your internal domain
+    if [query] and [query] !~ "\.test\.int$" {
+      mutate {
+        lowercase => [ "query" ]
+      }
+      if [query_type_name] != "NB" and [query_type_name] != "TKEY" and [query_type_name] != "NBSTAT" and [query_type_name] != "PTR" {
+        tld {
+          source => "query"
+        }
+        ruby {
+          code => "event.set('query_length', event.get('query').length)"
+        }
+        mutate {
+          rename => { "[SubLog][sessionid]" => "sub_session_id" }
+          rename => { "[tld][domain]" => "highest_registered_domain" }
+          rename => { "[tld][trd]" => "subdomain" }
+          rename => { "[tld][tld]" => "top_level_domain" }
+          rename => { "[tld][sld]" => "parent_domain" }
+        }
+        if [parent_domain] {
+          ruby {
+            code => "event.set('parent_domain_length', event.get('parent_domain').length)"
+          }
+        }
+        if [subdomain] {
+          ruby {
+            code => "event.set('subdomain_length', event.get('subdomain').length)"
+          }
+        }
+      }
+    }
+	mutate {
+		#add_tag => [ "conf_file_8006"]
+	}
+  }
+}
diff --git a/salt/logstash/files/conf.d/8007_postprocess_http.conf b/salt/logstash/files/conf.d/8007_postprocess_http.conf
new file mode 100644
index 000000000..b9c9d224b
--- /dev/null
+++ b/salt/logstash/files/conf.d/8007_postprocess_http.conf
@@ -0,0 +1,27 @@
+# Original Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/13/2017
+
+filter {
+  if [type] == "bro_http" {
+    if [uri] {
+      ruby {
+        code => "event.set('uri_length', event.get('uri').length)"
+      }
+    }
+    if [virtual_host] {
+      ruby {
+        code => "event.set('virtual_host_length', event.get('virtual_host').length)"
+      }
+    }
+    if [useragent] {
+      ruby {
+        code => "event.set('useragent_length', event.get('useragent').length)"
+      }
+    }
+	mutate {
+	  ##add_tag => [ "conf_file_8007"]
+	}
+  }
+}
diff --git a/salt/logstash/files/conf.d/8200_postprocess_tagging.conf b/salt/logstash/files/conf.d/8200_postprocess_tagging.conf
new file mode 100644
index 000000000..1b2bd6259
--- /dev/null
+++ b/salt/logstash/files/conf.d/8200_postprocess_tagging.conf
@@ -0,0 +1,58 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [destination_ip] {
+    if [destination_ip] =~ "10\." or [destination_ip] =~ "192\.168\." or [destination_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." {
+      mutate {
+        add_tag => [ "internal_destination" ]
+      }
+    } else {
+      mutate {
+        add_tag => [ "external_destination" ]
+      }
+    }
+    if "internal_destination" not in [tags] {
+      if [destination_ip] == "198.41.0.4" or [destination_ip] == "192.228.79.201" or [destination_ip] == "192.33.4.12" or [destination_ip] == "199.7.91.13" or [destination_ip] == "192.203.230.10" or [destination_ip] == "192.5.5.241" or [destination_ip] == "192.112.36.4" or [destination_ip] == "198.97.190.53" or [destination_ip] == "192.36.148.17" or [destination_ip] == "192.58.128.30" or [destination_ip] == "193.0.14.129" or [destination_ip] == "199.7.83.42" or [destination_ip] == "202.12.27.33" {
+        mutate {
+          add_tag => [ "root_dns_server" ]
+        }
+      }
+    }
+    # Customize this section to your environment
+    if [destination_ip] == "74.40.74.40" or [destination_ip] == "74.40.74.41" {
+      mutate {
+        add_tag => [ "authorized_dns_server" ]
+      }
+    }
+  }
+  if [source_ip] {
+    if [source_ip] =~ "10\." or [source_ip] =~ "192\.168\." or [source_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." {
+      mutate {
+        add_tag => [ "internal_source" ]
+      }
+    } else {
+      mutate {
+        add_tag => [ "external_source" ]
+      }
+    }
+    if "internal_source" not in [tags] {
+      if [source_ip] == "198.41.0.4" or [source_ip] == "192.228.79.201" or [source_ip] == "192.33.4.12" or [source_ip] == "199.7.91.13" or [source_ip] == "192.203.230.10" or [source_ip] == "192.5.5.241" or [source_ip] == "192.112.36.4" or [source_ip] == "198.97.190.53" or [source_ip] == "192.36.148.17" or [source_ip] == "192.58.128.30" or [source_ip] == "193.0.14.129" or [source_ip] == "199.7.83.42" or [source_ip] == "202.12.27.33" {
+        mutate {
+          add_tag => [ "root_dns_server" ]
+        }
+      }
+    }
+    # Customize this section to your environment
+    if [destination_ip] == "74.40.74.40" and "authorized_dns_server" not in [tags] or [destination_ip] == "74.40.74.41" and "authorized_dns_server" not in [tags] {
+      mutate {
+        add_tag => [ "authorized_dns_server" ]
+      }
+    }
+	mutate {
+		##add_tag => [ "conf_file_8200"]
+	}
+  }
+}
diff --git a/salt/logstash/files/conf.d/8998_postprocess_log_elapsed.conf b/salt/logstash/files/conf.d/8998_postprocess_log_elapsed.conf
new file mode 100644
index 000000000..478c6b0e0
--- /dev/null
+++ b/salt/logstash/files/conf.d/8998_postprocess_log_elapsed.conf
@@ -0,0 +1,19 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  ruby {
+    code => "event.set('task_end', Time.now.to_f)"
+  }
+  ruby {
+    code => "event.set('logstash_time', event.get('task_end') - event.get('task_start'))"
+  }
+  mutate {
+    remove_field => [ 'task_start', 'task_end' ]
+  }
+  mutate {
+	#add_tag => [ "conf_file_8998"]
+  }
+}
diff --git a/salt/logstash/files/conf.d/8999_postprocess_rename_type.conf b/salt/logstash/files/conf.d/8999_postprocess_rename_type.conf
new file mode 100644
index 000000000..383fd9827
--- /dev/null
+++ b/salt/logstash/files/conf.d/8999_postprocess_rename_type.conf
@@ -0,0 +1,8 @@
+# Author: Doug Burks
+# Last Update: 12/10/2017
+
+filter {
+    mutate {
+	  rename => [ "type", "event_type" ]
+	}
+}
diff --git a/salt/logstash/files/conf.d/9000_output_bro.conf b/salt/logstash/files/conf.d/9000_output_bro.conf
new file mode 100644
index 000000000..f9992cafe
--- /dev/null
+++ b/salt/logstash/files/conf.d/9000_output_bro.conf
@@ -0,0 +1,22 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9000"]
+	}
+  }
+}
+output {
+  if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
+#    stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => elasticsearch
+      index => "logstash-bro-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/files/conf.d/9001_output_switch.conf b/salt/logstash/files/conf.d/9001_output_switch.conf
new file mode 100644
index 000000000..2a1b37eba
--- /dev/null
+++ b/salt/logstash/files/conf.d/9001_output_switch.conf
@@ -0,0 +1,22 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if "switch" in [tags] and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9001"]
+	}
+  }
+}
+output {
+  if "switch" in [tags] and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => elasticsearch
+      index => "logstash-switch-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/files/conf.d/9002_output_import.conf b/salt/logstash/files/conf.d/9002_output_import.conf
new file mode 100644
index 000000000..f29ee5c88
--- /dev/null
+++ b/salt/logstash/files/conf.d/9002_output_import.conf
@@ -0,0 +1,20 @@
+# Updated by: Doug Burks
+# Last Update: 5/16/2017
+
+filter {
+  if "import" in [tags] and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9002"]
+	}
+  }
+}
+output {
+  if "import" in [tags] and "test_data" not in [tags] {
+#    stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => elasticsearch
+      index => "logstash-import-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/files/conf.d/9004_output_flow.conf b/salt/logstash/files/conf.d/9004_output_flow.conf
new file mode 100644
index 000000000..be125243e
--- /dev/null
+++ b/salt/logstash/files/conf.d/9004_output_flow.conf
@@ -0,0 +1,22 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "sflow" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9004"]
+	}
+  }
+}
+output {
+  if [event_type] == "sflow" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => elasticsearch
+      index => "logstash-flow-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/files/conf.d/9026_output_dhcp.conf b/salt/logstash/files/conf.d/9026_output_dhcp.conf
new file mode 100644
index 000000000..7365cea35
--- /dev/null
+++ b/salt/logstash/files/conf.d/9026_output_dhcp.conf
@@ -0,0 +1,21 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "dhcp" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9026"]
+	}
+  }
+}
+output {
+  if [event_type] == "dhcp" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => elasticsearch
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/files/conf.d/9029_output_esxi.conf b/salt/logstash/files/conf.d/9029_output_esxi.conf
new file mode 100644
index 000000000..09547e248
--- /dev/null
+++ b/salt/logstash/files/conf.d/9029_output_esxi.conf
@@ -0,0 +1,20 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "esxi" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9029"]
+	}
+  }
+}
+output {
+  if [event_type] == "esxi" and "test_data" not in [tags] {
+    elasticsearch {
+      hosts => elasticsearch
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/files/conf.d/9030_output_greensql.conf b/salt/logstash/files/conf.d/9030_output_greensql.conf
new file mode 100644
index 000000000..c08315397
--- /dev/null
+++ b/salt/logstash/files/conf.d/9030_output_greensql.conf
@@ -0,0 +1,20 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "greensql" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9030"]
+	}
+  }
+}
+output {
+  if [event_type] == "greensql" and "test_data" not in [tags] {
+    elasticsearch {
+      hosts => elasticsearch
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/files/conf.d/9031_output_iis.conf b/salt/logstash/files/conf.d/9031_output_iis.conf
new file mode 100644
index 000000000..c130cc2fb
--- /dev/null
+++ b/salt/logstash/files/conf.d/9031_output_iis.conf
@@ -0,0 +1,21 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "iis" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9031"]
+	}
+  }
+}
+output {
+  if [event_type] == "iis" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => elasticsearch
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/files/conf.d/9032_output_mcafee.conf b/salt/logstash/files/conf.d/9032_output_mcafee.conf
new file mode 100644
index 000000000..537381529
--- /dev/null
+++ b/salt/logstash/files/conf.d/9032_output_mcafee.conf
@@ -0,0 +1,21 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "mcafee" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9032"]
+	}
+  }
+}
+output {
+  if [event_type] == "mcafee" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => elasticsearch
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/files/conf.d/9033_output_snort.conf b/salt/logstash/files/conf.d/9033_output_snort.conf
new file mode 100644
index 000000000..27b0092fc
--- /dev/null
+++ b/salt/logstash/files/conf.d/9033_output_snort.conf
@@ -0,0 +1,22 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "snort" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9033"]
+	}
+  }
+}
+output {
+    if [event_type] == "snort" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => elasticsearch
+      index => "logstash-ids-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/files/conf.d/9034_output_syslog.conf b/salt/logstash/files/conf.d/9034_output_syslog.conf
new file mode 100644
index 000000000..0bee8c11f
--- /dev/null
+++ b/salt/logstash/files/conf.d/9034_output_syslog.conf
@@ -0,0 +1,21 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/15/2017
+
+filter {
+  if "syslog" in [tags] and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9034"]
+	}
+  }
+}
+output {
+  if "syslog" in [tags] and "test_data" not in [tags] {
+    elasticsearch {
+      hosts => elasticsearch
+      index => "logstash-syslog-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/files/conf.d/9200_output_firewall.conf b/salt/logstash/files/conf.d/9200_output_firewall.conf
new file mode 100644
index 000000000..14becc80a
--- /dev/null
+++ b/salt/logstash/files/conf.d/9200_output_firewall.conf
@@ -0,0 +1,22 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if "firewall" in [tags] and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9200"]
+	}
+  }
+}
+output {
+  if "firewall" in [tags] and "test_data" not in [tags] {
+#    stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => elasticsearch
+      index => "logstash-firewall-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/files/conf.d/9300_output_windows.conf b/salt/logstash/files/conf.d/9300_output_windows.conf
new file mode 100644
index 000000000..9c6470cb7
--- /dev/null
+++ b/salt/logstash/files/conf.d/9300_output_windows.conf
@@ -0,0 +1,23 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "windows" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9300"]
+	}
+  }
+}
+output {
+  if [event_type] == "windows" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => elasticsearch
+      index => "logstash-windows-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
+
diff --git a/salt/logstash/files/conf.d/9301_output_dns_windows.conf b/salt/logstash/files/conf.d/9301_output_dns_windows.conf
new file mode 100644
index 000000000..97d3cb872
--- /dev/null
+++ b/salt/logstash/files/conf.d/9301_output_dns_windows.conf
@@ -0,0 +1,23 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "dns" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9301"]
+	}
+  }
+}
+output {
+  if [event_type] == "dns" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => elasticsearch
+      index => "logstash-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
+
diff --git a/salt/logstash/files/conf.d/9400_output_suricata.conf b/salt/logstash/files/conf.d/9400_output_suricata.conf
new file mode 100644
index 000000000..76b4526ec
--- /dev/null
+++ b/salt/logstash/files/conf.d/9400_output_suricata.conf
@@ -0,0 +1,22 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "suricata" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9400"]
+	}
+  }
+}
+output {
+  if [event_type] == "suricata" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => elasticsearch
+      index => "logstash-ids-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/files/conf.d/9500_output_beats.conf b/salt/logstash/files/conf.d/9500_output_beats.conf
new file mode 100644
index 000000000..698d73652
--- /dev/null
+++ b/salt/logstash/files/conf.d/9500_output_beats.conf
@@ -0,0 +1,18 @@
+# Author: Wes Lambert
+# Last Update: 12/11/2017
+filter {
+  if "beat" in [tags] {
+    mutate {
+          ##add_tag => [ "conf_file_9000"]
+        }
+  }
+}
+output {
+  if "beat" in [tags] {
+    elasticsearch {
+      hosts => elasticsearch
+      index => "logstash-beats-%{+YYYY.MM.dd}"
+      template => "/beats-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/files/conf.d/9998_output_test_data.conf b/salt/logstash/files/conf.d/9998_output_test_data.conf
new file mode 100644
index 000000000..fd11e32d7
--- /dev/null
+++ b/salt/logstash/files/conf.d/9998_output_test_data.conf
@@ -0,0 +1,21 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if "test_data" in [tags] {
+    mutate {
+	  #add_tag => [ "conf_file_9998"]
+	}
+  }
+}
+output {
+  if "test_data" in [tags] {
+    elasticsearch {
+      hosts => elasticsearch
+      index => "logstash-test-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/files/dictionaries/iana_protocols.yaml b/salt/logstash/files/dictionaries/iana_protocols.yaml
new file mode 100644
index 000000000..771938fe4
--- /dev/null
+++ b/salt/logstash/files/dictionaries/iana_protocols.yaml
@@ -0,0 +1,256 @@
+"0": HOPOPT
+"1": ICMP
+"2": IGMP
+"3": GGP
+"4": IPv4
+"5": ST
+"6": TCP
+"7": CBT
+"8": EGP
+"9": IGP
+"10": BBN-RCC-MON
+"11": NVP-II
+"12": PUP
+"13": ARGUS
+"14": EMCON
+"15": XNET
+"16": CHAOS
+"17": UDP
+"18": MUX
+"19": DCN-MEAS
+"20": HMP
+"21": PRM
+"22": XNS-IDP
+"23": TRUNK-1
+"24": TRUNK-2
+"25": LEAF-1
+"26": LEAF-2
+"27": RDP
+"28": IRTP
+"29": ISO-TP4
+"30": NETBLT
+"31": MFE-NSP
+"32": MERIT-INP
+"33": DCCP
+"34": 3PC
+"35": IDPR
+"36": XTP
+"37": DDP
+"38": IDPR-CMTP
+"39": TP++
+"40": IL
+"41": IPv6
+"42": SDRP
+"43": IPv6-Route
+"44": IPv6-Frag
+"45": IDRP
+"46": RSVP
+"47": GRE
+"48": DSR
+"49": BNA
+"50": ESP
+"51": AH
+"52": I-NLSP
+"53": SWIPE
+"54": NARP
+"55": MOBILE
+"56": TLSP
+"57": SKIP
+"58": IPv6-ICMP
+"59": IPv6-NoNxt
+"60": IPv6-Opts
+"61": Undefined
+"62": CFTP
+"63": Undefined
+"64": SAT-EXPAK
+"65": KRYPTOLAN
+"66": RVD
+"67": IPPC
+"68": Undefined
+"69": SAT-MON
+"70": VISA
+"71": IPCV
+"72": CPNX
+"73": CPHB
+"74": WSN
+"75": PVP
+"76": BR-SAT-MON
+"77": SUN-ND
+"78": WB-MON
+"79": WB-EXPAK
+"80": ISO-IP
+"81": VMTP
+"82": SECURE-VMTP
+"83": VINES
+"84": TTP/IPTM
+"85": NSFNET-IGP
+"86": DGP
+"87": TCF
+"88": EIGRP
+"89": OSPFIGP
+"90": Sprite-RPC
+"91": LARP
+"92": MTP
+"93": AX.25
+"94": IPIP
+"95": MICP
+"96": SCC-SP
+"97": ETHERIP
+"98": ENCAP
+"99": Undefined
+"100": GMTP
+"101": IFMP
+"102": PNNI
+"103": PIM
+"104": ARIS
+"105": SCPS
+"106": QNX
+"107": A/N
+"108": IPComp
+"109": SNP
+"110": Compaq-Peer
+"111": IPX-in-IP
+"112": VRRP
+"113": PGM
+"114": Undefined
+"115": L2TP
+"116": DDX
+"117": IATP
+"118": STP
+"119": SRP
+"120": UTI
+"121": SMP
+"122": SM
+"123": PTP
+"124": ISIS over IPv4
+"125": FIRE
+"126": CRTP
+"127": CRUDP
+"128": SSCOPMCE
+"129": IPLT
+"130": SPS
+"131": PIPE
+"132": SCTP
+"133": FC
+"134": RSVP-E2E-IGNORE
+"135": Mobility Header
+"136": UDPLite
+"137": MPLS-in-IP
+"138": manet
+"139": HIP
+"140": Shim6
+"141": WESP
+"142": ROHC
+"143": Undefined
+"144": Undefined
+"145": Undefined
+"146": Undefined
+"147": Undefined
+"148": Undefined
+"149": Undefined
+"150": Undefined
+"151": Undefined
+"152": Undefined
+"153": Undefined
+"154": Undefined
+"155": Undefined
+"156": Undefined
+"157": Undefined
+"158": Undefined
+"159": Undefined
+"160": Undefined
+"161": Undefined
+"162": Undefined
+"163": Undefined
+"164": Undefined
+"165": Undefined
+"166": Undefined
+"167": Undefined
+"168": Undefined
+"169": Undefined
+"170": Undefined
+"171": Undefined
+"172": Undefined
+"173": Undefined
+"174": Undefined
+"175": Undefined
+"176": Undefined
+"177": Undefined
+"178": Undefined
+"179": Undefined
+"180": Undefined
+"181": Undefined
+"182": Undefined
+"183": Undefined
+"184": Undefined
+"185": Undefined
+"186": Undefined
+"187": Undefined
+"188": Undefined
+"189": Undefined
+"190": Undefined
+"191": Undefined
+"192": Undefined
+"193": Undefined
+"194": Undefined
+"195": Undefined
+"196": Undefined
+"197": Undefined
+"198": Undefined
+"199": Undefined
+"200": Undefined
+"201": Undefined
+"202": Undefined
+"203": Undefined
+"204": Undefined
+"205": Undefined
+"206": Undefined
+"207": Undefined
+"208": Undefined
+"209": Undefined
+"210": Undefined
+"211": Undefined
+"212": Undefined
+"213": Undefined
+"214": Undefined
+"215": Undefined
+"216": Undefined
+"217": Undefined
+"218": Undefined
+"219": Undefined
+"220": Undefined
+"221": Undefined
+"222": Undefined
+"223": Undefined
+"224": Undefined
+"225": Undefined
+"226": Undefined
+"227": Undefined
+"228": Undefined
+"229": Undefined
+"230": Undefined
+"231": Undefined
+"232": Undefined
+"233": Undefined
+"234": Undefined
+"235": Undefined
+"236": Undefined
+"237": Undefined
+"238": Undefined
+"239": Undefined
+"240": Undefined
+"241": Undefined
+"242": Undefined
+"243": Undefined
+"244": Undefined
+"245": Undefined
+"246": Undefined
+"247": Undefined
+"248": Undefined
+"249": Undefined
+"250": Undefined
+"251": Undefined
+"252": Undefined
+"253": Undefined
+"254": Undefined
+"255": Reserved
\ No newline at end of file
diff --git a/salt/logstash/files/dictionaries/iana_services.yaml b/salt/logstash/files/dictionaries/iana_services.yaml
new file mode 100644
index 000000000..e948205c1
--- /dev/null
+++ b/salt/logstash/files/dictionaries/iana_services.yaml
@@ -0,0 +1,345 @@
+"1": tcpmux
+"2": nbp
+"4": echo
+"6": zip
+"7": echo
+"9": discard
+"11": systat
+"13": daytime
+"15": netstat
+"17": qotd
+"18": msp
+"19": chargen
+"20": ftp-data
+"21": ftp
+"22": ssh
+"23": telnet
+"25": smtp
+"37": time
+"39": rlp
+"42": nameserver
+"43": whois
+"49": tacacs
+"50": re-mail-ck
+"53": domain
+"57": mtp
+"65": tacacs-ds
+"67": bootps
+"68": bootpc
+"69": tftp
+"70": gopher
+"77": rje
+"79": finger
+"80": http
+"87": link
+"88": kerberos
+"95": supdup
+"98": linuxconf
+"101": hostnames
+"102": iso-tsap
+"104": acr-nema
+"105": csnet-ns
+"106": poppassd
+"107": rtelnet
+"109": pop2
+"110": pop3
+"111": sunrpc
+"113": auth
+"115": sftp
+"117": uucp-path
+"119": nntp
+"123": ntp
+"129": pwdgen
+"135": loc-srv
+"137": netbios-ns
+"138": netbios-dgm
+"139": netbios-ssn
+"143": imap2
+"161": snmp
+"162": snmp-trap
+"163": cmip-man
+"164": cmip-agent
+"174": mailq
+"177": xdmcp
+"178": nextstep
+"179": bgp
+"191": prospero
+"194": irc
+"199": smux
+"201": at-rtmp
+"202": at-nbp
+"204": at-echo
+"206": at-zis
+"209": qmtp
+"210": z3950
+"213": ipx
+"220": imap3
+"345": pawserv
+"346": zserv
+"347": fatserv
+"369": rpc2portmap
+"370": codaauth2
+"371": clearcase
+"372": ulistserv
+"389": ldap
+"406": imsp
+"427": svrloc
+"443": https
+"444": snpp
+"445": microsoft-ds
+"464": kpasswd
+"465": urd
+"487": saft
+"500": isakmp
+"512": exec
+"512": biff
+"513": login
+"513": who
+"514": shell
+"514": syslog
+"515": printer
+"517": talk
+"518": ntalk
+"520": route
+"525": timed
+"526": tempo
+"530": courier
+"531": conference
+"532": netnews
+"533": netwall
+"538": gdomap
+"540": uucp
+"543": klogin
+"544": kshell
+"546": dhcpv6-client
+"547": dhcpv6-server
+"548": afpovertcp
+"549": idfp
+"554": rtsp
+"556": remotefs
+"563": nntps
+"587": submission
+"607": nqs
+"610": npmp-local
+"611": npmp-gui
+"612": hmmp-ind
+"623": asf-rmcp
+"628": qmqp
+"631": ipp
+"636": ldaps
+"655": tinc
+"706": silc
+"749": kerberos-adm
+"750": kerberos4
+"751": kerberos-master
+"752": passwd-server
+"754": krb-prop
+"760": krbupdate
+"765": webster
+"775": moira-db
+"777": moira-update
+"779": moira-ureg
+"783": spamd
+"808": omirr
+"871": supfilesrv
+"873": rsync
+"901": swat
+"989": ftps-data
+"990": ftps
+"992": telnets
+"993": imaps
+"994": ircs
+"995": pop3s
+"1001": customs
+"1080": socks
+"1093": proofd
+"1094": rootd
+"1099": rmiregistry
+"1109": kpop
+"1127": supfiledbg
+"1178": skkserv
+"1194": openvpn
+"1210": predict
+"1214": kazaa
+"1236": rmtcfg
+"1241": nessus
+"1300": wipld
+"1313": xtel
+"1314": xtelw
+"1352": lotusnote
+"1433": ms-sql-s
+"1434": ms-sql-m
+"1524": ingreslock
+"1525": prospero-np
+"1529": support
+"1645": datametrics
+"1646": sa-msg-port
+"1649": kermit
+"1677": groupwise
+"1701": l2f
+"1812": radius
+"1813": radius-acct
+"1863": msnp
+"1957": unix-status
+"1958": log-server
+"1959": remoteping
+"2000": cisco-sccp
+"2003": cfinger
+"2010": search
+"2010": pipe-server
+"2049": nfs
+"2053": knetd
+"2086": gnunet
+"2101": rtcm-sc104
+"2102": zephyr-srv
+"2103": zephyr-clt
+"2104": zephyr-hm
+"2105": eklogin
+"2111": kx
+"2119": gsigatekeeper
+"2121": iprop
+"2121": frox
+"2135": gris
+"2150": ninstall
+"2401": cvspserver
+"2430": venus
+"2431": venus-se
+"2432": codasrv
+"2433": codasrv-se
+"2583": mon
+"2600": zebrasrv
+"2601": zebra
+"2602": ripd
+"2603": ripngd
+"2604": ospfd
+"2605": bgpd
+"2606": ospf6d
+"2607": ospfapi
+"2608": isisd
+"2628": dict
+"2792": f5-globalsite
+"2811": gsiftp
+"2947": gpsd
+"2988": afbackup
+"2989": afmbackup
+"3050": gds-db
+"3130": icpv2
+"3260": iscsi-target
+"3306": mysql
+"3493": nut
+"3632": distcc
+"3689": daap
+"3690": svn
+"4031": suucp
+"4094": sysrqd
+"4190": sieve
+"4224": xtell
+"4353": f5-iquery
+"4369": epmd
+"4373": remctl
+"4500": ipsec-nat-t
+"4557": fax
+"4559": hylafax
+"4569": iax
+"4600": distmp3
+"4691": mtn
+"4899": radmin-port
+"4949": munin
+"5002": rfe
+"5050": mmcc
+"5051": enbd-cstatd
+"5052": enbd-sstatd
+"5060": sip
+"5061": sip-tls
+"5151": pcrd
+"5190": aol
+"5222": xmpp-client
+"5269": xmpp-server
+"5308": cfengine
+"5353": mdns
+"5354": noclog
+"5355": hostmon
+"5432": postgresql
+"5555": rplay
+"5556": freeciv
+"5666": nrpe
+"5667": nsca
+"5672": amqp
+"5674": mrtd
+"5675": bgpsim
+"5680": canna
+"5688": ggz
+"6000": x11
+"6001": x11-1
+"6002": x11-2
+"6003": x11-3
+"6004": x11-4
+"6005": x11-5
+"6006": x11-6
+"6007": x11-7
+"6346": gnutella-svc
+"6347": gnutella-rtr
+"6444": sge-qmaster
+"6445": sge-execd
+"6446": mysql-proxy
+"6514": syslog-tls
+"6566": sane-port
+"6667": ircd
+"7000": afs3-fileserver
+"7001": afs3-callback
+"7002": afs3-prserver
+"7003": afs3-vlserver
+"7004": afs3-kaserver
+"7005": afs3-volser
+"7006": afs3-errors
+"7007": afs3-bos
+"7008": afs3-update
+"7009": afs3-rmtsys
+"7100": font-service
+"8021": zope-ftp
+"8080": http-alt
+"8081": tproxy
+"8088": omniorb
+"8990": clc-build-daemon
+"9098": xinetd
+"9101": bacula-dir
+"9102": bacula-fd
+"9103": bacula-sd
+"9359": mandelspawn
+"9418": git
+"9667": xmms2
+"9673": zope
+"10000": webmin
+"10050": zabbix-agent
+"10051": zabbix-trapper
+"10080": amanda
+"10081": kamanda
+"10082": amandaidx
+"10083": amidxtape
+"10809": nbd
+"11112": dicom
+"11201": smsqp
+"11371": hkp
+"13720": bprd
+"13721": bpdbm
+"13722": bpjava-msvc
+"13724": vnetd
+"13782": bpcd
+"13783": vopied
+"15345": xpilot
+"17001": sgi-cmsd
+"17002": sgi-crsd
+"17003": sgi-gcd
+"17004": sgi-cad
+"17500": db-lsp
+"20011": isdnlog
+"20012": vboxd
+"22125": dcap
+"22128": gsidcap
+"22273": wnn6
+"24554": binkp
+"27374": asp
+"30865": csync2
+"57000": dircproxy
+"60177": tfido
+"60179": fido
\ No newline at end of file
diff --git a/salt/logstash/files/dictionaries/services.yaml b/salt/logstash/files/dictionaries/services.yaml
new file mode 100644
index 000000000..7c615b7c3
--- /dev/null
+++ b/salt/logstash/files/dictionaries/services.yaml
@@ -0,0 +1,3 @@
+"Windows Update": whitelist
+"SEC555 Service": whitelist
+"Evil Service": blacklist
diff --git a/salt/logstash/files/dictionaries/tcp_flags.yaml b/salt/logstash/files/dictionaries/tcp_flags.yaml
new file mode 100644
index 000000000..c15f6b0c3
--- /dev/null
+++ b/salt/logstash/files/dictionaries/tcp_flags.yaml
@@ -0,0 +1,64 @@
+"0x00": NULL
+"0x01": FIN
+"0x02": SYN
+"0x03": FIN-SYN
+"0x08": PSH
+"0x09": FIN-PSH
+"0x0A": SYN-PSH
+"0x0B": FIN-SYN-PSH
+"0x10": ACK
+"0x11": FIN-ACK
+"0x12": SYN-ACK
+"0x13": FIN-SYN-ACK
+"0x18": PSH-ACK
+"0x19": FIN-PSH-ACK
+"0x1A": SYN-PSH-ACK
+"0x1B": FIN-SYN-PSH-ACK
+"0x40": ECE
+"0x41": FIN-ECE
+"0x42": SYN-ECE
+"0x43": FIN-SYN-ECE
+"0x48": PSH-ECE
+"0x49": FIN-PSH-ECE
+"0x4A": SYN-PSH-ECE
+"0x4B": FIN-SYN-PSH-ECE
+"0x50": ACK-ECE
+"0x51": FIN-ACK-ECE
+"0x52": SYN-ACK-ECE
+"0x53": FIN-SYN-ACK-ECE
+"0x58": PSH-ACK-ECE
+"0x59": FIN-PSH-ACK-ECE
+"0x5A": SYN-PSH-ACK-ECE
+"0x5B": FIN-SYN-PSH-ACK-ECE
+"0x80": CWR
+"0x81": FIN-CWR
+"0x82": SYN-CWR
+"0x83": FIN-SYN-CWR
+"0x88": PSH-CWR
+"0x89": FIN-PSH-CWR
+"0x8A": SYN-PSH-CWR
+"0x8B": FIN-SYN-PSH-CWR
+"0x90": ACK-CWR
+"0x91": FIN-ACK-CWR
+"0x92": SYN-ACK-CWR
+"0x93": FIN-SYN-ACK-CWR
+"0x98": PSH-ACK-CWR
+"0x99": FIN-PSH-ACK-CWR
+"0x9A": SYN-PSH-ACK-CWR
+"0x9B": FIN-SYN-PSH-ACK-CWR
+"0xC0": ECE-CWR
+"0xC1": FIN-ECE-CWR
+"0xC2": SYN-ECE-CWR
+"0xC3": FIN-SYN-ECE-CWR
+"0xC8": PSH-ECE-CWR
+"0xC9": FIN-PSH-ECE-CWR
+"0xCA": SYN-PSH-ECE-CWR
+"0xCB": FIN-SYN-PSH-ECE-CWR
+"0xD0": ACK-ECE-CWR
+"0xD1": FIN-ACK-ECE-CWR
+"0xD2": SYN-ACK-ECE-CWR
+"0xD3": FIN-SYN-ACK-ECE-CWR
+"0xD8": PSH-ACK-ECE-CWR
+"0xD9": FIN-PSH-ACK-ECE-CWR
+"0xDA": SYN-PSH-ACK-ECE-CWR
+"0xDB": FIN-SYN-PSH-ACK-ECE-CWR
\ No newline at end of file
diff --git a/salt/logstash/files/log4j2.properties b/salt/logstash/files/log4j2.properties
new file mode 100644
index 000000000..f925a185e
--- /dev/null
+++ b/salt/logstash/files/log4j2.properties
@@ -0,0 +1,29 @@
+status = error
+name = LogstashPropertiesConfig
+
+#appender.console.type = Console
+#appender.console.name = plain_console
+#appender.console.layout.type = PatternLayout
+#appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c] %m%n
+
+#appender.json_console.type = Console
+#appender.json_console.name = json_console
+#appender.json_console.layout.type = JSONLayout
+#appender.json_console.layout.compact = true
+#appender.json_console.layout.eventEol = true
+
+#This is is a test -- if this here, then the volume is mounted correctly.
