From 6a7580404d49229cd73e1d1314300515ebed6566 Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Wed, 19 Feb 2020 13:08:14 -0500
Subject: [PATCH 1/6] directory cleanup - logstash pipeline rework

---
 pillar/logstash/eval.sls                      |  53 +++-
 pillar/masters/example.sls                    |  10 -
 pillar/nodes/example.sls                      |   5 -
 pillar/sensors/example.sls                    |  14 -
 salt/logstash/conf/conf.enabled.txt           |  17 --
 salt/logstash/conf/conf.enabled.txt.forward   |  17 --
 salt/logstash/conf/conf.enabled.txt.parser    |  85 ------
 salt/logstash/conf/conf.enabled.txt.search    | 107 -------
 salt/logstash/conf/conf.enabled.txt.so-eval   | 114 -------
 .../conf/conf.enabled.txt.so-eval.old         | 109 -------
 salt/logstash/conf/conf.enabled.txt.so-helix  |  47 ---
 salt/logstash/conf/conf.enabled.txt.so-master |  18 --
 .../conf/conf.enabled.txt.so-mastersearch     |  18 --
 salt/logstash/init.sls                        |  68 +----
 .../pipelines/config/0800_input_eval.conf     | 204 +++++++++++++
 .../config/1000_preprocess_log_elapsed.conf   |  13 +
 .../config/1001_preprocess_syslogng.conf      |  33 ++
 .../config/1002_preprocess_json.conf          |  18 ++
 .../config/1004_preprocess_syslog_types.conf  |  19 ++
 .../config/1026_preprocess_dhcp.conf          | 140 +++++++++
 .../config/1029_preprocess_esxi.conf          |  31 ++
 .../config/1030_preprocess_greensql.conf      |  21 ++
 .../pipelines/config/1031_preprocess_iis.conf |  21 ++
 .../config/1032_preprocess_mcafee.conf        |  26 ++
 .../config/1033_preprocess_snort.conf         | 181 +++++++++++
 .../config/1034_preprocess_syslog.conf        |  16 +
 .../pipelines/config/2000_network_flow.conf   |  59 ++++
 .../pipelines/config/6002_syslog.conf         |  11 +
 .../pipelines/config/6101_switch_brocade.conf |  33 ++
 .../config/6200_firewall_fortinet.conf        | 281 ++++++++++++++++++
 .../config/6201_firewall_pfsense.conf         |  56 ++++
 .../pipelines/config/6300_windows.conf        | 161 ++++++++++
 .../pipelines/config/6301_dns_windows.conf    |  49 +++
 .../pipelines/config/6400_suricata.conf       |  92 ++++++
 .../logstash/pipelines/config/6500_ossec.conf | 160 ++++++++++
 .../pipelines/config/6501_ossec_sysmon.conf   | 118 ++++++++
 .../pipelines/config/6502_ossec_autoruns.conf |  43 +++
 .../config/6600_winlogbeat_sysmon.conf        |  23 ++
 .../pipelines/config/6700_winlogbeat.conf     |  17 ++
 .../pipelines/config/7100_osquery_wel.conf    |  23 ++
 .../pipelines/config/7200_strelka.conf        |   8 +
 ...01_postprocess_common_ip_augmentation.conf |  58 ++++
 .../config/8007_postprocess_http.conf         |  27 ++
 .../config/8200_postprocess_tagging.conf      |  63 ++++
 .../config/8998_postprocess_log_elapsed.conf  |  19 ++
 .../config/8999_postprocess_rename_type.conf  |   8 +
 .../config/9000_output_bro.conf.jinja         |  32 ++
 .../config/9001_output_switch.conf.jinja      |  27 ++
 .../config/9002_output_import.conf.jinja      |  27 ++
 .../config/9004_output_flow.conf.jinja        |  27 ++
 .../config/9026_output_dhcp.conf.jinja        |  26 ++
 .../config/9029_output_esxi.conf.jinja        |  25 ++
 .../config/9030_output_greensql.conf.jinja    |  25 ++
 .../config/9031_output_iis.conf.jinja         |  26 ++
 .../config/9032_output_mcafee.conf.jinja      |  26 ++
 .../config/9033_output_snort.conf.jinja       |  29 ++
 .../config/9034_output_syslog.conf.jinja      |  28 ++
 .../config/9100_output_osquery.conf.jinja     |  32 ++
 .../config/9200_output_firewall.conf.jinja    |  29 ++
