From a2f39858136c44038513390acc696344a6ac287b Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Fri, 9 Feb 2018 16:05:30 -0500
Subject: [PATCH] LS salt module - rework of the init.sls

---
 pillar/masters/example.sls                    |   2 +
 .../files/conf.d/0000_input_syslogng.conf     |  19 -
 .../files/conf.d/0001_input_json.conf         |  19 -
 .../files/conf.d/0002_input_windows_json.conf |  22 --
 .../files/conf.d/0003_input_syslog.conf       |  18 -
 .../files/conf.d/0005_input_suricata.conf     |  19 -
 .../files/conf.d/0006_input_beats.conf        |  11 -
 .../files/conf.d/0007_input_import.conf       | 182 ---------
 .../conf.d/1000_preprocess_log_elapsed.conf   |  13 -
 .../conf.d/1001_preprocess_syslogng.conf      |  30 --
 .../files/conf.d/1002_preprocess_json.conf    |  18 -
 .../files/conf.d/1003_preprocess_bro.conf     |  24 --
 .../conf.d/1004_preprocess_syslog_types.conf  |  19 -
 .../files/conf.d/1026_preprocess_dhcp.conf    | 156 --------
 .../files/conf.d/1029_preprocess_esxi.conf    |  31 --
 .../conf.d/1030_preprocess_greensql.conf      |  21 --
 .../files/conf.d/1031_preprocess_iis.conf     |  21 --
 .../files/conf.d/1032_preprocess_mcafee.conf  |  26 --
 .../files/conf.d/1033_preprocess_snort.conf   |  89 -----
 .../files/conf.d/1034_preprocess_syslog.conf  |  16 -
 .../conf.d/1100_preprocess_bro_conn.conf      |  44 ---
 .../conf.d/1101_preprocess_bro_dhcp.conf      |  17 -
 .../files/conf.d/1102_preprocess_bro_dns.conf |  36 --
 .../files/conf.d/1103_preprocess_bro_dpd.conf |  22 --
 .../conf.d/1104_preprocess_bro_files.conf     |  18 -
 .../files/conf.d/1105_preprocess_bro_ftp.conf |  21 --
 .../conf.d/1106_preprocess_bro_http.conf      |  21 --
 .../files/conf.d/1107_preprocess_bro_irc.conf |  22 --
 .../conf.d/1108_preprocess_bro_kerberos.conf  |  20 -
 .../conf.d/1109_preprocess_bro_notice.conf    |  22 --
 .../files/conf.d/1110_preprocess_bro_rdp.conf |  21 --
 .../1111_preprocess_bro_signatures.conf       |  22 --
 .../conf.d/1112_preprocess_bro_smtp.conf      |  21 --
 .../conf.d/1113_preprocess_bro_snmp.conf      |  22 --
 .../conf.d/1114_preprocess_bro_software.conf  |  22 --
 .../files/conf.d/1115_preprocess_bro_ssh.conf |  21 --
 .../files/conf.d/1116_preprocess_bro_ssl.conf | 149 --------
 .../conf.d/1117_preprocess_bro_syslog.conf    |  23 --
 .../conf.d/1118_preprocess_bro_tunnel.conf    |  22 --
 .../conf.d/1119_preprocess_bro_weird.conf     |  16 -
 .../conf.d/1121_preprocess_bro_mysql.conf     |  30 --
 .../conf.d/1122_preprocess_bro_socks.conf     |  34 --
 .../conf.d/1123_preprocess_bro_x509.conf      | 123 -------
 .../conf.d/1124_preprocess_bro_intel.conf     |  21 --
 .../conf.d/1125_preprocess_bro_modbus.conf    |  34 --
 .../files/conf.d/1126_preprocess_bro_sip.conf |  32 --
 .../conf.d/1127_preprocess_bro_radius.conf    |  33 --
 .../files/conf.d/1128_preprocess_bro_pe.conf  |  33 --
 .../files/conf.d/1129_preprocess_bro_rfb.conf |  33 --
 .../conf.d/1130_preprocess_bro_dnp3.conf      |  33 --
 .../conf.d/1131_preprocess_bro_smb_files.conf |  21 --
 .../1132_preprocess_bro_smb_mapping.conf      |  21 --
 .../conf.d/1133_preprocess_bro_ntlm.conf      |  21 --
 .../conf.d/1134_preprocess_bro_dce_rpc.conf   |  21 --
 .../logstash/files/conf.d/1998_test_data.conf |  16 -
 .../files/conf.d/2000_network_flow.conf       |  59 ---
 salt/logstash/files/conf.d/6000_bro.conf      | 136 -------
 .../files/conf.d/6001_bro_import.conf         |  14 -
 salt/logstash/files/conf.d/6002_syslog.conf   |  11 -
 .../files/conf.d/6101_switch_brocade.conf     |  33 --
 .../files/conf.d/6200_firewall_fortinet.conf  | 281 --------------
 .../files/conf.d/6201_firewall_pfsense.conf   |  33 --
 salt/logstash/files/conf.d/6300_windows.conf  | 161 --------
 .../files/conf.d/6301_dns_windows.conf        |  49 ---
 salt/logstash/files/conf.d/6400_suricata.conf |  92 -----
 salt/logstash/files/conf.d/6500_ossec.conf    |  83 -----
 .../files/conf.d/6501_ossec_sysmon.conf       |  81 ----
 .../files/conf.d/6502_ossec_autoruns.conf     |  23 --
 .../conf.d/8000_postprocess_bro_cleanup.conf  |  17 -
 ...01_postprocess_common_ip_augmentation.conf |  58 ---
 .../files/conf.d/8006_postprocess_dns.conf    |  47 ---
 .../files/conf.d/8007_postprocess_http.conf   |  27 --
 .../conf.d/8200_postprocess_tagging.conf      |  58 ---
 .../conf.d/8998_postprocess_log_elapsed.conf  |  19 -
 .../conf.d/8999_postprocess_rename_type.conf  |   8 -
 .../files/conf.d/9000_output_bro.conf         |  22 --
 .../files/conf.d/9001_output_switch.conf      |  22 --
 .../files/conf.d/9002_output_import.conf      |  20 -
 .../files/conf.d/9004_output_flow.conf        |  22 --
 .../files/conf.d/9026_output_dhcp.conf        |  21 --
 .../files/conf.d/9029_output_esxi.conf        |  20 -
 .../files/conf.d/9030_output_greensql.conf    |  20 -
 .../files/conf.d/9031_output_iis.conf         |  21 --
 .../files/conf.d/9032_output_mcafee.conf      |  21 --
 .../files/conf.d/9033_output_snort.conf       |  22 --
 .../files/conf.d/9034_output_syslog.conf      |  21 --
 .../files/conf.d/9200_output_firewall.conf    |  22 --
 .../files/conf.d/9300_output_windows.conf     |  23 --
 .../files/conf.d/9301_output_dns_windows.conf |  23 --
 .../files/conf.d/9400_output_suricata.conf    |  22 --
 .../files/conf.d/9500_output_beats.conf       |  18 -
 .../files/conf.d/9998_output_test_data.conf   |  21 --
 .../files/dictionaries/iana_protocols.yaml    | 256 -------------
 .../files/dictionaries/iana_services.yaml     | 345 ------------------
 .../logstash/files/dictionaries/services.yaml |   3 -
 .../files/dictionaries/tcp_flags.yaml         |  64 ----
 salt/logstash/files/logstash.yml              |  12 +-
 salt/logstash/init.sls                        |   4 +-
 98 files changed, 15 insertions(+), 4164 deletions(-)
 delete mode 100644 salt/logstash/files/conf.d/0000_input_syslogng.conf
 delete mode 100644 salt/logstash/files/conf.d/0001_input_json.conf
 delete mode 100644 salt/logstash/files/conf.d/0002_input_windows_json.conf
 delete mode 100644 salt/logstash/files/conf.d/0003_input_syslog.conf
 delete mode 100644 salt/logstash/files/conf.d/0005_input_suricata.conf
 delete mode 100644 salt/logstash/files/conf.d/0006_input_beats.conf
 delete mode 100644 salt/logstash/files/conf.d/0007_input_import.conf
 delete mode 100644 salt/logstash/files/conf.d/1000_preprocess_log_elapsed.conf
 delete mode 100644 salt/logstash/files/conf.d/1001_preprocess_syslogng.conf
 delete mode 100644 salt/logstash/files/conf.d/1002_preprocess_json.conf
 delete mode 100644 salt/logstash/files/conf.d/1003_preprocess_bro.conf
 delete mode 100644 salt/logstash/files/conf.d/1004_preprocess_syslog_types.conf
 delete mode 100644 salt/logstash/files/conf.d/1026_preprocess_dhcp.conf
 delete mode 100644 salt/logstash/files/conf.d/1029_preprocess_esxi.conf
 delete mode 100644 salt/logstash/files/conf.d/1030_preprocess_greensql.conf
 delete mode 100644 salt/logstash/files/conf.d/1031_preprocess_iis.conf
 delete mode 100644 salt/logstash/files/conf.d/1032_preprocess_mcafee.conf
 delete mode 100644 salt/logstash/files/conf.d/1033_preprocess_snort.conf
 delete mode 100644 salt/logstash/files/conf.d/1034_preprocess_syslog.conf
 delete mode 100644 salt/logstash/files/conf.d/1100_preprocess_bro_conn.conf
 delete mode 100644 salt/logstash/files/conf.d/1101_preprocess_bro_dhcp.conf
 delete mode 100644 salt/logstash/files/conf.d/1102_preprocess_bro_dns.conf
 delete mode 100644 salt/logstash/files/conf.d/1103_preprocess_bro_dpd.conf
 delete mode 100644 salt/logstash/files/conf.d/1104_preprocess_bro_files.conf
 delete mode 100644 salt/logstash/files/conf.d/1105_preprocess_bro_ftp.conf
 delete mode 100644 salt/logstash/files/conf.d/1106_preprocess_bro_http.conf
 delete mode 100644 salt/logstash/files/conf.d/1107_preprocess_bro_irc.conf
 delete mode 100644 salt/logstash/files/conf.d/1108_preprocess_bro_kerberos.conf
 delete mode 100644 salt/logstash/files/conf.d/1109_preprocess_bro_notice.conf
 delete mode 100644 salt/logstash/files/conf.d/1110_preprocess_bro_rdp.conf
 delete mode 100644 salt/logstash/files/conf.d/1111_preprocess_bro_signatures.conf
 delete mode 100644 salt/logstash/files/conf.d/1112_preprocess_bro_smtp.conf
 delete mode 100644 salt/logstash/files/conf.d/1113_preprocess_bro_snmp.conf
 delete mode 100644 salt/logstash/files/conf.d/1114_preprocess_bro_software.conf
 delete mode 100644 salt/logstash/files/conf.d/1115_preprocess_bro_ssh.conf
 delete mode 100644 salt/logstash/files/conf.d/1116_preprocess_bro_ssl.conf
 delete mode 100644 salt/logstash/files/conf.d/1117_preprocess_bro_syslog.conf
 delete mode 100644 salt/logstash/files/conf.d/1118_preprocess_bro_tunnel.conf
 delete mode 100644 salt/logstash/files/conf.d/1119_preprocess_bro_weird.conf
 delete mode 100644 salt/logstash/files/conf.d/1121_preprocess_bro_mysql.conf
 delete mode 100644 salt/logstash/files/conf.d/1122_preprocess_bro_socks.conf
 delete mode 100644 salt/logstash/files/conf.d/1123_preprocess_bro_x509.conf
 delete mode 100644 salt/logstash/files/conf.d/1124_preprocess_bro_intel.conf
 delete mode 100644 salt/logstash/files/conf.d/1125_preprocess_bro_modbus.conf
 delete mode 100644 salt/logstash/files/conf.d/1126_preprocess_bro_sip.conf
 delete mode 100644 salt/logstash/files/conf.d/1127_preprocess_bro_radius.conf
 delete mode 100644 salt/logstash/files/conf.d/1128_preprocess_bro_pe.conf
 delete mode 100644 salt/logstash/files/conf.d/1129_preprocess_bro_rfb.conf
 delete mode 100644 salt/logstash/files/conf.d/1130_preprocess_bro_dnp3.conf
 delete mode 100644 salt/logstash/files/conf.d/1131_preprocess_bro_smb_files.conf
 delete mode 100644 salt/logstash/files/conf.d/1132_preprocess_bro_smb_mapping.conf
 delete mode 100644 salt/logstash/files/conf.d/1133_preprocess_bro_ntlm.conf
 delete mode 100644 salt/logstash/files/conf.d/1134_preprocess_bro_dce_rpc.conf
 delete mode 100644 salt/logstash/files/conf.d/1998_test_data.conf
 delete mode 100644 salt/logstash/files/conf.d/2000_network_flow.conf
 delete mode 100644 salt/logstash/files/conf.d/6000_bro.conf
 delete mode 100644 salt/logstash/files/conf.d/6001_bro_import.conf
 delete mode 100644 salt/logstash/files/conf.d/6002_syslog.conf
 delete mode 100644 salt/logstash/files/conf.d/6101_switch_brocade.conf
 delete mode 100644 salt/logstash/files/conf.d/6200_firewall_fortinet.conf
 delete mode 100644 salt/logstash/files/conf.d/6201_firewall_pfsense.conf
 delete mode 100644 salt/logstash/files/conf.d/6300_windows.conf
 delete mode 100644 salt/logstash/files/conf.d/6301_dns_windows.conf
 delete mode 100644 salt/logstash/files/conf.d/6400_suricata.conf
 delete mode 100644 salt/logstash/files/conf.d/6500_ossec.conf
 delete mode 100644 salt/logstash/files/conf.d/6501_ossec_sysmon.conf
 delete mode 100644 salt/logstash/files/conf.d/6502_ossec_autoruns.conf
 delete mode 100644 salt/logstash/files/conf.d/8000_postprocess_bro_cleanup.conf
 delete mode 100644 salt/logstash/files/conf.d/8001_postprocess_common_ip_augmentation.conf
 delete mode 100644 salt/logstash/files/conf.d/8006_postprocess_dns.conf
 delete mode 100644 salt/logstash/files/conf.d/8007_postprocess_http.conf
 delete mode 100644 salt/logstash/files/conf.d/8200_postprocess_tagging.conf
 delete mode 100644 salt/logstash/files/conf.d/8998_postprocess_log_elapsed.conf
 delete mode 100644 salt/logstash/files/conf.d/8999_postprocess_rename_type.conf
 delete mode 100644 salt/logstash/files/conf.d/9000_output_bro.conf
 delete mode 100644 salt/logstash/files/conf.d/9001_output_switch.conf
 delete mode 100644 salt/logstash/files/conf.d/9002_output_import.conf
 delete mode 100644 salt/logstash/files/conf.d/9004_output_flow.conf
 delete mode 100644 salt/logstash/files/conf.d/9026_output_dhcp.conf
 delete mode 100644 salt/logstash/files/conf.d/9029_output_esxi.conf
 delete mode 100644 salt/logstash/files/conf.d/9030_output_greensql.conf
 delete mode 100644 salt/logstash/files/conf.d/9031_output_iis.conf
 delete mode 100644 salt/logstash/files/conf.d/9032_output_mcafee.conf
 delete mode 100644 salt/logstash/files/conf.d/9033_output_snort.conf
 delete mode 100644 salt/logstash/files/conf.d/9034_output_syslog.conf
 delete mode 100644 salt/logstash/files/conf.d/9200_output_firewall.conf
 delete mode 100644 salt/logstash/files/conf.d/9300_output_windows.conf
 delete mode 100644 salt/logstash/files/conf.d/9301_output_dns_windows.conf
 delete mode 100644 salt/logstash/files/conf.d/9400_output_suricata.conf
 delete mode 100644 salt/logstash/files/conf.d/9500_output_beats.conf
 delete mode 100644 salt/logstash/files/conf.d/9998_output_test_data.conf
 delete mode 100644 salt/logstash/files/dictionaries/iana_protocols.yaml
 delete mode 100644 salt/logstash/files/dictionaries/iana_services.yaml
 delete mode 100644 salt/logstash/files/dictionaries/services.yaml
 delete mode 100644 salt/logstash/files/dictionaries/tcp_flags.yaml

diff --git a/pillar/masters/example.sls b/pillar/masters/example.sls
index c17933408..0d4d34ff5 100644
--- a/pillar/masters/example.sls
+++ b/pillar/masters/example.sls
@@ -3,3 +3,5 @@ master:
   esaccessip: 127.0.0.1
   esheap: CHANGEME
   esclustername: {{ grains.host }}
+  freq: 0
+  domainstats: 0
diff --git a/salt/logstash/files/conf.d/0000_input_syslogng.conf b/salt/logstash/files/conf.d/0000_input_syslogng.conf
deleted file mode 100644
index 791045f46..000000000
--- a/salt/logstash/files/conf.d/0000_input_syslogng.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# Original Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Updated by: Doug Burks
-# Last Update: 5/15/2017
-
-input {
-  tcp {
-    port => 6050
-    codec =>   json
-    tags => "syslogng"
-  }
-}
-filter {
-  if "syslogng" in [tags] {
-	mutate {
-	  #add_tag => [ "conf_file_0000"]
-	}
-  }  
-}
diff --git a/salt/logstash/files/conf.d/0001_input_json.conf b/salt/logstash/files/conf.d/0001_input_json.conf
deleted file mode 100644
index 4df89d293..000000000
--- a/salt/logstash/files/conf.d/0001_input_json.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-input {
-  tcp {
-    port => 6051
-    codec =>   json
-    tags => [ "json" ]
-  }
-}
-filter {
-  if "json" in [tags] {
-    mutate {
-		#add_tag => [ "conf_file_0001"]
-	}
-  }
-}
\ No newline at end of file
diff --git a/salt/logstash/files/conf.d/0002_input_windows_json.conf b/salt/logstash/files/conf.d/0002_input_windows_json.conf
deleted file mode 100644
index 54b700bd5..000000000
--- a/salt/logstash/files/conf.d/0002_input_windows_json.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-input {
-  tcp {
-    port => 6052
-    type => "windows"
-    tags => [ "json" ]
-    codec =>   json {
-      charset => "CP1252"
-    }
-  }
-}
-filter {
-  if [type] == "windows" {
-    mutate {
-		#add_tag => [ "conf_file_0002"]
-	}
-  }
-}
\ No newline at end of file
diff --git a/salt/logstash/files/conf.d/0003_input_syslog.conf b/salt/logstash/files/conf.d/0003_input_syslog.conf
deleted file mode 100644
index dbd1c29bb..000000000
--- a/salt/logstash/files/conf.d/0003_input_syslog.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-# Original Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Updated by: Doug Burks
-# Last Update: 5/15/2017
-
-#input {
-#  udp {
-#    port => 1514
-#    tags => "syslog"
-#  }
-#}
-#filter {
-#  if "syslog" in [tags] {
-#    mutate {
-#		#add_tag => [ "conf_file_0003"]
-#	}
-#  }
-#}
diff --git a/salt/logstash/files/conf.d/0005_input_suricata.conf b/salt/logstash/files/conf.d/0005_input_suricata.conf
deleted file mode 100644
index d3d23063a..000000000
--- a/salt/logstash/files/conf.d/0005_input_suricata.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-input {
-  tcp {
-    port => 6053
-    codec => json
-    type => "suricata"
-  }
-}
-filter {
-  if [type] == "suricata" {
-    mutate {
-		#add_tag => [ "conf_file_0005"]
-	}
-  }
-}
\ No newline at end of file
diff --git a/salt/logstash/files/conf.d/0006_input_beats.conf b/salt/logstash/files/conf.d/0006_input_beats.conf
deleted file mode 100644
index d4a57c998..000000000
--- a/salt/logstash/files/conf.d/0006_input_beats.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# Author: Justin Henderson
-# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolutions.com
-# Last Update: 12/11/2017
-
-input {
-  beats {
-    port => "5044"
-    tags => [ "beat" ]
-  }
-}
diff --git a/salt/logstash/files/conf.d/0007_input_import.conf b/salt/logstash/files/conf.d/0007_input_import.conf
deleted file mode 100644
index c502b57ca..000000000
--- a/salt/logstash/files/conf.d/0007_input_import.conf
+++ /dev/null
@@ -1,182 +0,0 @@
-# Updated by: Doug Burks
-# Last Update: 5/16/2017
-
-input {
-	file {
-		path => "/nsm/import/bro/conn*"
-		type => "bro_conn"
-	    	tags => ["bro", "import"]
-	}
-	file {
-		path => "/nsm/import/bro/dce_rpc*"
-		type => "bro_dce_rpc"
-	    	tags => ["bro", "import"]
-	}
-	file {
-		path => "/nsm/import/bro/dhcp*"
-		type => "bro_dhcp"
-	    	tags => ["bro", "import"]
-	}
-	file {
-		path => "/nsm/import/bro/dnp3*"
-		type => "bro_dnp3"
-	    	tags => ["bro", "import"]
-	}
-	file {
-		path => "/nsm/import/bro/dns*"
-		type => "bro_dns"
-	    	tags => ["bro", "import"]
-	}
-	file {
-		path => "/nsm/import/bro/dpd*"
-		type => "bro_dpd"
-	    	tags => ["bro", "import"]
-	}
-	file {
-		path => "/nsm/import/bro/files*"
-		type => "bro_files"
-	    	tags => ["bro", "import"]
-	}
-	file {
-		path => "/nsm/import/bro/ftp*"
-		type => "bro_ftp"
-	    	tags => ["bro", "import"]
-	}
-	file {
-		path => "/nsm/import/bro/http*"
-		type => "bro_http"
-	    	tags => ["bro", "import"]
-	}
-	file {
-		path => "/nsm/import/bro/intel*"
-		type => "bro_intel"
-	    	tags => ["bro", "import"]
-	}
-	file {
-		path => "/nsm/import/bro/irc*"
-		type => "bro_irc"
-	    	tags => ["bro", "import"]
-	}
-	file {
-		path => "/nsm/import/bro/kerberos*"
-		type => "bro_kerberos"
-	    	tags => ["bro", "import"]
-	}
-	file {
-		path => "/nsm/import/bro/modbus*"
-		type => "bro_modbus"
-	    	tags => ["bro", "import"]
-	}
-	file {
-		path => "/nsm/import/bro/mysql*"
-		type => "bro_mysql"
-	    	tags => ["bro", "import"]
-	}
-	file {
-		path => "/nsm/import/bro/notice*"
-		type => "bro_notice"
-	    	tags => ["bro", "import"]
-	}
-	file {
-		path => "/nsm/import/bro/ntlm*"
-		type => "bro_ntlm"
-	    	tags => ["bro", "import"]
-	}
-	file {
-		path => "/nsm/import/bro/pe*"
-		type => "bro_pe"
-	    	tags => ["bro", "import"]
-	}
-	file {
-		path => "/nsm/import/bro/radius*"
-		type => "bro_radius"
-	    	tags => ["bro", "import"]
-	}
-	file {
-		path => "/nsm/import/bro/rdp*"
-		type => "bro_rdp"
-	    	tags => ["bro", "import"]
-	}
-	file {
-		path => "/nsm/import/bro/rfb*"
-		type => "bro_rfb"
-	    	tags => ["bro", "import"]
-	}
-	file {
-		path => "/nsm/import/bro/signatures*"
-		type => "bro_signatures"
-	    	tags => ["bro", "import"]
-	}
-	file {
-		path => "/nsm/import/bro/sip*"
-		type => "bro_sip"
-	    	tags => ["bro", "import"]
-	}
-	file {
-		path => "/nsm/import/bro/smb_files*"
-		type => "bro_smb_files"
-	    	tags => ["bro", "import"]
-	}
-	file {
-		path => "/nsm/import/bro/smb_mapping*"
-		type => "bro_smb_mapping"
-	    	tags => ["bro", "import"]
-	}
-	file {
-		path => "/nsm/import/bro/smtp*"
-		type => "bro_smtp"
-	    	tags => ["bro", "import"]
-	}
-	file {
-		path => "/nsm/import/bro/snmp*"
-		type => "bro_snmp"
-	    	tags => ["bro", "import"]
-	}
-	file {
-		path => "/nsm/import/bro/socks*"
-		type => "bro_socks"
-	    	tags => ["bro", "import"]
-	}
-	file {
-		path => "/nsm/import/bro/software*"
-		type => "bro_software"
-	    	tags => ["bro", "import"]
-	}
-	file {
-		path => "/nsm/import/bro/ssh*"
-		type => "bro_ssh"
-	    	tags => ["bro", "import"]
-	}
-	file {
-		path => "/nsm/import/bro/ssl*"
-		type => "bro_ssl"
-	    	tags => ["bro", "import"]
-	}
-	file {
-		path => "/nsm/import/bro/syslog*"
-		type => "bro_syslog"
-	    	tags => ["bro", "import"]
-	}
-	file {
-		path => "/nsm/import/bro/tunnel*"
-		type => "bro_tunnels"
-	    	tags => ["bro", "import"]
-	}
-	file {
-		path => "/nsm/import/bro/weird*"
-		type => "bro_weird"
-	    	tags => ["bro", "import"]
-	}
-	file {
-		path => "/nsm/import/bro/x509*"
-		type => "bro_x509"
-	    	tags => ["bro", "import"]
-	}
-}
-filter {
-  if "import" in [tags] {
-	mutate {
-	  #add_tag => [ "conf_file_0006"]
-	}
-  }  
-}
diff --git a/salt/logstash/files/conf.d/1000_preprocess_log_elapsed.conf b/salt/logstash/files/conf.d/1000_preprocess_log_elapsed.conf
deleted file mode 100644
index d098eb11a..000000000
--- a/salt/logstash/files/conf.d/1000_preprocess_log_elapsed.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  ruby {
-    code => "event.set('task_start', Time.now.to_f)"
-  }
-  mutate {
-    #add_tag => [ "conf_file_1000"]
-  }
-}
diff --git a/salt/logstash/files/conf.d/1001_preprocess_syslogng.conf b/salt/logstash/files/conf.d/1001_preprocess_syslogng.conf
deleted file mode 100644
index d2467a3f8..000000000
--- a/salt/logstash/files/conf.d/1001_preprocess_syslogng.conf
+++ /dev/null
@@ -1,30 +0,0 @@
-# Updated by: Doug Burks
-# Last Update: 5/15/2017
-
-filter {
-  if "syslogng" in [tags] {
-	mutate {
-		rename => { "MESSAGE" => "message" }
-		rename => { "PROGRAM" => "type" }
-		rename => { "FACILITY" => "syslog-facility" }
-		rename => { "FILE_NAME" => "syslog-file_name" }
-		rename => { "HOST" => "syslog-host" }
-		rename => { "HOST_FROM" => "syslog-host_from" }
-		rename => { "LEGACY_MSGHDR" => "syslog-legacy_msghdr" }
-		rename => { "PID" => "syslog-pid" }
-		rename => { "PRIORITY" => "syslog-priority" }
-		rename => { "SOURCEIP" => "syslog-sourceip" }
-		rename => { "TAGS" => "syslog-tags" }
-          	#add_tag => [ "conf_file_1000"]
-	}
-	if "bro_" in [type] {
-		mutate {
-			add_tag => [ "bro"]
-		}
-	} else {
-		mutate {
-			add_tag => [ "syslog"]
-		}
-	}
-  }
-}
diff --git a/salt/logstash/files/conf.d/1002_preprocess_json.conf b/salt/logstash/files/conf.d/1002_preprocess_json.conf
deleted file mode 100644
index 8aff64715..000000000
--- a/salt/logstash/files/conf.d/1002_preprocess_json.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if "json" in [tags]{
-    json {
-      source => "message"
-    }
-    mutate {
-      remove_tag => [ "json" ]
-    }
-	mutate {
-		#add_tag => [ "conf_file_1001"]
-	}
-  }
-}
diff --git a/salt/logstash/files/conf.d/1003_preprocess_bro.conf b/salt/logstash/files/conf.d/1003_preprocess_bro.conf
deleted file mode 100644
index e24da1329..000000000
--- a/salt/logstash/files/conf.d/1003_preprocess_bro.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Updated by: Doug Burks
-# Last Update: 5/15/2017
-
-filter {
-  if "bro" in [tags] {
-    # If a log comes in with a message starting with # then drop it as it doesn'then
-	# contain anything and is the header of a rotated bro log
-    if [message] =~ /^#/ {
-      drop {  }
-    } else {
-	  # Replace the host field with the host found in the bro log
-      if [bro_host] {
-#        mutate {
-#          replace => [ "host", "%{bro_host}" ]
-#        }
-      }
-    }
-	mutate {
-		#add_tag => [ "conf_file_1002"]
-	}
-  }
-}
diff --git a/salt/logstash/files/conf.d/1004_preprocess_syslog_types.conf b/salt/logstash/files/conf.d/1004_preprocess_syslog_types.conf
deleted file mode 100644
index 5b47968b2..000000000
--- a/salt/logstash/files/conf.d/1004_preprocess_syslog_types.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-filter {
-  if "syslog" in [tags] {
-    if [host] == "172.16.1.1" {
-      mutate {
-        add_field => { "type" => "fortinet" }
-        add_tag => [ "firewall" ]
-      }
-    }
-    if [host] == "10.0.0.101" {
-      mutate {
-        add_field => { "type" => "brocade" }
-        add_tag => [ "switch" ]
-      }
-    }
-	mutate {
-		#add_tag => [ "conf_file_1003"]
-	}
-  }
-}
diff --git a/salt/logstash/files/conf.d/1026_preprocess_dhcp.conf b/salt/logstash/files/conf.d/1026_preprocess_dhcp.conf
deleted file mode 100644
index 6ba00012f..000000000
--- a/salt/logstash/files/conf.d/1026_preprocess_dhcp.conf
+++ /dev/null
@@ -1,156 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-#
-# This conf file is based on accepting logs for DHCP.  It is currently based on Windows DHCP only.
