diff --git a/salt/logstash/conf/conf.enabled.txt.search b/salt/logstash/conf/conf.enabled.txt.search
index 470f19c55..dad8af484 100644
--- a/salt/logstash/conf/conf.enabled.txt.search
+++ b/salt/logstash/conf/conf.enabled.txt.search
@@ -104,3 +104,4 @@
 /usr/share/logstash/pipeline.dynamic/9998_output_test_data.conf
 /usr/share/logstash/pipeline.dynamic/7100_osquery_wel.conf
 /usr/share/logstash/pipeline.dynamic/9100_output_osquery.conf
+/usr/share/logstash/pipeline.dynamic/9700_output_strelka.conf
diff --git a/salt/logstash/conf/conf.enabled.txt.so-eval b/salt/logstash/conf/conf.enabled.txt.so-eval
index d125fc829..49948728d 100644
--- a/salt/logstash/conf/conf.enabled.txt.so-eval
+++ b/salt/logstash/conf/conf.enabled.txt.so-eval
@@ -111,3 +111,4 @@
 #/usr/share/logstash/pipeline.dynamic/9998_output_test_data.conf
 /usr/share/logstash/pipeline.dynamic/7100_osquery_wel.conf
 /usr/share/logstash/pipeline.dynamic/9100_output_osquery.conf
+/usr/share/logstash/pipeline.dynamic/9700_output_strelka.conf
diff --git a/salt/logstash/conf/pipelines/eval/templates/9700_ouptut_strelka.conf b/salt/logstash/conf/pipelines/eval/templates/9700_ouptut_strelka.conf
new file mode 100644
index 000000000..861f8a034
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9700_ouptut_strelka.conf
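Review bot: The so-eval enabled list adds `/usr/share/logstash/pipeline.dynamic/9700_output_strelka.conf`, but the eval pipeline template added in this same commit is named `9700_ouptut_strelka.conf` ("ouptut"). If the rendered file in pipeline.dynamic keeps the template's basename, the eval node will list a pipeline file that does not exist and the Strelka output will never load; the search-side template is spelled correctly, so only eval is affected. Rename the template to `salt/logstash/conf/pipelines/eval/templates/9700_output_strelka.conf` so the list entry resolves. The state that renders templates into pipeline.dynamic is not in this diff, so confirm the naming rule there.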
@@ -0,0 +1,30 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+ filter {
+ if [event_type] =~ "strelka" {
+ mutate {
+ ##add_tag => [ "conf_file_9000"]
+ }
+ }
+}
+output {
+ if [event_type] =~ "strelka" {
+ elasticsearch {
+ hosts => "{{ ES }}"
+ index => "logstash-strelka-%{+YYYY.MM.dd}"
+ template_name => "logstash"
+ template => "/logstash-template.json"
+ template_overwrite => true
+ }
+ }
+}
+
diff --git a/salt/logstash/conf/pipelines/search/templates/9700_output_strelka.conf b/salt/logstash/conf/pipelines/search/templates/9700_output_strelka.conf
new file mode 100644
index 000000000..861f8a034
--- /dev/null
+++ b/salt/logstash/conf/pipelines/search/templates/9700_output_strelka.conf
@@ -0,0 +1,30 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+ filter {
+ if [event_type] =~ "strelka" {
+ mutate {
+ ##add_tag => [ "conf_file_9000"]
+ }
+ }
+}
+output {
+ if [event_type] =~ "strelka" {
+ elasticsearch {
+ hosts => "{{ ES }}"
+ index => "logstash-strelka-%{+YYYY.MM.dd}"
+ template_name => "logstash"
+ template => "/logstash-template.json"
+ template_overwrite => true
+ }
+ }
+}
+
diff --git a/salt/logstash/etc/logstash-strelka-template.json b/salt/logstash/etc/logstash-strelka-template.json
new file mode 100644
index 000000000..34b937b87
--- /dev/null
+++ b/salt/logstash/etc/logstash-strelka-template.json
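Review bot: The elasticsearch output registers the generic template under the shared name, `template_name => "logstash"` with `template => "/logstash-template.json"` and `template_overwrite => true`, so the `logstash-strelka-template.json` this commit adds and mounts into the container is never read, and every restart of this pipeline re-pushes the generic template over whatever else is registered as `logstash`. Point the output at the dedicated template under its own name: `template_name => "logstash-strelka"` and `template => "/logstash-strelka-template.json"`. Whether the generic template's `index_patterns` even cover `logstash-strelka-*`, and whether sibling pipelines also register as `logstash` and would race this overwrite, is not visible in this diff and should be checked before merging.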
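Review bot: The header comment (`# Author: Justin Henderson`, `# Last Update: 12/9/2016`) is carried over from an older pipeline file and predates this Strelka output, and the `filter` block is a no-op whose only content is the commented-out `##add_tag => [ "conf_file_9000"]`, which still carries the 9000 number rather than this file's 9700. Either drop the filter block or enable the tag with the right number, `add_tag => [ "conf_file_9700" ]`, so Strelka events can be traced back to this file the way the numbered tag convention presumably intends. Note also that both `salt['pillar.get'](…, '')` calls default to an empty string, so a missing `mainip` pillar renders `hosts => ""` and the failure surfaces only when Logstash tries to connect; a non-empty default or a render-time error would make that misconfiguration obvious sooner.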
@@ -0,0 +1,24 @@
+{
+ "index_patterns": ["logstash-strelka-*"],
+ "version":50001,
+ "order" : 0,
+ "settings":{
+ "number_of_replicas":0,
+ "number_of_shards":1,
+ "index.refresh_interval":"30s"
+ },
+ "mappings":{
+ "doc":{
+ "dynamic": false,
+ "date_detection": false,
+ "properties":{
+ "@timestamp":{
+ "type":"date"
+ },
+ "@version":{
+ "type":"keyword"
+ }
+ }
+ }
+ }
+}
diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls
index 222d6c586..77a1e3ff4 100644
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
@@ -227,6 +227,7 @@ so-logstash:
 - /opt/so/conf/logstash/etc/logstash.yml:/usr/share/logstash/config/logstash.yml:ro
 - /opt/so/conf/logstash/etc/logstash-template.json:/logstash-template.json:ro
 - /opt/so/conf/logstash/etc/logstash-ossec-template.json:/logstash-ossec-template.json:ro
+ - /opt/so/conf/logstash/etc/logstash-strelka-template.json:/logstash-strelka-template.json:ro
 - /opt/so/conf/logstash/etc/beats-template.json:/beats-template.json:ro
 - /opt/so/conf/logstash/etc/pipelines.yml:/usr/share/logstash/config/pipelines.yml
 - /opt/so/conf/logstash/pipelines:/usr/share/logstash/pipelines:ro
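Review bot: With `"dynamic": false` and only `@timestamp` and `@version` listed under `properties`, an index created from this template would index none of the Strelka fields: they stay in `_source` but cannot be searched, filtered or aggregated, which defeats the purpose of shipping file-scan results to Elasticsearch. Either set `"dynamic": true` (keeping `"date_detection": false` as here) or enumerate the Strelka fields analysts need to query. `"number_of_replicas":0` is fine for a single-node eval install but leaves a distributed search deployment with exactly one copy of the data; since this file is not Jinja-templated it cannot vary by role, so consider templating it or documenting the choice. The `"doc"` mapping type and `"version":50001` look inherited from a 5.x-era template; confirm the target Elasticsearch version still accepts a typed mapping before relying on it.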
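Review bot: The new bind mount `/opt/so/conf/logstash/etc/logstash-strelka-template.json:/logstash-strelka-template.json:ro` is not referenced by either new pipeline output, both of which still load `/logstash-template.json`, so it is dead configuration until the outputs are changed. The state that places `salt/logstash/etc/` under `/opt/so/conf/logstash/etc/` is outside this hunk; if the new file is not present on the host before the container starts, Docker creates an empty directory at that host path for the missing bind-mount source, and that directory then shadows the real file on later highstates. Confirm the copy state covers the new file, or pin it with an explicit `file.managed` entry that the `so-logstash` container requires. The `so-logstash` state begins before this hunk and continues after it.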