 .../config/9300_output_windows.conf.jinja     |  27 ++
 .../config/9301_output_dns_windows.conf.jinja |  27 ++
 .../config/9400_output_suricata.conf.jinja    |  28 ++
 .../config/9500_output_beats.conf.jinja       |  25 ++
 .../config/9600_output_ossec.conf.jinja       |  29 ++
 .../config/9700_ouptut_strelka.conf.jinja     |  30 ++
 65 files changed, 2622 insertions(+), 617 deletions(-)
 delete mode 100644 pillar/masters/example.sls
 delete mode 100644 pillar/nodes/example.sls
 delete mode 100644 pillar/sensors/example.sls
 delete mode 100644 salt/logstash/conf/conf.enabled.txt
 delete mode 100644 salt/logstash/conf/conf.enabled.txt.forward
 delete mode 100644 salt/logstash/conf/conf.enabled.txt.parser
 delete mode 100644 salt/logstash/conf/conf.enabled.txt.search
 delete mode 100644 salt/logstash/conf/conf.enabled.txt.so-eval
 delete mode 100644 salt/logstash/conf/conf.enabled.txt.so-eval.old
 delete mode 100644 salt/logstash/conf/conf.enabled.txt.so-helix
 delete mode 100644 salt/logstash/conf/conf.enabled.txt.so-master
 delete mode 100644 salt/logstash/conf/conf.enabled.txt.so-mastersearch
 create mode 100644 salt/logstash/pipelines/config/0800_input_eval.conf
 create mode 100644 salt/logstash/pipelines/config/1000_preprocess_log_elapsed.conf
 create mode 100644 salt/logstash/pipelines/config/1001_preprocess_syslogng.conf
 create mode 100644 salt/logstash/pipelines/config/1002_preprocess_json.conf
 create mode 100644 salt/logstash/pipelines/config/1004_preprocess_syslog_types.conf
 create mode 100644 salt/logstash/pipelines/config/1026_preprocess_dhcp.conf
 create mode 100644 salt/logstash/pipelines/config/1029_preprocess_esxi.conf
 create mode 100644 salt/logstash/pipelines/config/1030_preprocess_greensql.conf
 create mode 100644 salt/logstash/pipelines/config/1031_preprocess_iis.conf
 create mode 100644 salt/logstash/pipelines/config/1032_preprocess_mcafee.conf
 create mode 100644 salt/logstash/pipelines/config/1033_preprocess_snort.conf
 create mode 100644 salt/logstash/pipelines/config/1034_preprocess_syslog.conf
 create mode 100644 salt/logstash/pipelines/config/2000_network_flow.conf
 create mode 100644 salt/logstash/pipelines/config/6002_syslog.conf
 create mode 100644 salt/logstash/pipelines/config/6101_switch_brocade.conf
 create mode 100644 salt/logstash/pipelines/config/6200_firewall_fortinet.conf
 create mode 100644 salt/logstash/pipelines/config/6201_firewall_pfsense.conf
 create mode 100644 salt/logstash/pipelines/config/6300_windows.conf
 create mode 100644 salt/logstash/pipelines/config/6301_dns_windows.conf
 create mode 100644 salt/logstash/pipelines/config/6400_suricata.conf
 create mode 100644 salt/logstash/pipelines/config/6500_ossec.conf
 create mode 100644 salt/logstash/pipelines/config/6501_ossec_sysmon.conf
 create mode 100644 salt/logstash/pipelines/config/6502_ossec_autoruns.conf
 create mode 100644 salt/logstash/pipelines/config/6600_winlogbeat_sysmon.conf
 create mode 100644 salt/logstash/pipelines/config/6700_winlogbeat.conf
 create mode 100644 salt/logstash/pipelines/config/7100_osquery_wel.conf
 create mode 100644 salt/logstash/pipelines/config/7200_strelka.conf
 create mode 100644 salt/logstash/pipelines/config/8001_postprocess_common_ip_augmentation.conf
 create mode 100644 salt/logstash/pipelines/config/8007_postprocess_http.conf
 create mode 100644 salt/logstash/pipelines/config/8200_postprocess_tagging.conf
 create mode 100644 salt/logstash/pipelines/config/8998_postprocess_log_elapsed.conf
 create mode 100644 salt/logstash/pipelines/config/8999_postprocess_rename_type.conf