-filter {
-  if [type] == "dhcp" {
-    mutate {
-      add_field => { "Hostname" => "%{host}" }
-    }
-    mutate {
-      strip => "message"
-    }
-  }
-  # If the message contains nothing then drop it
-  if [message] =~ /^$/ {
-    drop {  }
-  } 
-  # If the message starts with # then drop it as it is the header of the DHCP log.
-  # This behavior is normal when the log is rotated.
-  if [message] =~ /^#/ {
-    drop {  }
-  } else {
-    if [type] == "dhcp" {
-	  # This is the initial parsing of the log
-      grok {
-        # Server 2008+
-        match => { "message" => "%{DATA:id},%{DATE_US:date},(?<time>%{HOUR}:%{MINUTE}:%{SECOND}),%{DATA:description},%{IPV4:ip},%{DATA:Hostname},%{DATA:mac},%{DATA:Username},%{INT:TransactionID},%{INT:QResult},%{DATA:ProbationTime},%{DATA:CorrelationID}"}
-        # Server 2003
-        match => { "message" => "%{DATA:id},%{DATE_US:date},(?<time>%{HOUR}:%{MINUTE}:%{SECOND}),%{DATA:description},%{IPV4:ip},%{DATA:Hostname},%{DATA:mac},"}
-        match => { "message" => "%{DATA:id},%{DATA:date},(?<time>%{HOUR}:%{MINUTE}:%{SECOND}),%{DATA:description},%{DATA:ip},%{DATA:Hostname},%{DATA:mac},"}
-      }
-	  # This section below translates the message ID into something humans can understand.
-      if [id] == "00" {
-        mutate {
-          add_field => [ "event", "The log was started"]
-        }
-      }
-      if [id] == "01" {
-        mutate {
-          add_field => [ "event", "The log was stopped"]
-        }
-      }
-      if [id] == "02" {
-        mutate {
-          add_field => [ "event", "The log was temporarily paused due to low disk space"]
-        }
-      }
-      if [id] == "10" {
-        mutate {
-          add_field => [ "event", "A new IP address was leased to a client"]
-        }
-      }
-      if [id] == "11" {
-        mutate {
-          add_field => [ "event", "A lease was renewed by a client"]
-        }
-      }
-      if [id] == "12" {
-        mutate {
-          add_field => [ "event", "A lease was released by a client"]
-        }
-      }
-      if [id] == "13" {
-        mutate {
-          add_field => [ "event", "An IP address was found to be in use on the network"]
-        }
-      }
-      if [id] == "14" {
-        mutate {
-          add_field => [ "event", "A lease request could not be satisfied because the scope's address pool was exhausted"]
-        }
-      }
-      if [id] == "15" {
-        mutate {
-          add_field => [ "event", "A lease was denied"]
-        }
-      }
-      if [id] == "16" {
-        mutate {
-          add_field => [ "event", "A lease was deleted"]
-        }
-      }
-      if [id] == "17" {
-        mutate {
-          add_field => [ "event", "A lease was expired and DNS records for an expired leases have not been deleted"]
-        }
-      }
-      if [id] == "18" {
-        mutate {
-          add_field => [ "event", "A lease was expired and DNS records were deleted"]
-        }
-      }
-      if [id] == "20" {
-        mutate {
-          add_field => [ "event", "A BOOTP address was leased to a client"]
-        }
-      }
-      if [id] == "21" {
-        mutate {
-          add_field => [ "event", "A dynamic BOOTP address was leased to a client"]
-        }
-      }
-      if [id] == "22" {
-        mutate {
-          add_field => [ "event", "A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted"]
-        }
-      }
-      if [id] == "23" {
-        mutate {
-          add_field => [ "event", "A BOOTP IP address was deleted after checking to see it was not in use"]
-        }
-      }
-      if [id] == "24" {
-        mutate {
-          add_field => [ "event", "IP address cleanup operation has began"]
-        }
-      }
-      if [id] == "25" {
-        mutate {
-          add_field => [ "event", "IP address cleanup statistics"]
-        }
-      }
-      if [id] == "30" {
-        mutate {
-          add_field => [ "event", "DNS update request to the named DNS server"]
-        }
-      }
-      if [id] == "31" {
-        mutate {
-          add_field => [ "event", "DNS update failed"]
-        }
-      }
-      if [id] == "32" {
-        mutate {
-          add_field => [ "event", "DNS update successful"]
-        }
-      }
-      if [id] == "33" {
-        mutate {
-          add_field => [ "event", "Packet dropped due to NAP policy"]
-        }
-      }
-	  # If the message failed to parse correctly keep the message for debugging.  Otherwise, drop it.
-      #if "_grokparsefailure" not in [tags] { 
-      #  mutate {
-      #    remove_field => [ "message"]
-      #  }
-      #}
-    }
-	mutate {
-		#add_tag => [ "conf_file_1026"]
-	}
-  }
-}
diff --git a/salt/logstash/files/conf.d/1029_preprocess_esxi.conf b/salt/logstash/files/conf.d/1029_preprocess_esxi.conf
deleted file mode 100644
index 18120d00d..000000000
--- a/salt/logstash/files/conf.d/1029_preprocess_esxi.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-#
-# This configuration file takes ESXi syslog messages and filters them.  There is no input as the logs would have came in via syslog
-filter {
-  # This is an example of using an IP address range to classify a syslog message to a specific type of log
-  # This is helpful as so many devices only send logs via syslog
-  if [host] =~ "10\.[0-1]\.9\." {
-    mutate {
-      replace => ["type", "esxi"]
-    }
-  }
-  if [host] =~ "\.234$" {
-    mutate {
-      replace => ["type", "esxi"]
-    }
-  }
-  if [type] == "esxi" {
-     grok {
-          match => { "message" => "(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGHOST:logsource}) (?:%{SYSLOGPROG}): (?<messagebody>(?:\[(?<esxi_thread_id>[0-9A-Z]{8,8}) %{DATA:esxi_loglevel} \'%{DATA:esxi_service}\'\] %{GREEDYDATA:esxi_message}|%{GREEDYDATA}))"}
-
-#      pattern => ['(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGHOST:logsource}) (?:%{SYSLOGPROG}): (?<messagebody>(?:\[(?<esxi_thread_id>[0-9A-Z]{8,8}) %{DATA:esxi_loglevel} \'%{DATA:esxi_service}\'\] %{GREEDYDATA:esxi_message}|%{GREEDYDATA}))']
-    }
-	mutate {
-		#add_tag => [ "conf_file_1029"]
-	}
-  }
-}
-
diff --git a/salt/logstash/files/conf.d/1030_preprocess_greensql.conf b/salt/logstash/files/conf.d/1030_preprocess_greensql.conf
deleted file mode 100644
index adea86053..000000000
--- a/salt/logstash/files/conf.d/1030_preprocess_greensql.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [type] == "greensql" {
-    # This section is parsing out the fields for GreenSQL syslog data
-    grok {
-      match => { "message" => "<%{INT:Code}>%{DATA:Category}\[%{INT:Transcation}\]:\s*Database=%{DATA:Database}\sUser=%{DATA:UserName}\sApplication Name=%{DATA:Application}\sSource IP=%{IPV4:SrcIp}\sSource Port=%{INT:SrcPort}\sTarget IP=?%{IPV4:DstIp}\sTarget Port=%{DATA:DstPort}\sQuery=%{GREEDYDATA:Query}"}
-      match => { "message" => "<%{INT:Code}>%{DATA:Category}\[%{INT:Transcation}\]:\sAdmin_Name=%{DATA:UserName}\sIP_Address=%{IPV4:SrcIp}\sUser_Agent=%{DATA:UserAgent}\sMessage=%{DATA:StatusMessage}\sDescription=%{DATA:Description}\sSeverity=%{GREEDYDATA:Severity}"}
-    }
-	# Remove the message field as it is unnecessary
-    #mutate {
-    #  remove_field => [ "message"]
-    #}
-	mutate {
-		#add_tag => [ "conf_file_1030"]
-	}
-  }
-}
diff --git a/salt/logstash/files/conf.d/1031_preprocess_iis.conf b/salt/logstash/files/conf.d/1031_preprocess_iis.conf
deleted file mode 100644
index 9bcd33a3e..000000000
--- a/salt/logstash/files/conf.d/1031_preprocess_iis.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [type] == "iis" {
-    # The log is expected to have come from NXLog and in JSON format.  This allows for automatic parsing of fields
-    json {
-      source => "message"
-    }
-    # This removes the message field as it is unneccesary and tags the packet as web
-    mutate {
-    #  remove_field => [ "message"]
-      add_tag => [ "web" ]
-    }
-	mutate {
-		#add_tag => [ "conf_file_1031"]
-	}
-  }
-}
diff --git a/salt/logstash/files/conf.d/1032_preprocess_mcafee.conf b/salt/logstash/files/conf.d/1032_preprocess_mcafee.conf
deleted file mode 100644
index de5466288..000000000
--- a/salt/logstash/files/conf.d/1032_preprocess_mcafee.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-#
-# This file looks for McAfee EPO logs
-filter {
-  if [type] == "mcafee" {
-    # NXLog should be sending the logs in JSON format so they auto parse
-    json {
-      source => "message"
-    }
-	# This section converts the UTC fields to the proper time format
-    date {
-      match => [ "ReceivedUTC", "YYYY-MM-dd HH:mm:ss" ]
-      target => [ "ReceivedUTC" ]
-    }
-    date {
-      match => [ "DetectedUTC", "YYYY-MM-dd HH:mm:ss" ]
-      target => [ "DetectedUTC" ]
-    }
-	mutate {
-		#add_tag => [ "conf_file_1032"]
-	}
-  }
-}
diff --git a/salt/logstash/files/conf.d/1033_preprocess_snort.conf b/salt/logstash/files/conf.d/1033_preprocess_snort.conf
deleted file mode 100644
index 659a13c90..000000000
--- a/salt/logstash/files/conf.d/1033_preprocess_snort.conf
+++ /dev/null
@@ -1,89 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Updated by: Wes Lambert
-# Last Update: 12/15/2017
-
-filter {
-  if [type] == "snort" {
-    # This is the initial parsing of the log
-    grok {
-      match => ["message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+<%{DATA:interface}>\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip}):%{INT:destination_port}",
-		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+<%{DATA:interface}>\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip})", 
-		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+%{IPV4:destination_ip}:%{INT:destination_port}", 
-		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip})",
-		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip}):%{INT:destination_port}",
-               "message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip})",
-		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}",
-		"message", "%{GREEDYDATA:alert}"]
-    }
-	
-	# If the alert is a Snort GPL alert break it apart for easier reading and categorization
-    if [alert] =~ "GPL " {
-	  # This will parse out the category type from the alert
-      grok {
-        match => { "alert" => "GPL\s+%{DATA:category}\s" }
-      }
-	  # This will store the category
-      mutate {
-        add_field => { "rule_type" => "Snort GPL" }
-        lowercase => [ "category"]
-        }
-    }
-	# If the alert is an Emerging Threat alert break it apart for easier reading and categorization
-    if [alert] =~ "ET " {
-	  # This will parse out the category type from the alert
-      grok {
-        match => { "alert" => "ET\s+%{DATA:category}\s" }
-      }
-	  # This will store the category
-      mutate {
-        add_field => { "rule_type" => "Emerging Threats" }
-        lowercase => [ "category"]
-      }
-    }
-	# I recommend changing the field types below to integer so searches can do greater than or less than
-	# and also so math functions can be ran against them
-    mutate {
-      convert => [ "source_port", "integer" ]
-      convert => [ "destination_port", "integer" ]
-      convert => [ "gid", "integer" ]
-      convert => [ "sid", "integer" ]
-    #  remove_field => [ "message"]
-    }
-	# This will translate the priority field into a severity field of either High, Medium, or Low
-	if [priority] == 1 {
-      mutate {
-        add_field => { "severity" => "High" }
-      }
-    }
-    if [priority] == 2 {
-      mutate {
-        add_field => { "severity" => "Medium" }
-      }
-    }
-    if [priority] == 3 {
-      mutate {
-        add_field => { "severity" => "Low" }
-      }
-    }
-    # This section adds URLs to lookup information about a rule online
-    if [sid] and [sid] > 0 and [sid] < 1000000 {
-      mutate {
-        add_field => [ "signature_info", "https://www.snort.org/search?query=%{gid}-%{sid}" ]
-      }
-    }
-    if [sid] and [sid] > 1999999 and [sid] < 2999999 {
-      mutate {
-        add_field => [ "signature_info", "http://doc.emergingthreats.net/%{sid}" ]
-      }
-    }
-    if [gid] and [gid] == 1 and [sid] and [sid] > 0 and [sid] < 1000000000 {
-      ruby {
-         code => "sid = event.get('sid'); event.set('rule', `grep -h sid:#{sid} /etc/nsm/rules/*.rules | sort -u`)"
-	}
-    }
-#	mutate {
-		#add_tag => [ "conf_file_1033"]
-#	}
-  }
-}
diff --git a/salt/logstash/files/conf.d/1034_preprocess_syslog.conf b/salt/logstash/files/conf.d/1034_preprocess_syslog.conf
deleted file mode 100644
index 998109685..000000000
--- a/salt/logstash/files/conf.d/1034_preprocess_syslog.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Updated by: Doug Burks
-# Last Update: 5/22/2017
-
-filter {
-  if [type] == "syslog" { 
-    # This drops syslog messages regarding license messages.  You may want to comment it out.
-    #if [message] =~ "license" {
-    #  drop { }
-    #}
-	mutate {
-		#convert => [ "status_code", "integer" ]
-	}
-  }  
-}
diff --git a/salt/logstash/files/conf.d/1100_preprocess_bro_conn.conf b/salt/logstash/files/conf.d/1100_preprocess_bro_conn.conf
deleted file mode 100644
index 87f090408..000000000
--- a/salt/logstash/files/conf.d/1100_preprocess_bro_conn.conf
+++ /dev/null
@@ -1,44 +0,0 @@
-# Original Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Updated by: Wes Lambert
-# Last Update: 12/14/2017
-#
-# This conf file is based on accepting logs for conn.log from Bro systems
-filter {
-  if [type] == "bro_conn" {
-    # This is the initial parsing of the log
-    mutate {
-      gsub => [ "message", "[\"']", "" ]
-    }
-    csv {
-      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","protocol","service","duration","original_bytes","respond_bytes","connection_state","local_orig","local_respond","missed_bytes","history","original_packets","original_ipbytes","respond_packets","respond_ipbytes","tunnel_parents","original_country_code","respond_country_code","sensor_name"]
-
-    # If you use a custom delimiter, change the following value in between the quotes to your delimiter. Otherwise, insert a literal <tab> in between the two quotes on your logstash system, use a text editor like nano that doesn't convert tabs to spaces.
