diff --git a/salt/elastic/files/elasticsearch.yml b/salt/elastic/files/elasticsearch.yml
new file mode 100644
index 000000000..b8f66a310
--- /dev/null
+++ b/salt/elastic/files/elasticsearch.yml
@@ -0,0 +1,10 @@
+{%- set esclustername = salt['pillar.get']('master:esclustername', '') %}
+cluster.name: "{{ esclustername }}"
+network.host: 0.0.0.0
+
+# minimum_master_nodes need to be explicitly set when bound on a public IP
+# set to 1 to allow single node clusters
+# Details: https://github.com/elastic/elasticsearch/pull/17288
+discovery.zen.minimum_master_nodes: 1
+# This is a test -- if this is here, then the volume is mounted correctly.
+path.logs: /var/log/elasticsearch
diff --git a/salt/elastic/files/log4j2.properties b/salt/elastic/files/log4j2.properties
new file mode 100644
index 000000000..85cf5d8fb
--- /dev/null
+++ b/salt/elastic/files/log4j2.properties
@@ -0,0 +1,20 @@
+status = error
+#appender.console.type = Console
+#appender.console.name = console
+#appender.console.layout.type = PatternLayout
+#appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] %marker%m%n
+#rootLogger.level = info
+#rootLogger.appenderRef.console.ref = console
+# This is a test -- if this here, then the volume is mounted correctly.
+appender.rolling.type = RollingFile
+appender.rolling.name = rolling
+appender.rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}.log
+appender.rolling.layout.type = PatternLayout
+appender.rolling.layout.pattern = [%d{ISO8601}][%-5p][%-25c] %.10000m%n
+appender.rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}-%d{yyyy-MM-dd}.log
+appender.rolling.policies.type = Policies
+appender.rolling.policies.time.type = TimeBasedTriggeringPolicy
+appender.rolling.policies.time.interval = 1
+appender.rolling.policies.time.modulate = true
+rootLogger.level = info
+rootLogger.appenderRef.rolling.ref = rolling
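Review bot: `path.logs: /var/log/elasticsearch` names a container path that none of the binds visible in init.sls maps, while the state creates `/opt/so/log/elasticsearch` on the host; unless a bind for that container path exists outside these hunks, the rolling appender in log4j2.properties presumably writes to container-local storage that disappears on restart and never reaches the host log directory. Either mount the host directory at `/var/log/elasticsearch` or drop the override so the image default applies. The `# This is a test -- if this is here, then the volume is mounted correctly.` line is a leftover mount probe and should become a comment explaining why the log path is overridden. `network.host: 0.0.0.0` is acceptable inside the container only because host exposure is governed by the port binding in init.sls; a comment such as `# bind all container interfaces; host-side exposure is limited by the esaccessip port binding in init.sls` would stop a later reader from tightening it here.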
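Review bot: The `# This is a test -- if this here, then the volume is mounted correctly.` line (typo included) is a leftover mount probe sitting between seven commented-out console-appender lines and the live rolling appender; delete the dead console block or replace the probe with a comment such as `# console appender intentionally disabled; uncomment for interactive debugging`. `status = error` also silences log4j2's own configuration diagnostics, so a mistyped `${sys:...}` lookup in the two file-name properties would fail quietly at startup; a short comment stating that level is deliberate, or raising it to `warn`, would make misconfiguration visible in the container logs.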
diff --git a/salt/elastic/init.sls b/salt/elastic/init.sls index 8b0c99754..29c8ce42d 100644 --- a/salt/elastic/init.sls +++ b/salt/elastic/init.sls @@ -13,9 +13,15 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{% set esclustername = salt['pillar.get'](master:esclustername) %} -{% set esheap = salt['pillar.get'](master:esheap) %} -{% set esaccessip = salt['pillar.get'](master:esaccessip) %} +{% set esclustername = salt['pillar.get']('master:esclustername', '') %} +{% set esheap = salt['pillar.get']('master:esheap', '') %} +{% set esaccessip = salt['pillar.get']('master:esaccessip', '') %} + +# Add ES Group +elasticsearchgroup: + group.present: + - name: elasticsearch + - gid: 930 # Add ES user elasticsearch: 
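Review bot: Defaulting `master:esaccessip` to `''` turns a missing pillar value from a render error into a silent exposure: the binding `- {{ esaccessip }}:9200:9200` later in this file becomes `:9200:9200`, which Docker most likely treats as an empty host IP and publishes on every host interface, so an unconfigured master would expose Elasticsearch well beyond the intended address. Prefer a conservative default such as `{% set esaccessip = salt['pillar.get']('master:esaccessip', '127.0.0.1') %}`, or fail the render when the value is empty. The same applies to `esheap` and `esclustername`: an empty heap string is likely to yield an invalid JVM option and an empty cluster name an invalid `cluster.name: ""` in the managed template, so a loud failure beats an empty string. The new `elasticsearchgroup` relies on file order to precede the `elasticsearch` user; an explicit `- require:` on the user state would document that dependency (the user state continues outside this hunk).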
@@ -24,45 +30,39 @@ elasticsearch: - gid: 930 - home: /opt/so/conf/elasticsearch -# Add the logstash user for the jog4j settings -logstash: - user.present: - - uid: 931 - - gid: 931 - - home: /opt/so/conf/logstash +eslog4jfile: + file.managed: + - name: /opt/so/conf/elasticsearch/log4j2.properties + - source: salt://elasticsearch/files/log4j2.properties + - user: 930 + - group: 939 + - template: jinja -file.directory: - - name: /opt/so/conf/logstash - - user: 931 - - group: 939 - - makedirs: True +esyml: + file.managed: + - name: /opt/so/conf/elasticsearch/elasticsearch.yml + - source: salt://elasticsearch/files/elasticsearch.yml + - user: 930 + - group: 939 + - template: jinja -file.manage: - - name: /opt/so/conf/logstash/log4j2.properties - - source: salt://logstash/files/log4j2.properties - - user: 931 - - group: 939 +nsmesdir: + file.directory: + - name: /nsm/elasticsearch + - user: 930 + - group: 939 + - makedirs: True -file.directory: - - name: /opt/so/conf/elasticsearch - - user: 930 - - group: 939 - -file.directory: - - name: /nsm/elasticsearch - - user: 930 - - group: 939 - - makedirs: True - -file.directory: - - name: /opt/so/log/elasticsearch - - user: 930 - - group: 939 - - makedirs: True +eslogdir: + file.directory: + - name: /opt/so/log/elasticsearch + - user: 930 + - group: 939 + - makedirs: True so-elasticsearch: - dockerng.running: - - image: pillaritem/so-elasticsearch + docker_container.running: + - image: securityonion/so-elasticsearch:latest - hostname: elasticsearch - user: elasticsearch - environment: @@ -79,7 +79,6 @@ so-elasticsearch: - {{ esaccessip }}:9200:9200 - {{ esaccessip }}:9300:9300 - binds: - - /opt/so/conf/logstash/log4j2.properties:/usr/share/logstash/config/log4j2.properties:ro - /opt/so/conf/elasticsearch/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:ro - /opt/so/conf/elasticsearch/log4j2.properties:/usr/share/elasticsearch/config/log4j2.properties:ro - /nsm/elasticsearch:/usr/share/elasticsearch/data:rw 
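Review bot: `source: salt://elasticsearch/files/log4j2.properties` in `eslog4jfile` and `source: salt://elasticsearch/files/elasticsearch.yml` in `esyml` do not match where this commit adds the files, `salt/elastic/files/`; unless an `elasticsearch` directory or symlink exists elsewhere in the fileserver roots, both states will fail at apply time with a missing-source error, and the fix is `- source: salt://elastic/files/log4j2.properties` and `- source: salt://elastic/files/elasticsearch.yml`. `image: securityonion/so-elasticsearch:latest` pins a mutable tag, so the container that actually runs is whatever was pushed last and the state is not reproducible or auditable; pin a versioned tag or, better, a digest, ideally sourced from pillar like the other values. `- template: jinja` on the properties file is harmless but unnecessary since that file contains no Jinja; if kept, a one-line comment saying why avoids the question on the next review.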
diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index 62f297631..70bd970f0 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls @@ -15,32 +15,32 @@ # Logstash Section -# Only run this is you are in the sensor role -{% if grains['role'] == 'so-sensor' %} +logstashgroup: + group.present: + - name: logstash + - gid: 931 -# Add Logstash user +# Add the logstash user for the jog4j settings logstash: user.present: - uid: 931 - gid: 931 - home: /opt/so/conf/logstash -# Create logstash conf directory -file.directory: - - name: /opt/so/conf/logstash - - user: 931 - - group: 939 - - makedirs: True +lsconfdir: + file.directory: + - name: /opt/so/conf/logstash + - user: 931 + - group: 939 + - makedirs: True -# Set the heap size from the sensor pillar -{% set lsheap = salt['pillar.get'](sensor:lsheap) %} +log4jfile: + file.managed: + - name: /opt/so/conf/logstash/log4j2.properties + - source: salt://logstash/files/log4j2.properties + - user: 931 + - group: 939 -{% else %} - -# Set the heap size from the master pillar -{% set lsheap = salt['pillar.get'](master:lsheap) %} - -{% endif %} # Create the conf/d logstash directory file.directory:
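Review bot: Both `{% set lsheap = ... %}` assignments are removed along with the `grains['role']` conditional, but nothing in the hunk replaces them; if `{{ lsheap }}` is still referenced further down the file (the way init.sls for Elasticsearch uses `esheap`), the render will either fail on an undefined name or emit an empty heap setting, depending on the undefined-variable policy. Either re-add a single `{% set lsheap = salt['pillar.get']('master:lsheap', '') %}` style lookup here or confirm there are no remaining uses. The added comment `# Add the logstash user for the jog4j settings` carries over a typo and should read `# Add the logstash user for the log4j settings`. The trailing unnamed `file.directory:` state ID at the end of the hunk is the same pattern this commit renames elsewhere, so it is worth giving it an explicit ID in the same change.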