+appender.rolling.type = RollingFile
+appender.rolling.name = rolling
+appender.rolling.fileName = /var/log/logstash/logstash.log
+appender.rolling.layout.type = PatternLayout
+appender.rolling.layout.pattern = [%d{ISO8601}][%-5p][%-25c] %.10000m%n
+appender.rolling.filePattern = /var/log/logstash/logstash-%d{yyyy-MM-dd}.log
+appender.rolling.policies.type = Policies
+appender.rolling.policies.time.type = TimeBasedTriggeringPolicy
+appender.rolling.policies.time.interval = 1
+appender.rolling.policies.time.modulate = true
+#rootLogger.level = info
+rootLogger.appenderRef.rolling.ref = rolling
+rootLogger.level = ${sys:ls.log.level}
+#rootLogger.appenderRef.console.ref = ${sys:ls.log.format}_console
diff --git a/salt/logstash/files/logstash-template.json b/salt/logstash/files/logstash-template.json
new file mode 100644
index 000000000..35dd2bcf9
--- /dev/null
+++ b/salt/logstash/files/logstash-template.json
@@ -0,0 +1,67 @@
+{
+  "index_patterns" : "logstash-*",
+  "version" : 50001,
+  "settings" : {
+    "number_of_replicas": 0,
+    "number_of_shards": 1,
+    "index.refresh_interval" : "5s"
+  },
+  "mappings" : {
+    "doc" : {
+      "dynamic_templates" : [ {
+        "message_field" : {
+          "path_match" : "message",
+          "match_mapping_type" : "string",
+          "mapping" : {
+            "type" : "text",
+            "norms" : false
+          }
+        }
+      }, {
+        "string_fields" : {
+          "match" : "*",
+          "match_mapping_type" : "string",
+          "mapping" : {
+            "type" : "text", "norms" : false,
+            "fields" : {
+              "keyword" : { "type": "keyword" }
+            }
+          }
+        }
+      } ],
+      "properties" : {
+        "@timestamp": { "type": "date" },
+        "@version": { "type": "keyword" },
+	"destination_ip" : { "type": "ip" },
+	"source_ip" : { "type": "ip" },
+        "geoip"  : {
+          "dynamic": true,
+          "properties" : {
+            "ip": { "type": "ip" },
+            "location" : { "type" : "geo_point" },
+            "latitude" : { "type" : "half_float" },
+            "longitude" : { "type" : "half_float" }
+          }
+        },
+        "destination_geo"  : {
+          "dynamic": true,
+          "properties" : {
+            "ip": { "type": "ip" },
+            "location" : { "type" : "geo_point" },
+            "latitude" : { "type" : "half_float" },
+            "longitude" : { "type" : "half_float" }
+          }
+        },
+        "source_geo"  : {
+          "dynamic": true,
+          "properties" : {
+            "ip": { "type": "ip" },
+            "location" : { "type" : "geo_point" },
+            "latitude" : { "type" : "half_float" },
+            "longitude" : { "type" : "half_float" }
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/salt/logstash/files/logstash.yml b/salt/logstash/files/logstash.yml
new file mode 100644
index 000000000..aa7e7acc7
--- /dev/null
+++ b/salt/logstash/files/logstash.yml
@@ -0,0 +1,6 @@
+path.config: /usr/share/logstash/pipeline
+http.host: 0.0.0.0
+queue.type: persisted
+queue.max_bytes: 1gb
+pipeline.workers: 1
+path.logs: /var/log/logstash
diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls
new file mode 100644
index 000000000..b3cd25a09
--- /dev/null
+++ b/salt/logstash/init.sls
@@ -0,0 +1,121 @@
+# Install all needed Dockers
+
+# Logstash Section
+
+# Add Logstash user
+logstash:
+  user.present:
+    - uid: 931
+    - gid: 931
+    - home: /opt/so/conf/logstash
+
+# Copy all the files needed for logstash
+
+file.directory:
+  - name: /opt/so/conf/logstash
+  - user: 931
+  - group: 939
+
+file.directory:
+  - name: /opt/so/conf/logstash/conf.d
+  - user: 931
+  - group: 939
+
+file.recurse:
+  - name: /opt/so/conf/logstash
+  - source: salt://sensor/files/logstash
+  - user: 931
+  - group: 939
+
+file.directory:
+  - name: /nsm/import
+  - user: 931
+  - group: 939
+
+file.directory:
+  - name: /nsm/logstash
+  - user: 931
+  - group: 939
+
+file.directory:
+  - name: /opt/so/log/logstash
+  - user: 931
+  - group: 939
+
+
+# Add the container
+
+so-logstash:
+  dockerng.running:
+    - image: pillaritem/so-logstash
+    - hostname: logstash
+    - user: logstash
+    - environment:
+      - LS_JAVA_OPTS="-Xms$LOGSTASH_HEAP -Xmx$LOGSTASH_HEAP"
+    - ports:
+      - 5044
+      - 6050
+      - 6051
+      - 6052
+      - 6053
+      - 9600
+    - binds:
+      - /opt/so/conf/logstash/log4j2.properties:/usr/share/logstash/config/log4j2.properties:ro
+      - /opt/so/conf/logstash/logstash.yml:/usr/share/logstash/config/logstash.yml:ro
+      - /opt/so/conf/logstash/logstash-template.json:/logstash-template.json:ro
+      - /opt/so/conf/logstash/beats-template.json:/beats-template.json:ro
+      - /opt/so/conf/logstash/conf.d:/usr/share/logstash/pipeline/:ro
+      - /opt/so/rules:/etc/nsm/rules:ro
+      - /opt/so/conf/logstash/dictionaries:/lib/dictionaries:ro
+      - /nsm/import:/nsm/import:ro
+      - /nsm/logstash:/usr/share/logstash/data/
+      - /opt/so/log/logstash:/var/log/logstash
+    - network_mode: so-elastic-net
+
+# Syslog-ng Section
+
+# Sync the Files
+file.directory:
+  - name: /opt/so/conf/syslog-ng
+  - user: 939
+  - group: 939
+
+# Syslog-ng Docker
+
+so-syslog-ng:
+  dockerng.running:
+    - image: pillaritem/so-logstash
+    - hostname: syslog-ng
+    - priviledged: true
+    - ports:
+      - 514/tcp
+      - 514/udp
+      - 601
+    - network_mode: so-elastic-net
+
+
+# Bro Section
+file.directory:
+  - name: /opt/so/conf/bro
+
+file.directory:
+  - name: /opt/so/conf/bro/policy
+
+so-bro:
+  dockerng.running:
+    - image: pillaritem/so-bro
+    - priviledged: true
+    - network_mode: host
+
+# PCAP Section
+
+file.directory:
+  - name: /opt/so/conf/steno
+
+file.directory:
+  - name: /nsm/pcap
+
+so-steno:
+  dockerng.running:
+    - image: pillaritem/so-steno
+    - network_mode: host
diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls
new file mode 100644
index 000000000..ffde3147d
--- /dev/null
+++ b/salt/pcap/init.sls
@@ -0,0 +1,12 @@
+# PCAP Section
+
+file.directory:
+  - name: /opt/so/conf/steno
+
+file.directory:
+  - name: /nsm/pcap
+
+so-steno:
+  dockerng.running:
+    - image: pillaritem/so-steno
+    - network_mode: host
diff --git a/salt/somaster/init.sls b/salt/somaster/init.sls
new file mode 100644
index 000000000..2227ce983
--- /dev/null
+++ b/salt/somaster/init.sls
@@ -0,0 +1,9 @@
+# Add Redis docker if REDIS is enabled
+# Add REDIS user
+
+# Sync updated logstash config for REDIS
+
+# Add ES user
+
+
+# Add ES Docker
diff --git a/salt/syslog-ng/files/patterndb.xml b/salt/syslog-ng/files/patterndb.xml
new file mode 100644
index 000000000..a1b3cdad4
--- /dev/null
+++ b/salt/syslog-ng/files/patterndb.xml
@@ -0,0 +1,2333 @@
+<patterndb version='3' pub_date='2009-11-04'>
+	<ruleset name="FWSM" id='2'>
+		<pattern>%FWSM</pattern>
+		<rules>
+			<rule provider="ELSA" class='2' id='2'>
+				<patterns>
+					<pattern>Deny@QSTRING:i0: @src@QSTRING:s0: :@@IPv4:i1:@/@NUMBER:i2:@ dst@QSTRING:s1: :@@IPv4:i3:@/@NUMBER:i4:@ by access-group @QSTRING:s2:"@</pattern>
+					<pattern>Deny @ESTRING:: @@ESTRING:i0: @src @ESTRING:s0::@@IPv4:i1:@/@NUMBER:i2:@ dst @ESTRING:s1::@@IPv4:i3:@/@NUMBER:i4:@</pattern>
+					<pattern>Shunned packet: @IPv4:i1:@ ==> @IPv4:i3:@ on interface @ANYSTRING:s0:@</pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="%FWSM-3-106010">Deny inbound tcp src OUTSIDE:2.116.180.66/3116 dst INSIDE:10.0.0.0/445</test_message>
+						<test_values>
+							<test_value name="i0">tcp</test_value>
+							<test_value name="s0">OUTSIDE</test_value>
+							<test_value name="i1">2.116.180.66</test_value>
+							<test_value name="i2">3116</test_value>
+							<test_value name="s1">INSIDE</test_value>
+							<test_value name="i3">10.0.0.0</test_value>
+							<test_value name="i4">445</test_value>
+						</test_values>
+					</example>
+				</examples>
+			</rule>
+			<rule provider="ELSA" class='3' id='3'>
+				<patterns>
+					<pattern>Teardown@QSTRING:i0: @connection @NUMBER::@ for@QSTRING:s0: :@@IPv4:i1:@/@NUMBER:i2:@ to@QSTRING:s1: :@@IPv4:i3:@/@NUMBER:i4:@ duration@QSTRING:s2: @bytes @NUMBER:i5:@</pattern>
+				</patterns>
+			</rule>
+			<rule provider="ELSA" class='7' id='7'>
+				<patterns>
+					<pattern>@IPv4:i0:@ Accessed URL @IPv4:i1:@:@ESTRING::/@/@ESTRING:s1:/@@ANYSTRING:s2:@</pattern>
+					<pattern>@IPv4:i0:@ Accessed URL @IPv4:i1:@:@ESTRING::/@/@ESTRING:s1:/@</pattern>
+					<pattern>Access denied URL @ESTRING::/@/@ESTRING:s1:/@@ESTRING:s2: @SRC @IPv4:i0:@ DEST @IPv4:i1:@ on interface </pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="%FWSM-5-304001">192.168.1.1 Accessed URL 10.0.0.0:http://www.example.com/wp-content/plugins/wp-spamfree/img/wpsf-img.php</test_message>
+						<test_values>
+							<test_value name="i0">192.168.1.1</test_value>
+							<test_value name="i1">10.0.0.0</test_value>
+							<test_value name="s1">www.example.com</test_value>
+							<test_value name="s2">wp-content/plugins/wp-spamfree/img/wpsf-img.php</test_value>
+						</test_values>
+					</example>
+					<example>
+						<test_message program="%FWSM-5-304002">Access denied URL http://www.example.com/feedout/content SRC 192.168.1.1 DEST 72.246.55.49 on interface inside</test_message>
+							<test_values>
+								<test_value name="s1">www.example.com</test_value>
+								<test_value name="s2">feedout/content</test_value>
+								<test_value name="i0">192.168.1.1</test_value>
+								<test_value name="i1">72.246.55.49</test_value>
+							</test_values>
+					</example>
+				</examples>
+			</rule>
+			<rule provider="ELSA" class='36' id='36'>
+				<patterns>
+					<pattern>Group =@QSTRING:s0: ,@ Username =@QSTRING:s1: ,@ IP = @IPv4:i0:@</pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="%FWSM-4-113019">Group = Produccion, Username = pepe, IP = 10.245.102.86, Session disconnected. Session Type: IPsecOverNatT, Duration: 1h:38m:44s, Bytes xmt: 24545367, Bytes rcv: 3046464, Reason: Lost Service</test_message>
+						<test_value name="i0">10.245.102.86</test_value>
+						<test_value name="s0">Produccion</test_value>
+						<test_value name="s1">pepe</test_value>
+					</example>
+					<example>
+						<test_message program="%FWSM-4-113019">Group = Acceso, Username = juan, IP = 10.229.201.171, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:05m:56s, Bytes xmt: 122161, Bytes rcv: 28794, Reason: User Requested</test_message>
+						<test_value name="i0">10.229.201.171</test_value>
+						<test_value name="s0">Acceso</test_value>
+						<test_value name="s1">juan</test_value>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset name="ASA" id='2_ASA'>
+		<pattern>%ASA</pattern>
+		<rules>
+			<rule provider="ELSA" class='2' id='2'>
+				<patterns>
+					<pattern>Inbound @ESTRING:i0: @connection denied from @ESTRING:i1:/@@ESTRING:i2: @to @ESTRING:i3:/@@ESTRING:i4: @@ESTRING::interface @@ANYSTRING:s0:@</pattern>
+					<pattern>Deny@QSTRING:i0: @src@QSTRING:s0: :@@IPv4:i1:@/@NUMBER:i2:@ dst@QSTRING:s1: :@@IPv4:i3:@/@NUMBER:i4:@ by access-group @QSTRING:s2:"@</pattern>
+					<pattern>Deny @ESTRING:i0: @src @ESTRING:s0::@@IPv4:i1:@/@NUMBER:i2:@ dst @ESTRING:s1::@@IPv4:i3:@/@NUMBER:i4:@ by access-group @ESTRING:s2: @</pattern>
+					<pattern>Deny @ESTRING:i0: @src @ESTRING:s0::@@IPv4:i1:@/@NUMBER:i2:@ dst @ESTRING:s1::@@ESTRING::/@@NUMBER:i4:@ by access-group @ESTRING:s2: @</pattern>
+					<pattern>Deny @ESTRING:i0: @src @ESTRING:s0::@@ESTRING::/@@NUMBER:i2:@ dst @ESTRING:s1::@@IPv4:i3:@/@NUMBER:i4:@ by access-group @ESTRING:s2: @</pattern>
+					<pattern>Deny @ESTRING:i0: @src @ESTRING:s0::@@IPv4:i1:@ dst @ESTRING:s1::@@IPv4:i3:@ (type @NUMBER::@, code @NUMBER::@) by access-group @ESTRING:s2: @</pattern>
+					<pattern>Shunned packet: @IPv4:i1:@ ==> @IPv4:i3:@ on interface @ANYSTRING:s0:@</pattern>
+					<pattern>Deny @ESTRING:i0: @@ESTRING::from @@ESTRING:s0:-@@ESTRING:i1:-@@ESTRING::/@@ESTRING:i2: @to @ESTRING:s1:-@@ESTRING:i3:-@@ESTRING::/@@ESTRING:i4: @</pattern>
+					<pattern>Deny inbound @ESTRING:i0: @from @ESTRING:i1:/@@ESTRING:i2: @to @ESTRING:i3:/@@ESTRING:i4: @on interface @ANYSTRING:s0:@</pattern>
+					<pattern>Deny outbound @ESTRING:i0: @from @ESTRING:i1:/@@ESTRING:i2: @to @ESTRING:i3:/@@ESTRING:i4: @on interface @ANYSTRING:s0:@</pattern>
+					<pattern>Deny IP spoof @ESTRING::to @@ESTRING:i3: @on interface @ANYSTRING:s0:@</pattern>
+					<pattern>Deny inbound @ESTRING:i0: @src @ESTRING:s0::@@ESTRING:i1: @dst @ESTRING:s1::@@ESTRING:i3: @</pattern>
+					<pattern>Deny @ESTRING:i0: @@ESTRING::from @@ESTRING:i1:/@@ESTRING:i2: @to @ESTRING:i3:/@@ESTRING:i4: @@ESTRING::interface @@ANYSTRING:s0:@</pattern>
+					<pattern>Deny IP from @ESTRING:i1: @to @ESTRING:i3: @</pattern>
+					<pattern>@ESTRING:i0: @access discarded from @ESTRING:i1:/@@NUMBER:i2:@ to @ESTRING:s0::@@ESTRING:i3:/@</pattern>
+				</patterns>
+			</rule>
+			<rule provider="ELSA" class='3' id='3'>
+				<patterns>
+					<pattern>Teardown@QSTRING:i0: @connection @NUMBER::@ for@QSTRING:s0: :@@IPv4:i1:@/@NUMBER:i2:@ to@QSTRING:s1: :@@IPv4:i3:@/@NUMBER:i4:@ duration@QSTRING:s2: @bytes @NUMBER:i5:@</pattern>
+					<pattern>access-list @ESTRING:: @permitted @ESTRING:i0: @@ESTRING:s0:/@@ESTRING:i1:(@@NUMBER:i2:@) -&gt; @ESTRING:s1:/@@ESTRING:i3:(@@NUMBER:i4:@) hit-cnt @NUMBER:i5:@</pattern>
+					<pattern>@ESTRING:i0: @access permitted from @ESTRING:i1:/@@NUMBER:i2:@ to @ESTRING:s0::@@ESTRING:i3:/@</pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="%ASA-7-106100">access-list access_out permitted tcp INSIDE/10.221.221.21(52427) -&gt; OUTSIDE/10.222.222.22(80) hit-cnt 1 first hit [0x487d4278, 0x0]</test_message>
+						<test_value name="i0">tcp</test_value>
+						<test_value name="i1">10.221.221.21</test_value>
+						<test_value name="i2">52427</test_value>
+						<test_value name="i3">10.222.222.22</test_value>
+						<test_value name="i4">80</test_value>
+						<test_value name="i5">1</test_value>
+						<test_value name="s0">INSIDE</test_value>
+						<test_value name="s1">OUTSIDE</test_value>
+					</example>
+					<example>
+						<test_message program="%ASA-6-302013">Built inbound TCP connection 740617324 for inside:10.21.21.221/4087 (10.21.21.221/4087) to CWWAN:172.17.6.80/8192 (172.17.6.80/8192)</test_message>
+						<test_value name="i0">tcp</test_value>
+						<test_value name="i1">10.221.221.21</test_value>
+						<test_value name="i2">4087</test_value>
+						<test_value name="i3">172.17.6.80</test_value>
+						<test_value name="i4">8192</test_value>
+						<test_value name="s0">INSIDE</test_value>
+						<test_value name="s1">OUTSIDE</test_value>
+					</example>
+				</examples>
+			</rule>
+			<rule provider="ELSA" class='7' id='7'>
+				<patterns>
+					<pattern>@IPv4:i0:@ Accessed URL @IPv4:i1:@:@ESTRING::/@/@ESTRING:s1:/@@ANYSTRING:s2:@</pattern>
+					<pattern>@IPv4:i0:@ Accessed URL @IPv4:i1:@:@ESTRING::/@/@ESTRING:s1:/@</pattern>
+					<pattern>Access denied URL @ESTRING::/@/@ESTRING:s1:/@@ESTRING:s2: @SRC @IPv4:i0:@ DEST @IPv4:i1:@ on interface </pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="%ASA-5-304001">192.168.1.1 Accessed URL 10.0.0.0:http://www.example.com/wp-content/plugins/wp-spamfree/img/wpsf-img.php</test_message>
+						<test_values>
+							<test_value name="i0">192.168.1.1</test_value>
+							<test_value name="i1">10.0.0.0</test_value>
+							<test_value name="s1">www.example.com</test_value>
+							<test_value name="s2">wp-content/plugins/wp-spamfree/img/wpsf-img.php</test_value>
+						</test_values>
+					</example>
+					<example>
+						<test_message program="%ASA-5-304002">Access denied URL http://www.example.com/feedout/content SRC 192.168.1.1 DEST 72.246.55.49 on interface inside</test_message>
+							<test_values>
+								<test_value name="s1">www.example.com</test_value>
+								<test_value name="s2">feedout/content</test_value>
+								<test_value name="i0">192.168.1.1</test_value>
+								<test_value name="i1">72.246.55.49</test_value>
+							</test_values>
+					</example>
+				</examples>
+			</rule>
+			<rule provider="ELSA" class='36' id='36'>
+				<patterns>
+					<pattern>Group =@QSTRING:s0: ,@ Username =@QSTRING:s1: ,@ IP = @IPv4:i0:@</pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="%ASA-4-113019">Group = Produccion, Username = pepe, IP = 10.245.102.86, Session disconnected. Session Type: IPsecOverNatT, Duration: 1h:38m:44s, Bytes xmt: 24545367, Bytes rcv: 3046464, Reason: Lost Service</test_message>
+						<test_value name="i0">10.245.102.86</test_value>
+						<test_value name="s0">Produccion</test_value>
+						<test_value name="s1">pepe</test_value>
+					</example>
+					<example>
+						<test_message program="%ASA-4-113019">Group = Acceso, Username = juan, IP = 10.229.201.171, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:05m:56s, Bytes xmt: 122161, Bytes rcv: 28794, Reason: User Requested</test_message>
+						<test_value name="i0">10.229.201.171</test_value>
+						<test_value name="s0">Acceso</test_value>
+						<test_value name="s1">juan</test_value>
+					</example>
+				</examples>
+			</rule>
+			<rule provider="ELSA" class='38' id='38'>
+				<patterns>
+					<pattern>FTP connection from @ESTRING:s0::@@ESTRING:i0:/@@NUMBER:i1:@ to @ESTRING:s1::@@ESTRING:i2:/@@NUMBER:i3:@, user @ESTRING:s2: @@ESTRING:s3: @@ANYSTRING:s4:@</pattern>
+				</patterns>
+			</rule>
+			<rule provider="ELSA" class='39' id='39'>
+				<patterns>
+					<pattern>Cleared @ESTRING:i0: @urgent flag from @ESTRING:s0::@@ESTRING:i1:/@@NUMBER:i2:@ to @ESTRING:s1::@@ESTRING:i3:/@@NUMBER:i4:@</pattern>
+					<pattern>regular translation creation failed for @ESTRING:i0: @src @ESTRING:s0::@@ESTRING:i1: @dst @ESTRING:s1::@@ESTRING:i3: @(type @NUMBER:i2:@, code @NUMBER:i4:@</pattern>
+				</patterns>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset name="PIX" id='2_PIX'>
+		<pattern>%PIX</pattern>
+		<rules>
+			<rule provider="ELSA" class='2' id='2'>
+				<patterns>
+					<pattern>Deny@QSTRING:i0: @src@QSTRING:s0: :@@IPv4:i1:@/@NUMBER:i2:@ dst@QSTRING:s1: :@@IPv4:i3:@/@NUMBER:i4:@ by access-group @QSTRING:s2:"@</pattern>
+					<pattern>Shunned packet: @IPv4:i1:@ ==> @IPv4:i3:@ on interface @ANYSTRING:s0:@</pattern>
+				</patterns>
+			</rule>
+			<rule provider="ELSA" class='3' id='3'>
+				<patterns>
+					<pattern>Teardown@QSTRING:i0: @connection @NUMBER::@ for@QSTRING:s0: :@@IPv4:i1:@/@NUMBER:i2:@ to@QSTRING:s1: :@@IPv4:i3:@/@NUMBER:i4:@ duration@QSTRING:s2: @bytes @NUMBER:i5:@</pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="%PIX-6-302014">Teardown TCP connection 2050472353 for outside:10.65.200.34/1252 to inside:10.0.0.0/135 duration 0:00:00 bytes 1476 TCP FINs</test_message>
+						<test_values>
+							<test_value name="i0">TCP</test_value>
+							<test_value name="s0">outside</test_value>
+							<test_value name="i1">10.65.200.34</test_value>
+							<test_value name="i2">1252</test_value>
+							<test_value name="s1">inside</test_value>
+							<test_value name="i3">10.0.0.0</test_value>
+							<test_value name="i4">135</test_value>
+							<test_value name="s2">0:00:00</test_value>
+							<test_value name="i5">1476</test_value>
+						</test_values>
+					</example>
+				</examples>
+			</rule>
+			<rule provider="ELSA" class='36' id='36'>
+				<patterns>
+					<pattern>Group =@QSTRING:s0: ,@ Username =@QSTRING:s1: ,@ IP = @IPv4:i0:@</pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="%PIX-4-113019">Group = Produccion, Username = pepe, IP = 10.245.102.86, Session disconnected. Session Type: IPsecOverNatT, Duration: 1h:38m:44s, Bytes xmt: 24545367, Bytes rcv: 3046464, Reason: Lost Service</test_message>
+						<test_value name="i0">10.245.102.86</test_value>
+						<test_value name="s0">Produccion</test_value>
+						<test_value name="s1">pepe</test_value>
+					</example>
+					<example>
+						<test_message program="%PIX-4-113019">Group = Acceso, Username = juan, IP = 10.229.201.171, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:05m:56s, Bytes xmt: 122161, Bytes rcv: 28794, Reason: User Requested</test_message>
+						<test_value name="i0">10.229.201.171</test_value>
+						<test_value name="s0">Acceso</test_value>
+						<test_value name="s1">juan</test_value>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset name="Cisco IOS XE Translations" id='3'>
+		<pattern>%IOSXE-6-PLATFORM</pattern>
+		<rules>
+			<rule provider="ELSA" class='3' id='3'>
+				<patterns>
+					<pattern>@ESTRING::%NAT-6-LOG_TRANSLATION: Created Translation @@ESTRING:i0: @@IPv4:i1:@:@NUMBER:i2:@ @IPv4::@:@NUMBER::@ @IPv4::@:@NUMBER::@ @IPv4:i3:@:@NUMBER:i4:@</pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="%IOSXE-6-PLATFORM">F0: cpp_cp: QFP:0.0 Thread:031 TS:00000428205839105179 %NAT-6-LOG_TRANSLATION: Created Translation TCP 1.1.1.1:4227 1.1.1.1:1043 2.2.2.2:80 2.2.2.2:80 0</test_message>
+						<test_values>
+							<test_value name="i0">TCP</test_value>
+							<test_value name="i1">1.1.1.1</test_value>
+							<test_value name="i2">4227</test_value>
+							<test_value name="i3">2.2.2.2</test_value>
+							<test_value name="i4">80</test_value>
+						</test_values>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset name="Cisco IOS XE Denies" id='2'>
+		<pattern>%SEC-6-IPACCESSLOGS</pattern>
+		<rules>
+			<rule provider="ELSA" class='2' id='2'>
+				<patterns>
+					<pattern>list @ESTRING::denied @@IPv4:i3:@</pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="%SEC-6-IPACCESSLOGS">list REMOTE-MGMT denied 1.1.1.1 1 packet [0x7EAD30FB]</test_message>
+						<test_values>
+							<test_value name="i3">1.1.1.1</test_value>
+						</test_values>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset name="Cisco IOS XE Denies" id='2'>
+		<pattern>%FMANFP-6-IPACCESSLOGP</pattern>
+		<rules>
+			<rule provider="ELSA" class='2' id='2'>
+				<patterns>
+					<pattern>F@ESTRING::denied @@ESTRING:i0: @@IPv4:i1:@(@NUMBER:i2:@) -&gt; @IPv4:i3:@(@NUMBER:i4:@</pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="%FMANFP-6-IPACCESSLOGP">F0: fman_fp_image: list IPV4-INTERNET-OUTBOUND denied udp 1.1.1.1(49610) -&gt; 2.2.2.2(53), 1 packet</test_message>
+						<test_values>
+							<test_value name="i0">udp</test_value>
+							<test_value name="i1">1.1.1.1</test_value>
+							<test_value name="i2">49610</test_value>
+							<test_value name="i3">2.2.2.2</test_value>
+							<test_value name="i4">53</test_value>
+						</test_values>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset name="Cisco IOS XE Denies" id='2'>
+		<pattern>%FMANFP-6-IPV6ACCESSLOGP</pattern>
+		<rules>
+			<rule provider="ELSA" class='2' id='2'>
+				<patterns>
+					<pattern>F@ESTRING::denied @@ESTRING:i0: @@ESTRING:s0:(@@NUMBER:i2:@) -&gt; @ESTRING:s1:(@@NUMBER:i4:@</pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="%FMANFP-6-IPV6ACCESSLOGP">F0: fman_fp_image: list IPV6-INTERNET-INBOUND denied udp ffe:4e0::(38346) -&gt; ffe:4e0::(40322), 1 packet</test_message>
+						<test_values>
+							<test_value name="i0">udp</test_value>
+							<test_value name="s0">ffe:4e0::</test_value>
+							<test_value name="i2">38346</test_value>
+							<test_value name="s1">ffe:4e0::</test_value>
+							<test_value name="i4">40322</test_value>
+						</test_values>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset name="Windows_Snare" id='4'>
+		<pattern>MSWinEventLog</pattern>
+		<pattern>Application</pattern>