 create mode 100644 salt/logstash/pipelines/config/9000_output_bro.conf.jinja
 create mode 100644 salt/logstash/pipelines/config/9001_output_switch.conf.jinja
 create mode 100644 salt/logstash/pipelines/config/9002_output_import.conf.jinja
 create mode 100644 salt/logstash/pipelines/config/9004_output_flow.conf.jinja
 create mode 100644 salt/logstash/pipelines/config/9026_output_dhcp.conf.jinja
 create mode 100644 salt/logstash/pipelines/config/9029_output_esxi.conf.jinja
 create mode 100644 salt/logstash/pipelines/config/9030_output_greensql.conf.jinja
 create mode 100644 salt/logstash/pipelines/config/9031_output_iis.conf.jinja
 create mode 100644 salt/logstash/pipelines/config/9032_output_mcafee.conf.jinja
 create mode 100644 salt/logstash/pipelines/config/9033_output_snort.conf.jinja
 create mode 100644 salt/logstash/pipelines/config/9034_output_syslog.conf.jinja
 create mode 100644 salt/logstash/pipelines/config/9100_output_osquery.conf.jinja
 create mode 100644 salt/logstash/pipelines/config/9200_output_firewall.conf.jinja
 create mode 100644 salt/logstash/pipelines/config/9300_output_windows.conf.jinja
 create mode 100644 salt/logstash/pipelines/config/9301_output_dns_windows.conf.jinja
 create mode 100644 salt/logstash/pipelines/config/9400_output_suricata.conf.jinja
 create mode 100644 salt/logstash/pipelines/config/9500_output_beats.conf.jinja
 create mode 100644 salt/logstash/pipelines/config/9600_output_ossec.conf.jinja
 create mode 100644 salt/logstash/pipelines/config/9700_ouptut_strelka.conf.jinja

diff --git a/pillar/logstash/eval.sls b/pillar/logstash/eval.sls
index 654afd2b3..c30e856d3 100644
--- a/pillar/logstash/eval.sls
+++ b/pillar/logstash/eval.sls
@@ -1,4 +1,55 @@
 logstash:
   pipelines:
     eval:
-      config: "/usr/share/logstash/pipelines/eval/*.conf"
+      config:
+        - 0800_input_eval.conf
+        - 1000_preprocess_log_elapsed.conf
+        - 1001_preprocess_syslogng.conf
+        - 1002_preprocess_json.conf
+        - 1004_preprocess_syslog_types.conf
+        - 1026_preprocess_dhcp.conf
+        - 1029_preprocess_esxi.conf
+        - 1030_preprocess_greensql.conf
+        - 1031_preprocess_iis.conf
+        - 1032_preprocess_mcafee.conf
+        - 1033_preprocess_snort.conf
+        - 1034_preprocess_syslog.conf
+        - 2000_network_flow.conf
+        - 6002_syslog.conf
+        - 6101_switch_brocade.conf
+        - 6200_firewall_fortinet.conf
+        - 6201_firewall_pfsense.conf
+        - 6300_windows.conf
+        - 6301_dns_windows.conf
+        - 6400_suricata.conf
+        - 6500_ossec.conf
+        - 6501_ossec_sysmon.conf
+        - 6502_ossec_autoruns.conf
+        - 6600_winlogbeat_sysmon.conf
+        - 6700_winlogbeat.conf
+        - 7100_osquery_wel.conf
+        - 7200_strelka.conf
+        - 8001_postprocess_common_ip_augmentation.conf
+        - 8007_postprocess_http.conf
+        - 8200_postprocess_tagging.conf
+        - 8998_postprocess_log_elapsed.conf
+        - 8999_postprocess_rename_type.conf
+        - 9000_output_bro.conf.jinja
+        - 9001_output_switch.conf.jinja
+        - 9002_output_import.conf.jinja
+        - 9004_output_flow.conf.jinja
+        - 9026_output_dhcp.conf.jinja
+        - 9029_output_esxi.conf.jinja
+        - 9030_output_greensql.conf.jinja
+        - 9031_output_iis.conf.jinja
+        - 9032_output_mcafee.conf.jinja
+        - 9033_output_snort.conf.jinja
+        - 9034_output_syslog.conf.jinja
+        - 9100_output_osquery.conf.jinja
+        - 9200_output_firewall.conf.jinja
+        - 9300_output_windows.conf.jinja
+        - 9301_output_dns_windows.conf.jinja