-      separator => "	"
-    }
-    translate {
-      field => "connection_state"
-
-      destination => "connection_state_description"
-
-      dictionary => [
-                    "S0", "Connection attempt seen, no reply",
-                    "S1", "Connection established, not terminated",
-                    "S2", "Connection established and close attempt by originator seen (but no reply from responder)",
-                    "S3", "Connection established and close attempt by responder seen (but no reply from originator)",
-                    "SF", "Normal SYN/FIN completion",
-                    "REJ", "Connection attempt rejected",
-                    "RSTO", "Connection established, originator aborted (sent a RST)",
-                    "RSTR", "Established, responder aborted",
-                    "RSTOS0", "Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder",
-                    "RSTRH", "Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator",
-                    "SH", "Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was 'half' open)",
-		    "SHR", "Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator",
-                    "OTH", "No SYN seen, just midstream traffic (a 'partial connection' that was not later closed)"
-                    ]
-    }
-	mutate {
-		#add_tag => [ "conf_file_1100"]
-	}
-  }
-}
diff --git a/salt/logstash/files/conf.d/1101_preprocess_bro_dhcp.conf b/salt/logstash/files/conf.d/1101_preprocess_bro_dhcp.conf
deleted file mode 100644
index e835ecef6..000000000
--- a/salt/logstash/files/conf.d/1101_preprocess_bro_dhcp.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-#
-# This conf file is based on accepting logs for dhcp.log from Bro systems
-filter {
-  if [type] == "bro_dhcp" {
-    # This is the initial parsing of the log
-    grok {
-      match => [ "message", "(?<timestamp>(.*?))\t(?<uid>(.*?))\t(?<source_ip>(.*?))\t(?<source_port>(.*?))\t(?<destination_ip>(.*?))\t(?<destination_port>(.*?))\t(?<mac>(.*?))\t(?<assigned_ip>(.*?))\t(?<lease_time>(.*?))\t(?<transaction_id>(.*))" ]
-    }
-	mutate {
-		#add_tag => [ "conf_file_1101"]
-	}
-  }
-}
diff --git a/salt/logstash/files/conf.d/1102_preprocess_bro_dns.conf b/salt/logstash/files/conf.d/1102_preprocess_bro_dns.conf
deleted file mode 100644
index 53cf5addc..000000000
--- a/salt/logstash/files/conf.d/1102_preprocess_bro_dns.conf
+++ /dev/null
@@ -1,36 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Updated by Wes Lambert
-# Last Update: 12/14/2017
-#
-# This conf file is based on accepting logs for dns.log from Bro systems
-filter {
-  if [type] == "bro_dns" {
-    # This is the initial parsing of the log
-    mutate {
-      gsub => [ "message", "[\"']", "" ]
-    }
-    csv {
-      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","protocol","transaction_id","rtt","query","query_class","query_class_name","query_type","query_type_name","rcode","rcode_name","aa","tc","rd","ra","z","answers","ttls","rejected"]
-
-      #If you use a custom delimiter, change the following value in between the quotes to your delimiter. Otherwise, insert a literal <tab> in between the two quotes on your logstash system, use a text editor like nano that doesn't convert tabs to spaces.
-      separator => "	"
-    }
-    mutate {
-		  add_tag => [ "dns" ]
-	  }
-    if [ttls] == "-" {
-      mutate {
-        remove_field => [ "ttls" ]
-      }
-    } else {
-      mutate {
-        convert => [ "ttls", "float" ]
-      }
-    }
-	mutate {
-		#add_tag => [ "conf_file_1102"]
-	}
-  }
-}
diff --git a/salt/logstash/files/conf.d/1103_preprocess_bro_dpd.conf b/salt/logstash/files/conf.d/1103_preprocess_bro_dpd.conf
deleted file mode 100644
index 39603bf6e..000000000
--- a/salt/logstash/files/conf.d/1103_preprocess_bro_dpd.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Updated by Wes Lambert
-# Last Update: 12/14/2017
-#
-# This conf file is based on accepting logs for dpd.log from Bro systems
-filter {
-  if [type] == "bro_dpd" {
-    # This is the initial parsing of the log
-    mutate {
-      gsub => [ "message", "[\"']", "" ]
-    }
-    csv {
-      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","protocol","analyzer","failure_reason"]
-      separator => "	"
-    }
-	mutate {
-		#add_tag => [ "conf_file_1103"]
-	}
-  }	
-}
diff --git a/salt/logstash/files/conf.d/1104_preprocess_bro_files.conf b/salt/logstash/files/conf.d/1104_preprocess_bro_files.conf
deleted file mode 100644
index 665889358..000000000
--- a/salt/logstash/files/conf.d/1104_preprocess_bro_files.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/14/2017 - Wes lambert
-#
-# This conf file is based on accepting logs for files.log from Bro systems
-filter {
-  if [type] == "bro_files" {
-    # This is the initial parsing of the log
-    csv {
-      columns => ["timestamp","fuid","file_ip","destination_ip","connection_uids","source","depth","analyzer","mimetype","file_name","duration","local_orig","is_orig","seen_bytes","total_bytes","missing_bytes","overflow_bytes","timed_out","parent_fuid","md5","sha1","sha256","extracted"]
-      separator => "	"
-    }
-	mutate {
-		#add_tag => [ "conf_file_1104"]
-	}
-  }
-}
diff --git a/salt/logstash/files/conf.d/1105_preprocess_bro_ftp.conf b/salt/logstash/files/conf.d/1105_preprocess_bro_ftp.conf
deleted file mode 100644
index 8d1dd1963..000000000
--- a/salt/logstash/files/conf.d/1105_preprocess_bro_ftp.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# Original Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Updated by: Wes Lambert
-# Last Update: 12/14/2017
-#
-# This conf file is based on accepting logs for ftp.log from Bro systems
-filter {
-  if [type] == "bro_ftp" {
-    # This is the initial parsing of the log
-    mutate {
-      gsub => [ "message", "[\"']", "" ]
-    }
-    csv {
-      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","ftp_username","password","ftp_command","ftp_argument","mimetype","file_size","reply_code","reply_message","data_channel_passive","data_channel_source_ip","data_channel_destination_ip","data_channel_destination_port","fuid"]
-      separator => "	"
-    }
-	mutate {
-		#add_tag => [ "conf_file_1105"]
-	}
-  }	
-}
diff --git a/salt/logstash/files/conf.d/1106_preprocess_bro_http.conf b/salt/logstash/files/conf.d/1106_preprocess_bro_http.conf
deleted file mode 100644
index b4f25bf16..000000000
--- a/salt/logstash/files/conf.d/1106_preprocess_bro_http.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Updated by: Doug Burks
-# Last Update: 5/15/2017
-#
-# This conf file is based on accepting logs for http.log from Bro systems
-filter {
-  if [type] == "bro_http" {
-    grok {
-      match => [ "message", "(?<timestamp>(.*?))\t(?<uid>(.*?))\t(?<source_ip>(.*?))\t(?<source_port>(.*?))\t(?<destination_ip>(.*?))\t(?<destination_port>(.*?))\t(?<trans_depth>(.*?))\t(?<method>(.*?))\t(?<virtual_host>(.*?))\t(?<uri>(.*?))\t(?<referrer>(.*?))\t(?<version>(.*?))\t(?<useragent>(.*?))\t(?<request_body_length>(.*?))\t(?<response_body_length>(.*?))\t(?<status_code>(.*?))\t(?<status_message>(.*?))\t(?<info_code>(.*?))\t(?<info_message>(.*?))\t(?<tags>(.*))\t(?<user>(.*))\t(?<password>(.*))\t(?<proxied>(.*))\t(?<orig_fuids>(.*))\t(?<orig_filenames>(.*?))\t(?<orig_mime_types>(.*))\t(?<resp_fuids>(.*))\t(?<resp_filenames>(.*?))\t(?<resp_mime_types>(.*))" ]
-    }
-    if [useragent] == "-" {
-      mutate {
-        remove_field => [ "useragent" ]
-      }
-    }
-	mutate {
-		#add_tag => [ "conf_file_1106"]
-	}
-  }
-}
diff --git a/salt/logstash/files/conf.d/1107_preprocess_bro_irc.conf b/salt/logstash/files/conf.d/1107_preprocess_bro_irc.conf
deleted file mode 100644
index 84f7dcb3c..000000000
--- a/salt/logstash/files/conf.d/1107_preprocess_bro_irc.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Update by Wes Lambert
-# Last Update: 12/14/2017
-#
-# This conf file is based on accepting logs for irc.log from Bro systems
-filter {
-  if [type] == "bro_irc" {
-    # This is the initial parsing of the log
-    mutate {
-      gsub => [ "message", "[\"']", "" ]
-    }
-    csv {
-      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","nick","irc_username","irc_command","value","additional_info","dcc_file_name","dcc_file_size","dcc_mime_type","fuid"]
-      separator => "	"
-    }
-	mutate {
-		#add_tag => [ "conf_file_1107"]
-	}
-  }	
-}
diff --git a/salt/logstash/files/conf.d/1108_preprocess_bro_kerberos.conf b/salt/logstash/files/conf.d/1108_preprocess_bro_kerberos.conf
deleted file mode 100644
index a8adf282c..000000000
--- a/salt/logstash/files/conf.d/1108_preprocess_bro_kerberos.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# Original Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Updated by: Wes Lambert
-# Last Update: 12/14/2017
-#
-# This conf file is based on accepting logs for kerberos.log from Bro systems
-filter {
-  if [type] == "bro_kerberos" {
-    mutate {
-      gsub => [ "message", "[\"']", "" ]
-    }
-    csv {
-      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","request_type","client","service","kerberos_success","error_message","valid_from","valid_till","cipher","forwardable","renewable","client_certificate_subject","client_certificate_fuid","server_certificate_subject","server_certificate_fuid"]
-      separator => "	"
-    }
-	mutate {
-		#add_tag => [ "conf_file_1108"]
-	}
-  }
-}
diff --git a/salt/logstash/files/conf.d/1109_preprocess_bro_notice.conf b/salt/logstash/files/conf.d/1109_preprocess_bro_notice.conf
deleted file mode 100644
index 192675450..000000000
--- a/salt/logstash/files/conf.d/1109_preprocess_bro_notice.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Update by Wes Lambert
-# Last Update: 12/14/2017
-#
-# This conf file is based on accepting logs for notice.log from Bro systems
-filter {
-  if [type] == "bro_notice" {
-    # This is the initial parsing of the log
-    mutate {
-      gsub => [ "message", "[\"']", "" ]
-    }
-    csv {
-      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","fuid","file_mime_type","file_description","protocol","note","msg","sub_msg","source_ip","destination_ip","p","n","peer_description","action","suppress_for","dropped","destination_country_code","destination_region","destination_city","destination_latitude","destination_longitude"]
-      separator => "	"
-    }
-	mutate {
-		#add_tag => [ "conf_file_1109"]
-	}
-  }
-}
diff --git a/salt/logstash/files/conf.d/1110_preprocess_bro_rdp.conf b/salt/logstash/files/conf.d/1110_preprocess_bro_rdp.conf
deleted file mode 100644
index fc80c5ea1..000000000
--- a/salt/logstash/files/conf.d/1110_preprocess_bro_rdp.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Update by Wes Lambert
-# Last Update: 12/14/2016
-#
-# This conf file is based on accepting logs for weird.log from Bro systems
-filter {
-  if [type] == "bro_rdp" {
-    mutate {
-      gsub => [ "message", "[\"']", "" ]
-    }
-    csv {
-      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","cookie","result","security_protocol","keyboard_layout","client_build","client_name","client_digital_product_id","desktop_width","desktop_height","requested_color_depth","certificate_type","certificate_count","certificate_permanent","encryption_level","encryption_method"]
-      separator => "	"
-    }
-	mutate {
-		#add_tag => [ "conf_file_1110"]
-	}
-  }
-}
diff --git a/salt/logstash/files/conf.d/1111_preprocess_bro_signatures.conf b/salt/logstash/files/conf.d/1111_preprocess_bro_signatures.conf
deleted file mode 100644
index 70cdb2d6b..000000000
--- a/salt/logstash/files/conf.d/1111_preprocess_bro_signatures.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Updated by Wes Lambert
-# Last Update: 12/14/2017
-#
-# This conf file is based on accepting logs for signatures.log from Bro systems
-filter {
-  if [type] == "bro_signatures" {
-    # This is the initial parsing of the log
-    mutate {
-      gsub => [ "message", "[\"']", "" ]
-    }
-    csv {
-      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","note","signature_id","event_message","sub_message","signature_count","host_count"]
-      separator => "	"
-    }
-	mutate {
-		#add_tag => [ "conf_file_1111"]
-	}
-  }	
-}
diff --git a/salt/logstash/files/conf.d/1112_preprocess_bro_smtp.conf b/salt/logstash/files/conf.d/1112_preprocess_bro_smtp.conf
deleted file mode 100644
index a1fb145af..000000000
--- a/salt/logstash/files/conf.d/1112_preprocess_bro_smtp.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Updated by: Doug Burks
-# Last Update: 5/15/2017
-#
-# This conf file is based on accepting logs for smtp.log from Bro systems
-filter {
-  if [type] == "bro_smtp" {
-    grok {
-      match => [ "message", "(?<timestamp>(.*?))\t(?<uid>(.*?))\t(?<source_ip>(.*?))\t(?<source_port>(.*?))\t(?<destination_ip>(.*?))\t(?<destination_port>(.*?))\t(?<trans_depth>(.*?))\t(?<helo>(.*?))\t(?<mail_from>(.*?))\t(?<recipient_to>(.*?))\t(?<mail_date>(.*?))\t(?<from>(.*?))\t(?<to>(.*?))\t(?<cc>(.*?))\t(?<reply_to>(.*?))\t(?<message_id>(.*?))\t(?<in_reply_to>(.*?))\t(?<subject>(.*?))\t(?<x_originating_ip>(.*?))\t(?<first_received>(.*))\t(?<second_received>(.*))\t(?<last_reply>(.*))\t(?<path>(.*))\t(?<useragent>(.*))\t(?<tls>(.*))\t(?<fuids>(.*))\t(?<is_webmail>(.*))" ]
-    }
-    if [useragent] == "-" {
-      mutate {
-        remove_field => [ "useragent" ]
-      }
-    }
-	mutate {
-		#add_tag => [ "conf_file_1112"]
-	}
-  }
-}
diff --git a/salt/logstash/files/conf.d/1113_preprocess_bro_snmp.conf b/salt/logstash/files/conf.d/1113_preprocess_bro_snmp.conf
deleted file mode 100644
index e7b8e43fa..000000000
--- a/salt/logstash/files/conf.d/1113_preprocess_bro_snmp.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Update by Wes Lambert
-# Last Update: 12/14/2017
-#
-# This conf file is based on accepting logs for snmp.log from Bro systems
-filter {
-  if [type] == "bro_snmp" {
-    # This is the initial parsing of the log
-    mutate {
-      gsub => [ "message", "[\"']", "" ]
-    }
-    csv {
-      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","duration","version","community","get_requests","get_bulk_requests","get_responses","set_requests","display_string","up_since"]
-      separator => "	"
-    }
-	mutate {
-		#add_tag => [ "conf_file_1113"]
-	}
-  }	
-}
diff --git a/salt/logstash/files/conf.d/1114_preprocess_bro_software.conf b/salt/logstash/files/conf.d/1114_preprocess_bro_software.conf
deleted file mode 100644
index 83ad55e61..000000000
--- a/salt/logstash/files/conf.d/1114_preprocess_bro_software.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Update by Wes Lambert
-# Last Update: 12/14/2017
-#
-# This conf file is based on accepting logs for software.log from Bro systems
-filter {
-  if [type] == "bro_software" {
-    # This is the initial parsing of the log
-    mutate {
-      gsub => [ "message", "[\"']", "" ]
-    }
-    csv {
-      columns => ["timestamp","source_ip","source_port","software_type","name","version_major","version_minor","version_minor2","version_minor3","version_additional_info","unparsed_version"]
-      separator => "	"
-    }
-	mutate {
-		#add_tag => [ "conf_file_1114"]
-	}
-  }	
-}
diff --git a/salt/logstash/files/conf.d/1115_preprocess_bro_ssh.conf b/salt/logstash/files/conf.d/1115_preprocess_bro_ssh.conf
deleted file mode 100644
index df24f0730..000000000
--- a/salt/logstash/files/conf.d/1115_preprocess_bro_ssh.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Updated by: Wes Lambert
-# Last Update: 12/14/2017
-#
-# This conf file is based on accepting logs for ssh.log from Bro systems
-filter {
-  if [type] == "bro_ssh" {
-    # This is the initial parsing of the log
-    mutate {
-      gsub => [ "message", "[\"']", "" ]
-    }
-    csv {
-      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","version","authentication_success","authentication_attempts","direction","client","server","cipher_algorithm","mac_algorithm","compression_algorithm","kex_algorithm","host_key_algorithm","host_key","destination_country_code","destination_region","destination_city","destination_latitude","destination_longitude"]
-      separator => "	"
-    }
-	mutate {
-		#add_tag => [ "conf_file_1115"]
-	}
-  }
-}
diff --git a/salt/logstash/files/conf.d/1116_preprocess_bro_ssl.conf b/salt/logstash/files/conf.d/1116_preprocess_bro_ssl.conf
deleted file mode 100644
index 90e032368..000000000
--- a/salt/logstash/files/conf.d/1116_preprocess_bro_ssl.conf
+++ /dev/null
@@ -1,149 +0,0 @@
-# Original Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Updated by: Wes Lambert
-# Last Update: 12/14/2017
-#
-# This conf file is based on accepting logs for ssl.log from Bro systems
-filter {
-  if [type] == "bro_ssl" {
-   # This is the initial parsing of the log
-   mutate {
-      gsub => [ "message", "[\"']", "" ]
-    } 
-   csv {
-      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","version","cipher","curve","server_name","resumed","last_alert","next_protocol","established","certificate_chain_fuids","client_certificate_chain_fuids","certificate_subject","certificate_issuer","client_subject","client_issuer","validation_status","ja3"]
-      separator => "	"
-    }
-    mutate {
-      gsub => [ "subject", "\\\\,", "|" ]
-    }
-    kv {
-      include_keys => [ "CN", "C", "O", "OU", "ST", "SN", "L", "DC", "GN", "pseudonym", "serialNumber", "title", "initials" ]
-      field_split => ","
-      source => "certificate_issuer"
-    }
-    mutate {
-      rename => { "CN" => "issuer_common_name"}
-      rename => { "C" => "issuer_country_code"}
-      rename => { "O" => "issuer_organization"}
-      rename => { "OU" => "issuer_organization_unit"}
-      rename => { "ST" => "issuer_state"}
-      rename => { "SN" => "issuer_surname"}
-      rename => { "L" => "issuer_locality"}
-      rename => { "DC" => "issuer_distinguished_name"}
-      rename => { "GN" => "issuer_given_name"}
-      rename => { "pseudonym" => "issuer_pseudonym"}
-      rename => { "serialNumber" => "issuer_serial_number"}
-      rename => { "title" => "issuer_title"}
-      rename => { "initials" => "issuer_initials"}
-    }
-    kv {
-      include_keys => [ "CN", "C", "O", "OU", "ST", "SN", "L", "GN", "pseudonym", "serialNumber", "title", "initials" ]
-      field_split => ","
-      source => "certificate_subject"
-    }
-    mutate {
-      rename => { "CN" => "certificate_common_name"}
-      rename => { "C" => "certificate_country_code"}
-      rename => { "O" => "certificate_organization"}
-      rename => { "OU" => "certificate_organization_unit"}
-      rename => { "ST" => "certificate_state"}
-      rename => { "SN" => "certificate_surname"}
-      rename => { "L" => "certificate_locality"}
-      rename => { "GN" => "certificate_given_name"}
-      rename => { "pseudonym" => "certificate_pseudonym"}
-      rename => { "serialNumber" => "certificate_serial_number"}
-      rename => { "title" => "certificate_title"}
-      rename => { "initials" => "certificate_initials"}
-    }
-    if [certificate_subject] == "-" {
-      mutate {
-        remove_field => [ "certificate_subject" ]
-      }
-    }
-    if [certificate_issuer] == "-" {
-      mutate {
-        remove_field => [ "certificate_issuer" ]
-      }
-    }
-    if [certificate_common_name] {
-      ruby {
-        code => "event.set('certificate_common_name_length', event.get('certificate_common_name').length)"
-      }
-    }
-    if [issuer_common_name] {
-      ruby {
-        code => "event.set('issuer_common_name_length', event.get('issuer_common_name').length)"
-      }
-    }
-    if [server_name] == "-" {
-      mutate {
-        remove_field => [ "server_name" ]
-      }
-    } else {
-      ruby {
-        code => "event.set('server_name_length', event.get('server_name').length)"
-      }
-    }
-    if [certificate_chain_fuids] == "-" {
-      mutate {
-        remove_field => [ "certificate_chain_fuids" ]
-      }
-    } else {
-      ruby {
-        code => "event.set('certificate_chain_count', event.get('certificate_chain_fuids').count(',') + 1)"
-      }
-      mutate {
-        convert => [ "certificate_chain_length", "integer" ]
-      }
-    }
-    if [client_certificate_chain_fuids] == "-" {
-      mutate {
-        remove_field => [ "client_certificate_chain_fuids" ]
-      }
-    }
-    if [client_issuer] == "-" {
-      mutate {
-        remove_field => [ "client_issuer" ]
-      }
-    }
-    if [client_subject] == "-" {