+		<pattern>Security</pattern>
+		<pattern>System</pattern>
+		<rules>
+			<rule provider="ELSA" class='4' id='4'>
+				<patterns>
+					<pattern>@ESTRING::|@@ESTRING:i0:|@@ESTRING::Account Name@:  @ESTRING:s1: @@ESTRING::Account Domain@:  @ESTRING:s2: @</pattern>
+					<pattern>@STRING::@ @NUMBER::@ @NUMBER::@:@NUMBER::@:@NUMBER::@ @NUMBER::@	@ESTRING:i0:	@@ESTRING:s0:	@@ESTRING:s1:	@@ESTRING:s2:	@@ESTRING:s3:	@@ESTRING:s4:	@@ESTRING:s5:	@@ESTRING::	@@ESTRING::	@</pattern>
+					<pattern>@STRING::@ @NUMBER::@ @NUMBER::@:@NUMBER::@:@NUMBER::@ @NUMBER::@|@ESTRING:i0:|@@ESTRING:s0:|@@ESTRING::|@@ESTRING::|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@|Logon Failure:@ESTRING::	@Reason:		@ESTRING:s2:	@User Name:	@ESTRING:s1: @</pattern>
+					<pattern>@STRING::@ @NUMBER::@ @NUMBER::@:@NUMBER::@:@NUMBER::@ @NUMBER::@|@ESTRING:i0:|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@@ESTRING::|@@ESTRING::|@</pattern>
+					<pattern>@STRING::@ @NUMBER::@ @NUMBER::@:@NUMBER::@:@NUMBER::@ @NUMBER::@|@ESTRING:i0:|@@ESTRING:s0:|@@ESTRING:s1:|@@ANYSTRING@</pattern>
+				</patterns>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset name="Windows_evtsys" id='4'>
+		<pattern>Application</pattern>
+		<pattern>Security</pattern>
+		<pattern>System</pattern>
+		<rules>
+			<rule provider="ELSA" class='4' id='4'>
+				<patterns>
+					<pattern>@NUMBER:i0:@: A network share object was accessed. Subject: Security ID: @ESTRING:: @Account Name: @ESTRING:s1: Account Domain@: @ESTRING:s2: Logon ID@: @ESTRING:: @Network Information: Object Type: File Source Address: @IPv4:i1:@ Source Port: @NUMBER::@ Share Information: Share Name: @ESTRING:s3: Share Path:@ @ESTRING:s4: Access Request Information:@ </pattern>
+					<pattern>@NUMBER:i0:@: A network share object was accessed. Subject: Security ID: @ESTRING:: @Account Name: @ESTRING:s1: Account Domain@: @ESTRING:s2: Logon ID@: @ESTRING:: @Network Information: Object Type: File Source Address: @IPv4:i1:@ Source Port: @NUMBER::@ Share Information: Share Name: @ESTRING:s3: Share Path:@</pattern>
+					<pattern>@NUMBER:i0:@: A network share object was checked to see whether client can be granted desired access. Subject: Security ID: @ESTRING:: @Account Name: @ESTRING:s1: @Account Domain: @ESTRING:s2: @Logon ID: @ESTRING:: @Network Information: Object Type: File Source Address: @ESTRING:i1: @Source Port: @NUMBER::@ Share Information: Share Name: @ESTRING:s3: @Share Path: @ESTRING:s4: @Relative Target Name: @ESTRING:s5: @Access</pattern>
+					<pattern>@NUMBER:i0:@: @ESTRING::.@ Client IP address: @IPv4:s0::@</pattern>
+					<pattern>@NUMBER:i0:@: @ESTRING:s0::@</pattern>
+					<pattern>@NUMBER:i0:@: @ANYSTRING::@</pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="Service_Control_Manager">7035: NT AUTHORITYSYSTEM: The COH_Mon service was successfully sent a start control.</test_message>
+						<test_values>
+							<test_value name="i0">7035</test_value>
+							<test_value name="s0">NT AUTHORITYSYSTEM</test_value>
+						</test_values>
+					</example>
+					<example>
+						<test_message program="SceCli">1202: Security policies were propagated with warning. 0x4b8 : An extended error has occurred. For best results in resolving this event, log on with a non-administrative account and search http://support.microsoft.com for "Troubleshooting Event 1202's".</test_message>
+						<test_value name="i0">1202</test_value>
+						<test_value name="s0">Security policies were propagated with warning. 0x4b8 </test_value>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset name="Windows_evtsys" id='4'>
+		<!-- no program pattern -->
+		<rules>
+			<rule provider="ELSA" class='4' id='4'>
+				<patterns>
+					<pattern>@NUMBER:i0:@: @ESTRING::Account Name@@ESTRING::Account Name@:  @ESTRING:s1: @@ESTRING::Account Domain@:  @ESTRING:s2: @@ESTRING::Source Network Address@: @IPv4:i1:@</pattern>
+					<pattern>@NUMBER:i0:@: A network share object was accessed. Subject: Security ID: @ESTRING:: @Account Name: @ESTRING:s1: Account Domain@: @ESTRING:s2: Logon ID@: @ESTRING:: @Network Information: Object Type: File Source Address: @IPv4:i1:@ Source Port: @NUMBER::@ Share Information: Share Name: @ESTRING:s3: Share Path:@ @ESTRING:s4: Access Request Information:@ </pattern>
+					<pattern>@NUMBER:i0:@: A network share object was accessed. Subject: Security ID: @ESTRING:: @Account Name: @ESTRING:s1: Account Domain@: @ESTRING:s2: Logon ID@: @ESTRING:: @Network Information: Object Type: File Source Address: @IPv4:i1:@ Source Port: @NUMBER::@ Share Information: Share Name: @ESTRING:s3: Share Path:@</pattern>
+					<pattern>@NUMBER:i0:@: A network share object was checked to see whether client can be granted desired access. Subject: Security ID: @ESTRING:: @Account Name: @ESTRING:s1: @Account Domain: @ESTRING:s2: @Logon ID: @ESTRING:: @Network Information: Object Type: File Source Address: @ESTRING:i1: @Source Port: @NUMBER::@ Share Information: Share Name: @ESTRING:s3: @Share Path: @ESTRING:s4: @Relative Target Name: @ESTRING:s5: @Access</pattern>
+					<pattern>@NUMBER:i0:@: @ESTRING::.@ Client IP address: @IPv4:s0::@</pattern>
+					<pattern>@NUMBER:i0:@: @ESTRING:s0::@</pattern>
+					<pattern>@NUMBER:i0:@: @ANYSTRING::@</pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="security-auditing">4624: An account was successfully logged on. Subject:  Security ID:  S-1-5-18  Account Name:  MYDOMAIN-DC-1$  Account Domain:  MYDOMAIN  Logon ID:  0x3e7  Logon Type:   3  New Logon:  Security ID:  S-1-5-21-3113823999-9998615402-9997257512-9966  Account Name:  myuser  Account Domain:  MYDOMAIN  Logon ID:  0x2339f787  Logon GUID:  {00000000-0000-0000-0000-000000000000}  Process Information:  Process ID:  0x1e8  Process Name:  C:\\Windows\\System32\\lsass.exe  Network Information:  Workstation Name: MYDOMAIN-DC-1  Source Network Address: 172.24.248.117  Source Port:  54265  Detailed Authentication Information:  Logon Process:  Advapi    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  Transited Services: -  Package Name (NTLM only): -  Key Length:  0  This event is generated when a logon session is created. It is generated on the computer that was accessed.</test_message>
+						<test_values>
+							<test_value name="i0">4624</test_value>
+							<test_value name="s1">myuser</test_value>
+							<test_value name="s2">MYDOMAIN</test_value>
+							<test_value name="i1">172.24.248.117</test_value>
+						</test_values>
+					</example>
+					<example>
+						<test_message program="Service_Control_Manager">7035: NT AUTHORITYSYSTEM: The COH_Mon service was successfully sent a start control.</test_message>
+						<test_values>
+							<test_value name="i0">7035</test_value>
+							<test_value name="s0">NT AUTHORITYSYSTEM</test_value>
+						</test_values>
+					</example>
+					<example>
+						<test_message program="SceCli">1202: Security policies were propagated with warning. 0x4b8 : An extended error has occurred. For best results in resolving this event, log on with a non-administrative account and search http://support.microsoft.com for "Troubleshooting Event 1202's".</test_message>
+						<test_value name="i0">1202</test_value>
+						<test_value name="s0">Security policies were propagated with warning. 0x4b8 </test_value>
+					</example>
+					<example>
+						<test_message program="security-auditing">5140: A network share object was accessed. Subject: Security ID: S-1-5-18 Account Name: MYUSER Account Domain: MYDOMAIN Logon ID: 0x3e7 Network Information: Object Type: File Source Address: 192.168.148.5 Source Port: 49206 Share Information: Share Name: \\*\ADMIN$ Share Path: \??\C:\Windows Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory)</test_message>
+						<test_value name="i0">5140</test_value>
+						<test_value name="s1">MYUSER</test_value>
+						<test_value name="s2">MYDOMAIN</test_value>
+						<test_value name="i1">192.168.148.5</test_value>
+						<test_value name="s3">\\*\ADMIN$</test_value>
+						<test_value name="s4">\??\C:\Windows</test_value>
+					</example>
+					<example>
+						<test_message program="security-auditing">5140: A network share object was accessed. Subject: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x1e05bb9b Network Information: Object Type: File Source Address: 192.168.148.5 Source Port: 65518 Share Information: Share Name: \\\\*\\IPC$ Share Path: Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory)</test_message>
+						<test_value name="i0">5140</test_value>
+						<test_value name="s1">ANONYMOUS LOGON</test_value>
+						<test_value name="s2">NT AUTHORITY</test_value>
+						<test_value name="i1">192.168.148.5</test_value>
+						<test_value name="s3">\\\\*\\IPC$</test_value>
+					</example>
+					<example>
+						<test_message program="security-auditing">5145: A network share object was checked to see whether client can be granted desired access. Subject: Security ID: S-1-5-21-518783779-1162290680-929701000-2097 Account Name: MYUSER Account Domain: MYDOMAIN Logon ID: 0x19789189 Network Information: Object Type: File Source Address: 192.168.148.5 Source Port: 4235 Share Information: Share Name: \\*\SHARE_NAME Share Path: \??\C:\SHARE_PATH Relative Target Name: MYFILE Access Request Information: Access Mask: 0x80 Accesses: ReadAttributes Access Check Results: ReadAttributes: Granted by D:(A;;FA;;;WD)</test_message>
+						<test_value name="i0">5145</test_value>
+						<test_value name="s1">MYUSER</test_value>
+						<test_value name="s2">MYDOMAIN</test_value>
+						<test_value name="i1">192.168.148.5</test_value>
+						<test_value name="s3">\\*\SHARE_NAME</test_value>
+						<test_value name="s4">\??\C:\SHARE_PATH</test_value>
+						<test_value name="s5">MYFILE</test_value>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset name="Windows_dhcp" id='4_dhcp'>
+		<pattern>GenericLog</pattern>
+		<rules>
+			<rule provider="ELSA" class='4' id='4'>
+				<patterns>
+					<pattern>@NUMBER::@,@ANYSTRING::@</pattern>
+					<values>
+						<value name="i0">0</value>
+						<value name="s0">dhcplog</value>
+						<value name="PROGRAM">dhcplog</value>
+					</values>
+					<!--<pattern>@NUMBER:i0:@,@ESTRING:s0:,@@ESTRING:s1:,@@ESTRING:s2:,@@ESTRING:s3:,@@ESTRING:s4:,@</pattern>
+					<pattern>@NUMBER:i0:@,@ESTRING:s0:,@@ESTRING:s1:,@@ESTRING:s2:,@@ESTRING:s3:,@@ESTRING:s4:,@@ESTRING:s5:,@</pattern>-->
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="GenericLog">30,11/16/10,12:25:04,DNS Update Request,x.x.x.x,hostname,,</test_message>
+						<test_value name="i0">0</test_value>
+						<test_value name="s0">dhcplog</test_value>
+						<test_value name="PROGRAM">dhcplog</test_value>
+					</example>
+					<example>
+						<test_message program="GenericLog">11,11/16/10,12:25:04,Renew,x.x.x.x,hostname,macaddr,</test_message>
+						<test_value name="i0">0</test_value>
+						<test_value name="s0">dhcplog</test_value>
+						<test_value name="PROGRAM">dhcplog</test_value>
+					</example>
+				</examples>
+				<tags>
+					<tag>4</tag>
+				</tags>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset name="Adiscon" id="4_adiscon">
+		<rules>
+			<rule provider="ELSA" class='4' id='4'>
+				<pattern>@ESTRING::Event ID@: @NUMBER:i0:@ &lt;Data Name='TargetUserName'&gt;@ESTRING:s0:&lt;@</pattern>
+				<pattern>@ESTRING::Event ID@: @NUMBER:i0:@</pattern>
+				<examples>
+					<example>
+						<test_message program="">Mar  9 22:35:10 IU-MSSG-ADSDC01.domain Event ID: 5157 &lt;Data Name='ProcessID'&gt;180&lt;/Data&gt;&lt;Data Name='Application'&gt;\device\harddiskvolume2\windows\system32\svchost.exe&lt;/Data&gt;&lt;Data Name='Direction'&gt;%14592&lt;/Data&gt;&lt;Data Name='SourceAddress'&gt;10.68.239.128&lt;/Data&gt;&lt;Data Name='SourcePort'&gt;500&lt;/Data&gt;&lt;Data Name='DestAddress'&gt;10.166.175.52&lt;/Data&gt;&lt;Data Name='DestPort'&gt;500&lt;/Data&gt;&lt;Data Name='Protocol'&gt;17&lt;/Data&gt;&lt;Data Name='FilterRTID'&gt;73486&lt;/Data&gt;&lt;Data Name='LayerName'&gt;%14610&lt;/Data&gt;&lt;Data Name='LayerRTID'&gt;44&lt;/Data&gt;&lt;Data Name='RemoteUserID'&gt;S-1-0-0&lt;/Data&gt;&lt;Data Name='RemoteMachineID'&gt;S-1-0-0&lt;/Data&gt;</test_message>
+						<test_value name="i0">5157</test_value>
+					</example>
+					<example>
+						<test_message program="">Mar  9 22:35:10 IU-MSSG-ADSDC04.domain Event ID: 4769 &lt;Data Name='TargetUserName'&gt;user@domain&lt;/Data&gt;&lt;Data Name='TargetDomainName'&gt;domain&lt;/Data&gt;&lt;Data Name='ServiceName'&gt;IU-MSSG-ADSDC04$&lt;/Data&gt;&lt;Data Name='ServiceSid'&gt;S-1-5-21-1085031214-1292428093-527237240-496356&lt;/Data&gt;&lt;Data Name='TicketOptions'&gt;0x40810000&lt;/Data&gt;&lt;Data Name='TicketEncryptionType'&gt;0x12&lt;/Data&gt;&lt;Data Name='IpAddress'&gt;::ffff:10.160.118.87&lt;/Data&gt;&lt;Data Name='IpPort'&gt;54144&lt;/Data&gt;&lt;Data Name='Status'&gt;0x0&lt;/Data&gt;&lt;Data Name='LogonGuid'&gt;{CD66EF59-4404-F056-C1CC-5E12BE6B978E}&lt;/Data&gt;&lt;Data Name='TransmittedServices'&gt;-&lt;/Data&gt;</test_message>
+						<test_value name="i0">4769</test_value>
+						<test_value name="s0">user@domain</test_value>
+					</example>
+						
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset name="url" id='7'>
+		<pattern>url</pattern>
+		<rules>
+			<rule provider="ELSA" class='7' id='7'>
+				<patterns>
+					<!--<pattern>@IPv4:i0:@,@IPv4:i1:@,@ESTRING:s0:,@@ESTRING:s5:,@@ESTRING:s2:,@@ESTRING:s3:,@@STRING:s4: :/;,.-()@</pattern>-->
+					<!--<pattern>@IPv4:i0:@,@IPv4:i1:@,@ESTRING:s0:,@@ESTRING:s1:,@@ESTRING:s2:,@@ESTRING:s3:,@@ESTRING:s4:|@@STRING:s5:,.-@</pattern>-->
+					<!-- httpry_logger.pl -->
+					<pattern>@IPv4:i0:@,@IPv4:i1:@,@ESTRING:s0:,@@ESTRING:s1:,@@ESTRING:s2:,@@ESTRING:s3:,@@ESTRING:s4:|@@ESTRING:s5:|@@ESTRING:i2:|@@NUMBER:i3:@|@NUMBER:i4:@</pattern>
+					<pattern>@IPv4:i0:@,@IPv4:i1:@,@ESTRING:s0:,@@ESTRING:s1:,@@ESTRING:s2:,@@ESTRING:s3:,@@ESTRING:s4:|@@ESTRING:s5:|@@ESTRING:i2:|@|@NUMBER:i4:@</pattern>
+					<pattern>@IPv4:i0:@,@IPv4:i1:@,@ESTRING:s0:,@@ESTRING:s1:,@@ESTRING:s2:,@@ESTRING:s3:,@@ESTRING:s4:|@@ESTRING:s5:|@@ESTRING:i2:|@</pattern>
+					<pattern>@IPv4:i0:@|@IPv4:i1:@|@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@NUMBER:i5@</pattern>
+					<pattern>@IPv4:i0:@|@IPv4:i1:@|@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@@ESTRING:i2:|@@NUMBER:i3:@|@NUMBER:i4:@</pattern>
+					<pattern>@IPv4:i0:@|@IPv4:i1:@|@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@@ESTRING:i2:|@|@NUMBER:i4:@</pattern>
+					<pattern>@IPv4:i0:@|@IPv4:i1:@|@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@@ESTRING:i2:|@@NUMBER:i3:@|</pattern>
+					<pattern>@IPv4:i0:@|@IPv4:i1:@|@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@@ESTRING:i2:|@</pattern>
+					<!-- suricata -->
+					<pattern>@ESTRING:: @@ESTRING:s1: [**] @@ESTRING:s2: [**] @@ESTRING:s4: [**] @@IPv4:i0:@:@NUMBER:i1:@ -> @IPv4:i2:@:@NUMBER:i3:@</pattern>
+					<!-- suricata extended -->
+					<pattern>@ESTRING:: @@ESTRING:s1: [**] @@ESTRING:s2: [**] @@ESTRING:s4: [**] @@ESTRING:s3: [**] @@ESTRING:s0: [**] @@ESTRING:: [**] @@ESTRING:i2: [**] @@NUMBER:i3:@ bytes [**] @IPv4:i0:@:@NUMBER:i4:@ -> @IPv4:i1:@:@NUMBER:i5:@</pattern>
+					<!--Common Log Format-->
+					<pattern>@IPv4:i0:@ @ESTRING:: @@ESTRING:s5: @@ESTRING:: "@@ESTRING:s0: @@ESTRING:s2: @HTTP/1.@NUMBER::@" @NUMBER:i2:@ @NUMBER:i3:@ @QSTRING:s3:"@ @QSTRING:s4:"@</pattern>
+					<!--%{HOST} + Common Log Format-->
+					<pattern>@ESTRING:s1: @@IPv4:i0:@ @ESTRING:: @@ESTRING:s5: @@ESTRING:: "@@ESTRING:s0: @@ESTRING:s2: @HTTP/1.@NUMBER::@" @NUMBER:i2:@ @NUMBER:i3:@ @QSTRING:s3:"@ @QSTRING:s4:"@</pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="url">192.168.1.1,10.0.0.0,GET,ajax.googleapis.com,/ajax/libs/jqueryui/1.7.2/jquery-ui.min.js,http://slickdeals.net/,Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)|,com,googleapis.com,ajax.googleapis.com|200|46142|8583</test_message>
+						<test_values>
+							<test_value name="i0">192.168.1.1</test_value>
+							<test_value name="i1">10.0.0.0</test_value>
+							<test_value name="s0">GET</test_value>
+							<test_value name="s1">ajax.googleapis.com</test_value>
+							<test_value name="s2">/ajax/libs/jqueryui/1.7.2/jquery-ui.min.js</test_value>
+							<test_value name="s3">http://slickdeals.net/</test_value>
+							<test_value name="s4">Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)</test_value>
+							<test_value name="s5">,com,googleapis.com,ajax.googleapis.com</test_value>
+							<test_value name="i2">200</test_value>
+							<test_value name="i3">46142</test_value>
+							<test_value name="i4">8583</test_value>
+						</test_values>
+					</example>
+					<example>
+						<test_message program="url">192.168.1.1,10.0.0.0,GET,ajax.googleapis.com,/ajax/libs/jqueryui/1.7.2/jquery-ui.min.js,http://slickdeals.net/,Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)|,com,googleapis.com,ajax.googleapis.com|200||8583</test_message>
+						<test_values>
+							<test_value name="i0">192.168.1.1</test_value>
+							<test_value name="i1">10.0.0.0</test_value>
+							<test_value name="s0">GET</test_value>
+							<test_value name="s1">ajax.googleapis.com</test_value>
+							<test_value name="s2">/ajax/libs/jqueryui/1.7.2/jquery-ui.min.js</test_value>
+							<test_value name="s3">http://slickdeals.net/</test_value>
+							<test_value name="s4">Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)</test_value>
+							<test_value name="s5">,com,googleapis.com,ajax.googleapis.com</test_value>
+							<test_value name="i2">200</test_value>
+							<test_value name="i3"></test_value>
+							<test_value name="i4">8583</test_value>
+						</test_values>
+					</example>
+					<example>
+						<test_message program="url">192.168.1.1,10.0.0.0,GET,ajax.googleapis.com,/ajax/libs/jqueryui/1.7.2/jquery-ui.min.js,http://slickdeals.net/,Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)|,com,googleapis.com,ajax.googleapis.com|200||</test_message>
+						<test_values>
+							<test_value name="i0">192.168.1.1</test_value>
+							<test_value name="i1">10.0.0.0</test_value>
+							<test_value name="s0">GET</test_value>
+							<test_value name="s1">ajax.googleapis.com</test_value>
+							<test_value name="s2">/ajax/libs/jqueryui/1.7.2/jquery-ui.min.js</test_value>
+							<test_value name="s3">http://slickdeals.net/</test_value>
+							<test_value name="s4">Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)</test_value>
+							<test_value name="s5">,com,googleapis.com,ajax.googleapis.com</test_value>
+							<test_value name="i2">200</test_value>
+							<test_value name="i3"></test_value>
+							<test_value name="i4"></test_value>
+						</test_values>
+					</example>
+					<example>
+						<test_message program="url">127.0.0.1 - - [09/Dec/2012:23:20:27 -0600] "HEAD / HTTP/1.1" 200 334 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/536.11 (KHTML, like Gecko) Ubuntu/12.04 Chromium/20.0.1132.47 Chrome/20.0.1132.47 Safari/536.11"</test_message>
+						<test_values>
+							<test_value name="i0">127.0.0.1</test_value>
+							<test_value name="s0">HEAD</test_value>
+							<test_value name="s2">/</test_value>
+							<test_value name="s3">-</test_value>
+							<test_value name="s4">Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/536.11 (KHTML, like Gecko) Ubuntu/12.04 Chromium/20.0.1132.47 Chrome/20.0.1132.47 Safari/536.11</test_value>
+							<test_value name="s5">-</test_value>
+							<test_value name="i2">200</test_value>
+							<test_value name="i3">334</test_value>
+						</test_values>
+					</example>
+					</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset name="snort" id='8'>
+		<pattern>snort</pattern>
+		<rules>
+			<rule provider="ELSA" class='8' id='8'>
+				<patterns>
+					<pattern>@QSTRING:s0:[]@ @ESTRING:s1:[@Classification:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@] @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -> @IPv4:i4:@:@NUMBER:i5:@</pattern>
+					<pattern>@QSTRING:s0:[]@ @ESTRING:s1:[@Classification:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@] @QSTRING:i1:{}@ @IPv4:i2:@ -> @IPv4:i4:@</pattern>
+					<pattern>@QSTRING:s0:[]@ @ESTRING:s1:[@Classification:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@]: @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -> @IPv4:i4:@:@NUMBER:i5:@</pattern>
+					<pattern>@QSTRING:s0:[]@ @ESTRING:s1:[@Classification:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@]: @QSTRING:i1:{}@ @IPv4:i2:@ -> @IPv4:i4:@</pattern>
+					<pattern>@QSTRING:s0:[]@ @ESTRING:s1: {@@ESTRING:i1:}@ @IPv4:i2:@:@NUMBER:i3:@ -> @IPv4:i4:@:@NUMBER:i5:@</pattern>
+					<!--<pattern>@QSTRING:s0:[]@@QSTRING:s1: @[Classification:@QSTRING:s2: ]@ [Priority@QSTRING:i0: ]@: @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -> @IPv4:i4:@:@NUMBER:i5:@</pattern>-->
+				</patterns>
+				<example>
+					<test_message program="snort">[1:485:5] ICMP Destination Unreachable Communication Administratively Prohibited [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.1 -> 10.0.0.0</test_message>
+					<test_value name="s0">1:485:5</test_value>
+					<test_value name="s1">ICMP Destination Unreachable Communication Administratively Prohibited </test_value>
+					<test_value name="s2">Misc activity</test_value>
+					<test_value name="i0">3</test_value>
+					<test_value name="i1">ICMP</test_value>
+					<test_value name="i2">192.168.1.1</test_value>
+					<test_value name="i4">10.0.0.0</test_value>
+				</example>
+			</rule>
+			<rule provider="Laurel" class='8' id='8'>
+				<!-- Rules for logs with interface included -->
+				<patterns>
+					<pattern>@QSTRING:s0:[]@ @ESTRING:s1: [@Classification:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@] @QSTRING:s3:&lt;&gt;@ @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -&gt; @IPv4:i4:@:@NUMBER:i5:@</pattern>
+					<pattern>@QSTRING:s0:[]@ @ESTRING:s1:[@Classification:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@] @QSTRING:s3:&lt;&gt;@ @QSTRING:i1:{}@ @IPv4:i2:@ -&gt; @IPv4:i4:@</pattern>
+					<pattern>@QSTRING:s0:[]@ @ESTRING:s1:[@Classification:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@]: @QSTRING:s3:&lt;&gt;@ @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -&gt; @IPv4:i4:@:@NUMBER:i5:@</pattern>
+					<pattern>@QSTRING:s0:[]@ @ESTRING:s1:[@Classification:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@]: @QSTRING:s3:&lt;&gt;@ @QSTRING:i1:{}@ @IPv4:i2:@ -&gt; @IPv4:i4:@</pattern>
+					<pattern>@QSTRING:s0:[]@@QSTRING:s1: @[Classification:@QSTRING:s2: ]@ [Priority@QSTRING:i0: ]@: @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -&gt; @IPv4:i4:@:@NUMBER:i5:@</pattern>
+				</patterns>
+				<example>
+					<test_message program="snort">[1:2010939:2] ET POLICY Suspicious inbound to PostgreSQL port 5432 [Classification: Potentially Bad Traffic] [Priority: 2]: &lt;eth1&gt; {TCP} 192.168.193.245:38472 -> 192.168.193.1:5432</test_message>
+					<test_value name="s0">1:2010939:2</test_value>
+					<test_value name="s1">ET POLICY Suspicious inbound to PostgreSQL port 5432 </test_value>
+					<test_value name="s2">Potentially Bad Traffic</test_value>
+					<test_value name="s3">eth1</test_value>
+					<test_value name="i0">2</test_value>
+					<test_value name="i1">TCP</test_value>
+					<test_value name="i2">192.168.193.245</test_value>
+					<test_value name="i3">38472</test_value>
+					<test_value name="i4">192.168.193.1</test_value>