+        - 9400_output_suricata.conf.jinja
+        - 9500_output_beats.conf.jinja
+        - 9600_output_ossec.conf.jinja
+        - 9700_ouptut_strelka.conf.jinja
diff --git a/pillar/masters/example.sls b/pillar/masters/example.sls
deleted file mode 100644
index 28c9ed139..000000000
--- a/pillar/masters/example.sls
+++ /dev/null
@@ -1,10 +0,0 @@
-# Example Pillar file for a master
-master:
-  esaccessip: 127.0.0.1
-  esheap: CHANGEME
-  esclustername: {{ grains.host }}
-  freq: 0
-  domainstats: 0
-  lsheap: 1500m
-  lsaccessip: 127.0.0.1
-  elastalert: 1
\ No newline at end of file
diff --git a/pillar/nodes/example.sls b/pillar/nodes/example.sls
deleted file mode 100644
index 5516e7052..000000000
--- a/pillar/nodes/example.sls
+++ /dev/null
@@ -1,5 +0,0 @@
-# Example Pillar file for a sensor
-node:
-  ls_heapsize: CHANGEME
-  es_heapsize: CHANGEME
-  node_type: CHANGEME
diff --git a/pillar/sensors/example.sls b/pillar/sensors/example.sls
deleted file mode 100644
index 753acf1de..000000000
--- a/pillar/sensors/example.sls
+++ /dev/null
@@ -1,14 +0,0 @@
-# Example Pillar file for a sensor
-sensor:
-  interface: CHANGEME
-  bro_pins:
-    - 1
-    - 2
-    - 3
-    - 4
-  brobpf:
-  pcapbpf:
-  nidsbpf:
-  s3bucket:
-  s3key:
-
diff --git a/salt/logstash/conf/conf.enabled.txt b/salt/logstash/conf/conf.enabled.txt
deleted file mode 100644
index a4da29cad..000000000
--- a/salt/logstash/conf/conf.enabled.txt
+++ /dev/null
@@ -1,17 +0,0 @@
-# This is where can specify which LogStash configs get loaded.
-#
-# The custom folder on the master gets automatically synced to each logstash
-# node.
-#
-# To enable a custom configuration see the following example and uncomment:
-# /usr/share/logstash/pipeline.custom/1234_input_custom.conf
-##
-# All of the defaults are loaded.
-/usr/share/logstash/pipeline.so/0000_input_syslogng.conf
-/usr/share/logstash/pipeline.so/0001_input_json.conf
-/usr/share/logstash/pipeline.so/0002_input_windows_json.conf
-/usr/share/logstash/pipeline.so/0003_input_syslog.conf
-/usr/share/logstash/pipeline.so/0005_input_suricata.conf
-/usr/share/logstash/pipeline.so/0006_input_beats.conf
-/usr/share/logstash/pipeline.so/0007_input_import.conf
-/usr/share/logstash/pipeline.dynamic/9999_output_redis.conf
diff --git a/salt/logstash/conf/conf.enabled.txt.forward b/salt/logstash/conf/conf.enabled.txt.forward
deleted file mode 100644
index a4da29cad..000000000
--- a/salt/logstash/conf/conf.enabled.txt.forward
+++ /dev/null
@@ -1,17 +0,0 @@
-# This is where can specify which LogStash configs get loaded.
-#
-# The custom folder on the master gets automatically synced to each logstash
-# node.
-#
-# To enable a custom configuration see the following example and uncomment:
-# /usr/share/logstash/pipeline.custom/1234_input_custom.conf
-##
-# All of the defaults are loaded.
-/usr/share/logstash/pipeline.so/0000_input_syslogng.conf
-/usr/share/logstash/pipeline.so/0001_input_json.conf
-/usr/share/logstash/pipeline.so/0002_input_windows_json.conf
-/usr/share/logstash/pipeline.so/0003_input_syslog.conf
-/usr/share/logstash/pipeline.so/0005_input_suricata.conf
-/usr/share/logstash/pipeline.so/0006_input_beats.conf
-/usr/share/logstash/pipeline.so/0007_input_import.conf
-/usr/share/logstash/pipeline.dynamic/9999_output_redis.conf
diff --git a/salt/logstash/conf/conf.enabled.txt.parser b/salt/logstash/conf/conf.enabled.txt.parser
deleted file mode 100644
index 6fbf3ba45..000000000
--- a/salt/logstash/conf/conf.enabled.txt.parser
+++ /dev/null
@@ -1,85 +0,0 @@
-# This is where can specify which LogStash configs get loaded.