-      mutate {
-        remove_field => [ "client_subject" ]
-      }
-    }
-    if [curve] == "-" {
-      mutate {
-        remove_field => [ "curve" ]
-      }
-    }
-    if [issuer] == "-" {
-      mutate {
-        remove_field => [ "issuer" ]
-      }
-    }
-    if [query] == "-" {
-      mutate {
-        remove_field => [ "query" ]
-      }
-    }
-    if [subject] == "-" {
-      mutate {
-        remove_field => [ "subject" ]
-      }
-    }
-    if [validation_status] == "-" {
-      mutate {
-        remove_field => [ "validation_status" ]
-      }
-    }
-    if [ja3] == "-" {
-      mutate {
-        remove_field => [ "ja3" ]
-      }
-    }
-	mutate {
-		#add_tag => [ "conf_file_1116"]
-	}
-  }	
-}
diff --git a/salt/logstash/files/conf.d/1117_preprocess_bro_syslog.conf b/salt/logstash/files/conf.d/1117_preprocess_bro_syslog.conf
deleted file mode 100644
index eba64abd3..000000000
--- a/salt/logstash/files/conf.d/1117_preprocess_bro_syslog.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-#
-# Updated by Wes Lambert
-# Last Update: 12/14/2017
-#
-# This conf file is based on accepting logs for syslog.log from Bro systems
-filter {
-  if [type] == "bro_syslog" {
-    # This is the initial parsing of the log
-    mutate {
-      gsub => [ "message", "[\"']", "" ]
-    }
-    csv {
-      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","protocol","facility","severity","message"]
-      separator => "	"
-    }
-	mutate {
-		#add_tag => [ "conf_file_1117"]
-	}
-  }	
-}
diff --git a/salt/logstash/files/conf.d/1118_preprocess_bro_tunnel.conf b/salt/logstash/files/conf.d/1118_preprocess_bro_tunnel.conf
deleted file mode 100644
index 5b9efe2e5..000000000
--- a/salt/logstash/files/conf.d/1118_preprocess_bro_tunnel.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# Original Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Updated by: Wes Lambert
-# Last Update: 12/14/2017
-#
-# This conf file is based on accepting logs for tunnel.log from Bro systems
-# Security Onion syslog-ng.conf sets type to "bro_tunnels"
-filter {
-  if [type] == "bro_tunnels" {
-    # This is the initial parsing of the log
-    mutate {
-      gsub => [ "message", "[\"']", "" ]
-    }
-    csv {
-      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","tunnel_type","action"]
-      separator => "	"
-    }
-	mutate {
-		#add_tag => [ "conf_file_1118"]
-	}
-  }	
-}
diff --git a/salt/logstash/files/conf.d/1119_preprocess_bro_weird.conf b/salt/logstash/files/conf.d/1119_preprocess_bro_weird.conf
deleted file mode 100644
index a994dd2b2..000000000
--- a/salt/logstash/files/conf.d/1119_preprocess_bro_weird.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-#
-# This conf file is based on accepting logs for weird.log from Bro systems
-filter {
-  if [type] == "bro_weird" {
-    grok {
-      match => [ "message", "(?<timestamp>(.*?))\t(?<uid>(.*?))\t(?<source_ip>(.*?))\t(?<source_port>(.*?))\t(?<destination_ip>(.*?))\t(?<destination_port>(.*?))\t(?<name>(.*?))\t(?<additional_info>(.*?))\t(?<notice>(.*?))\t(?<peer>(.*))" ]
-    }
-	mutate {
-		#add_tag => [ "conf_file_1119"]
-	}
-  }
-}
diff --git a/salt/logstash/files/conf.d/1121_preprocess_bro_mysql.conf b/salt/logstash/files/conf.d/1121_preprocess_bro_mysql.conf
deleted file mode 100644
index 61ce85eb8..000000000
--- a/salt/logstash/files/conf.d/1121_preprocess_bro_mysql.conf
+++ /dev/null
@@ -1,30 +0,0 @@
-# Original Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Updated by: Wes Lambert
-# Last Update: 12/14/2017
-#
-# This conf file is based on accepting logs for mysql.log from Bro systems
-#
-# Parse using grok
-filter {
-  if [type] == "bro_mysql" {
-    grok {
-      match => [ "message", "(?<timestamp>(.*?))\t(?<uid>(.*?))\t(?<source_ip>(.*?))\t(?<source_port>(.*?))\t(?<destination_ip>(.*?))\t(?<destination_port>(.*?))\t(?<mysql_command>(.*?))\t(?<mysql_argument>(.*?))\t(?<mysql_success>(.*?))\t(?<rows>(.*?))\t(?<response>(.*))" ]
-    }
-	mutate {
-		#add_tag => [ "conf_file_1121"]
-	}
-  }
-}
-
-# Reverting to grok for now, due to double-quoted values in log file
-# Parse using csv filter
-#filter {
-#  if [type] == "bro_mysql" {
-#    csv {
-#      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","mysql_command","mysql_argument","mysql_success","rows","response"]
-#    separator => "	"
-#    quote_char=
-#    }
-#  }
-#}
diff --git a/salt/logstash/files/conf.d/1122_preprocess_bro_socks.conf b/salt/logstash/files/conf.d/1122_preprocess_bro_socks.conf
deleted file mode 100644
index e6c1a6cf1..000000000
--- a/salt/logstash/files/conf.d/1122_preprocess_bro_socks.conf
+++ /dev/null
@@ -1,34 +0,0 @@
-# Original Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Updated by: Wes Lambert
-# Last Update: 12/14/2017
-#
-# This conf file is based on accepting logs for socks.log from Bro systems
-
-# Parse using csv
-filter {
-  if [type] == "bro_socks" {
-    mutate {
-      gsub => [ "message", "[\"']", "" ]
-    }
-    csv {
-      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","version","user","password","server_status","request_host","request_name","request_port","bound_host","bound_name","bound_port"]
-      separator => "    "
-    }
-        mutate {
-                #add_tag => [ "conf_file_1105"]
-        }
-  }
-}
-# Parse using grok
-#filter {
-#  if [type] == "bro_socks" {
-#    # This is the initial parsing of the log
-#    grok {
-#      match => [ "message", "(?<timestamp>(.*?))\t(?<uid>(.*?))\t(?<source_ip>(.*?))\t(?<source_port>(.*?))\t(?<destination_ip>(.*?))\t(?<destination_port>(.*?))\t(?<version>(.*?))\t(?<user>(.*?))\t(?<password>(.*?))\t(?<status>(.*))\t(?<request_host>(.*))\t(?<request_name>(.*))\t(?<request_port>(.*))\t(?<bound_host>(.*))\t(?<bound_name>(.*))\t(?<bound_port>(.*))" ]
-#    }
-#	mutate {
-#		#add_tag => [ "conf_file_1122"]
-#	}
-#  }
-#}
diff --git a/salt/logstash/files/conf.d/1123_preprocess_bro_x509.conf b/salt/logstash/files/conf.d/1123_preprocess_bro_x509.conf
deleted file mode 100644
index 2bd76e39a..000000000
--- a/salt/logstash/files/conf.d/1123_preprocess_bro_x509.conf
+++ /dev/null
@@ -1,123 +0,0 @@
-# Original Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Updated by: Doug Burks
-# Last Update: 5/13/2017
-#
-# This conf file is based on accepting logs for x509.log from Bro systems
-
-filter {
-  if [type] == "bro_x509" {
-    grok {
-      match => [ "message", "(?<timestamp>(.*?))\t(?<id>(.*?))\t(?<certificate_version>(.*?))\t(?<certificate_serial>(.*?))\t(?<certificate_subject>(.*?))\t(?<certificate_issuer>(.*?))\t(?<certificate_not_valid_before>(.*?))\t(?<certificate_not_valid_after>(.*?))\t(?<certificate_key_algorithm>(.*?))\t(?<certificate_signing_algorithm>(.*))\t(?<certificate_key_type>(.*))\t(?<certificate_key_length>(.*))\t(?<certificate_exponent>(.*))\t(?<certificate_curve>(.*))\t(?<san_dns>(.*))\t(?<san_uri>(.*))\t(?<san_email>(.*))\t(?<san_ip>(.*))\t(?<basic_constraints_ca>(.*))\t(?<basic_constraints_path_length>(.*))" ]
-    }
-
-    mutate {
-      gsub => [ "certificate_issuer", "\\\\,", "|" ]
-      gsub => [ "certificate_subject", "\\\\,", "|" ]
-    }
-	
-    kv {
-      include_keys => [ "CN", "C", "O", "OU", "ST", "SN", "L", "DC", "GN", "pseudonym", "serialNumber", "title", "initials" ]
-      field_split => ","
-      source => "certificate_issuer"
-    }
-    mutate {
-      rename => { "CN" => "issuer_common_name"}
-      rename => { "C" => "issuer_country_code"}
-      rename => { "O" => "issuer_organization"}
-      rename => { "OU" => "issuer_organization_unit"}
-      rename => { "ST" => "issuer_state"}
-      rename => { "SN" => "issuer_surname"}
-      rename => { "L" => "issuer_locality"}
-      rename => { "DC" => "issuer_distinguished_name"}
-      rename => { "GN" => "issuer_given_name"}
-      rename => { "pseudonym" => "issuer_pseudonym"}
-      rename => { "serialNumber" => "issuer_serial_number"}
-      rename => { "title" => "issuer_title"}
-      rename => { "initials" => "issuer_initials"}
-    }
-    kv {
-      include_keys => [ "CN", "C", "O", "OU", "ST", "SN", "L", "GN", "pseudonym", "serialNumber", "title", "initials" ]
-      field_split => ","
-      source => "certificate_subject"
-    }
-    mutate {
-      rename => { "CN" => "certificate_common_name"}
-      rename => { "C" => "certificate_country_code"}
-      rename => { "O" => "certificate_organization"}
-      rename => { "OU" => "certificate_organization_unit"}
-      rename => { "ST" => "certificate_state"}
-      rename => { "SN" => "certificate_surname"}
-      rename => { "L" => "certificate_locality"}
-      rename => { "GN" => "certificate_given_name"}
-      rename => { "pseudonym" => "certificate_pseudonym"}
-      rename => { "serialNumber" => "certificate_serial_number"}
-      rename => { "title" => "certificate_title"}
-      rename => { "initials" => "certificate_initials"}
-      convert => [ "certificate_key_length", "integer" ]
-      convert => [ "certificate_not_valid_after", "integer" ]
-      convert => [ "certificate_not_valid_before", "integer" ]
-    }
-    if [query] == "-" {
-      mutate {
-        remove_field => [ "query" ]
-      }
-    }
-    if [san_dns] == "-" {
-      mutate {
-        remove_field => [ "san_dns" ]
-      }
-    }
-    if [san_email] == "-" {
-      mutate {
-        remove_field => [ "san_email" ]
-      }
-    }
-    if [san_uri] == "-" {
-      mutate {
-        remove_field => [ "san_uri" ]
-      }
-    }
-    if [san_ip] == "-" {
-      mutate {
-        remove_field => [ "san_ip" ]
-      }
-    }
-    if [certificate_common_name] {
-      ruby {
-        code => "event.set('certificate_common_name_length', event.get('certificate_common_name').length)"
-      }
-    }
-    if [issuer_common_name] {
-      ruby {
-        code => "event.set('issuer_common_name_length', event.get('issuer_common_name').length)"
-      }
-    }
-    if [certificate_not_valid_after] == "-" {
-      mutate {
-        remove_field => [ "certificate_not_valid_after" ]
-      }
-    }
-    if [certificate_not_valid_before] == "-" {
-      mutate {
-        remove_field => [ "certificate_not_valid_before" ]
-      }
-    }
-    if [certificate_not_valid_after] and [certificate_not_valid_before] {
-      ruby {
-        code => "event.set('certificate_number_days_valid', ((event.get('certificate_not_valid_after') - event.get('certificate_not_valid_before')) / 86400).ceil)"
-      }
-      date {
-        match => [ "certificate_not_valid_after", "UNIX" ]
-        target => "certificate_not_valid_after"
-      }
-      date {
-        match => [ "certificate_not_valid_before", "UNIX" ]
-        target => "certificate_not_valid_before"
-      }
-    }
-	mutate {
-		#add_tag => [ "conf_file_1123"]
-	}
-  }
-}
diff --git a/salt/logstash/files/conf.d/1124_preprocess_bro_intel.conf b/salt/logstash/files/conf.d/1124_preprocess_bro_intel.conf
deleted file mode 100644
index 028c4a111..000000000
--- a/salt/logstash/files/conf.d/1124_preprocess_bro_intel.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Updated by: Wes Lambert
-# Last Update: 12/14/2017
-#
-# This conf file is based on accepting logs for intel.log from Bro systems
-filter {
-  if [type] == "bro_intel" {
-    # This is the initial parsing of the log
-    mutate {
-      gsub => [ "message", "[\"']", "" ]
-    }
-    csv {
-      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","indicator","indicator_type","seen_where","seen_node","matched","sources","fuid","mimetype","file_description"]
-      separator => "	"
-    }
-	mutate {
-		#add_tag => [ "conf_file_1124"]
-	}
-  }	
-}
diff --git a/salt/logstash/files/conf.d/1125_preprocess_bro_modbus.conf b/salt/logstash/files/conf.d/1125_preprocess_bro_modbus.conf
deleted file mode 100644
index 7d5bf4abf..000000000
--- a/salt/logstash/files/conf.d/1125_preprocess_bro_modbus.conf
+++ /dev/null
@@ -1,34 +0,0 @@
-# Author: Wes Lambert
-# wlambertts@gmail.com
-#
-# Adapted from existing filters provided by Justin Henderson
-#
-# Last Update: 12/14/2017
-#
-# This conf file is based on accepting logs for modbus.log from Bro systems
-#
-# Parse using csv filter
-filter {
-  if [type] == "bro_modbus" {
-    # This is the initial parsing of the log
-    mutate {
-      gsub => [ "message", "[\"']", "" ]
-    }
-    csv {
-      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","function","exception"]
-    separator => "	"
-    }
-  }
-}
-
-# Parse using grok
-#filter {
-#  if [type] == "bro_modbus" {
-#    grok {
-#      match => [ "message", "(?<timestamp>(.*?))\t(?<uid>(.*?))\t(?<source_ip>(.*?))\t(?<source_port>(.*?))\t(?<destination_ip>(.*?))\t(?<destination_port>(.*?))\t(?<func>(.*?))\t(?<exception>(.*?))$" ]
-#    }
-	#mutate {
-		#add_tag => [ "conf_file_1125"]
-	#}
-#   }
-#}
diff --git a/salt/logstash/files/conf.d/1126_preprocess_bro_sip.conf b/salt/logstash/files/conf.d/1126_preprocess_bro_sip.conf
deleted file mode 100644
index 35c404749..000000000
--- a/salt/logstash/files/conf.d/1126_preprocess_bro_sip.conf
+++ /dev/null
@@ -1,32 +0,0 @@
-# Author: Wes Lambert
-# wlambertts@gmail.com
-#
-# Adapted from existing filters provided by Justin Henderson
-#
-# Last Update: 05/12/2017
-#
-# This conf file is based on accepting logs for sip.log from Bro systems
-#
-# Parse using csv filter
-#filter {
-#  if [type] == "bro_sip" {
-#    csv {
-#      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","trans_depth","method","uri","date","request_from","request_to","response_from","response_to","reply_to","call_id","seq","subject","request_path","response_path","user_agent","status_code","status_msg","warning","request_body_len","response_body_len","content_type"]
-#    separator => "	"
-#    }
-#  }
-#}
-
-# some sip logs have quotes which cause csvparsefailures, so let's fall back to grok
-
-# Parse using grok
-filter {
-  if [type] == "bro_sip" {
-    grok {
-      match => [ "message", "(?<timestamp>(.*?))\t(?<uid>(.*?))\t(?<source_ip>(.*?))\t(?<source_port>(.*?))\t(?<destination_ip>(.*?))\t(?<destination_port>(.*?))\t(?<trans_depth>(.*?))\t(?<method>(.*?))\t(?<uri>(.*?))\t(?<date>(.*?))\t(?<request_from>(.*?))\t(?<request_to>(.*?))\t(?<response_from>(.*?))\t(?<response_to>(.*?))\t(?<reply_to>(.*?))\t(?<call_id>(.*?))\t(?<seq>(.*?))\t(?<subject>(.*?))\t(?<request_path>(.*?))\t(?<response_path>(.*?))\t(?<user_agent>(.*?))\t(?<status_code>(.*?))\t(?<status_msg>(.*?))\t(?<warning>(.*?))\t(?<request_body_len>(.*?))\t(?<response_body_len>(.*?))\t(?<content_type>(.*?))$" ]
-    }
-	mutate {
-		add_tag => [ "conf_file_1126"]
-	}
-  }
-}
diff --git a/salt/logstash/files/conf.d/1127_preprocess_bro_radius.conf b/salt/logstash/files/conf.d/1127_preprocess_bro_radius.conf
deleted file mode 100644
index 108b8c61d..000000000
--- a/salt/logstash/files/conf.d/1127_preprocess_bro_radius.conf
+++ /dev/null
@@ -1,33 +0,0 @@
-# Author: Wes Lambert
-# wlambertts@gmail.com
-#
-# Adapted from existing filters provided by Justin Henderson
-#
-# Last Update: 12/14/2017
-#
-# This conf file is based on accepting logs for radius.log from Bro systems
-#
-# Parse using csv filter
-filter {
-  if [type] == "bro_radius" {
-   mutate {
-      gsub => [ "message", "[\"']", "" ]
-    } 
-   csv {
-      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","radius_username","mac","remote_ip","connect_info","result","logged"]
-    separator => "	"
-    }
-  }
-}
-
-# Parse using grok
-#filter {
-#  if [type] == "bro_radius" {
-#    grok {
-#      match => [ "message", "(?<timestamp>(.*?))\t(?<uid>(.*?))\t(?<source_ip>(.*?))\t(?<source_port>(.*?))\t(?<destination_ip>(.*?))\t(?<destination_port>(.*?))\t(?<username>(.*?))\t(?<mac>(.*?))\t(?<remote_ip>(.*?))\t(?<logged>(.*?))\t(?<connect_info>(.*?))$" ]
-#    }
-#	mutate {
-#		#add_tag => [ "conf_file_1127"]
-#	}
-#  }
-#}
diff --git a/salt/logstash/files/conf.d/1128_preprocess_bro_pe.conf b/salt/logstash/files/conf.d/1128_preprocess_bro_pe.conf
deleted file mode 100644
index 82fc92e1d..000000000
--- a/salt/logstash/files/conf.d/1128_preprocess_bro_pe.conf
+++ /dev/null
@@ -1,33 +0,0 @@
-# Author: Wes Lambert
-# wlambertts@gmail.com
-#
-# Adapted from existing filters provided by Justin Henderson
-#
-# Last Update: 12/14/2017
-#
-# This conf file is based on accepting logs for pe.log from Bro systems
-#
-# Parse using csv filter
-filter {
-  if [type] == "bro_pe" {
-    mutate {
-      gsub => [ "message", "[\"']", "" ]
-    }
-    csv {
-      columns => ["timestamp","fuid","machine","compile_ts","os","subsystem","is_exe","is_64bit","uses_aslr","uses_dep","uses_code_integrity","uses_seh","has_import_table","has_export_table","has_cert_table","has_debug_data","section_names"]
-    separator => "	"
-    }
-  }
-}
-
-# Parse using grok
-#filter {
-#  if [type] == "bro_pe" {
-#    grok {
-#      match => [ "message", "(?<timestamp>(.*?))\t(?<fuid>(.*?))\t(?<machine>(.*?))\t(?<compile_ts>(.*?))\t(?<os>(.*?))\t(?<subsystem>(.*?))\t(?<is_exe>(.*?))\t(?<is_64bit>(.*?))\t(?<uses_aslr>(.*?))\t(?<uses_dep>(.*?))\t(?<uses_code_integrity>(.*?))\t(?<uses_seh>(.*?))\t(?<has_import_table>(.*?))\t(?<has_export_table>(.*?))\t(?<has_cert_table>(.*?))\t(?<has_debug_data>(.*?))\t(?<section_names>(.*?))$" ]
-#    }
-#	mutate {
-#		#add_tag => [ "conf_file_1128"]
-#	}
-# }
-#}
diff --git a/salt/logstash/files/conf.d/1129_preprocess_bro_rfb.conf b/salt/logstash/files/conf.d/1129_preprocess_bro_rfb.conf
deleted file mode 100644
index 680a1150f..000000000
--- a/salt/logstash/files/conf.d/1129_preprocess_bro_rfb.conf
+++ /dev/null
@@ -1,33 +0,0 @@
-# Author: Wes Lambert
-# wlambertts@gmail.com
-#
-# Adapted from existing filters provided by Justin Henderson
-#
-# Last Update: 12/14/2017
-#
-# This conf file is based on accepting logs for rfb.log from Bro systems
-#
-# Parse using csv filter
-filter {
-  if [type] == "bro_rfb" {
-    mutate {
-      gsub => [ "message", "[\"']", "" ]
-    }
-    csv {
-      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","client_major_version","client_minor_version","server_major_version","server_minor_version","authentication_method","auth","share_flag","desktop_name","width","height"]
-    separator => "	"
-    }
-  }
-}
-
-# Parse using grok
-#filter {
-#  if [type] == "bro_rfb" {
-#    grok {
-#      match => [ "message", "(?<timestamp>(.*?))\t(?<uid>(.*?))\t(?<source_ip>(.*?))\t(?<source_port>(.*?))\t(?<destination_ip>(.*?))\t(?<destination_port>(.*?))\t(?<client_major_version>(.*?))\t(?<client_minor_version>(.*?))\t(?<server_major_version>(.*?))\t(?<server_minor_version>(.*?))\t(?<authentication_method>(.*?))\t(?<auth>(.*?))\t(?<share_flag>(.*?))\t(?<desktop_name>(.*?))\t(?<width>(.*?))\t(?<height>(.*?))$" ]
-#    }
-#	mutate {
-#		#add_tag => [ "conf_file_1129"]
-#	}
-#  }
-#}
diff --git a/salt/logstash/files/conf.d/1130_preprocess_bro_dnp3.conf b/salt/logstash/files/conf.d/1130_preprocess_bro_dnp3.conf
deleted file mode 100644
index ed3ba70b2..000000000
--- a/salt/logstash/files/conf.d/1130_preprocess_bro_dnp3.conf
+++ /dev/null
@@ -1,33 +0,0 @@
-# Author: Wes Lambert
-# wlambertts@gmail.com
-#
-# Adapted from existing filters provided by Justin Henderson
-#
-# Last Update: 12/14/2017
-#
-# This conf file is based on accepting logs for dnp3.log from Bro systems
-#
-# Parse using csv filter
-filter {
-  if [type] == "bro_dnp3" {
-    mutate {
-      gsub => [ "message", "[\"']", "" ]
-    }
-    csv {
-      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","fc_request","fc_reply","iin"]
-    separator => "	"
-    }
-  }
-}
-
-# Parse using grok
-#filter {
-#  if [type] == "bro_dnp3" {
-#    grok {
-#      match => [ "message", "(?<timestamp>(.*?))\t(?<uid>(.*?))\t(?<source_ip>(.*?))\t(?<source_port>(.*?))\t(?<destination_ip>(.*?))\t(?<destination_port>(.*?))\t(?<fc_request>(.*?))\t(?<fc_reply>(.*?))\t(?<iin>(.*?))$" ]
-#    }
-#	mutate {
-#		#add_tag => [ "conf_file_1129"]
-#	}
-#  }
-#}
diff --git a/salt/logstash/files/conf.d/1131_preprocess_bro_smb_files.conf b/salt/logstash/files/conf.d/1131_preprocess_bro_smb_files.conf
deleted file mode 100644
index 01055d2fa..000000000
--- a/salt/logstash/files/conf.d/1131_preprocess_bro_smb_files.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# Author: Wes Lambert
-# wlambertts@gmail.com
-#
-# Adapted from existing filters provided by Justin Henderson
-#
-# Last Update: 12/14/2017
-#
-# This conf file is based on accepting logs for smb_files.log from Bro systems