+					<test_value name="i5">5432</test_value>
+				</example>
+			</rule>
+			<rule provider="A Ratcliffe" class='8' id='8'>
+				<patterns>
+					<!-- via Sagan which has an extra colon in it-->
+					<pattern>@QSTRING:s0:[]@ @ESTRING:s1: [Classification@:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@]: @QSTRING:s3:&lt;&gt;@ @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -&gt; @IPv4:i4:@:@NUMBER:i5:@</pattern>
+					<!-- via Sagan with extra text -->
+					<pattern>@QSTRING:s0:[]@ [@ESTRING::]@ @ESTRING:s1: [Classification@:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@]: @QSTRING:s3:&lt;&gt;@ @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -&gt; @IPv4:i4:@:@NUMBER:i5:@</pattern>
+				</patterns>
+			</rule>
+			<rule class='8' id='8'>
+				<!--via barnyard2 using config to include year with date extracted-->
+				<patterns>
+					<pattern>@NUMBER:pdb_extracted_month:@/@NUMBER:pdb_extracted_day:@/@NUMBER:pdb_extracted_shortyear:@-@NUMBER:pdb_extracted_hour:@:@NUMBER:pdb_extracted_minute:@:@NUMBER:pdb_extracted_second:@.@NUMBER::@@ESTRING::[**]@ @QSTRING:s0:[]@ @ESTRING:s1: [**] [@Classification:@ESTRING:s2:] @[Priority: @NUMBER:i0:@] {@ESTRING:i1:}@ @IPv4:i2:@:@NUMBER:i3:@ -&gt; @IPv4:i4:@:@NUMBER:i5:@</pattern>
+					<pattern>@NUMBER:pdb_extracted_month:@/@NUMBER:pdb_extracted_day:@/@NUMBER:pdb_extracted_shortyear:@-@NUMBER:pdb_extracted_hour:@:@NUMBER:pdb_extracted_minute:@:@NUMBER:pdb_extracted_second:@.@NUMBER::@@ESTRING::[**]@ @QSTRING:s0:[]@ @ESTRING:s1: [**] [@Classification:@ESTRING:s2:] @[Priority: @NUMBER:i0:@] {@ESTRING:i1:}@ @IPv4:i2:@ -&gt; @IPv4:i4:@</pattern>
+				</patterns>	
+				<values>
+					<value name="pdb_extracted_timestamp">20$pdb_extracted_shortyear-$pdb_extracted_month-$pdb_extracted_day $pdb_extracted_hour:$pdb_extracted_minute:$pdb_extracted_second</value>
+				</values>
+			</rule>
+			<rule provider="C Martinez" class='8' id='8'>
+				<!-- Patterns for forwarded messages from fast.log which contain [**]-->
+				<patterns>
+					<pattern>@ESTRING:: [**]@@QSTRING:s0:[]@ @ESTRING:s1:[@Classification:@QSTRING:s2: ]@[Priority: @NUMBER:i0:@] @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -&gt;@IPv4:i4:@:@NUMBER:i5:@</pattern>
+					<pattern>@ESTRING:: [**]@@QSTRING:s0:[]@ @ESTRING:s1:[@Classification:@QSTRING:s2: ]@[Priority: @NUMBER:i0:@] @QSTRING:i1:{}@ @IPv4:i2:@ -&gt;@IPv4:i4:@</pattern>
+					<pattern>@ESTRING:: [**]@@QSTRING:s0:[]@ @ESTRING:s1:[@Classification:@QSTRING:s2: ]@[Priority: @NUMBER:i0:@]: @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -&gt;@IPv4:i4:@:@NUMBER:i5:@</pattern>
+					<pattern>@ESTRING:: [**]@@QSTRING:s0:[]@ @ESTRING:s1:[@Classification:@QSTRING:s2: ]@[Priority: @NUMBER:i0:@]: @QSTRING:i1:{}@ @IPv4:i2:@ -&gt;@IPv4:i4:@</pattern>
+					<pattern>@ESTRING:: [**]@@QSTRING:s0:[]@ @ESTRING:s1: {@@ESTRING:i1:}@ @IPv4:i2:@:@NUMBER:i3:@-&gt; @IPv4:i4:@:@NUMBER:i5:@</pattern>
+					<pattern>@ESTRING:: [**]@@QSTRING:s0:[]@ @ESTRING:s1: [**] [@Classification:@QSTRING:s2: ]@[Priority: @NUMBER:i0:@] @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -&gt; @IPv4:i4:@:@NUMBER:i5:@</pattern>
+					<pattern>@ESTRING:: [**]@@QSTRING:s0:[]@ @ESTRING:s1: [**] [@Classification:@QSTRING:s2: ]@[Priority: @NUMBER:i0:@] @QSTRING:i1:{}@ @IPv4:i2:@ -&gt; @IPv4:i4:@</pattern>
+					<pattern>@ESTRING:: [**]@ @QSTRING:s0:[]@ @ESTRING:s1: [**] [@Classification:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@] @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -&gt; @IPv4:i4:@:@NUMBER:i5:@</pattern>
+					<pattern>@ESTRING:: [**]@ @QSTRING:s0:[]@ @ESTRING:s1: [**] [@Classification:@QSTRING:s2: ]@ [Priority: @NUMBER:i0:@] @QSTRING:i1:{}@ @IPv4:i2:@ -&gt; @IPv4:i4:@</pattern>
+					<pattern>@ESTRING:: [**]@@QSTRING:s0:[]@ @ESTRING:s1: [**] [@Classification:@QSTRING:s2: ]@[Priority: @NUMBER:i0:@]: @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -&gt; @IPv4:i4:@:@NUMBER:i5:@</pattern>
+					<pattern>@ESTRING:: [**]@@QSTRING:s0:[]@ @ESTRING:s1: [**] [@Classification:@QSTRING:s2: ]@[Priority: @NUMBER:i0:@]: @QSTRING:i1:{}@ @IPv4:i2:@ -&gt; @IPv4:i4:@</pattern>
+					<pattern>@ESTRING:: [**]@@QSTRING:s0:[]@ @ESTRING:s1: [**] {@@ESTRING:i1:}@@IPv4:i2:@:@NUMBER:i3:@ -&gt; @IPv4:i4:@:@NUMBER:i5:@</pattern>
+				</patterns>
+			</rule>
+		</rules>
+	</ruleset>
+	<!--<ruleset>
+		<rules>
+			<rule class="10" id="10" context-id="ironport-icid" context-timeout="10" context-scope="program">
+				<patterns>
+					<pattern>Info: New SMTP ICID @NUMBER:icid:@ interface @ESTRING:interface_name: @(@IPv4:interface_ip:@) address @IPv4:sender_ip:@ reverse dns host @ESTRING:sender_dns: @verified yes</pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="ironport_mail_logs">Info: New SMTP ICID 696117306 interface InternalNet (192.168.1.1) address 192.168.1.1 reverse dns host hostname verified yes</test_message>
+						<test_value name="icid">696117306</test_value>
+						<test_value name="interface_name">InternalNet</test_value>
+						<test_value name="interface_ip">192.168.1.1</test_value>
+						<test_value name="sender_ip">192.168.1.1</test_value>
+						<test_value name="sender_dns">hostname</test_value>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>-->
+	<ruleset name="ssh">
+		<pattern>sshd</pattern>
+		<rules>
+			<rule class="11" id="11">
+				<patterns>
+					<!-- s0=usracct.authmethod, s1=usracct.username, s2=usracct.device, i0=port, s3=usracct.service -->
+					<pattern>Accepted @ESTRING:s0: @for @ESTRING:s1: @from @ESTRING:s2: @port @ESTRING:i0: @@ANYSTRING:s3@</pattern>
+				</patterns>
+			</rule>
+			<rule class="12" id="12">
+				<patterns>
+					<!-- s0=usracct.authmethod, s1=usracct.username, s2=usracct.device, i0=port, s3=usracct.service -->
+					<pattern>Failed @ESTRING:s0: @for @ESTRING:s1: @from @ESTRING:s2: @port @ESTRING:i0: @@ANYSTRING:s3@</pattern>
+					<pattern>Failed @ESTRING:s0: @for invalid user @ESTRING:s1: @from @ESTRING:s2: @port @ESTRING:i0: @@ANYSTRING:s3@</pattern>
+					<pattern>Failed @ESTRING:s0: @for illegal user @ESTRING:s1: @from @ESTRING:s2: @port @ESTRING:i0: @@ANYSTRING:s3@</pattern>
+				</patterns>
+			</rule>
+			<rule class="13" id="13">
+				<patterns>
+					<!-- s0=usracct.username -->
+					<pattern>pam_unix(sshd:session): session closed for user @ANYSTRING:s0:@</pattern>
+					<pattern>session closed for user @ANYSTRING:s0:@</pattern>
+				</patterns>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset>
+		<pattern>bro_dns</pattern>
+		<rules>
+			<rule class="14" id="14">
+				<patterns>
+					<pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING::|@@ESTRING:s0:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ANYSTRING:s1@</pattern>
+					<pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING::|@@ESTRING:s0:|@</pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="bro_dns">1318443095.831281|0L5Ro2iPit1|10.0.0.0|23657|69.22.154.225|53|udp|31608|e2932.c.akamaiedge.net|1|C_INTERNET|1|A|0|NOERROR|F|T|F|F|F|1|20.000000|23.0.124.9</test_message>
+						<!-- srcip -->
+						<test_value name="i0">10.0.0.0</test_value>
+						<!-- srcport -->
+						<test_value name="i1">23657</test_value>
+						<!-- dstip -->
+						<test_value name="i2">69.22.154.225</test_value>
+						<!-- dstport -->
+						<test_value name="i3">53</test_value>
+						<!-- proto -->
+						<test_value name="i4">udp</test_value>
+						<!-- hostname -->
+						<test_value name="s0">e2932.c.akamaiedge.net</test_value>
+						<!-- answer -->
+						<test_value name="s1">23.0.124.9</test_value>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset>
+		<pattern>bro_notice</pattern>
+		<rules>
+			<rule class="41" id="Bro file transfer via bro_notice">
+				<patterns>
+					<pattern description="bro-2.1">@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@tcp|HTTP::MD5|@IPv4::@ @ESTRING:s0: @http@ESTRING:://@@ESTRING:s1:/@@ESTRING:s2:|@@ESTRING::|@@IPv4::@|@IPv4::@|@NUMBER::@|@ANYSTRING::@</pattern>
+					<pattern description="bro-2.1">@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@HTTP::MD5|@IPv4::@ @ESTRING:s0: @http@ESTRING:://@@ESTRING:s1:/@@ESTRING:s2:|@</pattern>
+				</patterns>
+				<values>
+					<value name="s2">/$s2</value>
+				</values>
+			</rule>
+			<rule class='15' id='15'>
+				<patterns>
+					<pattern description="bro-2.2">@ESTRING::|@@ESTRING::|@@IPv4:i0@|@NUMBER:i1@|@IPv4:i2@|@NUMBER:i3@|@ESTRING::|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@@IPv4:@|@IPv4:@|@NUMBER:@|@ANYSTRING::@</pattern>
+					<pattern description="bro-2.2">@ESTRING::|@-|-|@ESTRING:i1:|@@ESTRING:i2:|@-|-|@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@@IPv4:i0@|-|@NUMBER:i3@|@ANYSTRING::@</pattern>
+					<pattern description="bro-2.2">@ESTRING::|@-|-|@ESTRING:i1:|@-|@ESTRING:i3:|@-|@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@@IPv4:i0@|@IPv4:i2@|-|-|@ANYSTRING::@</pattern>
+					<pattern description="bro-2.2">@ESTRING::|@-|-|@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@-|@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@@IPv4:i0@|-|-|-|@ANYSTRING::@</pattern>
+					<pattern description="bro-2.2">@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING::|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@-|-|-|-|@ANYSTRING::@</pattern>
+					<pattern description="bro-2.1">@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@tcp|@ESTRING:s0:|@@ESTRING:s1:|@@ANYSTRING::@</pattern>
+					<pattern description="bro-2.1">@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@udp|@ESTRING:s0:|@@ESTRING:s1:|@@ANYSTRING::@</pattern>
+					<pattern description="bro-2.1">@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@icmp|@ESTRING:s0:|@@ESTRING:s1:|@@ANYSTRING::@</pattern>
+					<pattern description="bro-2.1">@ESTRING::|@-|-|-|-|-|-|@ESTRING:s0:|@@ESTRING:s1:|@-|-|-|-|-@ANYSTRING::@</pattern>
+					<pattern description="bro-2.1">@ESTRING::|@-|-|-|-|-|-|@ESTRING:s0:|@@ESTRING:s1:|@-|@IPv4:i0:@|@ANYSTRING::@</pattern>
+				</patterns>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset>
+		<pattern description='bro-2.2'>bro_files</pattern>
+		<rules>
+			<rule class='54' id='54'>
+				<patterns>
+					<pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING::|@@ESTRING:s0:|@@ESTRING::|@@ESTRING::|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING::|@@ESTRING::|@@ESTRING:i2:|@@ESTRING::|@@ESTRING:i3:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING:s4:|@@ESTRING:s5:|@@ANYSTRING::@</pattern>
+				</patterns>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset>
+		<pattern>bro_smtp</pattern>
+		<rules>
+			<rule class="16" id="16">
+				<patterns>
+					<pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING::|@@ESTRING:s0:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING:s3:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING:s4:|@@ESTRING:s5:|@@ANYSTRING::@</pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="bro_smtp">1320612601.697404|SFiDYDwOSl8|10.0.0.0|45765|66.94.25.228|25|@woMgeVXDE|server.example.com|&lt;prvs=284e51a33=user@domain.com&gt;|&lt;user@example.com&gt;|Sun, 6 Nov 2011 14:50:00 -0600|"user" &lt;user@domain.com&gt;|"'user@example.com'" &lt;user@example.com&gt;|-|&lt;F3AC33A1A5033546890246040DCA32E303CDF29D5FE6@mailserver.domain.com&gt;|&lt;user@example.com&gt;|RE: some subject|-|from mailserver.domain.com ([10.0.0.0]) with mapi; Sun, 6 Nov 2011 14:50:01 -0600|from mailserver.domain.com ([10.0.0.0]) by mailserver.domain.com with ESMTP/TLS/RC4-MD5; 06 Nov 2011 14:50:01 -0600|250 2.0.0 10wk4g5v6k-1 Message accepted for delivery|192.168.1.1,10.0.0.0|-|F</test_message>
+						<!-- srcip -->
+						<test_value name="i0">10.0.0.0</test_value>
+						<!-- srcport -->
+						<test_value name="i1">45765</test_value>
+						<!-- dstip -->
+						<test_value name="i2">66.94.25.228</test_value>
+						<!-- dstport -->
+						<test_value name="i3">25</test_value>
+						<!-- server -->
+						<test_value name="s0">server.example.com</test_value>
+						<!-- from -->
+						<test_value name="s1">"user" &lt;user@domain.com&gt;</test_value>
+						<!-- to -->
+						<test_value name="s2">"'user@example.com'" &lt;user@example.com&gt;</test_value>
+						<!-- subject -->
+						<test_value name="s3">RE: some subject</test_value>
+						<!-- last_reply -->
+						<test_value name="s4">250 2.0.0 10wk4g5v6k-1 Message accepted for delivery</test_value>
+						<!-- path -->
+						<test_value name="s5">192.168.1.1,10.0.0.0</test_value>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset>
+		<pattern>bro_smtp_entities</pattern>
+		<rules>
+			<rule class="17" id="17">
+				<patterns>
+					<pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING::|@@ESTRING:s0:|@@ESTRING:i4:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:@</pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="bro_smtp_entities">1320613389.303478|zQQiHb1x3fj|216.33.127.82|37295|10.0.0.0|25|@VqmVdbY2Mm3|CDocuments and SettingsckaiserLocal SettingsTemporary Internet FilesContent.IE535ZF226Areport[3].pdf|54399|application/pdf|-|-|-</test_message>
+						<!-- srcip -->
+						<test_value name="i0">216.33.127.82</test_value>
+						<!-- srcport -->
+						<test_value name="i1">37295</test_value>
+						<!-- dstip -->
+						<test_value name="i2">10.0.0.0</test_value>
+						<!-- dstport -->
+						<test_value name="i3">25</test_value>
+						<!-- filename -->
+						<test_value name="s0">CDocuments and SettingsckaiserLocal SettingsTemporary Internet FilesContent.IE535ZF226Areport[3].pdf</test_value>
+						<!-- content_len -->
+						<test_value name="i4">54399</test_value>
+						<!-- mime_type -->
+						<test_value name="s1">application/pdf</test_value>
+						<!-- md5 -->
+						<test_value name="s2">-</test_value>
+						<!-- extraction_file -->
+						<test_value name="s3">-</test_value>
+						<!-- excerpt -->
+						<test_value name="s4">-</test_value>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset>
+		<pattern>bro_ssl</pattern>
+		<rules>
+			<rule class="18" id="18">
+				<patterns>
+					<pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING::|@@ESTRING::|@@ESTRING:s0:|@@ESTRING::|@@ESTRING:s1:|@@ESTRING::|@@ESTRING:i4:|@@ANYSTRING::@</pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="bro_ssl">1319824864.447838|g6XHk1uplZc|10.0.0.0|19427|80.175.58.76|443|TLSv10|TLS_RSA_WITH_RC4_128_MD5|-|48eacd8fda1a4f48188288ce09ba84d93b8b40aaafdeafd8bace5a1ba9f7c3ce|CN=www.forneymaterialstesting.com,OU=Comodo InstantSSL,OU=Online Sales,O=Forney Inc,streetAddress=One Adams Place,L=Seven Fields\,,ST=Pennsylvania,postalCode=16046,C=US|1286341200.000000|1381035599.000000|04918ecb442ca62e6e8f29272b9cff42|ok</test_message>
+						<!-- srcip -->
+						<test_value name="i0">10.0.0.0</test_value>
+						<!-- srcport -->
+						<test_value name="i1">19427</test_value>
+						<!-- dstip -->
+						<test_value name="i2">80.175.58.76</test_value>
+						<!-- dstport -->
+						<test_value name="i3">443</test_value>
+						<!-- hostname -->
+						<test_value name="s0">-</test_value>
+						<!-- subject -->
+						<test_value name="s1">CN=www.forneymaterialstesting.com,OU=Comodo InstantSSL,OU=Online Sales,O=Forney Inc,streetAddress=One Adams Place,L=Seven Fields\,,ST=Pennsylvania,postalCode=16046,C=US</test_value>
+						<!-- expiration -->
+						<test_value name="i4">1381035599.000000</test_value>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset>
+		<pattern>bro_http</pattern>
+		<rules>
+			<rule class="19" id="19">
+				<patterns>
+					<!--ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       trans_depth     method  
+					  host    uri     referrer        user_agent      request_body_len        response_body_len       status_code     
+					  status_msg      info_code       info_msg        filename        tags    username        password        
+					  proxied mime_type       md5     extraction_file-->
+					<pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@NUMBER::@|@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING::|@@ESTRING:i5:|@@ESTRING:i4:|@</pattern>
+					<!--ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       method  
+					host    uri     referrer        user_agent      request_body_len       
+					 request_body_interrupted        response_body_len       response_body_interrupted       status_code     
+					 status_msg      filename        tags    username        password        proxied mime_type
+       md5     extraction_file-->
+					<pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING::|@@ESTRING::|@@ESTRING:i5:|@@ESTRING::|@@ESTRING:i4:|@</pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="bro_http">1319824864.447838|g6XHk1uplZc|10.0.0.0|19427|80.175.58.76|80|GET|www.google.com|/|http://example.com|myagent|-|-|1000|0|200|</test_message>
+						<!-- srcip -->
+						<test_value name="i0">10.0.0.0</test_value>
+						<!-- srcport -->
+						<test_value name="i1">19427</test_value>
+						<!-- dstip -->
+						<test_value name="i2">80.175.58.76</test_value>
+						<!-- dstport -->
+						<test_value name="i3">80</test_value>
+						<!-- method -->
+						<test_value name="s0">GET</test_value>
+						<!-- host -->
+						<test_value name="s1">www.google.com</test_value>
+						<!-- uri -->
+						<test_value name="s2">/</test_value>
+						<!-- referer -->
+						<test_value name="s3">http://example.com</test_value>
+						<!-- user_agent -->
+						<test_value name="s4">myagent</test_value>
+						<!-- status_code -->
+						<test_value name="i4">200</test_value>
+						<!-- content_length -->
+						<test_value name="i5">1000</test_value>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset>
+		<pattern>bro_conn</pattern>
+		<rules>
+			<rule class="20" id="20">
+				<patterns>
+					<!--ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	
+					conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes-->
+					<pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:i5:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING:s3:|@@ESTRING::|@@ESTRING:s4:|@</pattern>
+					<pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@</pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="bro_conn">1319824864.447838|g6XHk1uplZc|10.0.0.0|19427|80.175.58.76|80|tcp|...</test_message>
+						<!-- srcip -->
+						<test_value name="i0">10.0.0.0</test_value>
+						<!-- srcport -->
+						<test_value name="i1">19427</test_value>
+						<!-- dstip -->
+						<test_value name="i2">80.175.58.76</test_value>
+						<!-- dstport -->
+						<test_value name="i3">80</test_value>
+						<!-- proto -->
+						<test_value name="i4">tcp</test_value>
+					</example>
+					<example>
+						<test_message program="bro_conn">1355091922.994655|fOFtbJ91cG7|192.168.1.103|52949|206.12.19.9|80|tcp|http|3.970039|2829|574725|SF|-|3706|ShADadFf|200|14697|403|591995</test_message>
+						<!-- srcip -->
+						<test_value name="i0">192.168.1.103</test_value>
+						<!-- srcport -->
+						<test_value name="i1">52949</test_value>
+						<!-- dstip -->
+						<test_value name="i2">206.12.19.9</test_value>
+						<!-- dstport -->
+						<test_value name="i3">80</test_value>
+						<!-- proto -->
+						<test_value name="i4">tcp</test_value>
+						<!-- service -->
+						<test_value name="s0">http</test_value>
+						<!-- duration -->
+						<test_value name="s1">3.970039</test_value>
+						<!-- orig_bytes -->
+						<test_value name="s2">2829</test_value>
+						<!-- resp_bytes -->
+						<test_value name="i5">574725</test_value>
+						<!-- orig_pkts -->
+						<test_value name="s3">200</test_value>
+						<!-- resp_pkts -->
+						<test_value name="s4">403</test_value>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset name="fortinet_url" id='21'>
+		<pattern>kernel</pattern>
+		<rules>
+			<rule provider="ELSA" class='21' id='21'>
+				<patterns>
+					<pattern>date=@ESTRING:: @time=@ESTRING:: @devname=@ESTRING:: @device_id=@ESTRING:: @log_id=@ESTRING:: @subtype=@ESTRING:: @type=webfilter pri=@ESTRING:: @vd=@ESTRING:: @policyid=@ESTRING:: @identidx=@ESTRING:: @serial=@ESTRING:: @user=@ESTRING:s0: @group=@ESTRING:s1: @src=@IPv4:i0:@ sport=@ESTRING:i1: @src_port=@ESTRING:: @src_int=@ESTRING:: @dst=@IPv4:i2:@ dport=@ESTRING:i3: @dst_port=@ESTRING:: @dst_int=@ESTRING:: @service=@ESTRING:s2: @hostname=@ESTRING:s3: @profiletype=@ESTRING:: @profile=@ESTRING:: @status=@ESTRING:s4: @req_type=@ESTRING:: @url=@ESTRING:s5: @method=@ESTRING:: @class=@ESTRING:: @cat=@ESTRING:i4: @cat_desc=@QSTRING::""@ carrier_ep=@ESTRING:: @msg=@QSTRING::""@ class_desc=@ESTRING:: @profilegroup=</pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="kernel">date=2012-02-10 time=11:27:01 devname=CUSTID01-SITEID-FW device_id=FG100C999999999 log_id=13312 subtype=ftgd_allow type=webfilter pri=notice vd=VDOM policyid=44 identidx=1 serial=369298248 user=USER group=AD/GROUP src=10.1.2.3 sport=2163 src_port=2163 src_int=INT dst=4.3.2.1 dport=80 dst_port=80 dst_int=WAN service=http hostname=col.stb.s-msn.com profiletype=Webfilter_Profile profile=PROFILE status=passthrough req_type=referral url=/i/79/65F987C952BDA0E84AE52464ADD59.jpg method=domain class=0 cat=41 cat_desc="Search Engines and Portals" carrier_ep=N/A msg="URL belongs to an allowed category in policy" class_desc=N/A profilegroup=N/A</test_message>
+						<test_values>
+							<test_value name="i0">10.1.2.3</test_value>
+							<test_value name="i1">2163</test_value>
+							<test_value name="i2">4.3.2.1</test_value>
+							<test_value name="i3">80</test_value>
+							<test_value name="s0">USER</test_value>
+							<test_value name="s1">AD/GROUP</test_value>
+							<test_value name="s2">http</test_value>
+							<test_value name="s3">col.stb.s-msn.com</test_value>
+							<test_value name="s4">passthrough</test_value>
+							<test_value name="s5">/i/79/65F987C952BDA0E84AE52464ADD59.jpg</test_value>
+							<test_value name="i4">41</test_value>
+						</test_values>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset name="fortinet_traffic" id='22'>
+		<pattern>kernel</pattern>
+		<rules>
+			<rule provider="ELSA" class='22' id='22'>
+				<patterns>
+					<pattern>date=@ESTRING:: @time=@ESTRING:: @devname=@ESTRING:: @device_id=@ESTRING:: @log_id=@ESTRING:: @subtype=@ESTRING:: @type=traffic pri=@ESTRING:: @vd=@ESTRING:: @dir_disp=@ESTRING:: @tran_disp=@ESTRING:: @src=@IPv4:i0:@ srcname=@ESTRING:: @src_port=@NUMBER:i1:@ dst=@IPv4:i2:@ dstname=@ESTRING:: @dst_port=@NUMBER:i3:@ tran_ip=@ESTRING:: @tran_port=@ESTRING:: @service=@ESTRING:: @proto=@NUMBER:i4@ app_type=@ESTRING:: @duration=@NUMBER:i5@ rule=@ESTRING:: @policyid=@ESTRING:: @identidx=@ESTRING:: @sent=@ESTRING:: @rcvd=@ESTRING:: @shaper_drop_sent=@ESTRING:: @shaper_drop_rcvd=@ESTRING:: @perip_drop=@ESTRING:: @sent_pkt=@ESTRING:: @rcvd_pkt=@ESTRING:: @src_int=@ESTRING:: @dst_int=@ESTRING:: @SN=@ESTRING:: @app=@ESTRING:: @app_cat=@ESTRING:: @carrier_ep=@ESTRING:: @vpn=@ESTRING:: @status=@ESTRING:: @user=@ESTRING:: @group=@ESTRING:: @shaper_sent_name=@ESTRING:: @shaper_rcvd_name=@ESTRING:: @perip_name</pattern>
+					<pattern>date=@ESTRING:: @time=@ESTRING:: @devname=@ESTRING:: @devid=@ESTRING:: @logid=@ESTRING:: @type=traffic subtype=@ESTRING:: @level=@ESTRING:: @vd=@ESTRING:: @srcip=@IPv4:i0:@ srcport=@NUMBER:i1:@ srcintf=@QSTRING::""@ dstip=@IPv4:i2:@ dstport=@NUMBER:i3:@ dstintf=@QSTRING::""@ sessionid=@ESTRING:: @status=@ESTRING:: @policyid=@ESTRING:: @dstcountry=@QSTRING::""@ srccountry=@QSTRING::""@ trandisp=@ESTRING:: @tranip=@ESTRING:: @tranport=@ESTRING:: @service=@ESTRING:: @proto=@NUMBER:i4:@ duration=@NUMBER:i5:@ sentbyte=@ESTRING:: @rcvdbyte=@ESTRING:: @sentpkt=@ESTRING:: @rcvdpkt</pattern>
+					<pattern>date=@ESTRING:: @time=@ESTRING:: @devname=@ESTRING:: @devid=@ESTRING:: @logid=@ESTRING:: @type=traffic subtype=@ESTRING:: @level=@ESTRING:: @vd=@ESTRING:: @srcip=@IPv4:i0:@ srcport=@NUMBER:i1:@ srcintf=@QSTRING::""@ dstip=@IPv4:i2:@ dstport=@NUMBER:i3:@ dstintf=@QSTRING::""@ sessionid=@ESTRING:: @status=@ESTRING:: @policyid=@ESTRING:: @dstcountry=@QSTRING::""@ srccountry=@QSTRING::""@ trandisp=@ESTRING:: @tranip=@ESTRING:: @tranport=@ESTRING:: @transip=@ESTRING:: @transport=@ESTRING:: @service=@ESTRING:: @proto=@NUMBER:i4:@ duration=@NUMBER:i5:@ sentbyte=@ESTRING:: @rcvdbyte=@ESTRING:: @sentpkt=@ESTRING:: @rcvdpkt</pattern>
+					<pattern>date=@ESTRING:: @time=@ESTRING:: @devname=@ESTRING:: @device_id=@ESTRING:: @log_id=@ESTRING:: @type=traffic subtype=@ESTRING:: @pri=@ESTRING:: @vd=@ESTRING:: @src=@IPv4:i0:@ src_port=@NUMBER:i1:@ src_int=@QSTRING::""@ dst=@IPv4:i2:@ dst_port=@NUMBER:i3:@ dst_int=@QSTRING::""@ SN=@ESTRING:: @status=@ESTRING:: @policyid=@ESTRING:: @dst_country=@QSTRING::""@ src_country=@QSTRING::""@ service=@ESTRING:: @proto=@NUMBER:i4:@ duration=@NUMBER:i5:@ sent=@ESTRING:: @rcvd=@ESTRING:: @msg</pattern>
+					<!-- Complete pattern, not used now because we aren't capturing later strings 
+						<pattern>date=@ESTRING:: @time=@ESTRING:: @devname=@ESTRING:: @device_id=@ESTRING:: @log_id=@ESTRING:: @type=traffic subtype=@ESTRING:: @pri=@ESTRING:: @status=@ESTRING:: @vd=@ESTRING:: @dir_disp=@ESTRING:: @tran_disp=@ESTRING:: @src=@IPv4:i0:@ srcname=@ESTRING:: @src_port=@NUMBER:i1:@ dst=@IPv4:i2:@ dstname=@ESTRING:: @dst_port=@NUMBER:i3:@ tran_ip=@ESTRING:: @tran_port=@ESTRING:: @service=@ESTRING:: @proto=@NUMBER:i4:@ app_type=@ESTRING:: @duration=@NUMBER:i5:@ rule=@ESTRING:: @policyid=@ESTRING:: @identidx=@ESTRING:: @sent=@ESTRING:: @rcvd=@ESTRING:: @shaper_drop_sent=@ESTRING:: @shaper_drop_rcvd=@ESTRING:: @perip_drop=@ESTRING:: @shaper_sent_name=@QSTRING::""@ shaper_rcvd_name=@QSTRING::""@ perip_name=@QSTRING::""@ sent_pkt=@ESTRING:: @rcvd_pkt=@ESTRING:: @vpn=@QSTRING::""@ src_int=@QSTRING::""@ dst_int=@QSTRING::""@ SN=@ESTRING:: @app=@QSTRING::""@ app_cat=@QSTRING::""@ user=@QSTRING::""@ group=@QSTRING::""@ carrier_ep=@QSTRING::""@</pattern>
+					-->
+					<pattern>date=@ESTRING:: @time=@ESTRING:: @devname=@ESTRING:: @device_id=@ESTRING:: @log_id=@ESTRING:: @type=traffic subtype=@ESTRING:: @pri=@ESTRING:: @status=@ESTRING:: @vd=@ESTRING:: @dir_disp=@ESTRING:: @tran_disp=@ESTRING:: @src=@IPv4:i0:@ srcname=@ESTRING:: @src_port=@NUMBER:i1:@ dst=@IPv4:i2:@ dstname=@ESTRING:: @dst_port=@NUMBER:i3:@ tran_ip=@ESTRING:: @tran_port=@ESTRING:: @service=@ESTRING:: @proto=@NUMBER:i4:@ app_type=@ESTRING:: @duration=@NUMBER:i5:@</pattern>
+					<pattern>date=@ESTRING:: @time=@ESTRING:: @devname=@ESTRING:: @device_id=@ESTRING:: @log_id=@ESTRING:: @type=traffic subtype=@ESTRING:: @pri=@ESTRING:: @status=@ESTRING:: @vd=@ESTRING:: @src=@IPv4:i0:@ srcname=@ESTRING:: @src_port=@NUMBER:i1:@ dst=@IPv4:i2:@ dstname=@ESTRING:: @dst_port=@NUMBER:i3:@ service=@ESTRING:: @proto=@NUMBER:i4:@ app_type=@ESTRING:: @duration=@NUMBER:i5:@</pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="kernel">date=2012-02-10 time=11:27:01 devname=CUSTID01-SITEID-FW device_id=FGT80C9999999999 log_id=2 subtype=allowed type=traffic pri=notice vd=VDOM dir_disp=org tran_disp=snat src=10.1.2.3 srcname=10.1.2.3 src_port=53624 dst=4.3.2.2 dstname=4.3.2.2 dst_port=80 tran_ip=5.4.3.2 tran_port=49648 service=80/tcp proto=6 app_type=N/A duration=120 rule=49 policyid=49 identidx=0 sent=1221 rcvd=2062 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 sent_pkt=7 rcvd_pkt=6 src_int=INT dst_int=WAN SN=16349534 app=N/A app_cat=N/A carrier_ep=N/A vpn=N/A status=accept user=N/A group=N/A shaper_sent_name=N/A shaper_rcvd_name=N/A perip_name=N/A</test_message>
+						<test_values>
+							<test_value name="i0">10.1.2.3</test_value>
+							<test_value name="i1">53624</test_value>
+							<test_value name="i2">4.3.2.2</test_value>
+							<test_value name="i3">80</test_value>
+							<test_value name="i4">6</test_value>
+							<test_value name="i5">120</test_value>
+						</test_values>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset name="checkpoint_deny" id='23'>
+		<rules>
+			<rule provider="ELSA" class='23' id='23'>
+				<patterns>
+					<pattern>@QSTRING:i0:""@ @QSTRING::""@ @QSTRING::""@ @QSTRING:s0:""@ @QSTRING:s1:""@ @QSTRING:s2:""@ @QSTRING:s3:""@ @QSTRING:s4:""@ @QSTRING::""@ @QSTRING:i1:""@ @QSTRING:i2:""@ @QSTRING:i3:""@ @QSTRING::""@ @QSTRING::""@ @QSTRING::""@ @QSTRING::""@ "message_info: @ESTRING:s5:"@ @QSTRING::""@ @QSTRING::""@</pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="">"1" "12Feb2012" "23:59:04" "bond0.30" "FW-INT-CHCKPNT1" "Log" "Drop" "ntp-udp" "ntp-udp" "192.168.1.210" "10.133.3.10" "udp" "" "" "" "" "message_info: Address spoofing" "VPN-1 Power/UTM" "" ""</test_message>
+						<test_values>
+							<test_value name="i0">1</test_value>
+							<test_value name="s0">bond0.30</test_value>
+							<test_value name="s1">FW-INT-CHCKPNT1</test_value>
+							<test_value name="s2">Log</test_value>
+							<test_value name="s3">Drop</test_value>
+							<test_value name="s4">ntp-udp</test_value>
+							<test_value name="i1">192.168.1.210</test_value>
+							<test_value name="i2">10.133.3.10</test_value>
+							<test_value name="i3">udp</test_value>
+							<test_value name="s5">Address spoofing</test_value>
+						</test_values>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset name="palo_alto_url" id='24'>
+		<rules>
+			<rule provider="ELSA" class='24' id='24'>
+				<patterns>
+					<pattern>@NUMBER::@:@NUMBER::@,@NUMBER::@,@ESTRING::,@url,@NUMBER::@,@ESTRING::,@@IPv4:i0:@,@IPv4:i1:@,@IPv4::@,@IPv4::@,@ESTRING:s0:,@@ESTRING:s1:,@@ESTRING::,@@ESTRING:s2:,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING:i2:,@1@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@"@ESTRING:s3:/@@ESTRING:s4:"@,(@NUMBER::@),@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING:s5:,@</pattern>
+					<!-- Alternative pattern for PAN with columns listed -->
+					<pattern>@ESTRING::,@ TYPE: THREAT, SUBTYPE: url, THREAT_ID: (@NUMBER::@), ACTION: @ESTRING::,@ RULE: @ESTRING::,@ MISC: "@ESTRING:s3:/@@ESTRING:s4:"@</pattern>
+					<values>
+						<value name="s4">/$s4</value>
+					</values>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="">46:31,002501000259,THREAT,url,0,2012/02/21 09:46:31,192.168.1.1,208.71.123.129,0.0.0.0,0.0.0.0,USERS-Network-AllowAll-to-EXT,domain\joeschmo,,web-browsing,vsys1,Users,External,ethernet1/3,ethernet1/5,forward-syslog-to-elsa,2012/02/2109:46:30,156730,1,50836,80,0,0,0x8000,tcp,alert,"network.realmedia.com/RealMedia/ads/adstream_sx.ads/newsinc_ap_video_us/preroll/vast/sx/ss/a/@x75",(9999),All,informational,client-to-server,19630699,0x0,United States,United States,0,text/xml</test_message>
+						<test_values>
+							<test_value name="i0">192.168.1.1</test_value>
+							<test_value name="i1">208.71.123.129</test_value>
+							<test_value name="s0">USERS-Network-AllowAll-to-EXT</test_value>
+							<test_value name="s1">domain\joeschmo</test_value>
+							<test_value name="s2">web-browsing</test_value>
+							<test_value name="i2">156730</test_value>
+							<test_value name="s3">network.realmedia.com</test_value>
+							<test_value name="s4">/RealMedia/ads/adstream_sx.ads/newsinc_ap_video_us/preroll/vast/sx/ss/a/@x75</test_value>
+							<test_value name="s5">United States</test_value>
+						</test_values>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset name="palo_alto_traffic" id='25'>
+		<rules>
+			<rule provider="ELSA" class='25' id='25'>
+				<patterns>
+					<pattern>@NUMBER::@:@NUMBER::@,@ESTRING::TRAFFIC,@@ESTRING:s5:,@@NUMBER::@,@ESTRING::,@@IPv4:i0:@,@IPv4:i1:@,@IPv4::@,@IPv4::@,@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING:s0:,@@ESTRING:s1:,@@ESTRING:s2:,@@ESTRING:s3:,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING:i2:,@@ESTRING:i3:,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING:i4:,@@ESTRING::,@@ESTRING:i5:,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING:s4:,@</pattern>
+					<!-- Alternative pattern for PAN with columns listed -->
+					<pattern>@ESTRING::,@ TYPE: TRAFFIC, SUBTYPE: @ESTRING:s5:,@ RULE: @ESTRING::,@ ACTION: @ESTRING::,@ INBOUND_INTERFACE: @ESTRING:s2:,@ FROM_ZONE: @ESTRING:s0:,@ SOURCE_USER: @ESTRING::,@ SOURCE_IP: @ESTRING:i0:,@ NAT_SOURCE_IP: @ESTRING::,@ SOURCE_PORT: @ESTRING:i2:,@ OUTBOUND_INTERFACE: @ESTRING:s3:,@ TO_ZONE: @ESTRING:s1:,@ DESTINATION_USER: @ESTRING::,@ DESTINATION_IP: @ESTRING:i1:,@ DESTINATION_PORT: @ESTRING:i3:,@ DESTINATION_LOCATION: @ESTRING:s4:,@ CATEGORY: @ESTRING:s5:,@ PROTOCOL: @ESTRING:i4:,@ APPLICATION: @ESTRING::,@ ELAPSED_TIME: @ESTRING::,@ BYTES: @ESTRING:i5:,@ BYTES_RECEIVED: @ESTRING::,@ BYTES_SENT: @ESTRING::,@ TOTAL_PACKETS: @ESTRING::,@ PACKETS_RECEIVED: @ESTRING::,@ PACKETS_SENT: @ESTRING::,@ REPEAT_COUNT_5sec: </pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="">46:31,002501000259,TRAFFIC,end,0,2012/02/21 09:46:31,10.10.10.10,192.168.1.1,0.0.0.0,0.0.0.0,ALL-http-https-to-BASTION,,,web-browsing,vsys1,External,Bastion,ethernet1/5,ethernet1/2,forward-syslog-to-elsa,2012/02/21 09:46:30,632179,1,4074,80,0,0,0x0,tcp,allow,2986,1493,1493,19,2012/02/21 09:45:57,31,not-resolved,0,453403179,0x0,United States,United States,0,10,9</test_message>
+						<test_values>
+							<test_value name="i0">10.10.10.10</test_value>
+							<test_value name="i1">192.168.1.1</test_value>
+							<test_value name="s0">External</test_value>
+							<test_value name="s1">Bastion</test_value>
+							<test_value name="s2">ethernet1/5</test_value>
+							<test_value name="s3">ethernet1/2</test_value>
+							<test_value name="i2">4074</test_value>
+							<test_value name="i3">80</test_value>
+							<test_value name="i4">tcp</test_value>
+							<test_value name="i5">2986</test_value>
+							<test_value name="s4">United States</test_value>
+							<test_value name="s5">end</test_value>
+						</test_values>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset name="ossec" id='26'>
+		<rules>
+			<rule provider="ELSA" class="4" id="26">
+				<patterns>
+					<pattern>@NUMBER::@@ESTRING::(@@ESTRING::)@ @IPv4:pdb_extracted_sourceip:@->WinEvtLog WinEvtLog: @ESTRING:pdb_extracted_program::@ AUDIT_@ESTRING::(@@ESTRING:i0:)@@ESTRING::Account Name@@ESTRING::Account Name@:  @ESTRING:s1: @@ESTRING::Account Domain@:  @ESTRING:s2: @@ESTRING::Source Network Address@: @IPv4:i1:@</pattern>
+					<values>
+						<value name="PROGRAM">$pdb_extracted_program</value>
+					</values>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="">2013 Jan 18 20:25:08 (host.example.com) 172.20.0.23->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: myuser: MYDOMAIN: MYDOMAIN-DC-1.example.com: An account was successfully logged on. Subject:  Security ID:  S-1-5-18  Account Name:  MYDOMAIN-DC-1$  Account Domain:  MYDOMAIN  Logon ID:  0x3e7  Logon Type:   3  New Logon:  Security ID:  S-1-5-21-3113823999-9998615402-9997257512-9966  Account Name:  myuser  Account Domain:  MYDOMAIN  Logon ID:  0x2339f787  Logon GUID:  {00000000-0000-0000-0000-000000000000}  Process Information:  Process ID:  0x1e8  Process Name:  C:\\Windows\\System32\\lsass.exe  Network Information:  Workstation Name: MYDOMAIN-DC-1  Source Network Address: 172.24.248.117  Source Port:  54265  Detailed Authentication Information:  Logon Process:  Advapi    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  Transited Services: -  Package Name (NTLM only): -  Key Length:  0  This event is generated when a logon session is created. It is generated on the computer that was accessed.</test_message>
+						<test_values>
+							<test_value name="i0">4624</test_value>
+							<test_value name="s1">myuser</test_value>
+							<test_value name="s2">MYDOMAIN</test_value>
+							<test_value name="i1">172.24.248.117</test_value>
+						</test_values>
+					</example>
+				</examples>
+			</rule>
+			<rule provider="ELSA" class='4' id='26'>
+				<patterns>
+					<pattern>@NUMBER::@@ESTRING::(@@ESTRING::)@ @IPv4:pdb_extracted_sourceip:@->WinEvtLog WinEvtLog: @ESTRING:pdb_extracted_program::@ AUDIT_@ESTRING::(@@ESTRING:i0:)@</pattern>
+					<values>
+						<value name="PROGRAM">$pdb_extracted_program</value>
+					</values>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="">2012 Feb 20 09:04:41 (serverb) 123.123.40.23->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(4769): Microsoft-Windows-Security-Auditing: bgreen@DOM1.A.COM: DOM1.A.COM: serverb.dom1.a.com: A Kerberos service ticket was requested. Account Information:  Account Name: bgreen@DOM1.A.COM  Account Domain:  DOM1.A.COM  Logon GUID: {CBB22EBF-4367-CB43-E5AC-2A8C13FD9641}  Service Information:  Service Name:  SERVERC$  Service ID: S-1-5-21-117536760-2556423787-3220343774-160533  Network Information:Client Address:  ::ffff:123.123.39.33  Client Port:  62513  Additional Information:  Ticket Options:  0x40810000  Ticket Encryption Type: 0x12  Failure Code:  0x0  Transited Services: -  This event is generated every time access is requested to a resource such as a computer or a Windows service.  The service name indicates the resource to which access was requested.</test_message>
+						<test_values>
+							<test_value name="i0">4769</test_value>
+							<test_value name="PROGRAM">Security</test_value>
+							<test_value name="pdb_extracted_sourceip">123.123.40.23</test_value>
+						</test_values>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset name="barracuda" id='27'>
+		<pattern>from</pattern>
+		<rules>
+			<rule provider="ELSA" class='27' id='27'>
+				<patterns>
+					<pattern>@IPv4:pdb_extracted_sourceip:@: scan[@NUMBER::@]@ESTRING::[@@IPv4:i0:@] @ESTRING:: @@ESTRING:: @@ESTRING:: @SCAN @ESTRING:: @@ESTRING:s0: @@ESTRING:s1: @@ESTRING:: @@ESTRING:i1: @@ESTRING:i2: @@ESTRING:s2: @SZ:@NUMBER::@ SUBJ:@ANYSTRING:s3:@</pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="from">192.168.1.10: scan[8077]: UNKNOWN[10.37.80.102] 1329946623-01792678721d5b70001-uwIQq5 1329946623 1329946623 SCAN - sender@example.com recipient@example.com 0.341 0 0 - SZ:1634 SUBJ:Service - Flow Capture (inside)|status.example.com|PROBLEM</test_message>
+						<test_values>
+							<test_value name="i0">10.37.80.102</test_value>
+							<test_value name="s0">sender@example.com</test_value>
+							<test_value name="s1">recipient@example.com</test_value>
+							<test_value name="i1">0</test_value>
+							<test_value name="i2">0</test_value>
+							<test_value name="s2">-</test_value>
+							<test_value name="s3">Service - Flow Capture (inside)|status.example.com|PROBLEM</test_value>
+							<test_value name="pdb_extracted_sourceip">192.168.1.10</test_value>
+						</test_values>
+					</example>
+				</examples>
+			</rule>
+			<rule provider="ELSA" class='28' id='28'>
+				<patterns>
+					<pattern>@IPv4:pdb_extracted_sourceip:@: inbound/pass@NUMBER::@[@NUMBER::@]@ESTRING::[@@IPv4:i0:@] @ESTRING:: @@ESTRING:: @@ESTRING:: @RECV @ESTRING:s0: @@ESTRING:s1: @@ESTRING:i1: @@ESTRING:i2: @@ANYSTRING:s2:@</pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="from">192.168.1.10: inbound/pass1[22443]: host.com[8.7.24.13] 1329330589-01792657ab486050001-5NcMI6 1329330589 1329330590 RECV test@test.com test1@test.ca 2 62 8.7.24.13</test_message>
+						<test_values>
+							<test_value name="i0">8.7.24.13</test_value>
+							<test_value name="s0">test@test.com</test_value>
+							<test_value name="s1">test1@test.ca</test_value>
+							<test_value name="i1">2</test_value>
+							<test_value name="i2">62</test_value>
+							<test_value name="s2">8.7.24.13</test_value>
+							<test_value name="pdb_extracted_sourceip">192.168.1.10</test_value>
+						</test_values>
+					</example>
+				</examples>
+			</rule>
+			<rule provider="ELSA" class='29' id='29'>
+				<patterns>
+					<pattern>@IPv4:pdb_extracted_sourceip:@: outbound/smtp[@NUMBER::@]: @IPv4:i0:@ @ESTRING:: @@ESTRING:: @@ESTRING:: @SEND @ESTRING:: @@ESTRING:i1: @@ESTRING:: @@ESTRING:: @@ESTRING:: @@ANYSTRING:s0:@</pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="from">192.168.1.10: outbound/smtp[17580]: 127.0.0.1 1329330593-01792657ab486060001-slQ29D 0 0 SEND - 1 40FD5C6C659 250 &lt;0be658c5d60e4a0ea51a0a4745d6115e@mail.ca&gt; Queued mail for delivery</test_message>
+						<test_values>
+							<test_value name="i0">127.0.0.1</test_value>
+							<test_value name="s0">Queued mail for delivery</test_value>
+							<test_value name="i1">1</test_value>
+							<test_value name="pdb_extracted_sourceip">192.168.1.10</test_value>
+						</test_values>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset name="barracuda_scan" id='27_scan'>
+		<pattern>scan</pattern>
+		<rules>
+			<rule provider="ELSA" class='27' id='27'>
+				<patterns>
+					<pattern>@ESTRING::[@@IPv4:i0:@] @ESTRING:: @@ESTRING:: @@ESTRING:: @SCAN @ESTRING:: @@ESTRING:s0: @@ESTRING:s1: @@ESTRING:: @@ESTRING:i1: @@ESTRING:i2: @@ESTRING:s2: @SZ:@NUMBER::@ SUBJ:@ANYSTRING:s3:@</pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="scan">UNKNOWN[10.37.80.102] 1329946623-01792678721d5b70001-uwIQq5 1329946623 1329946623 SCAN - sender@example.com recipient@example.com 0.341 0 0 - SZ:1634 SUBJ:Service - Flow Capture (inside)|status.example.com|PROBLEM</test_message>
+						<test_values>
+							<test_value name="i0">10.37.80.102</test_value>
+							<test_value name="s0">sender@example.com</test_value>
+							<test_value name="s1">recipient@example.com</test_value>
+							<test_value name="i1">0</test_value>
+							<test_value name="i2">0</test_value>
+							<test_value name="s2">-</test_value>
+							<test_value name="s3">Service - Flow Capture (inside)|status.example.com|PROBLEM</test_value>
+						</test_values>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>		
+	<ruleset name="barracuda_inbound" id='27_inbound'>
+		<pattern>inbound</pattern>
+		<rules>
+			<rule provider="ELSA" class='28' id='28'>
+				<patterns>
+					<pattern>@ESTRING::[@@IPv4:i0:@] @ESTRING:: @@ESTRING:: @@ESTRING:: @RECV @ESTRING:s0: @@ESTRING:s1: @@ESTRING:i1: @@ESTRING:i2: @@ANYSTRING:s2:@</pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="inbound/pass1">host.com[8.7.24.13] 1329330589-01792657ab486050001-5NcMI6 1329330589 1329330590 RECV test@test.com test1@test.ca 2 62 8.7.24.13</test_message>
+						<test_values>
+							<test_value name="i0">8.7.24.13</test_value>
+							<test_value name="s0">test@test.com</test_value>
+							<test_value name="s1">test1@test.ca</test_value>
+							<test_value name="i1">2</test_value>
+							<test_value name="i2">62</test_value>
+							<test_value name="s2">8.7.24.13</test_value>
+						</test_values>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>		
+	<ruleset name="barracuda_outbound" id='27_outbound'>
+		<pattern>outbound</pattern>
+		<rules>
+			<rule provider="ELSA" class='29' id='29'>
+				<patterns>
+					<pattern>@IPv4:i0:@ @ESTRING:: @@ESTRING:: @@ESTRING:: @SEND @ESTRING:: @@ESTRING:i1: @@ESTRING:: @@ESTRING:: @@ESTRING:: @@ANYSTRING:s0:@</pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="outbound/smtp">192.168.1.10: outbound/smtp[17580]: 127.0.0.1 1329330593-01792657ab486060001-slQ29D 0 0 SEND - 1 40FD5C6C659 250 &lt;0be658c5d60e4a0ea51a0a4745d6115e@mail.ca&gt; Queued mail for delivery</test_message>
+						<test_values>
+							<test_value name="i0">127.0.0.1</test_value>
+							<test_value name="s0">Queued mail for delivery</test_value>
+							<test_value name="i1">1</test_value>
+						</test_values>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset name='Microsoft Exchange via Epilog' id='30'>
+		<patterns>exchmtlog</patterns>
+		<rules>
+			<rule provider='ELSA' class='30' id='30'>
+				<patterns>
+					<pattern>@ESTRING::,@@ESTRING::,@@ESTRING:s0:,@@ESTRING::,@@ESTRING:s1:,@@ESTRING::,@@ESTRING::,@STOREDRIVER,DELIVER,@NUMBER::@,@ESTRING:s2:,@@ESTRING:s3:,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING::,@@ESTRING:s4:,@</pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="exchmtlog">2012-03-16T17:13:16.475Z,,servername,,casservername,,,STOREDRIVER,DELIVER,23065261,sender@some.org,recipient@other.org,,156558,1,,,TEST MESSAGE SUBJECT,sender@some.org,sender@some.org,2012-03-16T17:13:16.147Z</test_message>
+						<test_value name="s0">servername</test_value>
+						<test_value name="s1">casservername</test_value>
+						<test_value name="s2">sender@some.org</test_value>
+						<test_value name="s3">recipient@other.org</test_value>
+						<test_value name="s4">TEST MESSAGE SUBJECT</test_value>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset name='URL via Novell forwarder script' id='31'>
+		<patterns>novell_logs_</patterns>
+		<rules>
+			<rule provider='ELSA' class='7' id='7'>
+				<patterns>
+					<!-- date time c-ip cs-username s-ip s-sitename cs-method cs-uri cs-uri-stem cs-uri-query c-version sc-status x-cache-info sc-header-size sc(Content-Length) sc-completed sc-bytes
+	 cs-bytes time-taken cs(User-Agent) cs(Cookie) cs(Referer) cs(X-Forwarded-For) cached x-fill-proxy-ip x-origin-ip rs-bytes sc(ETag) cs(If-Range) cs(Range) sc(Content-Range) cs(Pragma
+	) sc(Pragma)-->
+					<pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:username:|@@ESTRING:i1:|@@ESTRING:s1:|@@ESTRING:s0:|@@ESTRING::|@"@ESTRING:s2:"@|"@ESTRING::|@@ESTRING::|@@ESTRING:i2:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING:i3:|@@ESTRING:i5:|@"@ESTRING:s4:"@|@ESTRING::|@"@ESTRING:s3:"@</pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="novell_logs_test">2012-04-06|15:57:49|10.124.19.11|-|10.0.59.189|dev.mail.example.com|GET|"https://dev.mail.example.com:443/owa/auth/preload.htm"|"/owa/auth/preload.htm"|""|HTTP/1.1|200|"In Cache, Fresh"|550|"1527"|Success|2077|916|0.000|"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; .NET CLR 1.1.4322; InfoPath.3)"|"ASPSESSIONIDSSDSDRTA=JPNHAEECMAIOIDMIHNPJGOKE; ASPSESSIONIDSQDSCQSA=FGPFCJECCJAGBFBHLPHPKMPD"|"https://dev.mail.example.com/exchweb/bin/auth/owalogon.asp?url=https://dev.mail.example.com/exchange&amp;reason=0&amp;replaceCurrent=1"|""|1|-|-|""|""|""|""|""|""</test_message>
+						<test_value name="i0">10.124.19.11</test_value>
+						<test_value name="i1">10.0.59.189</test_value>
+						<test_value name="s0">GET</test_value>
+						<test_value name="s1">dev.mail.example.com</test_value>
+						<test_value name="s2">/owa/auth/preload.htm</test_value>
+						<test_value name="s3">https://dev.mail.example.com/exchweb/bin/auth/owalogon.asp?url=https://dev.mail.example.com/exchange&amp;reason=0&amp;replaceCurrent=1</test_value>
+						<test_value name="s4">Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; .NET CLR 1.1.4322; InfoPath.3)</test_value>
+						<test_value name="i2">200</test_value>
+						<test_value name="i3">916</test_value>
+						<test_value name="i5">0.000</test_value>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset name="Windows Event log Firewall Filtering" id='32'>
+		<pattern>Security-Auditing</pattern>
+		<rules>
+			<rule provider="M Smith" class='3' id='1000'>
+				<patterns>