-#
-# Parse using csv filter
-filter {
-  if [type] == "bro_smb_files" {
-    mutate {
-      gsub => [ "message", "[\"']", "" ]
-    }
-    csv {
-      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","fuid","action","path","name","size","prev_name","times_modified","times_accessed","times_created","times_changed"]
-    separator => "	"
-    }
-  }
-}
diff --git a/salt/logstash/files/conf.d/1132_preprocess_bro_smb_mapping.conf b/salt/logstash/files/conf.d/1132_preprocess_bro_smb_mapping.conf
deleted file mode 100644
index ceac871ee..000000000
--- a/salt/logstash/files/conf.d/1132_preprocess_bro_smb_mapping.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# Author: Wes Lambert
-# wlambertts@gmail.com
-#
-# Adapted from existing filters provided by Justin Henderson
-#
-# Last Update: 12/14/2017
-#
-# This conf file is based on accepting logs for smb_mapping.log from Bro systems
-#
-# Parse using csv filter
-filter {
-  if [type] == "bro_smb_mapping" {
-    mutate {
-      gsub => [ "message", "[\"']", "" ]
-    }
-    csv {
-      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","path","service","native_file_system","share_type"]
-    separator => "	"
-    }
-  }
-}
diff --git a/salt/logstash/files/conf.d/1133_preprocess_bro_ntlm.conf b/salt/logstash/files/conf.d/1133_preprocess_bro_ntlm.conf
deleted file mode 100644
index fc7b01025..000000000
--- a/salt/logstash/files/conf.d/1133_preprocess_bro_ntlm.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# Author: Wes Lambert
-# wlambertts@gmail.com
-#
-# Adapted from existing filters provided by Justin Henderson
-#
-# Last Update: 12/14/2017
-#
-# This conf file is based on accepting logs for ntlm.log from Bro systems
-#
-# Parse using csv filter
-filter {
-  if [type] == "bro_ntlm" {
-    mutate {
-      gsub => [ "message", "[\"']", "" ]
-    }
-    csv {
-      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","ntlm_username","hostname","domain_name","ntlm_success","status"]
-    separator => "	"
-    }
-  }
-}
diff --git a/salt/logstash/files/conf.d/1134_preprocess_bro_dce_rpc.conf b/salt/logstash/files/conf.d/1134_preprocess_bro_dce_rpc.conf
deleted file mode 100644
index 1d0f186fe..000000000
--- a/salt/logstash/files/conf.d/1134_preprocess_bro_dce_rpc.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# Author: Wes Lambert
-# wlambertts@gmail.com
-#
-# Adapted from existing filters provided by Justin Henderson
-#
-# Last Update: 12/14/2017
-#
-# This conf file is based on accepting logs for dce_rpc.log from Bro systems
-#
-# Parse using csv filter
-filter {
-  if [type] == "bro_dce_rpc" {
-    mutate {
-      gsub => [ "message", "[\"']", "" ]
-    }
-    csv {
-      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","rtt","named_pipe","endpoint","operation"]
-    separator => "	"
-    }
-  }
-}
diff --git a/salt/logstash/files/conf.d/1998_test_data.conf b/salt/logstash/files/conf.d/1998_test_data.conf
deleted file mode 100644
index 0fc401428..000000000
--- a/salt/logstash/files/conf.d/1998_test_data.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [test] == "test" {
-    mutate {
-      remove_field => [ "test" ]
-      add_tag => [ "test_data" ]
-    }
-	mutate {
-		#add_tag => [ "conf_file_1998"]
-	}
-  }
-}
diff --git a/salt/logstash/files/conf.d/2000_network_flow.conf b/salt/logstash/files/conf.d/2000_network_flow.conf
deleted file mode 100644
index 40a060955..000000000
--- a/salt/logstash/files/conf.d/2000_network_flow.conf
+++ /dev/null
@@ -1,59 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [type] == "sflow" {
-    if [message] =~ /CNTR/ {
-      drop { }
-    }
-
-    grok {
-      match => { "message" => "%{WORD:sample_type},%{IP:sflow_source_ip},%{WORD:in_port:int},%{WORD:out_port:int},%{WORD:source_mac},%{WORD:destination_mac},%{WORD:ether_type},%{NUMBER:in_vlan:int},%{NUMBER:out_vlan:int},%{IP:source_ip},%{IP:destination_ip},%{NUMBER:protocol:int},%{WORD:type_of_service},%{WORD:ttl:int},%{NUMBER:source_port:int},%{NUMBER:destination_port:int},%{DATA:tcp_flags},%{NUMBER:packet_size:int},%{NUMBER:ip_size:int},%{NUMBER:sample_rate:int}" }
-    }
-
-    if "_grokparsefailure" in [tags] {
-      drop { }
-    }
-
-    mutate {
-      add_field => {
-        "[source_hostname]" => "%{source_ip}"
-        "[destination_hostname]" => "%{destination_ip}"
-        "[sflow_source_hostname]" => "%{sflow_source_ip}"
-      }
-    }
-
-    translate {
-      field => "[source_port]"
-      destination => "[source_service]"
-      dictionary_path => "/lib/dictionaries/iana_services.yaml"
-    }
-
-    translate {
-      field => "[destination_port]"
-      destination => "[destination_service]"
-      dictionary_path => "/lib/dictionaries/iana_services.yaml"
-    }
-
-    translate {
-      field => "[protocol]"
-      destination => "[protocol_name]"
-      dictionary_path => "/lib/dictionaries/iana_protocols.yaml"
-    }
-
-    translate {
-      field => "[tcp_flags]"
-      destination => "[tcp_flag]"
-      dictionary_path => "/lib/dictionaries/tcp_flags.yaml"
-    }
-
-    mutate {
-      add_field => { "ips" => [ "%{sflow_source_ip}" ] }
-    }
-	mutate {
-		#add_tag => [ "conf_file_2000"]
-	}
-  }
-}
diff --git a/salt/logstash/files/conf.d/6000_bro.conf b/salt/logstash/files/conf.d/6000_bro.conf
deleted file mode 100644
index 8552030d2..000000000
--- a/salt/logstash/files/conf.d/6000_bro.conf
+++ /dev/null
@@ -1,136 +0,0 @@
-# Original Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Updated by: Doug Burks
-# Last Update: 5/16/2017
-#
-# This conf file is based on accepting logs for conn.log from Bro systems
-filter {
-  if "bro" in [tags] {
-    if [duration] == "-" {
-      mutate {
-        replace => [ "duration", "0" ]
-      }
-    }
-    if [original_bytes] == "-" {
-      mutate {
-        replace => [ "original_bytes", "0" ]
-      }
-    }
-    # If MissedBytes is unspecified set it to zero so it is an integer
-    if [missed_bytes] == "-" {
-      mutate {
-        replace => [ "missed_bytes", "0" ]
-      }
-    }
-    # If OriginalIPBytes is unspecified set it to zero so it is an integer
-    if [original_ip_bytes] == "-" {
-      mutate {
-        replace => [ "original_ip_bytes", "0" ]
-      }
-    }
-    # If RespondBytes is unspecified set it to zero so it is an integer
-    if [respond_bytes] == "-" {
-      mutate {
-        replace => [ "respond_bytes", "0" ]
-      }
-    }
-    # If RespondIPBytes is unspecified set it to zero so it is an integer
-    if [respond_ip_bytes] == "-" {
-      mutate {
-        replace => [ "respond_ip_bytes", "0" ]
-      }
-    }
-    if [source_port] == "-" {
-      mutate {
-        remove_field => ["source_port"]
-      }
-    }
-    if [destination_port] == "-" {
-      mutate {
-        remove_field => ["destination_port"]
-      }
-    }
-    if [virtual_host] == "-" {
-      mutate {
-        remove_field => ["virtual_host"]
-      }
-    }
-
-    # I renamed conn_uids to uid so that it is easy to pivot to all things tied to a connection
-    mutate {
-       rename => [ "connection_uids", "uid" ]
-    }
-    # If total_bytes is set to "-" change it to 0 so it is an integer
-    if [total_bytes] == "-" {
-      mutate {
-        replace => [ "total_bytes", "0" ]
-      }
-    }
-    # If seen_bytes is set to "-" change it to 0 so it is an integer
-    if [seen_bytes] == "-" {
-      mutate {
-        replace => [ "seen_bytes", "0" ]
-      }
-    }
-    # If missing_bytes is set to "-" change it to 0 so it is an integer
-    if [missing_bytes] == "-" {
-      mutate {
-        replace => [ "missing_bytes", "0" ]
-      }
-    }
-    # If pverflow_bytes is set to "-" change it to 0 so it is an integer
-    if [overflow_bytes] == "-" {
-      mutate {
-        replace => [ "overflow_bytes", "0" ]
-      }
-    }
-    # I recommend changing the field types below to integer or floats so searches can do greater than or less than
-    # and also so math functions can be ran against them
-    mutate {
-      convert => [ "bound_port", "integer" ]
-      convert => [ "data_channel_destination_port", "integer" ]
-      convert => [ "destination_port", "integer" ]
-      convert => [ "depth", "integer" ]
-      convert => [ "duration", "float" ]
-      convert => [ "info_code", "integer" ]
-      convert => [ "missed_bytes", "integer" ]
-      convert => [ "missing_bytes", "integer" ]
-      convert => [ "n", "integer" ]
-      convert => [ "original_bytes", "integer" ]
-      convert => [ "original_packets", "integer" ]
-      convert => [ "original_ip_bytes", "integer" ]
-      convert => [ "overflow_bytes", "integer" ]
-      convert => [ "p", "integer" ]
-      convert => [ "query_class", "integer" ]
-      convert => [ "query_type", "integer" ]
-      convert => [ "rcode", "integer" ]
-      convert => [ "request_body_length", "integer" ]
-      convert => [ "request_port", "integer" ]
-      convert => [ "respond_bytes", "integer" ]
-      convert => [ "respond_packets", "integer" ]
-      convert => [ "respond_ip_bytes", "integer" ]
-      convert => [ "response_body_length", "integer" ]
-      convert => [ "seen_bytes", "integer" ]
-      convert => [ "source_port", "integer" ]
-      convert => [ "status_code", "integer" ]
-      convert => [ "suppress_for", "float" ]
-      convert => [ "total_bytes", "integer" ]
-      convert => [ "trans_depth", "integer" ]
-      convert => [ "transaction_id", "integer" ]
-      lowercase => [ "query" ]
-      #remove_field => [ "timestamp" ]
-    }
-
-    # Combine OriginalBytes and RespondBytes and save the value to total_bytes
-    if [original_bytes] {
-      if [respond_bytes] {
-        ruby {
-          code => "event.set('total_bytes', event.get('original_bytes') + event.get('respond_bytes'))"
-        }
-      }
-    }
-	mutate {
-		#add_tag => [ "conf_file_6000"]
-	}
-  }
-}
diff --git a/salt/logstash/files/conf.d/6001_bro_import.conf b/salt/logstash/files/conf.d/6001_bro_import.conf
deleted file mode 100644
index abbac3cd6..000000000
--- a/salt/logstash/files/conf.d/6001_bro_import.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-# Updated by: Doug Burks
-# Last Update: 5/16/2017
-#
-# If we're importing old Bro logs, let's use the original Bro timestamp instead of the time of import
-filter {
-  if "import" in [tags] and "bro" in [tags] {
-	date {
-        	match => [ "timestamp", "UNIX" ]
-	}
-	mutate {
-	  #add_tag => [ "conf_file_6001"]
-	}
-  }
-}
diff --git a/salt/logstash/files/conf.d/6002_syslog.conf b/salt/logstash/files/conf.d/6002_syslog.conf
deleted file mode 100644
index f82f81a25..000000000
--- a/salt/logstash/files/conf.d/6002_syslog.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# Updated by: Doug Burks
-# Last Update: 5/16/2017
-#
-filter {
-  if "syslog" in [tags] {
-	mutate {
-		#convert => [ "status_code", "integer" ]
-	  #add_tag => [ "conf_file_6002"]
-	}
-  }
-}
diff --git a/salt/logstash/files/conf.d/6101_switch_brocade.conf b/salt/logstash/files/conf.d/6101_switch_brocade.conf
deleted file mode 100644
index dd2f3126c..000000000
--- a/salt/logstash/files/conf.d/6101_switch_brocade.conf
+++ /dev/null
@@ -1,33 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [type] == "brocade" {
-    grok {
-      match => ["message", "<%{DATA}>%{GREEDYDATA:sys_message}"]
-    }
-    grok {
-      match => { "sys_message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid:int}\])?: %{GREEDYDATA:syslog_message}" }
-      add_field => [ "received_at", "%{@timestamp}" ]
-    }
-    if [syslog_message] =~ "Interface ethernet" or [syslog_program] == "PORT" {
-      grok {
-        match => { "syslog_message" => "%{DATA}%{INT:unit}\/%{INT:interface_type}\/%{INT:interface:int}" }
-      }
-      mutate {
-        add_field => { "interface_port" => "%{unit}/%{interface_type}/%{interface}" }
-      }
-    }
-    date {
-      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
-      timezone => "America/Chicago"
-      remove_field => "syslog_timestamp"
-      remove_field => "received_at"
-    }
-	mutate {
-		#add_tag => [ "conf_file_6101"]
-	}
-  }
-}
diff --git a/salt/logstash/files/conf.d/6200_firewall_fortinet.conf b/salt/logstash/files/conf.d/6200_firewall_fortinet.conf
deleted file mode 100644
index b33c89bb8..000000000
--- a/salt/logstash/files/conf.d/6200_firewall_fortinet.conf
+++ /dev/null
@@ -1,281 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [type] == "fortinet" {
-    mutate {
-      gsub => [ "message", "= ", "=NA " ]
-    }
-
-    grok {
-       match => ["message", "type=%{DATA:event_type}\s+"]
-       tag_on_failure => []
-    }
-    grok {
-       match => ["message", "<%{DATA}>%{GREEDYDATA:kv}"]
-       tag_on_failure => []
-    }
-    kv {
-      source => "kv"
-      exclude_keys => [ "type" ]
-    }
-    mutate {
-      gsub => [ "log", "= ", "=NA " ]
-    }
-    kv {
-      source => "log"
-      target => "SubLog"
-    }
-    grok {
-       match => ["message", "custom: DOM-ALL, dns_query=%{DATA:dns_query};"]
-       tag_on_failure => [ "" ]
-    }
-    mutate {
-      rename => {  "action" => "action" }
-      rename => {  "addr" => "addr_ip" }
-      rename => {  "age" => "age" }
-      rename => {  "assigned" => "assigned_ip" }
-      rename => {  "assignip" => "assign_ip" }
-      rename => {  "ap" => "access_point" }
-      rename => {  "app" => "application" }
-      rename => {  "appcat" => "application_category" }
-      rename => {  "applist" => "application_list" }
-      rename => {  "apprisk" => "application_risk" }
-      rename => {  "approfile" => "accessPoint_profile" }
-      rename => {  "apscan" => "access_point_scan" }
-      rename => {  "apstatus" => "acces_point_status" }
-      rename => {  "aptype" => "access_point_type" }
-      rename => {  "authproto" => "authentication_protocol" }
-      rename => {  "bandwidth" => "bandwidth" }
-      rename => {  "banned_src" => "banned_source" }
-      rename => {  "cat" => "category" }
-      rename => {  "catdesc" => "category_description" }
-      rename => {  "cfgattr" => "configuration_attribute" }
-      rename => {  "cfgobj" => "configuration_object" }
-      rename => {  "cfgpath" => "configuration_path" }
-      rename => {  "cfgtid" => "configuration_transaction_id" }
-      rename => {  "channel" => "channel" }
-      rename => {  "community" => "community" }
-      rename => {  "cookies" => "cookies" }
-      rename => {  "craction" => "cr_action" }
-      rename => {  "crlevel" => "cr_level" }
-      rename => {  "crscore" => "cr_score" }
-      rename => {  "datarange" => "data_range" }
-      rename => {  "desc" => "description" }
-      rename => {  "detectionmethod" => "detection_method" }
-      rename => {  "devid" => "device_id" }
-      rename => {  "devname" => "device_name" }
-      rename => {  "devtype" => "device_type" }
-      rename => {  "dhcp_msg" => "dhcp_message" }
-      rename => {  "disklograte" => "disk_lograte" }
-      rename => {  "dstcountry" => "destination_country" }
-      rename => {  "dstintf" => "destination_interface" }
-      rename => {  "dstip" => "destination_ip" }
-      rename => {  "dstport" => "destination_port" }
-      rename => {  "duration" => "elapsed_time" }
-      rename => {  "error_num" => "error_number" }
-      rename => {  "espauth" => "esp_authentication" }
-      rename => {  "esptransform" => "esp_transform" }
-      rename => {  "eventid" => "event_id" }
-      rename => {  "eventtype" => "event_type" }
-      rename => {  "fazlograte" => "faz_lograte" }
-      rename => {  "filename" => "file_name" }
-      rename => {  "filesize" => "file_size" }
-      rename => {  "filetype" => "file_type" }
-      rename => {  "hostname" => "hostname" }
-      rename => {  "ip" => "source_ip" }
-      rename => {  "localip" => "source_ip" }
-      rename => {  "locip" => "local_ip" }
-      rename => {  "locport" => "source_port" }
-      rename => {  "logid" => "log_id" }
-      rename => {  "logver" => "log_version" }
-      rename => {  "manuf" => "manufacturer" }
-      rename => {  "mem" => "memory" }
-      rename => {  "meshmode" => "mesh_mode" }
-      rename => {  "msg" => "message" }
-      rename => {  "nextstat" => "next_stat" }
-      rename => {  "onwire" => "on_wire" }
-      rename => {  "osname" => "os_name" }
-      rename => {  "osversion" => "unauthenticated_user" }
-      rename => {  "outintf" => "outbound_interface" }
-      rename => {  "peer_notif" => "peer_notification" }
-      rename => {  "phase2_name" => "phase2_name" }
-      rename => {  "policyid" => "policy_id" }
-      rename => {  "policytype" => "policy_type" }
-      rename => {  "port" => "port" }
-      rename => {  "probeproto" => "probe_protocol" }
-      rename => {  "proto" => "protocol_number" }
-      rename => {  "radioband" => "radio_band" }
-      rename => {  "radioidclosest" => "radio_id_closest" }
-      rename => {  "radioiddetected" => "radio_id_detected" }
-      rename => {  "rcvd" => "bytes_received" }
-      rename => {  "rcvdbyte" => "bytes_received" }
-      rename => {  "rcvdpkt" => "packets_received" }
-      rename => {  "remip" => "destination_ip" }
-      rename => {  "remport" => "remote_port" }
-      rename => {  "reqtype" => "request_type" }
-      rename => {  "scantime" => "scan_time" }
-      rename => {  "securitymode" => "security_mode" }
-      rename => {  "sent" => "bytes_sent" }
-      rename => {  "sentbyte" => "bytes_sent" }
-      rename => {  "sentpkt" => "packets_sent" }
-      rename => {  "session_id" => "session_id" }
-      rename => {  "setuprate" => "setup_rate" }
-      rename => {  "sn" => "serial" }
-      rename => {  "snclosest" => "serial_closest_access_point" }
-      rename => {  "sndetected" => "serial_access_point_that_detected_rogue_ap" }
-      rename => {  "snmeshparent" => "serial_mesh_parent" }
-      rename => {  "srccountry" => "source_country" }
-      rename => {  "srcip" => "source_ip" }
-      rename => {  "srcmac" => "source_mac" }
-      rename => {  "srcname" => "source_name" }
-      rename => {  "srcintf" => "source_interface" }
-      rename => {  "srcport" => "source_port" }
-      rename => {  "stacount" => "station_count" }
-      rename => {  "stamac" => "static_mac" }
-      rename => {  "srccountry" => "source_country" }
-      rename => {  "srcip" => "source_ip" }
-      rename => {  "srcmac" => "source_mac" }
-      rename => {  "srcname" => "source_name" }
-      rename => {  "sn" => "serial" }
-      rename => {  "srcintf" => "source_interface" }
-      rename => {  "srcport" => "source_port" }
-      rename => {  "total" => "total_bytes" }
-      rename => {  "totalsession" => "total_sessions" }
-      rename => {  "trandisp" => "nat_translation_type" }
-      rename => {  "tranip" => "nat_destination_ip" }
-      rename => {  "tranport" => "nat_destination_port" }
-      rename => {  "transip" => "nat_source_ip" }
-      rename => {  "transport" => "nat_source_port" }
-      rename => {  "tunnelid" => "tunnel_id" }
-      rename => {  "tunnelip" => "tunnel_ip" }
-      rename => {  "tunneltype" => "tunnel_type" }
-      rename => {  "unauthuser" => "unauthenticated_user_source" }
-      rename => {  "unauthusersource" => "os_version" }
-      rename => {  "vendorurl" => "vendor_url" }
-      rename => {  "vpntunnel" => "vpn_tunnel" }
-      rename => {  "vulncat" => "vulnerability_category" }
-      rename => {  "vulncmt" => "vulnerability_count" }
-      rename => {  "vulnid" => "vulnerability_id" }
-      rename => {  "vulnname" => "vulnerability_name" }
-      rename => {  "vulnref" => "vulnerability_reference" }
-      rename => {  "vulnscore" => "vulnerability_score" }
-      rename => {  "xauthgroup" => "x_authentication_group" }
-      rename => {  "xauthuser" => "x_authentication_user" }
-      rename => {  "[SubLog][appid]" => "sub_application_id" }
-      rename => {  "[SubLog][devid]" => "sub_device_id" }
-      rename => {  "[SubLog][dstip]" => "sub_destination_ip" }
-      rename => {  "[SubLog][srcip]" => "sub_source_ip" }
-      rename => {  "[SubLog][dstport]" => "sub_destination_port" }
-      rename => {  "[SubLog][eventtype]" => "sub_event_type" }
-      rename => {  "[SubLog][proto]" => "sub_protocol_number" }
-      rename => {  "[SubLog][date]" => "sub_date" }
-      rename => {  "[SubLog][time]" => "sub_time" }
-      rename => {  "[SubLog][srcport]" => "sub_source_port" }