+					<pattern>@ESTRING:: @The Windows Filtering Platform has @ESTRING:: @a connection. Application Information: Process ID: @ESTRING:: @Application Name: @ESTRING:: @Network Information: Direction: @ESTRING:: @Source Address: @IPv4:i1@ Source Port: @NUMBER:i2:@ Destination Address: @IPv4:i3:@ Destination Port: @NUMBER:i4:@ Protocol: @NUMBER:i0:@ Filter Information: Filter Run-Time ID: @ESTRING:: @Layer Name: @ESTRING:: @Layer Run-Time ID: @NUMBER::@</pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="Security-Auditing">5156: The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 1924 Application Name: \device\harddiskvolume1\users\admin\appdata\local\dude\win.exe Network Information: Direction: Outbound Source Address: 1.1.1.1 Source Port: 1234 Destination Address: 2.2.2.2 Destination Port: 4567 Protocol: 17 Filter Information: Filter Run-Time ID: 70078 Layer Name: Connect Layer Run-Time ID: 48</test_message>
+							<!-- srcip -->
+							<test_value name="i1">1.1.1.1</test_value>
+							<!-- srcport -->
+							<test_value name="i2">1234</test_value>
+							<!-- dstip -->
+							<test_value name="i3">2.2.2.2</test_value>
+							<!-- dstport -->
+							<test_value name="i4">4567</test_value>
+							<!-- proto -->
+							<test_value name="i0">17</test_value>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset name="TMG-Gateway-W3C-Logs-via-Epilog" id='10099'>
+            <rules>
+                    <rule provider="bgreen" class='3' id='10099'>
+                            <patterns>
+                                    <pattern>@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:::@@ESTRING:i2:|@@ESTRING:i3::@@ESTRING:i4:|@@ESTRING:i1:|@@ESTRING:s0:|@@ESTRING:s1:|@</pattern>
+                            </patterns>
+                            <examples>
+                                    <example>
+                                            <test_message program="ISAFWSLOG">BOB|2012-07-05|15:05:11|TCP|123.123.123.222:40521|123.123.123.111:443|123.123.111.111|Local Host|Internal|Establish|0x0|-|HTTPS|0|0|0|0|-|-|-|-|4|1874698|-|-|::|-|1048575|-</test_message>
+                                            <!-- proto -->
+                                            <test_value name="i0">TCP</test_value>
+                                            <!-- srcip -->
+                                            <test_value name="i1">123.123.111.111</test_value>
+                                            <!-- srcport -->
+                                            <test_value name="i2">40521</test_value>
+                                            <!-- dstip -->
+                                            <test_value name="i3">123.123.123.111</test_value>
+                                            <!-- dstport -->
+                                            <test_value name="i4">443</test_value>
+											<!-- inside interface -->
+											<test_value name="s0">Local Host</test_value>
+											<!-- outside interface -->
+											<test_value name="s1">Internal</test_value>
+                                    </example>
+                            </examples>
+                    </rule>
+            </rules>
+    </ruleset>
+    <ruleset name="ISAFWSLog-via-Epilog">
+    		<patterns>
+    			<pattern>ISAFWSLog</pattern>
+    		</patterns>
+            <rules>
+                    <rule provider="ELSA" class='7' id='7'>
+                            <patterns>
+                                    <pattern>@ESTRING:i0:|@@ESTRING::|@@ESTRING:s4:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING:i1:|@@ESTRING::|@@ESTRING::|@@ESTRING:s0:|@@ESTRING:://@@ESTRING:s1:/@@ESTRING:s2:|@@ESTRING:i2:|@</pattern>
+                                    <pattern>@ESTRING:i0:|@@ESTRING::|@@ESTRING:s4:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING:i1:|@@ESTRING::|@@ESTRING:s0:|@@ESTRING::|@@ESTRING:s1:|@</pattern>
+                            </patterns>
+                            <examples>
+                                    <example>
+                                    		<test_message program="ISAFWSLog">1.1.1.1|domainname\username|Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)|2012-08-27|18:59:49|MAD00GS6|2.2.2.2|2.2.2.2|80|http|GET|http://search.twitter.com/search.json?q=hp%2520dell%2520problems&amp;since_id=240160211699122180&amp;callback=twitter._queue_callback&amp;result_type=mixed|200|Internet Access to Users|Req ID: 1f449904 |Internal|External|0x480|Allowed|-</test_message>
+                                            <test_value name="i0">1.1.1.1</test_value>
+											<test_value name="i1">2.2.2.2</test_value>
+											<test_value name="s0">GET</test_value>
+											<test_value name="s1">search.twitter.com</test_value>
+											<test_value name="s2">search.json?q=hp%2520dell%2520problems&amp;since_id=240160211699122180&amp;callback=twitter._queue_callback&amp;result_type=mixed</test_value>
+											<test_value name="s3"></test_value>
+											<test_value name="s4">Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)</test_value>
+											<test_value name="s5"></test_value>
+											<test_value name="i2">200</test_value>
+											<test_value name="i3"></test_value>
+											<test_value name="i4"></test_value>
+                                    </example>
+                            </examples>
+                    </rule>
+            </rules>
+    </ruleset>
+    <ruleset name="Cisco SEC">
+    	<pattern>%SEC-</pattern>
+    	<rules>
+    		<rule provider="ELSA" class="2" id="2">
+    			<pattern>list @ESTRING:s2: @denied @ESTRING:i0: @@ESTRING:i1:(@@NUMBER:i2:@) -> @ESTRING:i3:(@@NUMBER:i4:@@ANYSTRING@</pattern>
+    			<examples>
+	    			<example>
+	    				<test_message program="%SEC-6-IPACCESSLOGP">list FILTER-INTERNET-IN denied tcp 1.2.3.4(53420) -> 5.6.7.8(23), 1 packet</test_message>
+	    				<test_value name="s2">FILTER-INTERNET-IN</test_value>
+	    				<test_value name="i0">tcp</test_value>
+	    				<test_value name="i1">1.2.3.4</test_value>
+	    				<test_value name="i2">53420</test_value>
+	    				<test_value name="i3">5.6.7.8</test_value>
+	    				<test_value name="i4">23</test_value>
+	    			</example>
+	    		</examples>
+	    	</rule>
+    	</rules>
+    	<rules>
+    		<rule provider="ELSA" class="3" id="3">
+    			<pattern>list @ESTRING:s2: @permitted @ESTRING:i0: @@ESTRING:i1:(@@NUMBER:i2:@) -> @ESTRING:i3:(@@NUMBER:i4:@@ANYSTRING@</pattern>
+    			<examples>
+	    			<example>
+	    				<test_message program="%SEC-6-IPACCESSLOGP">list FILTER-INTERNET-IN permitted tcp 1.2.3.4(53420) -> 5.6.7.8(23), 1 packet</test_message>
+	    				<test_value name="s2">FILTER-INTERNET-IN</test_value>
+	    				<test_value name="i0">tcp</test_value>
+	    				<test_value name="i1">1.2.3.4</test_value>
+	    				<test_value name="i2">53420</test_value>
+	    				<test_value name="i3">5.6.7.8</test_value>
+	    				<test_value name="i4">23</test_value>
+	    			</example>
+	    		</examples>
+	    	</rule>
+    	</rules>
+    </ruleset>
+    <ruleset name="CEF">
+    	<rules>
+    		<rule provider="ELSA" class="32" id="32">
+    			<pattern>CEF:@NUMBER::@|@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@NUMBER:i0:@|@ANYSTRING:s5:@</pattern>
+    			<examples>
+	    			<example>
+	    				<test_message program="">CEF:0|security|threatmanager|1.0|100|worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232</test_message>
+	    				<test_value name="i0">10</test_value>
+	    				<test_value name="s0">security</test_value>
+	    				<test_value name="s1">threatmanager</test_value>
+	    				<test_value name="s2">1.0</test_value>
+	    				<test_value name="s3">100</test_value>
+	    				<test_value name="s4">worm successfully stopped</test_value>
+	    				<test_value name="s5">src=10.0.0.1 dst=2.1.2.2 spt=1232</test_value>
+	    			</example>
+	    		</examples>
+	    	</rule>
+    	</rules>
+	</ruleset>
+	<ruleset name="Watchguard Firewall">
+		<pattern>firewall</pattern>
+		<rules>
+			<rule provider="ELSA" class="2" id="2">
+				<pattern>Deny @ESTRING:s0: @@ESTRING:s1: @@NUMBER::@ @ESTRING:i0: @@NUMBER::@ @NUMBER::@ @ESTRING:i1: @@ESTRING:i3: @@ESTRING:i2: @@ESTRING:i4: @</pattern>
+				<examples>
+					<example>
+						<test_message program="firewall">Deny 0-External Firebox 1340 tcp 20 56 74.125.225.143 10.0.1.1 443 3449 offset 5 A 451109382 win 257 (Unhandled External Packet-00)</test_message>
+						<test_value name="i0">tcp</test_value>
+						<test_value name="i1">74.125.225.143</test_value>
+						<test_value name="i2">443</test_value>
+						<test_value name="i3">10.0.1.1</test_value>
+						<test_value name="i4">3449</test_value>
+						<test_value name="s0">0-External</test_value>
+						<test_value name="s1">Firebox</test_value>
+					</example>
+				</examples>
+			</rule>
+			<rule provider="ELSA" class="3" id="3">
+				<pattern>Allow @ESTRING:s1: @@ESTRING:s0: @@NUMBER::@ @ESTRING:i0: @@NUMBER::@ @NUMBER::@ @ESTRING:i1: @@ESTRING:i3: @@ESTRING:i2: @@ESTRING:i4: @</pattern>
+				<examples>
+					<example>
+						<test_message program="firewall">Allow 1-Trusted 0-External 52 tcp 20 127 192.168.1.31 96.60.118.121 55185 8005 offset 8 S 1125590318 win 32 (ATSBDR-00)</test_message>
+						<test_value name="i0">tcp</test_value>
+						<test_value name="i1">192.168.1.31</test_value>
+						<test_value name="i2">55185</test_value>
+						<test_value name="i3">96.60.118.121</test_value>
+						<test_value name="i4">8005</test_value>
+						<test_value name="s0">0-External</test_value>
+						<test_value name="s1">1-Trusted</test_value>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset name="Watchguard URL">
+		<pattern>http-proxy</pattern>
+		<rules>
+			<rule provider="ELSA" class="7" id="7">
+				<pattern>Deny @ESTRING:: @@ESTRING:: @tcp @ESTRING:i0: @@ESTRING:i1: @@NUMBER::@ @NUMBER::@ msg="@ESTRING::"@ proxy_act="@ESTRING::"@ op="@ESTRING:s0:"@ dstname="@ESTRING:s1:"@ arg="@ESTRING:s2:"@ sent_bytes="@NUMBER::@" rcvd_bytes="@NUMBER:i3:@</pattern>
+				<examples>
+					<example>
+						<test_message program="http-proxy">Deny 1-Trusted 0-External tcp 192.168.1.17 23.21.13.155 62115 80 msg="HTTP Request" proxy_act="HTTP-Client.1" op="" dstname="23.21.13.155" arg="" sent_bytes="1" rcvd_bytes="0" (HTTP-proxy-ExceptLunch-00)</test_message>
+						<test_value name="i0">192.168.1.17</test_value>
+						<test_value name="i1">23.21.13.155</test_value>
+						<test_value name="i3">0</test_value>
+						<test_value name="s0"></test_value>
+						<test_value name="s1">23.21.13.155</test_value>
+						<test_value name="s2"></test_value>
+					</example>
+				</examples>
+			</rule>
+			<rule provider="ELSA" class="7" id="7">
+				<pattern>Allow @ESTRING:: @@ESTRING:: @tcp @ESTRING:i0: @@ESTRING:i1: @@NUMBER::@ @NUMBER::@ msg="@ESTRING::"@ proxy_act="@ESTRING::"@ op="@ESTRING:s0:"@ dstname="@ESTRING:s1:"@ arg="@ESTRING:s2:"@ sent_bytes="@NUMBER::@" rcvd_bytes="@NUMBER:i3:@</pattern>
+				<examples>
+					<example>
+						<test_message program="http-proxy">Allow 1-Trusted 0-External tcp 192.168.1.22 74.125.142.95 2597 80 msg="HTTP Request" proxy_act="HTTP-Client.1" op="GET" dstname="ajax.googleapis.com" arg="/ajax/libs/jquery/1.5/jquery.min.js" sent_bytes="363" rcvd_bytes="30368" (HTTP-proxy-ExceptLunch-00)</test_message>
+						<test_value name="i0">192.168.1.22</test_value>
+						<test_value name="i1">74.125.142.95</test_value>
+						<test_value name="i3">30368</test_value>
+						<test_value name="s0">GET</test_value>
+						<test_value name="s1">ajax.googleapis.com</test_value>
+						<test_value name="s2">/ajax/libs/jquery/1.5/jquery.min.js</test_value>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset name="Sidewinder Firewall">
+		<pattern>auditd</pattern>
+		<rules>
+			<rule provider="ELSA" class="2" id="2">
+				<pattern>date@ESTRING::event=@ACL deny@ESTRING::srcip=@@IPv4:i1:@,srcport=@NUMBER:i2:@,srcburb=@ESTRING:s1:,@dstip=@IPv4:i3:@,dstport=@NUMBER:i4:@,dstburb=@ESTRING:s0:,@protocol=@NUMBER:i0:@</pattern>
+				<pattern>date@ESTRING::event=@ACL deny@ESTRING::srcip=@@IPv4:i1:@,srcburb=@ESTRING:s1:,@dstip=@IPv4:i3:@,dstburb=@ESTRING:s0:,@protocol=@NUMBER:i0:@</pattern>
+				<pattern>date@ESTRING::type=@t_attack@ESTRING::srcip=@@IPv4:i1:@,srcport=@NUMBER:i2:@,srcburb=@ESTRING:s1:,@@ESTRING::protocol=@@NUMBER:i0:@@ESTRING::dstip=@@IPv4:i3:@,dstport=@NUMBER:i4:@,dstburb=@ESTRING:s0:,@</pattern>
+				<pattern>date@ESTRING::type=@t_netprobe@ESTRING::srcip=@@IPv4:i1:@,srcport=@NUMBER:i2:@,srcburb=@ESTRING:s1:,@dstip=@IPv4:i3:@,dstport=@NUMBER:i4:@,protocol=@NUMBER:i0:@,interface=@ESTRING:s0:,@</pattern>
+				<examples>
+					<example>
+						<test_message program="auditd">date="Oct 1 16:24:57 2012 UTC",fac=f_kernel_ipfilter,area=a_general_area,type=t_ipftraffic,pri=p_major,pid=0,ruid=0,euid=0,pgid=0,logid=0,cmd=kernel,domain=htpp,edomain=htpp,hostname=localhost,event=IP Filter session open,rule_name=myrule-out,srcip=1.1.1.1,srcport=1,srcburb=internal2,dstip=2.2.2.2,dstport=2,dstburb=external1,protocol=6,netsessid=5069c3d9000c7831</test_message>
+						<test_value name="i0">6</test_value>
+						<test_value name="i1">1.1.1.1</test_value>
+						<test_value name="i2">1</test_value>
+						<test_value name="i3">2.2.2.2</test_value>
+						<test_value name="i4">2</test_value>
+						<test_value name="s0">external1</test_value>
+						<test_value name="s1">internal2</test_value>
+					</example>
+				</examples>
+			</rule>
+			<rule provider="ELSA" class="3" id="3">
+				<pattern>date@ESTRING::event=@proxy traffic end@ESTRING::srcip=@@IPv4:i1:@,srcport=@NUMBER:i2:@,srcburb=@ESTRING:s1:,@protocol=@NUMBER:i0:@,dstip=@IPv4:i3:@,dstport=@NUMBER:i4:@,dstburb=@ESTRING:s0:,@bytes_written_to_client=@NUMBER:i5:@</pattern>
+				<pattern>date@ESTRING::event=@proxy traffic end@ESTRING::srcip=@@IPv4:i1:@,srcburb=@ESTRING:s1:,@protocol=@NUMBER:i0:@,dstip=@IPv4:i3:@,dstburb=@ESTRING:s0:,@bytes_written_to_client=@NUMBER:i5:@</pattern>
+				<pattern>date@ESTRING::event=@IP Filter session close@ESTRING::srcip=@@IPv4:i1:@,srcport=@NUMBER:i2:@,srcburb=@ESTRING:s1:,@dstip=@IPv4:i3:@,dstport=@NUMBER:i4:@,dstburb=@ESTRING:s0:,@bytes_written_to_client=@NUMBER:i5:@@ESTRING::protocol=@@NUMBER:i0:@</pattern>
+				<pattern>date@ESTRING::event=@IP Filter session timeout@ESTRING::srcip=@@IPv4:i1:@,srcport=@NUMBER:i2:@,srcburb=@ESTRING:s1:,@dstip=@IPv4:i3:@,dstport=@NUMBER:i4:@,dstburb=@ESTRING:s0:,@bytes_written_to_client=@NUMBER:i5:@@ESTRING::protocol=@@NUMBER:i0:@</pattern>
+				<examples>
+					<example>
+						<test_message program="auditd">date="Oct 1 16:24:57 2012 UTC",fac=f_http_proxy,area=a_libproxycommon,type=t_nettraffic,pri=p_major,pid=28529,ruid=0,euid=0,pgid=28529,logid=0,cmd=httpp,domain=htpp,edomain=htpp,hostname=localhost,event=proxy traffic end,service_name=http,netsessid=5069c3d9000ab8ce,srcip=1.1.1.1,srcport=1,srcburb=internal2,protocol=6,dstip=2.2.2.2,dstport=2,dstburb=external1,bytes_written_to_client=1297,bytes_written_to_server=421,rule_name=www.isa.webproxy,cache_hit=0,request_status=0,start_time="Mon Oct 1 11:24:57 2012"</test_message>
+						<test_value name="i0">6</test_value>
+						<test_value name="i1">1.1.1.1</test_value>
+						<test_value name="i2">1</test_value>
+						<test_value name="i3">2.2.2.2</test_value>
+						<test_value name="i4">2</test_value>
+						<test_value name="s0">external1</test_value>
+						<test_value name="s1">internal2</test_value>
+						<test_value name="i5">1297</test_value>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset name="Websense">
+		<pattern></pattern>
+		<rules>
+			<rule provider="ELSA" class="33" id="33">
+				<pattern>vendor=Websense@ESTRING::action=@@ESTRING:s5: @severity=@ESTRING::category=@@ESTRING:s3: @user=@ESTRING:s0: @src_host=@IPv4:i0:@@ESTRING::dst_host=@@ESTRING:s1: @dst_ip=@IPv4:i1:@@ESTRING::http_response=@@NUMBER:i2:@@ESTRING::http_user_agent=@@ESTRING:s4: @@ESTRING::disposition=@@ESTRING:s3: @@ESTRING:://@@ESTRING::/@@ANYSTRING:s2:@</pattern>
+				<pattern>vendor=Websense@ESTRING::action=@@ESTRING:s5: @severity=@ESTRING::category=@@ESTRING:s3: @user=@ESTRING:s0: @src_host=@IPv4:i0:@@ESTRING::dst_host=@@ESTRING:s1: @dst_ip=@IPv4:i1:@@ESTRING::http_response=@@NUMBER:i2:@@ESTRING::http_user_agent=@@ESTRING:s4: @@ESTRING::disposition=@@ESTRING:s3: @</pattern>
+				<values>
+					<value name="s2">/$s2</value>
+				</values>
+				<examples>
+					<example>
+						<test_message program="">vendor=Websense product=Security product_version=7.7.0 action=permitted severity=1 category=153 user=- src_host=10.64.134.74 src_port=62189 dst_host=mail.google.com dst_ip=74.125.224.53 dst_port=443 bytes_out=197 bytes_in=76 http_response=200 http_method=CONNECT http_content_type=- http_user_agent=Mozilla/5.0_(Windows;_U;_Windows_NT_6.1;_en-US;_rv:1.9.2.23)_Gecko/20110920_Firefox/3.6.23 http_proxy_status_code=200 reason=- disposition=1034 policy=- role=8 duration=0 url=https://mail.google.com/index.html</test_message>
+						<test_value name="i0">10.64.134.74</test_value>
+						<test_value name="i1">74.125.224.53</test_value>
+						<test_value name="i2">200</test_value>
+						<test_value name="s0">-</test_value>
+						<test_value name="s1">mail.google.com</test_value>
+						<test_value name="s2">/index.html</test_value>
+						<test_value name="s3">1034</test_value>
+						<test_value name="s4">Mozilla/5.0_(Windows;_U;_Windows_NT_6.1;_en-US;_rv:1.9.2.23)_Gecko/20110920_Firefox/3.6.23</test_value>
+						<test_value name="s5">permitted</test_value>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset name="McAfee SmartFilter">
+		<pattern></pattern>
+		<rules>
+			<rule provider="ELSA" class="33" id="33">
+				<pattern>@IPv4:i0@ - @ESTRING:s0: @@ESTRING::"@@ESTRING:://@@ESTRING:s1:/@@ESTRING:s2:"@ @NUMBER:i2:@ @ESTRING:s5: @@QSTRING:s3:"@</pattern>
+				<values>
+					<value name="s2">/$s2</value>
+				</values>
+				<examples>
+					<example>
+						<test_message program="McAfee SmartFilter">1.1.1.1 - username [03/Oct/2012:06:52:51 +0100]  "GET http://a.nice.url/some/uri?parameters=go&amp;in=here" 200 ALLOW "Blogs/Wiki, Entertainment"</test_message>
+						<test_value name="i0">1.1.1.1</test_value>
+						<test_value name="i2">200</test_value>
+						<test_value name="s0">username</test_value>
+						<test_value name="s1">a.nice.url</test_value>
+						<test_value name="s2">/some/uri?parameters=go&amp;in=here</test_value>
+						<test_value name="s3">Blogs/Wiki, Entertainment</test_value>
+						<test_value name="s5">ALLOW</test_value>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset name="Netflow" id='Netflow'>
+		<pattern>netflow_syslog</pattern>
+		<rules>
+			<rule provider="ELSA" class='34' id='34'>
+				<patterns>
+					<pattern>@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING:i5:|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ANYSTRING:s5:@</pattern>
+					<pattern>@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING:i5:|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@</pattern>
+					<pattern>@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING:i5:|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@</pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="netflow_syslog">tcp|192.85.128.47|35843|1.1.1.1|443|30486|2173|US|Palo Alto, CA|37.376202|-122.182602|HPES - Hewlett-Packard Company</test_message>
+						<test_values>
+							<test_value name="i0">tcp</test_value>
+							<test_value name="i1">192.85.128.47</test_value>
+							<test_value name="i2">35843</test_value>
+							<test_value name="i3">1.1.1.1</test_value>
+							<test_value name="i4">443</test_value>
+							<test_value name="i5">30486</test_value>
+							<test_value name="s0">2173</test_value>
+							<test_value name="s1">US</test_value>
+							<test_value name="s2">Palo Alto, CA</test_value>
+							<test_value name="s3">37.376202</test_value>
+							<test_value name="s4">-122.182602</test_value>
+							<test_value name="s5">HPES - Hewlett-Packard Company</test_value>
+						</test_values>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset name="BIND">
+		<pattern>BIND</pattern>
+		<rules>
+			<rule provider="ELSA" class='35' id='35'>
+				<patterns>
+					<pattern>@ESTRING::client @@ESTRING:i0:#@@NUMBER::@: query: @ESTRING:s0: @IN @ESTRING:s1: @@ESTRING:: @(@ESTRING:s2:)@</pattern>
+					<pattern>@ESTRING::client @@ESTRING:i0:#@@NUMBER::@ (@ESTRING::)@: query: @ESTRING:s0: @IN @ESTRING:s1: @@ESTRING:: @(@ESTRING:s2:)@</pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="BIND-DNS">02-Nov-2012 15:49:58.516 queries: info: client 198.211.94.24#55557: query: 174.2.219.178.in-addr.arpa IN PTR + (198.211.94.23)</test_message>
+						<test_values>
+							<test_value name="i0">198.211.94.24</test_value>
+							<test_value name="s0">174.2.219.178.in-addr.arpa</test_value>
+							<test_value name="s1">PTR</test_value>
+							<test_value name="s2">198.211.94.23</test_value>
+						</test_values>
+					</example>
+					<example>
+						<test_message program="BIND-DNS">02-Nov-2012 16:01:27.731 client 10.10.10.185#49999 (10.10.10.185): query: p.twitter.com IN A + (10.10.210.210)</test_message>
+						<test_values>
+							<test_value name="i0">10.10.10.185</test_value>
+							<test_value name="s0">p.twitter.com</test_value>
+							<test_value name="s1">A</test_value>
+							<test_value name="s2">10.10.210.210</test_value>
+						</test_values>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset name="IISWebLog">
+		<pattern>IISWebLog</pattern>
+		<rule provider="ELSA" class="7" id="IIS_7">
+			<pattern>@ESTRING:: @@ESTRING:: @@ESTRING:: @@ESTRING:: @@IPv4:i1:@ @ESTRING:s0: @@ESTRING:s2: @@ESTRING:: @@ESTRING:: @@ESTRING:: @@IPv4:i0:@ @ESTRING:: @@ESTRING:s4: @@ESTRING:: @@ESTRING:s3: @@ESTRING:s1: @@NUMBER:i2:@ @NUMBER::@ @NUMBER::@ @NUMBER:i3:@ @NUMBER::@ @NUMBER:i5:@</pattern>
+			<examples>
+				<example>
+					<test_message program="IISWebLog">2012-12-13 13:39:16 W3SVC1 MYSERVERNAME 1.1.1.1 GET / - 80 - 2.2.2.2 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.11+(KHTML,+like+Gecko)+Chrome/23.0.1271.95+Safari/537.11 - - www.fqdn.of.website.from.host.header.com 301 0 0 401 408 453</test_message>
+					<test_values>
+						<test_value name="i0">2.2.2.2</test_value>
+						<test_value name="i1">1.1.1.1</test_value>
+						<test_value name="i2">301</test_value>
+						<test_value name="i3">401</test_value>
+						<test_value name="i5">453</test_value>
+						<test_value name="s0">GET</test_value>
+						<test_value name="s1">www.fqdn.of.website.from.host.header.com</test_value>
+						<test_value name="s2">/</test_value>
+						<test_value name="s3">-</test_value>
+						<test_value name="s4">Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.11+(KHTML,+like+Gecko)+Chrome/23.0.1271.95+Safari/537.11</test_value>
+					</test_values>
+				</example>
+			</examples>
+		</rule>
+	</ruleset>
+	<ruleset name="Vyatta FW">
+		<!-- Note: Vyatta bug id:7640 https://bugzilla.vyatta.com/show_bug.cgi?id=7640 Trailing space missing from default log prefix "-R]IN" should be "-R] "-->
+		<pattern>kernel-</pattern>
+		<rules>
+			<rule provider="ELSA" class="2" id="2">
+				<patterns>
+					<pattern>@QSTRING::[]@ [@ESTRING:s2:-R]@IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @SPT=@ESTRING:i2: @DPT=@ESTRING:i4: @@ANYSTRING@</pattern>
+					<pattern>@QSTRING::[]@ [@ESTRING:s2:-D]@IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @SPT=@ESTRING:i2: @DPT=@ESTRING:i4: @@ANYSTRING@</pattern>