-      rename => {  "[SubLog][subtype]" => "sub_subtype" }
-      rename => {  "[SubLog][devname]" => "sub_device_name" }
-      rename => {  "[SubLog][itime]" => "sub_itime" }
-      rename => {  "[SubLog][level]" => "sub_level" }
-      rename => {  "[SubLog][logid]" => "sub_log_id" }
-      rename => {  "[SubLog][logver]" => "sub_log_version" }
-      rename => {  "[SubLog][type]" => "sub_event_type" }
-      rename => {  "[SubLog][vd]" => "sub_vd" }
-      rename => {  "[SubLog][action]" => "sub_action" }
-      rename => {  "[SubLog][logdesc]" => "sub_destination_ip" }
-      rename => {  "[SubLog][policyid]" => "sub_olicy_id" }
-      rename => {  "[SubLog][reason]" => "sub_reason" }
-      rename => {  "[SubLog][service]" => "sub_service" }
-      rename => {  "[SubLog][sessionid]" => "sub_session_id" }
-      rename => {  "[SubLog][src]" => "sub_source_ip" }
-      rename => {  "[SubLog][status]" => "sub_status" }
-      rename => {  "[SubLog][ui]" => "sub_ui" }
-      rename => {  "[SubLog][urlfilteridx]" => "sub_url_filter_idx" }
-      strip => [ "bytes_sent", "bytes_received" ]
-      convert => [ "bytes_sent", "integer" ]
-      convert => [ "bytes_received", "integer" ]
-      convert => [ "cr_score", "integer" ]
-      convert => [ "cr_action", "integer" ]
-      convert => [ "elapsed_time", "integer" ]
-      convert => [ "destination_port", "integer" ]
-      convert => [ "source_port", "integer" ]
-      convert => [ "local_port", "integer" ]
-      convert => [ "remote_port", "integer" ]
-      convert => [ "packets_sent", "integer" ]
-      convert => [ "packets_received", "integer" ]
-      convert => [ "port", "integer" ]
-      convert => [ "ProtocolNumber", "integer" ]
-      convert => [ "XAuthUser", "string" ]
-      remove_field => [ "kv", "log" ]
-    }
-    if [tunnel_ip] == "N/A" {
-      mutate {
-        remove_field => [ "tunnel_ip" ]
-      }
-    }
-    if [nat_destination_ip] {
-      mutate {
-        add_field => { "ips" => [ "%{nat_destination_ip}" ] }
-        add_field => { "destination_ips" => [ "%{nat_destination_ip}" ] }
-      }
-    }
-    if [sub_destination_ip] {
-      mutate {
-        add_field => { "ips" => [ "%{sub_destination_ip}" ] }
-        add_field => { "destination_ips" => [ "%{sub_destination_ip}" ] }
-      }
-    }
-    if [nat_source_ip] {
-      mutate {
-        add_field => { "ips" => [ "%{nat_source_ip}" ] }
-        add_field => { "source_ips" => [ "%{nat_source_ip}" ] }
-      }
-    }
-    if [sub_source_ip] {
-      mutate {
-        add_field => { "ips" => [ "%{sub_source_ip}" ] }
-        add_field => { "source_ips" => [ "%{sub_source_ip}" ] }
-      }
-    }
-    if [addr_ip] {
-      mutate {
-        add_field => { "ips" => [ "%{addr_ip}" ] }
-      }
-    }
-    if [assign_ip] {
-      mutate {
-        add_field => { "ips" => [ "%{assign_ip}" ] }
-      }
-    }
-    if [assigned_ip] {
-      mutate {
-        add_field => { "ips" => [ "%{assigned_ip}" ] }
-      }
-    }
-    grok {
-       match => ["message", "type=%{DATA:event_type}\s+"]
-    }
-    if [date] and [time] {
-      mutate {
-        add_field => { "receive_time" => "%{date} %{time}" }
-        remove_field => [ "date", "time" ]
-      }
-      date {
-        timezone => "America/Chicago"
-        match => [ "receive_time", "YYYY-MM-dd HH:mm:ss" ]
-        target => "receive_time"
-      }
-      mutate {
-        rename => { "receive_time" => "@timestamp" }
-      }
-    } else {
-      mutate {
-        add_tag => [ "missing_date" ]
-      }
-    }
-	mutate {
-		#add_tag => [ "conf_file_6200"]
-	}
-  }
-}
diff --git a/salt/logstash/files/conf.d/6201_firewall_pfsense.conf b/salt/logstash/files/conf.d/6201_firewall_pfsense.conf
deleted file mode 100644
index c964747e0..000000000
--- a/salt/logstash/files/conf.d/6201_firewall_pfsense.conf
+++ /dev/null
@@ -1,33 +0,0 @@
-# Author: Wes Lambert
-# Last Update: 11/06/2017
-
-
-filter {
-  if [type] == "filterlog" {
-    grok {
-      match => ["message", "(%{NONNEGINT:rule_number})?\,(%{NONNEGINT:sub_rule_number})?\,(%{DATA:anchor})?\,(%{NONNEGINT:tracker_id})?\,%{DATA:interface}\,%{DATA:reason}\,%{DATA:action}\,%{DATA:direction}\,%{NONNEGINT:ip_version},%{GREEDYDATA:sub_msg}"]
-    }
-    if [ip_version] =~ "4" {
-      csv {
-        source => [sub_msg]
-	columns => ["ipv4_tos","ipv4_ecn","ipv4_ttl","ipv4_id","ipv4_offset", "ipv4_flags","ipv4_protocol_id","ipv4_protocol","ipv4_protocol_length","source_ip","destination_ip","source_port","destination_port","data_length","tcp_flags","sequence_number","ack","window","urg","options"]
-      	separator => ","
-      }
-    }
-    if [ip_version] =~ "6" {
-      csv {
-        source => [sub_msg]
-	columns => ["class","flow_label","hop_limit","protocol","protocol_id","length","source_ip","destination_ip","source_port","destination_port","data_length"]
-        separator => ","
-      }
-    }
-    mutate {
-      convert => [ "destination_port", "integer" ]
-      convert => [ "source_port", "integer" ]    
-      convert => [ "ip_version", "integer" ]
-      replace => { "type" => "firewall" }
-      add_tag=>  [ "pfsense","firewall" ]
-      remove_field => [ "sub_msg" ]
-    }
-  }
-}
diff --git a/salt/logstash/files/conf.d/6300_windows.conf b/salt/logstash/files/conf.d/6300_windows.conf
deleted file mode 100644
index 34450af2b..000000000
--- a/salt/logstash/files/conf.d/6300_windows.conf
+++ /dev/null
@@ -1,161 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [type] == "windows" {
-#    json {
-#      source => "message"
-#    }
-    date {
-      match => ["EventTime", "YYYY-MM-dd HH:mm:ss"]
-      remove_field => [ "EventTime" ]
-    }
-    if [EventID] == 4634 {
-      mutate {
-        add_tag => [ "logoff" ]
-      }
-    }
-    if [EventID] == 4624 or [EventID] == 528 or [EventID] == 540 or [EventID] == 552 or [EventID] == 682 or [EventID] == 4648 or [EventID] == 4778 {
-      mutate {
-        add_tag => [ "logon" ]
-        add_tag => [ "alert_data" ]
-      }
-    }
-    if [EventID] == 529 or [EventID] == 4625 or [EventID] == 530 or [EventID] == 531 or [EventID] == 532 or [EventID] == 533 or [EventID] == 534 or [EventID] == 535 or [EventID] == 536 or [EventID] == 536 or [EventID] == 537 or [EventID] == 538 or [EventID] == 539 or [EventID] == 4625 or [EventID] == 4771 {
-      mutate {
-        add_tag => [ "logon_failure" ]
-        add_tag => [ "alert_data" ]
-      }
-    }
-    # Critical event IDs to monitor
-    if [EventID] == 7030 or [EventID] == 4720 or [EventID] == 4722 or [EventID] == 4724 or [EventID] == 4738 or [EventID] == 4732 or [EventID] == 1102 or [EventID] == 1056 or [EventID] == 2003 or [EventID] == 2005 or [EventID] == 8003 or [EventID] == 8004 or [EventID] == 8006 or [EventID] == 8007 {
-      mutate {
-        add_tag => [ "alert_data" ]
-      }
-    }
-    # Critical event IDs to monitor
-    if [EventID] == 5152 { drop {} }
-    if [EventID] == 4688 { drop {} }
-    if [EventID] == 4689 { drop {} } # Process Termination:Not needed due to Sysmon
-    if [Channel] == "Microsoft-Windows-Known Folders API Service" { drop {} }
-    if [EventID] == 3 and [SourceIp] =~ "255$" { drop {} }
-    if [EventID] == 3 and [DestinationIp] =~ "255$" { drop {} }
-    # Whitelist/Blacklist check
-    if [EventID] == 7045 {
-      translate {
-        field => "ServiceName"
-        destination => "ServiceCheck"
-        dictionary_path => "/lib/dictionaries/services.yaml"
-      }
-    }
-    if [EventID] == 7045 and !([ServiceCheck]) {
-      mutate {
-        add_tag => [ "alert_data","new_service" ] 
-      }
-    }
-    if [ServiceCheck] == 'whitelist' {
-      mutate {
-        remove_field => [ "ServiceCheck" ]
-        add_tag => [ "whitelist" ]
-      }
-    }
-    if [ServiceCheck] == 'blacklist' {
-      mutate {
-        remove_field => [ "ServiceCheck" ]
-        add_tag => [ "blacklist" ]
-      }
-    }
-    if [EventID] == 5158 {
-      if [Application] == "System" { drop {} }
-      if [Application] =~ "\\windows\\system32\\spoolsv\.exe" { drop {} }
-      if [Application] =~ "\\windows\\system32\\wbem\\wmiprvse\.exe" { drop {} }
-      if [Application] =~ "mcafee" { drop {} }
-      if [Application] =~ "carestream" { drop {} }
-      if [Application] =~ "Softdent" { drop {} }
-    }
-    if [ProcessName] == "C:\\Windows\\System32\\wbem\\WmiPrvSE\.exe" and [SubjectUserName] == "SolarwindsHO" { drop {} }
-    if [EventID] == 4690 { drop {} }
-    if [EventID] == 861 and [AccountName] == "ntp" { drop {} }
-    if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\lsass\.exe$" { drop {} }
-    if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\svchost\.exe$" { drop {} }
-    if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\dfsrs\.exe$" { drop {} }
-    if [EventID] == 5447 { drop {} }
-
-    mutate {
-      rename => [ "AccountName", "user" ]
-      rename => [ "AccountType", "account_type" ]
-      rename => [ "ActivityID", "activity_id" ]
-      rename => [ "Category", "category" ]
-      rename => [ "ClientAddress", "client_ip" ]
-      rename => [ "Channel", "channel" ]
-      rename => [ "DCIPAddress", "domain_controller_ip" ]
-      rename => [ "DCName", "domain_controller_name" ]
-      rename => [ "EventID", "event_id" ]
-      rename => [ "EventReceivedTime", "event_received_time" ]
-      rename => [ "EventType", "event_type" ]
-      rename => [ "GatewayIPAddress", "gateway_ip" ]
-      rename => [ "IPAddress", "client_ip" ]
-      rename => [ "Ipaddress", "client_ip" ]
-      rename => [ "IpAddress", "client_ip" ]
-      rename => [ "IPPort", "source_port" ]
-      rename => [ "OpcodeValue", "opcode_value" ]
-      rename => [ "PreAuthType", "preauthentication_type" ]
-      rename => [ "PrincipleSAMName", "user" ]
-      rename => [ "ProcessID", "process_id" ]
-      rename => [ "ProviderGUID", "providerguid" ]
-      rename => [ "RecordNumber", "record_number" ]
-      rename => [ "RemoteAddress", "destination_ip" ]
-      rename => [ "ServiceName", "service_name" ]
-      rename => [ "ServiceID", "service_id" ]
-      rename => [ "SeverityValue", "severity_value" ]
-      rename => [ "SourceAddress", "client_ip" ]
-      rename => [ "SourceModuleName", "source_module_name" ]
-      rename => [ "SourceModuleType", "source_module_type" ]
-      rename => [ "SourceName", "source_name" ]
-      rename => [ "SubjectUserName", "user" ]
-      rename => [ "TaskName", "task_name" ]
-      rename => [ "TargetDomainName", "target_domain_name" ]
-      rename => [ "TargetUserName", "user" ]
-      rename => [ "ThreadID", "thread_id" ]
-      rename => [ "User_ID", "user" ]
-      rename => [ "UserID", "user" ]
-      rename => [ "username", "user" ]
-    }
-    # For any accounts that are service accounts or special accounts add the tag of service_account
-    # This example applies the tag to any username that starts with SVC_.  If you use a different
-    # standard change this.
-    if [user] =~ "^DWM-*" or [user] == "SYSTEM" or [user] == "NETWORK SERVICE" or [user] == "LOCAL SERVICE" or [user] =~ "^SVC_*" {
-      mutate {
-        add_tag => [ "service_account" ]
-      }
-    }
-    # This looks for events that are typically noisy but may be of use for deep dive investigations
-    # A tag of noise is added to quickly filter out noise
-    if [event_id] == 7036 or [source_name] == "Desktop Window Manager" or [category] == "Engine Lifecycle" or [category] == "Provider Lifecycle" {
-      mutate {
-        add_tag => [ "noise" ]
-      }
-    }
-    #Identify machine accounts
-    if [user] =~ /\$/ {
-      mutate {
-        add_tag => [ "machine", "noise" ]
-      }
-    }
-    # Lower case all field names
-    ruby {
-      code => "
-        event_hash = event.to_hash
-        new_event = {}
-        event_hash.keys.each do |key|
-        new_event[key.downcase] = event[key]
-        end
-        event.instance_variable_set(:@data, new_event)"
-    }
-	mutate {
-		#add_tag => [ "conf_file_6300"]
-	}
-  }
-}
diff --git a/salt/logstash/files/conf.d/6301_dns_windows.conf b/salt/logstash/files/conf.d/6301_dns_windows.conf
deleted file mode 100644
index 1ef5077a6..000000000
--- a/salt/logstash/files/conf.d/6301_dns_windows.conf
+++ /dev/null
@@ -1,49 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [type] == "dns" and "bro" not in [tags] {
-    json {
-      source => "message"
-    }
-    # strip whitespace from message field
-    mutate {
-      strip => "message"
-    }
-    # If the message is blank, drop the log
-    if [Message] =~ /^$/ {
-      drop {  }
-    } else {
-      if [type] == "dns" {
-  	  # This section is lookup for a match against the log and parsing out the fields
-        grok {
-          match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
-          match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
-          match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
-          match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
-          match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
-          # Server 2003 DNS logs do not include slashes or AM/PM in timestamp
-          match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
-          match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
-          match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
-          match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
-          match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
-          remove_field => [ "Message" ]
-        }
-  	  # This section attempts to convert the dns_domain into the traditional domain.com format
-        mutate {
-          gsub => [ "dns_domain", "(\(\d+\))", "." ]
-        }
-        grok {
-          match => { "dns_domain" => "\.%{DATA:query}\.$" }
-          remove_field => [ "dns_domain" ]
-        }
-      }
-    }
-	mutate {
-		#add_tag => [ "conf_file_6301"]
-	}
-  }
-}
diff --git a/salt/logstash/files/conf.d/6400_suricata.conf b/salt/logstash/files/conf.d/6400_suricata.conf
deleted file mode 100644
index 11f185ddf..000000000
--- a/salt/logstash/files/conf.d/6400_suricata.conf
+++ /dev/null
@@ -1,92 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-#
-# This conf file is based on accepting logs for suricata json events
-filter {
-  if [type] == "suricata" {
-    if "test_data" not in [tags] {
-      date {
-        match => [ "timestamp", "ISO8601" ]
-      }
-    } else {
-      mutate {
-        remove_field => [ "netflow.start","netflow.end","timestamp" ]
-      }
-    }
-    if [event_type] == "fileinfo" {
-      ruby {
-        code => "if event['event_type'] == 'fileinfo'; event['fileinfo']['type']=event['fileinfo']['magic'].to_s.split(',')[0]; end;" 
-      }
-    }
-	# I recommend renaming the fields below to be consistent with other log sources.  This makes it easy to "pivot" between logs
-    mutate {
-      rename => [ "src_ip", "source_ip" ]
-      rename => [ "dest_ip", "destination_ip" ]
-      rename => [ "src_port", "source_port" ]
-      rename => [ "dest_port", "destination_port" ]
-    }
-	# This will translate the alert.severity field into a severity field of either High, Medium, or Low
-    if [event_type] == "alert" {
-      if [alert][severity] == 1 {
-        mutate {
-          add_field => { "severity" => "High" }
-        }
-      }
-      if [alert][severity] == 2 {
-        mutate {
-          add_field => { "severity" => "Medium" }
-        }
-      }
-      if [alert][severity] == 3 {
-        mutate {
-          add_field => { "severity" => "Low" }
-        }
-      }
-	  # If the alert is a Snort GPL alert break it apart for easier reading and categorization
-      if [alert][signature] =~ "GPL " {
-	    # This will parse out the category type from the alert
-        grok {
-          match => { "[alert][signature]" => "GPL\s+%{DATA:category}\s" }
-        }
-		# This will store the category
-        mutate {
-          add_field => { "rule_type" => "Snort GPL" }
-          lowercase => [ "category" ]
-        }
-      }
-	  # If the alert is an Emerging Threat alert break it apart for easier reading and categorization
-      if [alert][signature] =~ "ET " {
-	    # This will parse out the category type from the alert
-        grok {
-          match => { "[alert][signature]" => "ET\s+%{DATA:category}\s" }
-        }
-		# This will store the category
-        mutate {
-          add_field => { "rule_type" => "Emerging Threats" }
-          lowercase => [ "category" ]
-        }
-      }
-	  # This section adds URLs to lookup information about a rule online
-      if [rule_type] == "Snort GPL" {
-        mutate {
-          add_field => [ "signature_info", "https://www.snort.org/search?query=%{[alert][gid]}-%{[alert][signature_id]}" ]
-        }
-      }
-      if [rule_type] == "Emerging Threats" {
-        mutate {
-          add_field => [ "signature_info", "http://doc.emergingthreats.net/%{[alert][signature_id]}" ]
-        }
-      }
-    }
-    if "_grokparsefailure" not in [tags] and "_csvparsefailure" not in [tags] and "_jsonparsefailure" not in [tags] {
-    #  mutate {
-    #    remove_field => [ "message" ]
-    #  }
-    }
-	mutate {
-		#add_tag => [ "conf_file_6400"]
-	}
-  }
-}
diff --git a/salt/logstash/files/conf.d/6500_ossec.conf b/salt/logstash/files/conf.d/6500_ossec.conf
deleted file mode 100644
index c1f17b424..000000000
--- a/salt/logstash/files/conf.d/6500_ossec.conf
+++ /dev/null
@@ -1,83 +0,0 @@
-# Author: Wes Lambert
-# wlambertts@gmail.com
-#
-# Last Update: 05/21/2017
-#
-# This conf file is based on accepting logs from OSSEC
-#
-# Parse using grok
-filter {
-  # OSSEC Logs and Alerts
-  if [type] == "ossec" {
-      grok {
-      match => ["message", "Alert Level: %{NONNEGINT;alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; user: +%{DATA:user}; %{SYSLOGTIMESTAMP} %{DATA:host} %{DATA:process}\[%{INT:pid}]: %{GREEDYDATA:details}", 
-		"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}",
-		"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}", 
-		"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: +%{DATA:user} : TTY=%{DATA:tty} ; PWD=%{DATA:dir} ; USER=%{DATA:escalated_user} ; COMMAND=%{GREEDYDATA:command}", 
-		"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: %{GREEDYDATA:details}", 
-		"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: +%{DATA:user} : %{GREEDYDATA:details}",  
-		"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; srcip: %{IP:source_ip};%{GREEDYDATA:details}", 
-		"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA:user}: %{DATA}: \'%{DATA}': %{DATA:interface}: %{INT:num_packets}",
-		"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA:user}: %{GREEDYDATA:details}.",
-		"message", "Alert Level: %{NONNEGINT:alert_Level}; Rule: %{NONNEGINT:Rule} - %{DATA:Description}; Location: %{DATA:location}; user: +%{DATA:user};",
-		"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA}: %{DATA}: \'%{DATA}': %{DATA:interface}: %{NONNEGINT:num_packets}",
-		"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{GREEDYDATA:details}"]
-      # Add tag for OSSEC alerts
-      add_tag => [ "alert" ]
-      }
-      translate {
-       field => "alert_level"
-
-       destination => "classification"
-
-       dictionary => [
-                    "1", "None",
-		    "2", "System low priority notification",
-		    "3", "Successful/authorized event",
-		    "4", "System low priority error",
-		    "5", "User generated error",
-		    "6", "Low relevance attack",
-		    "7", '"Bad word" matching',
-		    "8", "First time seen",
-		    "9", "Error from invalid source",
-		    "10", "Multiple user generated errors",
-		    "11", "Integrity checking warning",
-		    "12", "High importance event",
-		    "13", "Unusal error (high importance)",
-		    "14", "High importance security event",
-		    "15", "Severe attack"
-                    ]
-      }
-     }
-
-  if [type] == "ossec" and "alert" not in [tags] {
-      grok {
-      match => ["message", "%{DATA:user} : TTY=%{DATA:tty} ; PWD=%{DATA:dir} ; USER=%{DATA:escalated_user} ; COMMAND=%{GREEDYDATA:command}"]
-     }
-  }
-
- 
-  # OSSEC Archive Logs
-  if [type] == "ossec_archive" {
-      grok {
-      match => ["message",'%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{IP:source_ip} - %{DATA:user} \[%{DATA:request_timestamp}] "%{DATA:method} %{DATA:requested_resource} %{DATA:protocol}\/%{DATA:protocol_version}" %{NONNEGINT:status_code} %{NONNEGINT:object_size} "%{DATA:referrer}" "%{DATA:user_agent}"',
-		"message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{SYSLOGTIMESTAMP:ossec_timestamp} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: \(%{DATA:user}\) CMD \(%{DATA:command}\)",
-		"message", "%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{GREEDYDATA:details}","message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{SYSLOGTIMESTAMP:ossec_timestamp} %{DATA:ossec_host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}",
-		"message","%{DATA:age} %{DATA:program} %{DATA} '%{DATA:checksum}'"]
-      remove_field => [ "ossec_timestamp" ]
-      }
-      mutate {
-              convert => [ "status_code", "integer" ]
-      }
-  }
-
-  # Sysmon logs transported by OSSEC
-  if [type] =~ "ossec" {
-     if [message] =~ "WinEvtLog: Microsoft-Windows-Sysmon" {
-       mutate { replace => { "type" => "sysmon" } }
-     }
-     if [message] =~ "AR-LOG" {
-       mutate { replace => { "type" => "autoruns" } } 
-     }
-  }
-}
diff --git a/salt/logstash/files/conf.d/6501_ossec_sysmon.conf b/salt/logstash/files/conf.d/6501_ossec_sysmon.conf
deleted file mode 100644
index ecca99df1..000000000
--- a/salt/logstash/files/conf.d/6501_ossec_sysmon.conf
+++ /dev/null
@@ -1,81 +0,0 @@
-# Author: Wes Lambert
-# wlambertts@gmail.com
-#
-# Last Update: 07/14/2017
-#
-# This conf file is based on accepting Sysmon logs from OSSEC
-#
-# Parse using grok
-filter {
-  # OSSEC Logs and Alerts
-  if [type] == "sysmon" {
-    #mutate { replace => { "type" => "sysmon" } }
-    grok {
-#      match => ["message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{IP:source_ip}->WinEvtLog %{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION\(%{INT:sysmon_event_id}\):"]
-    match => ["message", "%{YEAR:year}%{SPACE}%{SYSLOGTIMESTAMP:timestamp}%{SPACE}%{DATA:location}%{SPACE}(any|%{IP:source_ip})->WinEvtLog%{SPACE}%{YEAR:year}%{SPACE}%{SYSLOGTIMESTAMP:ossec_timestamp}%{SPACE}WinEvtLog:%{SPACE}Microsoft-Windows-Sysmon/Operational:%{SPACE}INFORMATION\(%{INT:event_id}\):%{SPACE}%{GREEDYDATA:rest_of_msg}"]
-    }
-    mutate {
-      convert => ["event_id", "integer"]
-      remove_field => ["timestamp"]
-      remove_field => ["year"]
-    }
-  }
-  if [event_id] == 1 {
-    grok {
-      match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}%{DATA:process_name} %{DATA:process_arguments}%{SPACE}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:user}%{SPACE}LogonGuid:%{SPACE}\{%{DATA:logon_guid}\}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{SPACE}%{DATA:integrity_level}%{SPACE}Hashes:%{SPACE}MD5=%{DATA:md5},SHA256=%{DATA:sha256}%{SPACE}ParentProcessGuid:%{SPACE}\{%{DATA:parent_process_guid}\}%{SPACE}ParentProcessId:%{SPACE}%{NONNEGINT:parent_process_id}%{SPACE}ParentImage:%{SPACE}%{DATA:parent_image_path}%{SPACE}ParentCommandLine:%{SPACE}%{GREEDYDATA:parent_process_name}",
-		"rest_of_msg", 'Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}"%{DATA:process_name}"%{SPACE}%{DATA:process_arguments}%{SPACE}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:user}%{SPACE}LogonGuid:%{SPACE}\{%{DATA:logon_guid}\}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{DATA:integrity_level}',
-		"rest_of_msg", "Microsoft-Windows-Sysmon/Operational:%{SPACE}INFORMATION(%{INT:event_id}):%{SPACE}Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}{%{DATA:process_guid}}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}%{DATA:process_name}%{SPACE}%{DATA:process_arguments}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:user}%{SPACE}LogonGuid:%{SPACE}{%{DATA:logon_guid}}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{SPACE}%{DATA:integrity_level}%{SPACE}Hashes:%{SPACE}MD5=%{DATA:md5},SHA256=%{DATA:sha256}%{SPACE}ParentProcessGuid:%{SPACE}{%{DATA:parent_process_guid}}%{SPACE}ParentProcessId:%{SPACE}%{NONNEGINT:parent_process_id}%{SPACE}ParentImage:%{SPACE}%{DATA:parent_image_path}%{SPACE}ParentCommandLine:%{SPACE}%{GREEDYDATA:parent_process_name}"]
-    }
-    mutate {
-      convert => ["process_guid", "integer"]
-      convert => ["process_id", "integer"]
-      remove_field => ["rest_of_msg"]
-      add_tag => ["process_creation"]
-    }
-  }
-  if [event_id] == 3 {
-    mutate {
-      remove_field => ["source_ip"]
-    }
-    grok {
-      match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}User:%{SPACE}%{DATA:user}%{SPACE}Protocol:%{SPACE}%{DATA:protocol}%{SPACE}Initiated:%{SPACE}%{DATA:initiated}%{SPACE}SourceIsIpv6:%{SPACE}%{DATA:is_source_ipv6}%{SPACE}SourceIp:%{SPACE}%{IP:source_ip}%{SPACE}SourceHostname:%{SPACE}%{DATA:source_hostname}%{SPACE}SourcePort:%{SPACE}%{NONNEGINT:source_port}%{SPACE}SourcePortName:%{SPACE}%{DATA:source_port_name}%{SPACE}DestinationIsIpv6:%{SPACE}%{DATA:dest_is_ipv6}%{SPACE}DestinationIp:%{SPACE}%{IP:destination_ip}%{SPACE}DestinationHostname:%{SPACE}%{DATA:destination_hostname}%{SPACE}DestinationPort:%{SPACE}%{NONNEGINT:destination_port}%{SPACE}DestinationPortName:%{SPACE}%{GREEDYDATA:destination_port_name}"]
-    }
-    mutate {
-      convert => ["process_guid", "integer"]
-      convert => ["process_id", "integer"]
-      convert => ["source_port", "integer"]
-      convert => ["destination_port", "integer"]
-      remove_field => ["rest_of_msg"]
-      add_tag => ["network_connection"]
-    }
-  }
-  if [event_id] == 5 {
-    grok {
-      match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{GREEDYDATA:image_path}"]
-    }
-    mutate {
-      convert => ["process_guid", "integer"]
-      convert => ["process_id", "integer"]
-      remove_field => ["rest_of_msg"]
-      add_tag => ["process_termination"]
-    }
-  }
-  if [event_id] == 11 {
-    grok {
-      match => ["rest_of_msg","Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}TargetFilename:%{SPACE}%{DATA:target_filename}%{SPACE}CreationUtcTime:%{SPACE}%{DATA:creation_time}%{SPACE}"]
-    }
-    mutate {
-      convert => ["process_guid", "integer"]
-      convert => ["process_id", "integer"]
-      remove_field => ["rest_of_msg"]
-      add_tag => ["file_created"]
-    }
-  }
-#  if [sysmon_event_id] == "16" {
-#    grok {
-#    }
-#    mutate {
-#      add_tag => ["sysmon_config_changed"]
-#    }
-#  }
-}
diff --git a/salt/logstash/files/conf.d/6502_ossec_autoruns.conf b/salt/logstash/files/conf.d/6502_ossec_autoruns.conf
deleted file mode 100644
index 064b30455..000000000
--- a/salt/logstash/files/conf.d/6502_ossec_autoruns.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# Author: Wes Lambert
-# wlambertts@gmail.com
-#
-# Last Update: 07/17/2017
-#
-# This conf file is based on accepting Autoruns logs from OSSEC
-#
-# Parse using grok
-filter {
-  if [type] == "autoruns" {
-    grok {
-      match => ["message", "%{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} \(%{DATA:ossec_agent_name}\) %{IP:source_ip}->%{DATA:location} %{DATA:log_name}\|%{DATA:hostname}\|%{DATESTAMP:log_timestamp}\|%{DATA:event_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}"]
-    }
-    #csv {
-#      columns => ["log_name","entry_location","entry","enabled","category","autoruns_description","signer","company","image_path","version","launch_string","md5","sha1","pesha1","pesha256","sha256","imphash"]
-#      separator => "|"
-#      }
-    mutate {
-      remove_field => [ "year" ]
-      remove_field => [ "timestamp" ]
-    }
-  }
-}
diff --git a/salt/logstash/files/conf.d/8000_postprocess_bro_cleanup.conf b/salt/logstash/files/conf.d/8000_postprocess_bro_cleanup.conf
deleted file mode 100644
index 3998df8a4..000000000
--- a/salt/logstash/files/conf.d/8000_postprocess_bro_cleanup.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if "bro" in [tags] {
-    if "_grokparsefailure" not in [tags] and "_csvparsefailure" not in [tags] and "_jsonparsefailure" not in [tags] {
-      #mutate {
-      #  remove_field => [ "message" ]
-      #}
-    }
-	mutate {
-		#add_tag => [ "conf_file_8000"]
-	}
-  }
-}
diff --git a/salt/logstash/files/conf.d/8001_postprocess_common_ip_augmentation.conf b/salt/logstash/files/conf.d/8001_postprocess_common_ip_augmentation.conf
deleted file mode 100644
index d28449da6..000000000
--- a/salt/logstash/files/conf.d/8001_postprocess_common_ip_augmentation.conf
+++ /dev/null
@@ -1,58 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Updated by: Doug Burks
-# Last Update: 5/20/2017
-
-filter {
-  if [source_ip] {
-    if [source_ip] == "-" {
-      mutate {
-        replace => { "source_ip" => "0.0.0.0" }
-      }
-    }
-    if [source_ip] =~ "10\." or [source_ip] =~ "192\.168\." or [source_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." or [source_ip] =~ "fe80::20c:29ff:fe19:f7d" or [source_ip] =~ "::1" {
-	mutate {
-	}
-      } else {
-        geoip {
-          source => "[source_ip]"
-          target => "source_geo"
-        }
-      }
-    if [source_ip] {
-      mutate {
-        add_field => { "ips" => "%{source_ip}" }
-        add_field => { "source_ips" => [ "%{source_ip}" ] }
-      }
-    }
-  }
-  if [destination_ip] {
-    if [destination_ip] == "-" {
-      mutate {
-        replace => { "destination_ip" => "0.0.0.0" }
-      }
-    }
-    if [destination_ip] =~ "10\." or [destination_ip] =~ "192\.168\." or [destination_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." or [destination_ip] =~ "239.255.255.250" or [destination_ip] =~ "224\.0\.0\." or [destination_ip] =~ "255.255.255.255" or [destination_ip] =~ "ff02::fb" or [destination_ip] =~ "fe80::20c:29ff:fe19:f7d" or [destination_ip] =~ "224\.0\.1\." {
-      mutate {
-      }
-    }
-    else {
-      geoip {
-      source => "[destination_ip]"
-      target => "destination_geo"
-      }
-    }
-  }
-  if [destination_ip] {
-    mutate {
-      add_field => { "ips" => "%{destination_ip}" }
-      add_field => { "destination_ips" => [ "%{destination_ip}" ] }
-    }
-  }
-}
-  #if [source_ip] or [destination_ip] {
-  #  mutate {
-	  #add_tag => [ "conf_file_8001"]
-  #	}
-  #}
-
diff --git a/salt/logstash/files/conf.d/8006_postprocess_dns.conf b/salt/logstash/files/conf.d/8006_postprocess_dns.conf
deleted file mode 100644
index a1520e6dc..000000000
--- a/salt/logstash/files/conf.d/8006_postprocess_dns.conf
+++ /dev/null
@@ -1,47 +0,0 @@
-# Original Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Updated by: Doug Burks
-# Last Update: 5/13/2017
-
-filter {
-  if [type] == "bro_dns" or "dns" in [tags] {
-    # Used for whois lookups - can create log loop
-    if [query] =~ "^whois\." {
-      drop { }
-    }
-    # REPLACE test.int with your internal domain
-    if [query] and [query] !~ "\.test\.int$" {
-      mutate {
-        lowercase => [ "query" ]
-      }
-      if [query_type_name] != "NB" and [query_type_name] != "TKEY" and [query_type_name] != "NBSTAT" and [query_type_name] != "PTR" {
-        tld {
-          source => "query"
-        }
-        ruby {
-          code => "event.set('query_length', event.get('query').length)"
-        }
-        mutate {
-          rename => { "[SubLog][sessionid]" => "sub_session_id" }
-          rename => { "[tld][domain]" => "highest_registered_domain" }
-          rename => { "[tld][trd]" => "subdomain" }
-          rename => { "[tld][tld]" => "top_level_domain" }
-          rename => { "[tld][sld]" => "parent_domain" }
-        }
-        if [parent_domain] {
-          ruby {
-            code => "event.set('parent_domain_length', event.get('parent_domain').length)"
-          }
-        }
-        if [subdomain] {
-          ruby {
-            code => "event.set('subdomain_length', event.get('subdomain').length)"
-          }
-        }
-      }
-    }
-	mutate {
-		#add_tag => [ "conf_file_8006"]
-	}
-  }
-}
diff --git a/salt/logstash/files/conf.d/8007_postprocess_http.conf b/salt/logstash/files/conf.d/8007_postprocess_http.conf
deleted file mode 100644
index b9c9d224b..000000000
--- a/salt/logstash/files/conf.d/8007_postprocess_http.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-# Original Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Updated by: Doug Burks
-# Last Update: 5/13/2017
-
-filter {
-  if [type] == "bro_http" {
-    if [uri] {
-      ruby {
-        code => "event.set('uri_length', event.get('uri').length)"
-      }
-    }
-    if [virtual_host] {
-      ruby {
-        code => "event.set('virtual_host_length', event.get('virtual_host').length)"
-      }
-    }
-    if [useragent] {
-      ruby {
-        code => "event.set('useragent_length', event.get('useragent').length)"
-      }
-    }
-	mutate {
-	  ##add_tag => [ "conf_file_8007"]
-	}
-  }
-}
diff --git a/salt/logstash/files/conf.d/8200_postprocess_tagging.conf b/salt/logstash/files/conf.d/8200_postprocess_tagging.conf
deleted file mode 100644
index 1b2bd6259..000000000
--- a/salt/logstash/files/conf.d/8200_postprocess_tagging.conf
+++ /dev/null
@@ -1,58 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [destination_ip] {
-    if [destination_ip] =~ "10\." or [destination_ip] =~ "192\.168\." or [destination_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." {
-      mutate {
-        add_tag => [ "internal_destination" ]
-      }
-    } else {
-      mutate {
-        add_tag => [ "external_destination" ]
-      }
-    }
-    if "internal_destination" not in [tags] {
-      if [destination_ip] == "198.41.0.4" or [destination_ip] == "192.228.79.201" or [destination_ip] == "192.33.4.12" or [destination_ip] == "199.7.91.13" or [destination_ip] == "192.203.230.10" or [destination_ip] == "192.5.5.241" or [destination_ip] == "192.112.36.4" or [destination_ip] == "198.97.190.53" or [destination_ip] == "192.36.148.17" or [destination_ip] == "192.58.128.30" or [destination_ip] == "193.0.14.129" or [destination_ip] == "199.7.83.42" or [destination_ip] == "202.12.27.33" {
-        mutate {
-          add_tag => [ "root_dns_server" ]
-        }
-      }
-    }
-    # Customize this section to your environment
-    if [destination_ip] == "74.40.74.40" or [destination_ip] == "74.40.74.41" {
-      mutate {
-        add_tag => [ "authorized_dns_server" ]
-      }
-    }
-  }
-  if [source_ip] {
-    if [source_ip] =~ "10\." or [source_ip] =~ "192\.168\." or [source_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." {
-      mutate {
-        add_tag => [ "internal_source" ]
-      }
-    } else {
-      mutate {
-        add_tag => [ "external_source" ]
-      }
-    }
-    if "internal_source" not in [tags] {
-      if [source_ip] == "198.41.0.4" or [source_ip] == "192.228.79.201" or [source_ip] == "192.33.4.12" or [source_ip] == "199.7.91.13" or [source_ip] == "192.203.230.10" or [source_ip] == "192.5.5.241" or [source_ip] == "192.112.36.4" or [source_ip] == "198.97.190.53" or [source_ip] == "192.36.148.17" or [source_ip] == "192.58.128.30" or [source_ip] == "193.0.14.129" or [source_ip] == "199.7.83.42" or [source_ip] == "202.12.27.33" {
-        mutate {
-          add_tag => [ "root_dns_server" ]
-        }
-      }
-    }
-    # Customize this section to your environment
-    if [destination_ip] == "74.40.74.40" and "authorized_dns_server" not in [tags] or [destination_ip] == "74.40.74.41" and "authorized_dns_server" not in [tags] {
-      mutate {
-        add_tag => [ "authorized_dns_server" ]
-      }
-    }
-	mutate {
-		##add_tag => [ "conf_file_8200"]
-	}
-  }
-}
diff --git a/salt/logstash/files/conf.d/8998_postprocess_log_elapsed.conf b/salt/logstash/files/conf.d/8998_postprocess_log_elapsed.conf
deleted file mode 100644
index 478c6b0e0..000000000
--- a/salt/logstash/files/conf.d/8998_postprocess_log_elapsed.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  ruby {
-    code => "event.set('task_end', Time.now.to_f)"
-  }
-  ruby {
-    code => "event.set('logstash_time', event.get('task_end') - event.get('task_start'))"
-  }
-  mutate {
-    remove_field => [ 'task_start', 'task_end' ]
-  }
-  mutate {
-	#add_tag => [ "conf_file_8998"]
-  }
-}
diff --git a/salt/logstash/files/conf.d/8999_postprocess_rename_type.conf b/salt/logstash/files/conf.d/8999_postprocess_rename_type.conf
deleted file mode 100644
index 383fd9827..000000000
--- a/salt/logstash/files/conf.d/8999_postprocess_rename_type.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-# Author: Doug Burks
-# Last Update: 12/10/2017
-
-filter {
-    mutate {
-	  rename => [ "type", "event_type" ]
-	}
-}
diff --git a/salt/logstash/files/conf.d/9000_output_bro.conf b/salt/logstash/files/conf.d/9000_output_bro.conf
deleted file mode 100644
index f9992cafe..000000000
--- a/salt/logstash/files/conf.d/9000_output_bro.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
-    mutate {
-	  ##add_tag => [ "conf_file_9000"]
-	}
-  }
-}
-output {
-  if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
-#    stdout { codec => rubydebug }
-    elasticsearch {
-      hosts => elasticsearch
-      index => "logstash-bro-%{+YYYY.MM.dd}"
-      template => "/logstash-template.json"
-    }
-  }
-}
diff --git a/salt/logstash/files/conf.d/9001_output_switch.conf b/salt/logstash/files/conf.d/9001_output_switch.conf
deleted file mode 100644
index 2a1b37eba..000000000
--- a/salt/logstash/files/conf.d/9001_output_switch.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if "switch" in [tags] and "test_data" not in [tags] {
-    mutate {
-	  ##add_tag => [ "conf_file_9001"]
-	}
-  }
-}
-output {
-  if "switch" in [tags] and "test_data" not in [tags] {
-    #stdout { codec => rubydebug }
-    elasticsearch {
-      hosts => elasticsearch
-      index => "logstash-switch-%{+YYYY.MM.dd}"
-      template => "/logstash-template.json"
-    }
-  }
-}
diff --git a/salt/logstash/files/conf.d/9002_output_import.conf b/salt/logstash/files/conf.d/9002_output_import.conf
deleted file mode 100644
index f29ee5c88..000000000
--- a/salt/logstash/files/conf.d/9002_output_import.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# Updated by: Doug Burks
-# Last Update: 5/16/2017
-
-filter {
-  if "import" in [tags] and "test_data" not in [tags] {
-    mutate {
-	  ##add_tag => [ "conf_file_9002"]
-	}
-  }
-}
-output {
-  if "import" in [tags] and "test_data" not in [tags] {
-#    stdout { codec => rubydebug }
-    elasticsearch {
-      hosts => elasticsearch
-      index => "logstash-import-%{+YYYY.MM.dd}"
-      template => "/logstash-template.json"
-    }
-  }
-}
diff --git a/salt/logstash/files/conf.d/9004_output_flow.conf b/salt/logstash/files/conf.d/9004_output_flow.conf
deleted file mode 100644
index be125243e..000000000
--- a/salt/logstash/files/conf.d/9004_output_flow.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [event_type] == "sflow" and "test_data" not in [tags] {
-    mutate {
-	  ##add_tag => [ "conf_file_9004"]
-	}
-  }
-}
-output {
-  if [event_type] == "sflow" and "test_data" not in [tags] {
-    #stdout { codec => rubydebug }
-    elasticsearch {
-      hosts => elasticsearch
-      index => "logstash-flow-%{+YYYY.MM.dd}"
-      template => "/logstash-template.json"
-    }
-  }
-}
diff --git a/salt/logstash/files/conf.d/9026_output_dhcp.conf b/salt/logstash/files/conf.d/9026_output_dhcp.conf
deleted file mode 100644
index 7365cea35..000000000
--- a/salt/logstash/files/conf.d/9026_output_dhcp.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [event_type] == "dhcp" and "test_data" not in [tags] {
-    mutate {
-	  ##add_tag => [ "conf_file_9026"]
-	}
-  }
-}
-output {
-  if [event_type] == "dhcp" and "test_data" not in [tags] {
-    #stdout { codec => rubydebug }
-    elasticsearch {
-      hosts => elasticsearch
-      template => "/logstash-template.json"
-    }
-  }
-}
diff --git a/salt/logstash/files/conf.d/9029_output_esxi.conf b/salt/logstash/files/conf.d/9029_output_esxi.conf
deleted file mode 100644
index 09547e248..000000000
--- a/salt/logstash/files/conf.d/9029_output_esxi.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [event_type] == "esxi" and "test_data" not in [tags] {
-    mutate {
-	  ##add_tag => [ "conf_file_9029"]
-	}
-  }
-}
-output {
-  if [event_type] == "esxi" and "test_data" not in [tags] {
-    elasticsearch {
-      hosts => elasticsearch
-      template => "/logstash-template.json"
-    }
-  }
-}
diff --git a/salt/logstash/files/conf.d/9030_output_greensql.conf b/salt/logstash/files/conf.d/9030_output_greensql.conf
deleted file mode 100644
index c08315397..000000000