+					<pattern>@QSTRING::[]@ [@ESTRING:s2:-R]@ IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @SPT=@ESTRING:i2: @DPT=@ESTRING:i4: @@ANYSTRING@</pattern>
+					<pattern>@QSTRING::[]@ [@ESTRING:s2:-D]@ IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @SPT=@ESTRING:i2: @DPT=@ESTRING:i4: @@ANYSTRING@</pattern>
+					<pattern>@QSTRING::[]@ [@ESTRING:s2:-R]@IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @@ANYSTRING@</pattern>
+					<pattern>@QSTRING::[]@ [@ESTRING:s2:-D]@IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @@ANYSTRING@</pattern>
+					<pattern>@QSTRING::[]@ [@ESTRING:s2:-R]@ IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @@ANYSTRING@</pattern>
+					<pattern>@QSTRING::[]@ [@ESTRING:s2:-D]@ IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @@ANYSTRING@</pattern>
+					<pattern>@QSTRING::[]@ [@ESTRING:s2:-R]@IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@STRING:i0:@</pattern>
+					<pattern>@QSTRING::[]@ [@ESTRING:s2:-D]@IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@STRING:i0:@</pattern>
+					<pattern>@QSTRING::[]@ [@ESTRING:s2:-R]@ IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@STRING:i0:@</pattern>
+					<pattern>@QSTRING::[]@ [@ESTRING:s2:-D]@ IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@STRING:i0:@</pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="kernel">[100100.226323] [WEB_IN-default-R]IN=eth0 OUT=eth1 MAC=00:50:56:a6:00:13:00:50:56:a6:1f:41:08:00 SRC=172.31.254.28 DST=172.31.253.105 LEN=44 TOS=0x00 PREC=0x00 TTL=41 ID=16822 PROTO=TCP SPT=51425 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0</test_message>
+						<test_value name="s0">eth1</test_value>
+						<test_value name="s1">eth0</test_value>
+						<test_value name="s2">WEB_IN-default</test_value>
+						<test_value name="i0">TCP</test_value>
+						<test_value name="i1">172.31.254.28</test_value>
+						<test_value name="i2">51425</test_value>
+						<test_value name="i3">172.31.253.105</test_value>
+						<test_value name="i4">23</test_value>
+					</example>
+					<example>
+						<test_message program="kernel">[382188.344294] [WEB_IN-default-D]IN=eth0 OUT=eth1 MAC=00:50:56:a6:00:13:00:50:56:a6:1f:41:08:00 SRC=172.31.254.28 DST=172.31.253.109 LEN=44 TOS=0x00 PREC=0x00 TTL=45 ID=55452 PROTO=TCP SPT=51809 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0</test_message>
+						<test_value name="s0">eth1</test_value>
+						<test_value name="s1">eth0</test_value>
+						<test_value name="s2">WEB_IN-default</test_value>
+						<test_value name="i0">TCP</test_value>
+						<test_value name="i1">172.31.254.28</test_value>
+						<test_value name="i2">51809</test_value>
+						<test_value name="i3">172.31.253.109</test_value>
+						<test_value name="i4">80</test_value>
+					</example>
+					<example>
+						<test_message program="kernel">[387123.927635] [WEB_IN-8-D] IN=eth0 OUT=eth1 MAC=00:50:56:a6:00:13:00:50:56:a6:1f:41:08:00 SRC=172.31.254.28 DST=172.31.253.103 LEN=28 TOS=0x00 PREC=0x00 TTL=47 ID=49372 PROTO=ICMP TYPE=8 CODE=0 ID=5799 SEQ=0</test_message>
+						<test_value name="s0">eth1</test_value>
+						<test_value name="s1">eth0</test_value>
+						<test_value name="s2">WEB_IN-8</test_value>
+						<test_value name="i0">ICMP</test_value>
+						<test_value name="i1">172.31.254.28</test_value>
+						<test_value name="i2"></test_value>
+						<test_value name="i3">172.31.253.103</test_value>
+						<test_value name="i4"></test_value>
+					</example>
+					<example>
+						<test_message program="kernel">[466981.095849] [WEB_IN-default-D]IN=eth0 OUT=eth1 MAC=00:50:56:a6:00:13:00:50:56:a6:1f:41:08:00 SRC=172.31.254.28 DST=172.31.253.106 LEN=20 TOS=0x00 PREC=0x00 TTL=44 ID=39983 PROTO=135</test_message>
+						<test_value name="s0">eth1</test_value>
+						<test_value name="s1">eth0</test_value>
+						<test_value name="s2">WEB_IN-default</test_value>
+						<test_value name="i0">135</test_value>
+						<test_value name="i1">172.31.254.28</test_value>
+						<test_value name="i2"></test_value>
+						<test_value name="i3">172.31.253.106</test_value>
+						<test_value name="i4"></test_value>
+					</example>
+					<example>
+						<test_message program="kernel">[451134.428328] [WEB_IN-9-R] IN=eth0 OUT=eth1 MAC=00:50:56:a6:00:13:00:50:56:a6:1f:41:08:00 SRC=172.31.254.28 DST=172.31.253.107 LEN=20 TOS=0x00 PREC=0x00 TTL=37 ID=12252 PROTO=ESP INCOMPLETE [0 bytes]</test_message>
+						<test_value name="s0">eth1</test_value>
+						<test_value name="s1">eth0</test_value>
+						<test_value name="s2">WEB_IN-9</test_value>
+						<test_value name="i0">ESP</test_value>
+						<test_value name="i1">172.31.254.28</test_value>
+						<test_value name="i2"></test_value>
+						<test_value name="i3">172.31.253.107</test_value>
+						<test_value name="i4"></test_value>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+		<rules>
+			<rule provider="ELSA" class="3" id="3">
+				<patterns>
+					<pattern>@QSTRING::[]@ [@ESTRING:s2:-A]@IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING::SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @SPT=@ESTRING:i2: @DPT=@ESTRING:i4: @@ANYSTRING@</pattern>
+					<pattern>@QSTRING::[]@ [@ESTRING:s2:-A]@ IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING::SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @SPT=@ESTRING:i2: @DPT=@ESTRING:i4: @@ANYSTRING@</pattern>
+					<pattern>@QSTRING::[]@ [@ESTRING:s2:-A]@IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING::SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @@ANYSTRING@</pattern>
+					<pattern>@QSTRING::[]@ [@ESTRING:s2:-A]@ IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING::SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @@ANYSTRING@</pattern>
+					<pattern>@QSTRING::[]@ [@ESTRING:s2:-A]@IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING::SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@STRING:i0:@</pattern>
+					<pattern>@QSTRING::[]@ [@ESTRING:s2:-A]@ IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING::SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@STRING:i0:@</pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="kernel">[88829.069484] [WEB_IN-7-A] IN=eth0 OUT=eth1 MAC=00:50:56:a6:00:13:00:50:56:a6:1f:41:08:00 SRC=172.31.254.28 DST=172.31.253.102 LEN=44 TOS=0x00 PREC=0x00 TTL=46 ID=22533 PROTO=TCP SPT=59995 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0</test_message>
+						<test_value name="s0">eth1</test_value>
+						<test_value name="s1">eth0</test_value>
+						<test_value name="s2">WEB_IN-7</test_value>
+						<test_value name="i0">TCP</test_value>
+						<test_value name="i1">172.31.254.28</test_value>
+						<test_value name="i2">59995</test_value>
+						<test_value name="i3">172.31.253.102</test_value>
+						<test_value name="i4">3306</test_value>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset name="OSSEC_ALERTS">
+		<pattern>ossec</pattern>
+		<rules>
+			<rule provider="shadejinx" class='35' id='35'>
+				<pattern>Alert Level: @NUMBER:i0:@; Rule: @NUMBER:i1:@ - @ESTRING:s0:;@ Location: @ESTRING:s1:-@@ESTRING::;@ user: @ESTRING:s2:;@</pattern>
+				<examples>
+					<example>
+						<test_message program="ossec">Alert Level: 4; Rule: 18105 - Windows audit failure event.; Location: %SERVER.DOMAIN.LOCAL%->/var/log/ossec_in; user: %USERNAME%; Jan 12 13:51:34 %SERVER.DOMAIN.LOCAL% MSWinEventLog|1|Security|3151378|Sat Jan 12 13:51:32 2013|4776|Microsoft-Windows-Security-Auditing|%USERNAME%|N/A|Failure Audit|%SERVER.DOMAIN.LOCAL%|None||The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: %USERNAME% Source Workstation: %WORKSTATION_NAME% Error Code: 0xc0000064|3147595</test_message>
+						<test_value name="i0">4</test_value>
+						<test_value name="i1">18105</test_value>
+						<test_value name="s0">Windows audit failure event.</test_value>
+						<test_value name="s1">%SERVER.DOMAIN.LOCAL%</test_value>
+						<test_value name="s2">%USERNAME%</test_value>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset name="NetScreen" id='1001'>
+		<rules>
+			<rule provider="ELSA" class='2' id='2'>
+				<patterns>
+					<pattern>NetScreen device_id=@ESTRING:: @@ESTRING:: start_time="@@ESTRING::"@ duration=@ESTRING:: @policy_id=@ESTRING:s2: @service=@ESTRING:: @proto=@ESTRING:i0: @src zone=@ESTRING:s1: @dst zone=@ESTRING:s0: @action=Deny sent=@ESTRING:: @rcvd=@ESTRING:: @src=@ESTRING:i1: @dst=@ESTRING:i3: @src_port=@ESTRING:i2: @dst_port=@ESTRING:i4: @</pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="fwgate-1">NetScreen device_id=fw [Root]system-notification-00257(traffic): start_time="2012-10-02 09:46:20" duration=0 policy_id=10005 service=http proto=6 src zone=OUT dst zone=IN action=Deny sent=0 rcvd=40 src=192.168.0.1 dst=192.168.1.1 src_port=51271 dst_port=80 session_id=0 reason=Traffic Denied</test_message>
+						<test_value name="i0">6</test_value>
+						<test_value name="s0">IN</test_value>
+						<test_value name="i1">192.168.0.1</test_value>
+						<test_value name="s1">OUT</test_value>
+						<test_value name="i2">51271</test_value>
+						<test_value name="i3">192.168.1.1</test_value>
+						<test_value name="i4">80</test_value>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+		<rules>
+			<rule provider="ELSA" class='3' id='3'>
+				<patterns>
+					<pattern>NetScreen device_id=@ESTRING:: @@ESTRING:: start_time="@@ESTRING::"@ duration=@ESTRING:s2: @policy_id=@ESTRING:: @service=@ESTRING:: @proto=@ESTRING:i0: @src zone=@ESTRING:s1: @dst zone=@ESTRING:s0: @action=Permit sent=@ESTRING:: @rcvd=@ESTRING:i5: @src=@ESTRING:i1: @dst=@ESTRING:i3: @src_port=@ESTRING:i2: @dst_port=@ESTRING:i4: @</pattern>
+				</patterns>
+				<examples>
+					<example>
+					    <test_message program="fwgate-1">NetScreen device_id=fwgate-1 [Root]system-notification-00257(traffic): start_time="2013-02-14 15:37:46" duration=2 policy_id=8 service=tcp/port:10050 proto=6 src zone=Trust dst zone=DMZ action=Permit sent=379 rcvd=377 src=192.168.1.XX dst=192.168.XXX.XXX src_port=36033 dst_port=10050 src-xlated ip=192.168.XX.XX port=36033 dst-xlated ip=192.168.XXX.XXX port=10050 session_id=253315 reason=Close - TCP FIN</test_message>
+						<test_value name="i0">6</test_value>
+						<test_value name="i1">192.168.1.XX</test_value>
+						<test_value name="i2">36033</test_value>
+						<test_value name="i3">192.168.XXX.XXX</test_value>
+						<test_value name="i4">10050</test_value>
+						<test_value name="i5">377</test_value>
+						<test_value name="s0">DMZ</test_value>
+						<test_value name="s1">Trust</test_value>
+						<test_value name="s2">2</test_value>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset name="ATT Uverse" id='1001'>
+		<rules>
+			<rule provider="ELSA" class='2' id='2'>
+				<patterns>
+					<pattern>src=@ESTRING:i1: @dst=@ESTRING:i3: @ipprot=@ESTRING:i0: @sport=@ESTRING:i2: @dport=@ESTRING:i4: @</pattern>
+					<pattern>src=@ESTRING:i1: @dst=@ESTRING:i3: @ipprot=@ESTRING:i0: @</pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="fw,fwmon">src=192.168.1.65 dst=192.168.2.8 ipprot=17 sport=7547 dport=3478 Drop traffic to 192.168.0.0/16</test_message>
+						<test_value name="i0">17</test_value>
+						<test_value name="i1">192.168.1.65</test_value>
+						<test_value name="i2">7547</test_value>
+						<test_value name="i3">192.168.2.8</test_value>
+						<test_value name="i4">3478</test_value>
+					</example>
+					<example>
+						<test_message program="fw,fwmon">src=192.168.2.8 dst=192.168.1.72 ipprot=17 (layer 4 info unknown) Unknown inbound session stopped</test_message>
+						<test_value name="i0">17</test_value>
+						<test_value name="i1">192.168.2.8</test_value>
+						<test_value name="i3">192.168.1.72</test_value>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<!-- Bluecoat requires using a separate TCP destination in syslog-ng with the no-parse flag set and program_override("url")-->
+	<ruleset name='bluecoat'>
+		<pattern>url</pattern>
+		<rules>
+			<rule class='7' id='7'>
+				<patterns>
+					<pattern>@ESTRING:: @@ESTRING:: @@NUMBER:i5:@ @IPv4:i0:@ @NUMBER:i2:@ @ESTRING:: @@NUMBER::@ @NUMBER:i3:@ @ESTRING:s0: @@ESTRING:: @@ESTRING:s1: @@ESTRING:: @@ESTRING:s2_a: @@ESTRING:s2_b: @@ESTRING:: @@ESTRING:: @@ESTRING:: @@ESTRING:: @@ESTRING:: @@ESTRING:s4: @@ESTRING:s5: @</pattern>
+					<pattern>20@ESTRING:: @@ESTRING:: @@ESTRING:: @@ESTRING:i0: @@ESTRING:: @@ESTRING:: @@ESTRING:: @@ESTRING:: @@ESTRING:: @@ESTRING:s1: @</pattern>
+				</patterns>
+				<values>
+					<value name="s2">$s2_a$s2_b</value>
+				</values>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset name="infoblox_dhcp" id='40'>
+		<pattern>dhcpd</pattern>
+		<rules>
+			<rule provider="ELSA" class='40' id='40'>
+				<!-- i0 = srcip, s0=MAC address, s1=domain, s2=hostname -->
+				<patterns>
+					<pattern>DHCPDISCOVER from @ESTRING:s0: @via @ESTRING:i0::@</pattern>
+					<pattern>bind update on @ESTRING:i0: @from @ESTRING:s1:(@@NUMBER::@)</pattern>
+					<pattern>Forward map from @ESTRING:s2: @to @ESTRING:i0: @</pattern>
+					<pattern>Abandoning IP address @ESTRING:i0::@</pattern>
+					<pattern>Reclaiming abandoned lease @IPvANY:i0:@</pattern>
+					<pattern>client @ESTRING:i0:#@@NUMBER::@: update forwarding '@ESTRING:s1:/@</pattern>
+					<pattern>DNS format error from @ESTRING:i1:#@@NUMBER:i2:@ resolving </pattern>
+					<pattern>DHCPACK on @ESTRING:i0: @to @ESTRING:s0: @(@ESTRING:s2:)@</pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="dhcpd">DHCPDISCOVER from aa:aa:aa:aa:aa:aa via 10.1.52.31: peer holds all free leases</test_message>
+						<test_value name="s0">aa:aa:aa:aa:aa:aa</test_value>
+						<test_value name="i0">10.1.52.31</test_value>
+					</example>
+					<example>
+						<test_message program="dhcpd">bind update on 1.1.1.1 from corp-test(1368109376) rejected: incoming update is less critical than outgoing update</test_message>
+						<test_value name="i0">1.1.1.1</test_value>
+						<test_value name="s1">corp-test</test_value>
+					</example>
+					<example>
+						<test_message program="dhcpd">Forward map from host.test.com to 1.1.1.1 FAILED: Has an address record but no DHCID, not mine.</test_message>
+						<test_value name="i0">1.1.1.1</test_value>
+						<test_value name="s2">host.test.com</test_value>
+					</example>
+					<example>
+						<test_message program="dhcpd">Abandoning IP address 1.1.1.1: pinged before offer</test_message>
+						<test_value name="i0">1.1.1.1</test_value>
+					</example>
+					<example>
+						<test_message program="dhcpd">Reclaiming abandoned lease 10.1.52.207.</test_message>
+						<test_value name="i0">10.1.52.207</test_value>
+					</example>
+					<example>
+						<test_message program="dhcpd">client 1.1.1.1#64919: update forwarding 'test.com/IN' denied</test_message>
+						<test_value name="i0">1.1.1.1</test_value>
+						<test_value name="s1">test.com</test_value>
+					</example>
+					<example>
+						<test_message program="dhcpd">DHCPACK on 192.168.208.64 to aa:aa:aa:aa:aa:aa (JT-Mac) via 192.168.208.8</test_message>
+						<test_value name="i0">192.168.208.64</test_value>
+						<test_value name="s0">aa:aa:aa:aa:aa:aa</test_value>
+						<test_value name="s2">JT-Mac</test_value>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset name="FIREEYE" id='10003'>
+        <pattern>fenotify</pattern>
+		<rules>
+			<rule provider="ELSA" class='42' id='42'>
+				<patterns>
+					<pattern>@ESTRING::cnchost=@@ESTRING:i0:,@alertType=@ESTRING:s0:,@shost=@ESTRING:s1:,@dst=@ESTRING:i1:,@@ESTRING::sname=@@ESTRING:s2:,@fileHash=@ESTRING:s3:,@@ESTRING::occurred=@@ESTRING:i2:,@@ESTRING::cncport=@@ESTRING:i3:,@src=@ESTRING:i4:,@dpt=@ESTRING:i5:,@</pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="fenotify">CSV:0:FireEye:Web MPS:7.0.0.138133:IM:infection-match,osinfo=,sev=minr,malware_type=,alertid=16232,app=,spt=2791,locations=,smac=c4:7d:4f:ef:e0:03,header=,cnchost=127.0.0.1,alertType=infection-match,shost=thegibson.domain.com,dst=127.0.0.1,original_name=,application=,sid=504606,malware-note=,objurl=,mwurl=,profile=,dmac=00:0a:42:f4:94:00,product=Web MPS,sname=Local.Infection,fileHash=351f1dc4e958975661f02c86a485431e,dvchost=,occurred=2013-01-14T16:58:18Z,release=7.0.0.138133,link=,cncport=80,src=10.10.10.10,dpt=80,anomaly=,dvc=,channel=,action=notified,os=,stype=bot-command,</test_message>
+						<test_value name="s0">infection-match</test_value>
+						<test_value name="s1">thegibson.domain.com</test_value>
+						<test_value name="s2">Local.Infection</test_value>
+						<test_value name="s3">351f1dc4e958975661f02c86a485431e</test_value>
+						<test_value name="s4">bot-command</test_value>
+						<test_value name="i0">127.0.0.1</test_value>
+						<test_value name="i1">127.0.0.1</test_value>
+						<test_value name="i2">2013-01-14T16:58:18Z</test_value>
+						<test_value name="i3">80</test_value>
+						<test_value name="i4">10.10.10.10</test_value>
+						<test_value name="i5">80</test_value>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset>
+		<pattern>bro_ftp</pattern>
+		<rules>
+			<rule class="43" id="43">
+				<patterns>
+				  <!-- start securityonion -->
+                  <pattern>@ESTRING::|@@ESTRING:s0:|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s0:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@</pattern>
+                  <!-- end securityonion -->
+				  <pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING::|@@ESTRING:s0:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ANYSTRING:s1@</pattern>
+				  <pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING::|@@ESTRING:s0:|@</pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="bro_ftp">1360158824.989266|B6a0lYqUPm4|10.1.10.64|2504|10.2.20.40|21|redcell|hidden|RETR|ftp://10.2.20.40/./bandook.exe|-|-|-|-|-|-|-</test_message>
+						<!-- eventid -->
+						<test_value name="s0">B6a0lYqUPm4</test_value>
+						<!-- srcip -->
+						<test_value name="i0">10.1.10.64</test_value>
+						<!-- srcport -->
+						<test_value name="i1">2504</test_value>
+						<!-- dstip -->
+						<test_value name="i2">10.2.20.40</test_value>
+						<!-- dstport -->
+						<test_value name="i3">21</test_value>
+						<!-- username -->
+						<test_value name="s1">redcell</test_value>
+						<!-- password -->
+						<test_value name="s2">hidden</test_value>
+						<!-- command -->
+						<test_value name="s3">RETR</test_value>
+						<!-- arg -->
+						<test_value name="s4">ftp://10.2.20.40/./bandook.exe</test_value>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset>
+		<pattern>bro_weird</pattern>
+		<rules>
+			<rule class="44" id="44">
+				<patterns>
+                <pattern>@ESTRING::|@@ESTRING:s0:|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:s3:|@</pattern>  
+                </patterns>
+				<examples>
+					<example>
+						<test_message program="bro_weird">1351197195.607686|mHKKLqyI4mf|192.168.1.12|137|192.168.1.13|137|DNS_label_len_gt_pkt|-|F|bro</test_message>
+						<!-- eventid -->
+						<test_value name="s0">mHKKLqyI4mf</test_value>
+						<!-- srcip -->
+						<test_value name="i0">192.168.1.12</test_value>
+						<!-- srcport -->
+						<test_value name="i1">137</test_value>
+						<!-- dstip -->
+						<test_value name="i2">192.168.1.13</test_value>
+						<!-- dstport -->
+						<test_value name="i3">137</test_value>
+						<!-- name -->
+						<test_value name="s3">DNS_label_len_gt_pkt</test_value>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset>
+		<pattern>bro_tunnel</pattern>
+		<rules>
+			<rule class="45" id="45">
+				<patterns>
+                  <!-- start securityonion -->
+                  <pattern>@ESTRING::|@@ESTRING:s0:|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:s1:|@@ESTRING:s2:@</pattern>
+                  <!-- end securityonion -->
+				  <pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING::|@@ESTRING:s0:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ANYSTRING:s1@</pattern>
+				  <pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING::|@@ESTRING:s0:|@</pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="bro_tunnel">1360153388.439863|FIRbnuXCRqh|70.55.213.211|0|192.88.99.1|0|Tunnel::IP|Tunnel::DISCOVER</test_message>
+						<!-- eventid -->
+						<test_value name="s0">FIRbnuXCRqh</test_value>
+						<!-- srcip -->
+						<test_value name="i0">70.55.213.211</test_value>
+						<!-- srcport -->
+						<test_value name="i1">0</test_value>
+						<!-- dstip -->
+						<test_value name="i2">192.88.99.1</test_value>
+						<!-- dstport -->
+						<test_value name="i3">0</test_value>
+						<!-- name -->
+						<test_value name="s1">Tunnel::IP</test_value>
+						<!-- desc -->
+						<test_value name="s2">Tunnel::DISCOVER</test_value>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset>
+		<pattern>bro_software</pattern>
+		<rules>
+			<rule class="46" id="46">
+				<patterns>
+                  <pattern>@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING::|@@ESTRING::|@@ESTRING:s2:@</pattern>
+                  </patterns>
+				<examples>
+					<example>
+						<test_message program="bro_software">1360157307.572112|10.1.50.5|-|HTTP::BROWSER|MSIE|5|1|-|-|Mozilla/4.0 (compatible; MSIE 5.01; Windows NT)</test_message>
+						<!-- srcip -->
+						<test_value name="i0">10.1.50.5</test_value>
+						<!-- srcport -->
+						<test_value name="i1">-</test_value>
+						<!-- type -->
+						<test_value name="s0">HTTP::BROWSER</test_value>
+						<!-- name -->
+						<test_value name="s1">MSIE</test_value>
+						<!-- version_major -->
+						<test_value name="i2">5</test_value>
+						<!-- version_minor -->
+						<test_value name="i3">1</test_value>
+						<!-- product -->
+						<test_value name="s2">Mozilla/4.0 (compatible; MSIE 5.01; Windows NT)</test_value>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset>
+		<pattern>bro_ssh</pattern>
+		<rules>
+			<rule class="47" id="47">
+				<patterns>
+                  <!-- start securityonion -->
+                  <pattern>@ESTRING::|@@ESTRING:s0:|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:i4:|@</pattern>
+                  <!-- end securityonion -->
+				  <pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING::|@@ESTRING:s0:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ANYSTRING:s1@</pattern>
+				  <pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING::|@@ESTRING:s0:|@</pattern>
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="bro_ssh">1360157311.364242|YDPUHZNdL05|10.2.199.248|41392|10.1.40.1|22|failure|OUTBOUND|-|SSH-2.0-Cisco-1.25|1119|-|-|-|-|-</test_message>
+						<!-- eventid -->
+						<test_value name="s0">YDPUHZNdL05</test_value>
+						<!-- srcip -->
+						<test_value name="i0">10.2.199.248</test_value>
+						<!-- srcport -->
+						<test_value name="i1">41392</test_value>
+						<!-- dstip -->
+						<test_value name="i2">10.1.40.1</test_value>
+						<!-- dstport -->
+						<test_value name="i3">22</test_value>
+						<!-- status -->
+						<test_value name="s1">failure</test_value>
+						<!-- direction -->
+						<test_value name="s2">OUTBOUND</test_value>
+						<!-- client -->
+						<test_value name="s3">-</test_value>
+						<!-- server -->
+						<test_value name="s4">SSH-2.0-Cisco-1.25</test_value>
+						<!-- conn_bytes -->
+						<test_value name="i4">1119</test_value>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset>
+		<pattern>bro_syslog</pattern>
+		<rules>
+			<rule class="48" id="48">
+				<patterns>
+                  <!-- start securityonion -->
+                  <pattern>@ESTRING::|@@ESTRING:s0:|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:i4:|@@ESTRING:s1:|@@ESTRING:s2:|@@ANYSTRING:s3:@</pattern>
+                  <!-- end securityonion -->
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="bro_syslog">1375571619.507641|QMOWsHjZqde|192.168.1.1|514|192.168.1.116|514|udp|LOCAL0|INFO|Aug  3 23:13:39 pf: 00:00:00.804184 rule 36/0(match): pass in on vr0: (tos 0x0, ttl 64, id 11232, offset 0, flags [DF], proto UDP (17), length 55)   192.168.1.116.43172 > 192.168.1.1.53: 40972+ A? localhost. (27)</test_message>
+						<!-- eventid -->
+						<test_value name="s0">QMOWsHjZqde</test_value>
+						<!-- srcip -->
+						<test_value name="i0">192.168.1.1</test_value>
+						<!-- srcport -->
+						<test_value name="i1">514</test_value>
+						<!-- dstip -->
+						<test_value name="i2">192.168.1.116</test_value>
+						<!-- dstport -->
+						<test_value name="i3">514</test_value>
+						<!-- proto -->
+						<test_value name="i4">udp</test_value>
+						<!-- bro_syslog_facility -->
+						<test_value name="s1">LOCAL0</test_value>
+						<!-- bro_syslog_severity -->
+						<test_value name="s2">INFO</test_value>
+						<!-- bro_syslog_message -->
+						<test_value name="s3">Aug  3 23:13:39 pf: 00:00:00.804184 rule 36/0(match): pass in on vr0: (tos 0x0, ttl 64, id 11232, offset 0, flags [DF], proto UDP (17), length 55)   192.168.1.116.43172 > 192.168.1.1.53: 40972+ A? localhost. (27)</test_value>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset>
+		<pattern>bro_irc</pattern>
+		<rules>
+			<rule class="49" id="49">
+				<patterns>
+                  <!-- start securityonion -->      
+                  <pattern>@ESTRING::|@@ESTRING:s0:|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ANYSTRING:s1:@</pattern>
+                  <!-- end securityonion -->
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="bro_irc">1352413490.163439|FB2AqwMeEy4|192.168.1.12|1045|212.48.121.249|5050|NEW-[USA|00|P|23733]|XP-1630|JOIN|#!nn!| with channel key: 'test'|-|-|-|-</test_message>
+						<!-- eventid -->
+						<test_value name="s0">FB2AqwMeEy4</test_value>
+						<!-- srcip -->
+						<test_value name="i0">192.168.1.12</test_value>
+						<!-- srcport -->
+						<test_value name="i1">1045</test_value>
+						<!-- dstip -->
+						<test_value name="i2">212.48.121.249</test_value>
+						<!-- dstport -->
+						<test_value name="i3">5050</test_value>
+						<!-- bro_syslog_facility -->
+						<test_value name="s1">NEW-[USA|00|P|23733]|XP-1630|JOIN|#!nn!| with channel key: 'test'|-|-|-|-</test_value>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset>
+		<pattern>bro_known_cert</pattern>
+		<rules>
+			<rule class="50" id="50">
+				<patterns>
+                  <!-- start securityonion -->      
+                  <pattern>@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING::CN=@@ESTRING:s0:,@@ESTRING::OU=@@ESTRING:s1:@@ESTRING::O=@@ESTRING:s2:,@@ESTRING::emailAddress=@@ESTRING:s3:,@</pattern>
+                  <pattern>@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING::CN=@@ESTRING:s0:,@@ESTRING::OU=@@ESTRING:s1:@@ESTRING::O=@@ESTRING:s2:,@</pattern>
+                  <!-- end securityonion -->
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="bro_known_cert">1360154644.236015|10.2.20.60|443|emailAddress=webmaster@dox.site,CN=dox.site,OU=web server,O=SuSE Linux Web Server,L=unknown,ST=unknown,C=XY|emailAddress=webmaster@dox.site,CN=dox.site,OU=CA,O=SuSE Linux Web Server,L=unknown,ST=unknown,C=XY|02</test_message>
+						<!-- srcip -->
+						<test_value name="i0">10.2.20.60</test_value>
+						<!-- srcport -->
+						<test_value name="i1">443</test_value>
+						<!-- common_name -->
+						<test_value name="s0">dox.site</test_value>
+						<!-- organizational unit -->
+						<test_value name="s1">web server</test_value>
+						<!-- organization -->
+						<test_value name="s2">SuSE Linux Web Server</test_value>
+						<!-- email_address -->
+						<test_value name="s3">webmaster@dox.site</test_value>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset>
+		<pattern>bro_known_hosts</pattern>
+		<rules>
+			<rule class="51" id="51">
+				<patterns>
+                  <!-- start securityonion -->      
+                  <pattern>@ESTRING::|@@ESTRING:i0:@</pattern>
+                  <!-- end securityonion -->
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="bro_known_hosts">1360154565.568704|192.168.3.35</test_message>
+						<!-- srcip -->
+						<test_value name="i0">192.168.3.35</test_value>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset>
+		<pattern>bro_known_services</pattern>
+		<rules>
+			<rule class="52" id="52">
+				<patterns>
+                  <!-- start securityonion -->      
+                  <pattern>@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:s0:@</pattern>
+                  <!-- end securityonion -->
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="bro_known_services">1360154567.821951|192.168.10.100|2869|tcp|HTTP</test_message>
+						<!-- srcip -->
+						<test_value name="i0">192.168.10.100</test_value>
+						<!-- srcport -->
+						<test_value name="i1">2869</test_value>
+						<!-- proto -->
+						<test_value name="i2">tcp</test_value>
+						<!-- service -->
+						<test_value name="s0">HTTP</test_value>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+	<ruleset>
+		<pattern>bro_capture_loss</pattern>
+		<rules>
+			<rule class="53" id="53">
+				<patterns>
+                  <!-- start securityonion -->      
+                  <pattern>@ESTRING::|@@ESTRING::|@@ESTRING:s0:|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:s1:@</pattern>
+                  <!-- end securityonion -->
+				</patterns>
+				<examples>
+					<example>
+						<test_message program="bro_capture_loss">1377263179.538810|900.000092|so12-eth1-1|0|3991|0.000%</test_message>
+						<!-- interface -->
+						<test_value name="s0">so12-eth1-1</test_value>
+						<!-- gaps -->
+						<test_value name="i0">0</test_value>
+						<!-- acks -->
+						<test_value name="i1">3991</test_value>
+						<!-- percent_loss -->
+						<test_value name="s1">0.000%</test_value>
+					</example>
+				</examples>
+			</rule>
+		</rules>
+	</ruleset>
+</patterndb>
diff --git a/salt/syslog-ng/files/syslog-ng.conf b/salt/syslog-ng/files/syslog-ng.conf
new file mode 100644
index 000000000..7b1601f02
--- /dev/null
+++ b/salt/syslog-ng/files/syslog-ng.conf
@@ -0,0 +1,243 @@
+@version: 3.5
+source s_syslog { unix-dgram("/dev/log"); };
+
+source s_network {
+	tcp();
+	udp();
+};
+
+parser p_db {
+	db-parser(file("/opt/so/conf/syslog-ng/patterndb.xml"));
+};
+
+filter f_rewrite_cisco_program { match('^(%[A-Z]+\-\d\-[0-9A-Z]+): ([^\n]+)' value("MSGONLY") type("pcre") flags("store-matches" "nobackref")); };
+filter f_rewrite_cisco_program_2 { match('^[\*\.]?(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}(?:\.\d+)?(?: [A-Z]{3})?: (%[^:]+): ([^\n]+)' value("MSGONLY") type("pcre") flags("store-matches" "nobackref")); };
+filter f_rewrite_cisco_program_3 { match('^\d+[ywdh]\d+[ywdh]: (%[^:]+): ([^\n]+)' value("MSGONLY") type("pcre") flags("store-matches" "nobackref")); };
+filter f_snort { match('snort:' value("MSGHDR")); };
+filter f_bro_headers { message("^#") };
+
+rewrite r_cisco_program {
+        set("$1", value("PROGRAM") condition(filter(f_rewrite_cisco_program) or filter(f_rewrite_cisco_program_2) or filter(f_rewrite_cisco_program_3)));
+        set("$2", value("MESSAGE") condition(filter(f_rewrite_cisco_program) or filter(f_rewrite_cisco_program_2) or filter(f_rewrite_cisco_program_3)));
+};
+
+rewrite r_snare { subst("MSWinEventLog.+(Security|Application|System).+", "$1", value("PROGRAM") flags(global)); };
+rewrite r_from_pipes { subst('\|', "%7C", value("MESSAGE") flags(global) condition(program("bro_*" type(glob)))); };
+rewrite r_pipes { subst("\t", "|", value("MESSAGE") flags(global)); };
+rewrite r_host { set("$SOURCEIP", value("HOST")); };
+rewrite r_extracted_host { set("$pdb_extracted_sourceip", value("HOST") condition("$pdb_extracted_sourceip" != "")); };
+
+template t_db_parsed { template("$R_UNIXTIME\t$HOST\t$PROGRAM\t${.classifier.class}\t$MSGONLY\t${i0}\t${i1}\t${i2}\t${i3}\t${i4}\t${i5}\t${s0}\t${s1}\t${s2}\t${s3}\t${s4}\t${s5}\n"); };
+
+source s_bro_conn { file("/nsm/bro/logs/current/conn.log" flags(no-parse) program_override("bro_conn")); };
+source s_bro_http {
+	file("/nsm/bro/logs/current/http_eth1.log" flags(no-parse) program_override("bro_http"));
+
+};
+source s_bro_dns { file("/nsm/bro/logs/current/dns.log" flags(no-parse) program_override("bro_dns")); };
+source s_bro_files { file("/nsm/bro/logs/current/files.log" flags(no-parse) program_override("bro_files")); };
+source s_bro_dhcp { file("/nsm/bro/logs/current/dhcp.log" flags(no-parse) program_override("bro_dhcp")); };
+source s_bro_weird { file("/nsm/bro/logs/current/weird.log" flags(no-parse) program_override("bro_weird")); };
+source s_bro_tunnels { file("/nsm/bro/logs/current/tunnel.log" flags(no-parse) program_override("bro_tunnels")); };
+source s_bro_syslog { file("/nsm/bro/logs/current/syslog.log" flags(no-parse) program_override("bro_syslog")); };
+source s_bro_ftp { file("/nsm/bro/logs/current/ftp.log" flags(no-parse) program_override("bro_ftp")); };
+source s_bro_notice { file("/nsm/bro/logs/current/notice.log" flags(no-parse) program_override("bro_notice")); };
+source s_bro_smtp { file("/nsm/bro/logs/current/smtp.log" flags(no-parse) program_override("bro_smtp")); };
+source s_bro_smtp_entities { file("/nsm/bro/logs/current/smtp_entities.log" flags(no-parse) program_override("bro_smtp_entities")); };
+source s_bro_ssl { file("/nsm/bro/logs/current/ssl.log" flags(no-parse) program_override("bro_ssl")); };
+source s_ossec { file("/var/ossec/logs/archives/archives.log" program_override('ossec_archive') follow_freq(1) flags(no-parse)); };
+source s_bro_software { file("/nsm/bro/logs/current/software.log" flags(no-parse) program_override("bro_software")); };
+source s_bro_irc { file("/nsm/bro/logs/current/irc.log" flags(no-parse) program_override("bro_irc")); };
+source s_bro_ssh { file("/nsm/bro/logs/current/ssh.log" flags(no-parse) program_override("bro_ssh")); };
+source s_bro_intel { file("/nsm/bro/logs/current/intel.log" flags(no-parse) program_override("bro_intel")); };
+source s_bro_x509 { file("/nsm/bro/logs/current/x509.log" flags(no-parse) program_override("bro_x509")); };
+source s_bro_snmp { file("/nsm/bro/logs/current/snmp.log" flags(no-parse) program_override("bro_snmp")); };
+source s_bro_radius { file("/nsm/bro/logs/current/radius.log" flags(no-parse) program_override("bro_radius")); };
+source s_bro_mysql { file("/nsm/bro/logs/current/mysql.log" flags(no-parse) program_override("bro_mysql")); };
+source s_bro_kerberos { file("/nsm/bro/logs/current/kerberos.log" flags(no-parse) program_override("bro_kerberos")); };
+source s_bro_rdp { file("/nsm/bro/logs/current/rdp.log" flags(no-parse) program_override("bro_rdp")); };
+source s_bro_pe { file("/nsm/bro/logs/current/pe.log" flags(no-parse) program_override("bro_pe")); };
+source s_bro_sip { file("/nsm/bro/logs/current/sip.log" flags(no-parse) program_override("bro_sip")); };
+source s_bro_smb_mapping { file("/nsm/bro/logs/current/smb_mapping.log" flags(no-parse) program_override("bro_smb_mapping")); };
+source s_bro_smb_files { file("/nsm/bro/logs/current/smb_files.log" flags(no-parse) program_override("bro_smb_files")); };
+source s_bro_ntlm { file("/nsm/bro/logs/current/ntlm.log" flags(no-parse) program_override("bro_ntlm")); };
+source s_bro_dce_rpc { file("/nsm/bro/logs/current/dce_rpc.log" flags(no-parse) program_override("bro_dce_rpc")); };
+source s_bro_modbus { file("/nsm/bro/logs/current/modbus.log" flags(no-parse) program_override("bro_modbus")); };
+source s_bro_dnp3 { file("/nsm/bro/logs/current/dnp3.log" flags(no-parse) program_override("bro_dnp3")); };
+source s_bro_rfb { file("/nsm/bro/logs/current/rfb.log" flags(no-parse) program_override("bro_rfb")); };
+
+destination d_elsa { program("sh /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-syslog-ng.sh" template(t_db_parsed)); };
+destination d_logstash { tcp("logstash" port(6050) template("$(format-json --scope selected_macros --scope nv_pairs --exclude DATE --key ISODATE)\n")); };
+
+log {
+	source(s_bro_conn);
+	source(s_bro_http);
+	source(s_bro_dns);
+	source(s_bro_weird);
+  	source(s_bro_tunnels);
+	source(s_bro_syslog);
+	source(s_bro_ftp);
+	source(s_bro_files);
+	source(s_bro_dhcp);
+	source(s_bro_notice);
+	source(s_bro_smtp);
+	source(s_bro_smtp_entities);
+	source(s_bro_ssl);
+   	source(s_bro_irc);
+	source(s_bro_software);
+  	source(s_bro_ssh);
+	source(s_bro_smb_mapping);
+	source(s_bro_smb_files);
+	source(s_bro_ntlm);
+	source(s_bro_dce_rpc);
+  	source(s_bro_intel);
+  	source(s_bro_x509);
+  	source(s_bro_snmp);
+  	source(s_bro_radius);
+  	source(s_bro_mysql);
+  	source(s_bro_kerberos);
+  	source(s_bro_rdp);
+  	source(s_bro_pe);
+  	source(s_bro_sip);
+  	source(s_bro_modbus);
+  	source(s_bro_dnp3);
+  	source(s_bro_rfb);
+	source(s_ossec);
+	source(s_network);
+	source(s_syslog);
+	log { filter(f_bro_headers); flags(final); };
+	log { destination(d_logstash); };
+};
+# Bring it all back
+#source s_src {
+#       system();
+#       internal();
+#};
+########################
+# Destinations
+########################
+# First some standard logfile
+#
+destination d_auth { file("/var/log/auth.log"); };
+destination d_cron { file("/var/log/cron.log"); };
+destination d_daemon { file("/var/log/daemon.log"); };
+destination d_kern { file("/var/log/kern.log"); };
+destination d_lpr { file("/var/log/lpr.log"); };
+destination d_mail { file("/var/log/mail.log"); };
+destination d_syslog { file("/var/log/syslog"); };
+destination d_user { file("/var/log/user.log"); };
+destination d_uucp { file("/var/log/uucp.log"); };
+
+# This files are the log come from the mail subsystem.
+#
+destination d_mailinfo { file("/var/log/mail/mail.info"); };
+destination d_mailwarn { file("/var/log/mail/mail.warn"); };
+destination d_mailerr { file("/var/log/mail/mail.err"); };
+
+# Logging for INN news system
+#
+destination d_newscrit { file("/var/log/news/news.crit"); };
+destination d_newserr { file("/var/log/news/news.err"); };
+destination d_newsnotice { file("/var/log/news/news.notice"); };
+
+# Some `catch-all' logfiles.
+#
+destination d_debug { file("/var/log/debug"); };
+destination d_error { file("/var/log/error"); };
+destination d_messages { file("/var/log/messages"); };
+
+# The root's console.
+#
+destination d_console { usertty("root"); };
+
+# Virtual console.
+#
+destination d_console_all { file("/dev/tty10"); };
+
+# The named pipe /dev/xconsole is for the nsole' utility.  To use it,
+# you must invoke nsole' with the -file' option:
+#
+#    $ xconsole -file /dev/xconsole [...]
+#
+destination d_xconsole { pipe("/dev/xconsole"); };
+
+# Send the messages to an other host
+#
+#destination d_net { tcp("127.0.0.1" port(1000) authentication(on) encrypt(on) log_fifo_size(1000)); };
+
+# Debian only
+destination d_ppp { file("/var/log/ppp.log"); };
+
+########################
+# Filters
+########################
+# Here's come the filter options. With this rules, we can set which
+# message go where.
+
+filter f_dbg { level(debug); };
+filter f_info { level(info); };
+filter f_notice { level(notice); };
+filter f_warn { level(warn); };
+filter f_err { level(err); };
+filter f_crit { level(crit .. emerg); };
+
+filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };
+filter f_error { level(err .. emerg) and not filter(f_snort); };
+filter f_messages { level(info,notice,warn) and not facility(auth,authpriv,cron,daemon,mail,news); };
+filter f_auth { facility(auth, authpriv) and not filter(f_debug); };
+filter f_cron { facility(cron) and not filter(f_debug); };
+filter f_daemon { facility(daemon) and not filter(f_debug); };
+filter f_kern { facility(kern) and not filter(f_debug); };
+filter f_lpr { facility(lpr) and not filter(f_debug); };
+filter f_local { facility(local0, local1, local3, local4, local5, local6, local7) and not filter(f_debug); };
+filter f_mail { facility(mail) and not filter(f_debug); };
+filter f_news { facility(news) and not filter(f_debug); };
+filter f_syslog3 { not facility(auth, authpriv, mail) and not filter(f_debug) and not filter(f_snort); };
+filter f_user { facility(user) and not filter(f_debug); };
+filter f_uucp { facility(uucp) and not filter(f_debug); };
+
+filter f_cnews { level(notice, err, crit) and facility(news); };
+filter f_cother { level(debug, info, notice, warn) or facility(daemon, mail); };
+
+filter f_ppp { facility(local2) and not filter(f_debug); };
+filter f_console { level(warn .. emerg); };
+
+########################
+# Log paths
+########################
+log { source(s_syslog); filter(f_auth); destination(d_auth); };
+log { source(s_syslog); filter(f_cron); destination(d_cron); };
+log { source(s_syslog); filter(f_daemon); destination(d_daemon); };
+log { source(s_syslog); filter(f_kern); destination(d_kern); };
+log { source(s_syslog); filter(f_lpr); destination(d_lpr); };
+log { source(s_syslog); filter(f_syslog3); destination(d_syslog); };
+log { source(s_syslog); filter(f_user); destination(d_user); };
+log { source(s_syslog); filter(f_uucp); destination(d_uucp); };
+
+log { source(s_syslog); filter(f_mail); destination(d_mail); };
+#log { source(s_syslog); filter(f_mail); filter(f_info); destination(d_mailinfo); };
+#log { source(s_syslog); filter(f_mail); filter(f_warn); destination(d_mailwarn); };
+#log { source(s_syslog); filter(f_mail); filter(f_err); destination(d_mailerr); };
+
+log { source(s_syslog); filter(f_news); filter(f_crit); destination(d_newscrit); };
+log { source(s_syslog); filter(f_news); filter(f_err); destination(d_newserr); };
+log { source(s_syslog); filter(f_news); filter(f_notice); destination(d_newsnotice); };
+#log { source(s_syslog); filter(f_cnews); destination(d_console_all); };
+#log { source(s_syslog); filter(f_cother); destination(d_console_all); };
+
+#log { source(s_syslog); filter(f_ppp); destination(d_ppp); };
+
+log { source(s_syslog); filter(f_debug); destination(d_debug); };
+log { source(s_syslog); filter(f_error); destination(d_error); };
+log { source(s_syslog); filter(f_messages); destination(d_messages); };
+
+log { source(s_syslog); filter(f_console); destination(d_console_all); destination(d_xconsole); };
+log { source(s_syslog); filter(f_crit); destination(d_console); };
+
+# All messages send to a remote site
+#
+#log { source(s_syslog); destination(d_net); };
+
+###
+# Include all config files in /etc/syslog-ng/conf.d/
+###
diff --git a/salt/syslog-ng/init.sls b/salt/syslog-ng/init.sls
new file mode 100644
index 000000000..bcc86d238
--- /dev/null
+++ b/salt/syslog-ng/init.sls
@@ -0,0 +1,18 @@
+# Sync the Files
+file.directory:
+  - name: /opt/so/conf/syslog-ng
+  - user: 939
+  - group: 939
+
+# Syslog-ng Docker
+
+so-syslog-ng:
+  dockerng.running:
+    - image: pillaritem/so-logstash
+    - hostname: syslog-ng
+    - priviledged: true
+    - ports:
+      - 514/tcp
+      - 514/udp
+      - 601
+    - network_mode: so-elastic-net
diff --git a/salt/top.sls b/salt/top.sls
new file mode 100644
index 000000000..b2dbe542e
--- /dev/null
+++ b/salt/top.sls
@@ -0,0 +1,23 @@
+base:
+  'G@so-role:sensor'
+    - common
+    - pcap
+    - logstash
+    - nids
+    - syslog-ng
+    - bro
+
+  'G@so-role:eval'
+    - common
+    - sensor
+    - master
+    - eval
+
+  'G@so-role:master'
+    - common
+    - master
+
+  'G@so-role:mastersensor'
+    - common
+    - sensor
+    - master
diff --git a/so-setup-network.sh b/so-setup-network.sh
new file mode 100644
index 000000000..879de06cd
--- /dev/null
+++ b/so-setup-network.sh
@@ -0,0 +1,103 @@
+#!/bin/bash
+
+# Check for prerequisites
+if [ "$(id -u)" -ne 0 ]; then
+        echo "This script must be run using sudo!"
+        exit 1
+fi
+
+if (whiptail --title "Security Onion Setup" --yesno "Are you sure you want to install Security Onion over the internet?" 8 78) then
+
+	# Let folks know they need their management interface already set up.
+	whiptail --title "Security Onion Setup" --msgbox "Since this is a network install we assume the management interface, DNS, Hostname, etc are already set up. You must hit OK to continue." 8 78
+
+  # What kind of install are we doing?
+  INSTALLTYPE=$(whiptail --title "Security Onion Setup" --radiolist \
+  "Choose Install Type:" 20 78 4 \
+  "EVALMODE" "Evaluate all the things" ON \
+  "SENSORONLY" "Sensor join existing grid" OFF \
+  "MASTERONLY" "Start a new grid with no sensor running on it" OFF \
+  "MASTERSENSOR" "Start a new grid with a sensor" OFF 3>&1 1>&2 2>&3 )
+
+  # Get list of NICS if it isn't master only
+  if [ $INSTALLTYPE != 'MASTERONLY' ]; then
+
+    NICS=$(ip link | awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2 " \"" "Interface" "\"" " OFF"}')
+
+    # Pick which interface you want to use as the Management
+  	MNIC=$(whiptail --title "NIC Setup" --radiolist "Please select your management NIC" 20 78 12 ${NICS[@]} 3>&1 1>&2 2>&3 )
+
+    # Filter out the management NIC from the monitor NICs
+    FNICS=$(ip link | grep -vw $MNIC | awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2 " \"" "Interface" "\"" " OFF"}')
+	  BNICS=$(whiptail --title "NIC Setup" --checklist "Please add NICs to the Monitor Interfave" 20 78 12 ${FNICS[@]} 3>&1 1>&2 2>&3 )
+  fi
+  if [ $INSTALLTYPE == 'SENSORONLY' ]; then
+    # Get the master server for the install
+    MASTERSRV=$(whiptail --title "Enter your Master Server IP Address")
+  fi
+
+  # Time to get asnwers to questions so we can fill out the pillar file
+  if [ $INSTALLTYPE != 'MASTERONLY' ]; then
+    # Ask what IDS to use
+    # Ask how many CPUs to use for bro
+  fi
+
+  if [ $INSTALLTYPE != 'SENSORONLY' ]; then
+    # Get pulled pork info
+  fi
+
+  #########################
+  ## Do all the things!! ##
+  #########################
+
+  # Detect Base OS
+  if [ -f /etc/redhat-release ]; then
+    OS=centos
+  elif [ -f /etc/os-release ]; then
+    OS=ubuntu
+  else
+    echo "We were unable to determine if you are using a supported OS."
+    exit
+  fi
+
+  # Create bond interface
+  if [ $INSTALLTYPE != 'MASTERONLY' ]; then
+    echo "Setting up Bond"
+  fi
+
+  # Install Updates and the Docker Package
+  if [ $OS == 'centos']; then
+    ADDUSER=adduser
+    yum -y install https://repo.saltstack.com/yum/redhat/salt-repo-latest-2.el7.noarch.rpm
+    yum clean expire-cache
+    yum -y install salt-minion
+    if [ $INSTALLTYPE != 'SENSORONLY' ]; then
+      yum -y install salt-master
+    fi
+  else
+    ADDUSER=useradd
+    apt-get -y upgrade
+    wget -O - https://repo.saltstack.com/apt/ubuntu/16.04/amd64/latest/SALTSTACK-GPG-KEY.pub | apt-key add -
+    apt-get update
+    apt-get install salt-minion
+  fi
+
+  # Create so-core user
+  mkdir -p /opt/so/conf
+  mkdir -p /opt/so/saltstack/salt
+  mkdir -p /opt/so/saltstack/pillar
+  groupadd --gid 939 socore
+  $ADDUSER --uid 939 --gid 939 --home-dir /opt/so --no-create-home socore
+
+  chown -R 939:939 /opt/so
+
+  if [ $INSTALLTYPE == 'SENSORONLY' ]; then
+    service salt-minion start
+    salt-call state.highstate
+    # Script to accept key on the master
+
+
+# They did not want to do the install
+else
+    exit
+fi