--- a/salt/logstash/files/conf.d/9030_output_greensql.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [event_type] == "greensql" and "test_data" not in [tags] {
-    mutate {
-	  ##add_tag => [ "conf_file_9030"]
-	}
-  }
-}
-output {
-  if [event_type] == "greensql" and "test_data" not in [tags] {
-    elasticsearch {
-      hosts => elasticsearch
-      template => "/logstash-template.json"
-    }
-  }
-}
diff --git a/salt/logstash/files/conf.d/9031_output_iis.conf b/salt/logstash/files/conf.d/9031_output_iis.conf
deleted file mode 100644
index c130cc2fb..000000000
--- a/salt/logstash/files/conf.d/9031_output_iis.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [event_type] == "iis" and "test_data" not in [tags] {
-    mutate {
-	  ##add_tag => [ "conf_file_9031"]
-	}
-  }
-}
-output {
-  if [event_type] == "iis" and "test_data" not in [tags] {
-    #stdout { codec => rubydebug }
-    elasticsearch {
-      hosts => elasticsearch
-      template => "/logstash-template.json"
-    }
-  }
-}
diff --git a/salt/logstash/files/conf.d/9032_output_mcafee.conf b/salt/logstash/files/conf.d/9032_output_mcafee.conf
deleted file mode 100644
index 537381529..000000000
--- a/salt/logstash/files/conf.d/9032_output_mcafee.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [event_type] == "mcafee" and "test_data" not in [tags] {
-    mutate {
-	  ##add_tag => [ "conf_file_9032"]
-	}
-  }
-}
-output {
-  if [event_type] == "mcafee" and "test_data" not in [tags] {
-    #stdout { codec => rubydebug }
-    elasticsearch {
-      hosts => elasticsearch
-      template => "/logstash-template.json"
-    }
-  }
-}
diff --git a/salt/logstash/files/conf.d/9033_output_snort.conf b/salt/logstash/files/conf.d/9033_output_snort.conf
deleted file mode 100644
index 27b0092fc..000000000
--- a/salt/logstash/files/conf.d/9033_output_snort.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [event_type] == "snort" and "test_data" not in [tags] {
-    mutate {
-	  ##add_tag => [ "conf_file_9033"]
-	}
-  }
-}
-output {
-    if [event_type] == "snort" and "test_data" not in [tags] {
-    #stdout { codec => rubydebug }
-    elasticsearch {
-      hosts => elasticsearch
-      index => "logstash-ids-%{+YYYY.MM.dd}"
-      template => "/logstash-template.json"
-    }
-  }
-}
diff --git a/salt/logstash/files/conf.d/9034_output_syslog.conf b/salt/logstash/files/conf.d/9034_output_syslog.conf
deleted file mode 100644
index 0bee8c11f..000000000
--- a/salt/logstash/files/conf.d/9034_output_syslog.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Updated by: Doug Burks
-# Last Update: 5/15/2017
-
-filter {
-  if "syslog" in [tags] and "test_data" not in [tags] {
-    mutate {
-	  ##add_tag => [ "conf_file_9034"]
-	}
-  }
-}
-output {
-  if "syslog" in [tags] and "test_data" not in [tags] {
-    elasticsearch {
-      hosts => elasticsearch
-      index => "logstash-syslog-%{+YYYY.MM.dd}"
-      template => "/logstash-template.json"
-    }
-  }
-}
diff --git a/salt/logstash/files/conf.d/9200_output_firewall.conf b/salt/logstash/files/conf.d/9200_output_firewall.conf
deleted file mode 100644
index 14becc80a..000000000
--- a/salt/logstash/files/conf.d/9200_output_firewall.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if "firewall" in [tags] and "test_data" not in [tags] {
-    mutate {
-	  ##add_tag => [ "conf_file_9200"]
-	}
-  }
-}
-output {
-  if "firewall" in [tags] and "test_data" not in [tags] {
-#    stdout { codec => rubydebug }
-    elasticsearch {
-      hosts => elasticsearch
-      index => "logstash-firewall-%{+YYYY.MM.dd}"
-      template => "/logstash-template.json"
-    }
-  }
-}
diff --git a/salt/logstash/files/conf.d/9300_output_windows.conf b/salt/logstash/files/conf.d/9300_output_windows.conf
deleted file mode 100644
index 9c6470cb7..000000000
--- a/salt/logstash/files/conf.d/9300_output_windows.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [event_type] == "windows" and "test_data" not in [tags] {
-    mutate {
-	  ##add_tag => [ "conf_file_9300"]
-	}
-  }
-}
-output {
-  if [event_type] == "windows" and "test_data" not in [tags] {
-    #stdout { codec => rubydebug }
-    elasticsearch {
-      hosts => elasticsearch
-      index => "logstash-windows-%{+YYYY.MM.dd}"
-      template => "/logstash-template.json"
-    }
-  }
-}
-
diff --git a/salt/logstash/files/conf.d/9301_output_dns_windows.conf b/salt/logstash/files/conf.d/9301_output_dns_windows.conf
deleted file mode 100644
index 97d3cb872..000000000
--- a/salt/logstash/files/conf.d/9301_output_dns_windows.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [event_type] == "dns" and "test_data" not in [tags] {
-    mutate {
-	  ##add_tag => [ "conf_file_9301"]
-	}
-  }
-}
-output {
-  if [event_type] == "dns" and "test_data" not in [tags] {
-    #stdout { codec => rubydebug }
-    elasticsearch {
-      hosts => elasticsearch
-      index => "logstash-%{+YYYY.MM.dd}"
-      template => "/logstash-template.json"
-    }
-  }
-}
-
diff --git a/salt/logstash/files/conf.d/9400_output_suricata.conf b/salt/logstash/files/conf.d/9400_output_suricata.conf
deleted file mode 100644
index 76b4526ec..000000000
--- a/salt/logstash/files/conf.d/9400_output_suricata.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [event_type] == "suricata" and "test_data" not in [tags] {
-    mutate {
-	  ##add_tag => [ "conf_file_9400"]
-	}
-  }
-}
-output {
-  if [event_type] == "suricata" and "test_data" not in [tags] {
-    #stdout { codec => rubydebug }
-    elasticsearch {
-      hosts => elasticsearch
-      index => "logstash-ids-%{+YYYY.MM.dd}"
-      template => "/logstash-template.json"
-    }
-  }
-}
diff --git a/salt/logstash/files/conf.d/9500_output_beats.conf b/salt/logstash/files/conf.d/9500_output_beats.conf
deleted file mode 100644
index 698d73652..000000000
--- a/salt/logstash/files/conf.d/9500_output_beats.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-# Author: Wes Lambert
-# Last Update: 12/11/2017
-filter {
-  if "beat" in [tags] {
-    mutate {
-          ##add_tag => [ "conf_file_9000"]
-        }
-  }
-}
-output {
-  if "beat" in [tags] {
-    elasticsearch {
-      hosts => elasticsearch
-      index => "logstash-beats-%{+YYYY.MM.dd}"
-      template => "/beats-template.json"
-    }
-  }
-}
diff --git a/salt/logstash/files/conf.d/9998_output_test_data.conf b/salt/logstash/files/conf.d/9998_output_test_data.conf
deleted file mode 100644
index fd11e32d7..000000000
--- a/salt/logstash/files/conf.d/9998_output_test_data.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if "test_data" in [tags] {
-    mutate {
-	  #add_tag => [ "conf_file_9998"]
-	}
-  }
-}
-output {
-  if "test_data" in [tags] {
-    elasticsearch {
-      hosts => elasticsearch
-      index => "logstash-test-%{+YYYY.MM.dd}"
-      template => "/logstash-template.json"
-    }
-  }
-}
diff --git a/salt/logstash/files/dictionaries/iana_protocols.yaml b/salt/logstash/files/dictionaries/iana_protocols.yaml
deleted file mode 100644
index 771938fe4..000000000
--- a/salt/logstash/files/dictionaries/iana_protocols.yaml
+++ /dev/null
@@ -1,256 +0,0 @@
-"0": HOPOPT
-"1": ICMP
-"2": IGMP
-"3": GGP
-"4": IPv4
-"5": ST
-"6": TCP
-"7": CBT
-"8": EGP
-"9": IGP
-"10": BBN-RCC-MON
-"11": NVP-II
-"12": PUP
-"13": ARGUS
-"14": EMCON
-"15": XNET
-"16": CHAOS
-"17": UDP
-"18": MUX
-"19": DCN-MEAS
-"20": HMP
-"21": PRM
-"22": XNS-IDP
-"23": TRUNK-1
-"24": TRUNK-2
-"25": LEAF-1
-"26": LEAF-2
-"27": RDP
-"28": IRTP
-"29": ISO-TP4
-"30": NETBLT
-"31": MFE-NSP
-"32": MERIT-INP
-"33": DCCP
-"34": 3PC
-"35": IDPR
-"36": XTP
-"37": DDP
-"38": IDPR-CMTP
-"39": TP++
-"40": IL
-"41": IPv6
-"42": SDRP
-"43": IPv6-Route
-"44": IPv6-Frag
-"45": IDRP
-"46": RSVP
-"47": GRE
-"48": DSR
-"49": BNA
-"50": ESP
-"51": AH
-"52": I-NLSP
-"53": SWIPE
-"54": NARP
-"55": MOBILE
-"56": TLSP
-"57": SKIP
-"58": IPv6-ICMP
-"59": IPv6-NoNxt
-"60": IPv6-Opts
-"61": Undefined
-"62": CFTP
-"63": Undefined
-"64": SAT-EXPAK
-"65": KRYPTOLAN
-"66": RVD
-"67": IPPC
-"68": Undefined
-"69": SAT-MON
-"70": VISA
-"71": IPCV
-"72": CPNX
-"73": CPHB
-"74": WSN
-"75": PVP
-"76": BR-SAT-MON
-"77": SUN-ND
-"78": WB-MON
-"79": WB-EXPAK
-"80": ISO-IP
-"81": VMTP
-"82": SECURE-VMTP
-"83": VINES
-"84": TTP/IPTM
-"85": NSFNET-IGP
-"86": DGP
-"87": TCF
-"88": EIGRP
-"89": OSPFIGP
-"90": Sprite-RPC
-"91": LARP
-"92": MTP
-"93": AX.25
-"94": IPIP
-"95": MICP
-"96": SCC-SP
-"97": ETHERIP
-"98": ENCAP
-"99": Undefined
-"100": GMTP
-"101": IFMP
-"102": PNNI
-"103": PIM
-"104": ARIS
-"105": SCPS
-"106": QNX
-"107": A/N
-"108": IPComp
-"109": SNP
-"110": Compaq-Peer
-"111": IPX-in-IP
-"112": VRRP
-"113": PGM
-"114": Undefined
-"115": L2TP
-"116": DDX
-"117": IATP
-"118": STP
-"119": SRP
-"120": UTI
-"121": SMP
-"122": SM
-"123": PTP
-"124": ISIS over IPv4
-"125": FIRE
-"126": CRTP
-"127": CRUDP
-"128": SSCOPMCE
-"129": IPLT
-"130": SPS
-"131": PIPE
-"132": SCTP
-"133": FC
-"134": RSVP-E2E-IGNORE
-"135": Mobility Header
-"136": UDPLite
-"137": MPLS-in-IP
-"138": manet
-"139": HIP
-"140": Shim6
-"141": WESP
-"142": ROHC
-"143": Undefined
-"144": Undefined
-"145": Undefined
-"146": Undefined
-"147": Undefined
-"148": Undefined
-"149": Undefined
-"150": Undefined
-"151": Undefined
-"152": Undefined
-"153": Undefined
-"154": Undefined
-"155": Undefined
-"156": Undefined
-"157": Undefined
-"158": Undefined
-"159": Undefined
-"160": Undefined
-"161": Undefined
-"162": Undefined
-"163": Undefined
-"164": Undefined
-"165": Undefined
-"166": Undefined
-"167": Undefined
-"168": Undefined
-"169": Undefined
-"170": Undefined
-"171": Undefined
-"172": Undefined
-"173": Undefined
-"174": Undefined
-"175": Undefined
-"176": Undefined
-"177": Undefined
-"178": Undefined
-"179": Undefined
-"180": Undefined
-"181": Undefined
-"182": Undefined
-"183": Undefined
-"184": Undefined
-"185": Undefined
-"186": Undefined
-"187": Undefined
-"188": Undefined
-"189": Undefined
-"190": Undefined
-"191": Undefined
-"192": Undefined
-"193": Undefined
-"194": Undefined
-"195": Undefined
-"196": Undefined
-"197": Undefined
-"198": Undefined
-"199": Undefined
-"200": Undefined
-"201": Undefined
-"202": Undefined
-"203": Undefined
-"204": Undefined
-"205": Undefined
-"206": Undefined
-"207": Undefined
-"208": Undefined
-"209": Undefined
-"210": Undefined
-"211": Undefined
-"212": Undefined
-"213": Undefined
-"214": Undefined
-"215": Undefined
-"216": Undefined
-"217": Undefined
-"218": Undefined
-"219": Undefined
-"220": Undefined
-"221": Undefined
-"222": Undefined
-"223": Undefined
-"224": Undefined
-"225": Undefined
-"226": Undefined
-"227": Undefined
-"228": Undefined
-"229": Undefined
-"230": Undefined
-"231": Undefined
-"232": Undefined
-"233": Undefined
-"234": Undefined
-"235": Undefined
-"236": Undefined
-"237": Undefined
-"238": Undefined
-"239": Undefined
-"240": Undefined
-"241": Undefined
-"242": Undefined
-"243": Undefined
-"244": Undefined
-"245": Undefined
-"246": Undefined
-"247": Undefined
-"248": Undefined
-"249": Undefined
-"250": Undefined
-"251": Undefined
-"252": Undefined
-"253": Undefined
-"254": Undefined
-"255": Reserved
\ No newline at end of file
diff --git a/salt/logstash/files/dictionaries/iana_services.yaml b/salt/logstash/files/dictionaries/iana_services.yaml
deleted file mode 100644
index e948205c1..000000000
--- a/salt/logstash/files/dictionaries/iana_services.yaml
+++ /dev/null
@@ -1,345 +0,0 @@
-"1": tcpmux
-"2": nbp
-"4": echo
-"6": zip
-"7": echo
-"9": discard
-"11": systat
-"13": daytime
-"15": netstat
-"17": qotd
-"18": msp
-"19": chargen
-"20": ftp-data
-"21": ftp
-"22": ssh
-"23": telnet
-"25": smtp
-"37": time
-"39": rlp
-"42": nameserver
-"43": whois
-"49": tacacs
-"50": re-mail-ck
-"53": domain
-"57": mtp
-"65": tacacs-ds
-"67": bootps
-"68": bootpc
-"69": tftp
-"70": gopher
-"77": rje
-"79": finger
-"80": http
-"87": link
-"88": kerberos
-"95": supdup
-"98": linuxconf
-"101": hostnames
-"102": iso-tsap
-"104": acr-nema
-"105": csnet-ns
-"106": poppassd
-"107": rtelnet
-"109": pop2
-"110": pop3
-"111": sunrpc
-"113": auth
-"115": sftp
-"117": uucp-path
-"119": nntp
-"123": ntp
-"129": pwdgen
-"135": loc-srv
-"137": netbios-ns
-"138": netbios-dgm
-"139": netbios-ssn
-"143": imap2
-"161": snmp
-"162": snmp-trap
-"163": cmip-man
-"164": cmip-agent
-"174": mailq
-"177": xdmcp
-"178": nextstep
-"179": bgp
-"191": prospero
-"194": irc
-"199": smux
-"201": at-rtmp
-"202": at-nbp
-"204": at-echo
-"206": at-zis
-"209": qmtp
-"210": z3950
-"213": ipx
-"220": imap3
-"345": pawserv
-"346": zserv
-"347": fatserv
-"369": rpc2portmap
-"370": codaauth2
-"371": clearcase
-"372": ulistserv
-"389": ldap
-"406": imsp
-"427": svrloc
-"443": https
-"444": snpp
-"445": microsoft-ds
-"464": kpasswd
-"465": urd
-"487": saft
-"500": isakmp
-"512": exec
-"512": biff
-"513": login
-"513": who
-"514": shell
-"514": syslog
-"515": printer
-"517": talk
-"518": ntalk
-"520": route
-"525": timed
-"526": tempo
-"530": courier
-"531": conference
-"532": netnews
-"533": netwall
-"538": gdomap
-"540": uucp
-"543": klogin
-"544": kshell
-"546": dhcpv6-client
-"547": dhcpv6-server
-"548": afpovertcp
-"549": idfp
-"554": rtsp
-"556": remotefs
-"563": nntps
-"587": submission
-"607": nqs
-"610": npmp-local
-"611": npmp-gui
-"612": hmmp-ind
-"623": asf-rmcp
-"628": qmqp
-"631": ipp
-"636": ldaps
-"655": tinc
-"706": silc
-"749": kerberos-adm
-"750": kerberos4
-"751": kerberos-master
-"752": passwd-server
-"754": krb-prop
-"760": krbupdate
-"765": webster
-"775": moira-db
-"777": moira-update
-"779": moira-ureg
-"783": spamd
-"808": omirr
-"871": supfilesrv
-"873": rsync
-"901": swat
-"989": ftps-data
-"990": ftps
-"992": telnets
-"993": imaps
-"994": ircs
-"995": pop3s
-"1001": customs
-"1080": socks
-"1093": proofd
-"1094": rootd
-"1099": rmiregistry
-"1109": kpop
-"1127": supfiledbg
-"1178": skkserv
-"1194": openvpn
-"1210": predict
-"1214": kazaa
-"1236": rmtcfg
-"1241": nessus
-"1300": wipld
-"1313": xtel
-"1314": xtelw
-"1352": lotusnote
-"1433": ms-sql-s
-"1434": ms-sql-m
-"1524": ingreslock
-"1525": prospero-np
-"1529": support
-"1645": datametrics
-"1646": sa-msg-port
-"1649": kermit
-"1677": groupwise
-"1701": l2f
-"1812": radius
-"1813": radius-acct
-"1863": msnp
-"1957": unix-status
-"1958": log-server
-"1959": remoteping
-"2000": cisco-sccp
-"2003": cfinger
-"2010": search
-"2010": pipe-server
-"2049": nfs
-"2053": knetd
-"2086": gnunet
-"2101": rtcm-sc104
-"2102": zephyr-srv
-"2103": zephyr-clt
-"2104": zephyr-hm
-"2105": eklogin
-"2111": kx
-"2119": gsigatekeeper
-"2121": iprop
-"2121": frox
-"2135": gris
-"2150": ninstall
-"2401": cvspserver
-"2430": venus
-"2431": venus-se
-"2432": codasrv
-"2433": codasrv-se
-"2583": mon
-"2600": zebrasrv
-"2601": zebra
-"2602": ripd
-"2603": ripngd
-"2604": ospfd
-"2605": bgpd
-"2606": ospf6d
-"2607": ospfapi
-"2608": isisd
-"2628": dict
-"2792": f5-globalsite
-"2811": gsiftp
-"2947": gpsd
-"2988": afbackup
-"2989": afmbackup
-"3050": gds-db
-"3130": icpv2
-"3260": iscsi-target
-"3306": mysql
-"3493": nut
-"3632": distcc
-"3689": daap
-"3690": svn
-"4031": suucp
-"4094": sysrqd
-"4190": sieve
-"4224": xtell
-"4353": f5-iquery
-"4369": epmd
-"4373": remctl
-"4500": ipsec-nat-t
-"4557": fax
-"4559": hylafax
-"4569": iax
-"4600": distmp3
-"4691": mtn
-"4899": radmin-port
-"4949": munin
-"5002": rfe
-"5050": mmcc
-"5051": enbd-cstatd
-"5052": enbd-sstatd
-"5060": sip
-"5061": sip-tls
-"5151": pcrd
-"5190": aol
-"5222": xmpp-client
-"5269": xmpp-server
-"5308": cfengine
-"5353": mdns
-"5354": noclog
-"5355": hostmon
-"5432": postgresql
-"5555": rplay
-"5556": freeciv
-"5666": nrpe
-"5667": nsca
-"5672": amqp
-"5674": mrtd
-"5675": bgpsim
-"5680": canna
-"5688": ggz
-"6000": x11
-"6001": x11-1
-"6002": x11-2
-"6003": x11-3
-"6004": x11-4
-"6005": x11-5
-"6006": x11-6
-"6007": x11-7
-"6346": gnutella-svc
-"6347": gnutella-rtr
-"6444": sge-qmaster
-"6445": sge-execd
-"6446": mysql-proxy
-"6514": syslog-tls
-"6566": sane-port
-"6667": ircd
-"7000": afs3-fileserver
-"7001": afs3-callback
-"7002": afs3-prserver
-"7003": afs3-vlserver
-"7004": afs3-kaserver
-"7005": afs3-volser
-"7006": afs3-errors
-"7007": afs3-bos
-"7008": afs3-update
-"7009": afs3-rmtsys
-"7100": font-service
-"8021": zope-ftp
-"8080": http-alt
-"8081": tproxy
-"8088": omniorb
-"8990": clc-build-daemon
-"9098": xinetd
-"9101": bacula-dir
-"9102": bacula-fd
-"9103": bacula-sd
-"9359": mandelspawn
-"9418": git
-"9667": xmms2
-"9673": zope
-"10000": webmin
-"10050": zabbix-agent
-"10051": zabbix-trapper
-"10080": amanda
-"10081": kamanda
-"10082": amandaidx
-"10083": amidxtape
-"10809": nbd
-"11112": dicom
-"11201": smsqp
-"11371": hkp
-"13720": bprd
-"13721": bpdbm
-"13722": bpjava-msvc
-"13724": vnetd
-"13782": bpcd
-"13783": vopied
-"15345": xpilot
-"17001": sgi-cmsd
-"17002": sgi-crsd
-"17003": sgi-gcd
-"17004": sgi-cad
-"17500": db-lsp
-"20011": isdnlog
-"20012": vboxd
-"22125": dcap
-"22128": gsidcap
-"22273": wnn6
-"24554": binkp
-"27374": asp
-"30865": csync2
-"57000": dircproxy
-"60177": tfido
-"60179": fido
\ No newline at end of file
diff --git a/salt/logstash/files/dictionaries/services.yaml b/salt/logstash/files/dictionaries/services.yaml
deleted file mode 100644
index 7c615b7c3..000000000
--- a/salt/logstash/files/dictionaries/services.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
-"Windows Update": whitelist
-"SEC555 Service": whitelist
-"Evil Service": blacklist
diff --git a/salt/logstash/files/dictionaries/tcp_flags.yaml b/salt/logstash/files/dictionaries/tcp_flags.yaml
deleted file mode 100644
index c15f6b0c3..000000000
--- a/salt/logstash/files/dictionaries/tcp_flags.yaml
+++ /dev/null
@@ -1,64 +0,0 @@
-"0x00": NULL
-"0x01": FIN
-"0x02": SYN
-"0x03": FIN-SYN
-"0x08": PSH
-"0x09": FIN-PSH
-"0x0A": SYN-PSH
-"0x0B": FIN-SYN-PSH
-"0x10": ACK
-"0x11": FIN-ACK
-"0x12": SYN-ACK
-"0x13": FIN-SYN-ACK
-"0x18": PSH-ACK
-"0x19": FIN-PSH-ACK
-"0x1A": SYN-PSH-ACK
-"0x1B": FIN-SYN-PSH-ACK
-"0x40": ECE
-"0x41": FIN-ECE
-"0x42": SYN-ECE
-"0x43": FIN-SYN-ECE
-"0x48": PSH-ECE
-"0x49": FIN-PSH-ECE
-"0x4A": SYN-PSH-ECE
-"0x4B": FIN-SYN-PSH-ECE
-"0x50": ACK-ECE
-"0x51": FIN-ACK-ECE
-"0x52": SYN-ACK-ECE
-"0x53": FIN-SYN-ACK-ECE
-"0x58": PSH-ACK-ECE
-"0x59": FIN-PSH-ACK-ECE
-"0x5A": SYN-PSH-ACK-ECE
-"0x5B": FIN-SYN-PSH-ACK-ECE
-"0x80": CWR
-"0x81": FIN-CWR
-"0x82": SYN-CWR
-"0x83": FIN-SYN-CWR
-"0x88": PSH-CWR
-"0x89": FIN-PSH-CWR
-"0x8A": SYN-PSH-CWR
-"0x8B": FIN-SYN-PSH-CWR
-"0x90": ACK-CWR
-"0x91": FIN-ACK-CWR
-"0x92": SYN-ACK-CWR
-"0x93": FIN-SYN-ACK-CWR
-"0x98": PSH-ACK-CWR
-"0x99": FIN-PSH-ACK-CWR
-"0x9A": SYN-PSH-ACK-CWR
-"0x9B": FIN-SYN-PSH-ACK-CWR
-"0xC0": ECE-CWR
-"0xC1": FIN-ECE-CWR
-"0xC2": SYN-ECE-CWR
-"0xC3": FIN-SYN-ECE-CWR
-"0xC8": PSH-ECE-CWR
-"0xC9": FIN-PSH-ECE-CWR
-"0xCA": SYN-PSH-ECE-CWR
-"0xCB": FIN-SYN-PSH-ECE-CWR
-"0xD0": ACK-ECE-CWR
-"0xD1": FIN-ACK-ECE-CWR
-"0xD2": SYN-ACK-ECE-CWR
-"0xD3": FIN-SYN-ACK-ECE-CWR
-"0xD8": PSH-ACK-ECE-CWR
-"0xD9": FIN-PSH-ACK-ECE-CWR
-"0xDA": SYN-PSH-ACK-ECE-CWR
-"0xDB": FIN-SYN-PSH-ACK-ECE-CWR
\ No newline at end of file
diff --git a/salt/logstash/files/logstash.yml b/salt/logstash/files/logstash.yml
index aa7e7acc7..0b40497de 100644
--- a/salt/logstash/files/logstash.yml
+++ b/salt/logstash/files/logstash.yml
@@ -1,4 +1,14 @@
-path.config: /usr/share/logstash/pipeline
+{%- set freq = salt['pillar.get']('master:freq', '0') %}
+{%- set domainstats = salt['pillar.get']('master:domainstats', '0') %}
+{%- if freq == '0' and domainstats == '0' }
+path.config: {/usr/share/logstash/pipeline,/usr/share/logstash/custom}
+{%- if freq == '1' and domainstats == '0' }
+path.config: {/usr/share/logstash/pipeline,/usr/share/logstash/custom,/usr/share/logstash/freq}
+{%- if freq == '0' and domainstats == '1' }
+path.config: {/usr/share/logstash/pipeline,/usr/share/logstash/custom,/usr/share/logstash/domainstats}
+{%- if freq == '1' and domainstats == '1' }
+path.config: {/usr/share/logstash/pipeline,/usr/share/logstash/custom,/usr/share/logstash/freq,/usr/share/logstash/domainstats}
+{%- endif %}
 http.host: 0.0.0.0
 queue.type: persisted
 queue.max_bytes: 1gb
diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls
index 0ae8d4643..5b9eec3d2 100644
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
@@ -75,8 +75,8 @@ so-logstash:
     - hostname: logstash
     - user: logstash
     - environment:
-      - LS_JAVA_OPTS="-Xms{{ lsheap }} -Xmx{{ lsheap }}"
-    - ports:
+      - LS_JAVA_OPTS=-Xms{{ lsheap }} -Xmx{{ lsheap }}
+    - port_bindings:
       - 5044
       - 6050
       - 6051