-#
-# The custom folder on the master gets automatically synced to each logstash
-# node.
-#
-# To enable a custom configuration see the following example and uncomment:
-# /usr/share/logstash/pipeline.custom/1234_input_custom.conf
-##
-# All of the defaults are loaded.
-# Please note that Bro config is commented out because we're moving that parsing to Elasticsearch ingest.
-/usr/share/logstash/pipeline.dynamic/0900_input_redis.conf
-/usr/share/logstash/pipeline.so/1000_preprocess_log_elapsed.conf
-/usr/share/logstash/pipeline.so/1001_preprocess_syslogng.conf
-/usr/share/logstash/pipeline.so/1002_preprocess_json.conf
-#/usr/share/logstash/pipeline.so/1003_preprocess_bro.conf
-/usr/share/logstash/pipeline.so/1004_preprocess_syslog_types.conf
-/usr/share/logstash/pipeline.so/1026_preprocess_dhcp.conf
-/usr/share/logstash/pipeline.so/1029_preprocess_esxi.conf
-/usr/share/logstash/pipeline.so/1030_preprocess_greensql.conf
-/usr/share/logstash/pipeline.so/1031_preprocess_iis.conf
-/usr/share/logstash/pipeline.so/1032_preprocess_mcafee.conf
-/usr/share/logstash/pipeline.so/1033_preprocess_snort.conf
-/usr/share/logstash/pipeline.so/1034_preprocess_syslog.conf
-#/usr/share/logstash/pipeline.so/1100_preprocess_bro_conn.conf
-#/usr/share/logstash/pipeline.so/1101_preprocess_bro_dhcp.conf
-#/usr/share/logstash/pipeline.so/1102_preprocess_bro_dns.conf
-#/usr/share/logstash/pipeline.so/1103_preprocess_bro_dpd.conf
-#/usr/share/logstash/pipeline.so/1104_preprocess_bro_files.conf
-#/usr/share/logstash/pipeline.so/1105_preprocess_bro_ftp.conf
-#/usr/share/logstash/pipeline.so/1106_preprocess_bro_http.conf
-#/usr/share/logstash/pipeline.so/1107_preprocess_bro_irc.conf
-#/usr/share/logstash/pipeline.so/1108_preprocess_bro_kerberos.conf
-#/usr/share/logstash/pipeline.so/1109_preprocess_bro_notice.conf
-#/usr/share/logstash/pipeline.so/1110_preprocess_bro_rdp.conf
-#/usr/share/logstash/pipeline.so/1111_preprocess_bro_signatures.conf
-#/usr/share/logstash/pipeline.so/1112_preprocess_bro_smtp.conf
-#/usr/share/logstash/pipeline.so/1113_preprocess_bro_snmp.conf
-#/usr/share/logstash/pipeline.so/1114_preprocess_bro_software.conf
-#/usr/share/logstash/pipeline.so/1115_preprocess_bro_ssh.conf
-#/usr/share/logstash/pipeline.so/1116_preprocess_bro_ssl.conf
-#/usr/share/logstash/pipeline.so/1117_preprocess_bro_syslog.conf
-#/usr/share/logstash/pipeline.so/1118_preprocess_bro_tunnel.conf
-#/usr/share/logstash/pipeline.so/1119_preprocess_bro_weird.conf
-#/usr/share/logstash/pipeline.so/1121_preprocess_bro_mysql.conf
-#/usr/share/logstash/pipeline.so/1122_preprocess_bro_socks.conf
-#/usr/share/logstash/pipeline.so/1123_preprocess_bro_x509.conf
-#/usr/share/logstash/pipeline.so/1124_preprocess_bro_intel.conf
-#/usr/share/logstash/pipeline.so/1125_preprocess_bro_modbus.conf
-#/usr/share/logstash/pipeline.so/1126_preprocess_bro_sip.conf
-#/usr/share/logstash/pipeline.so/1127_preprocess_bro_radius.conf
-#/usr/share/logstash/pipeline.so/1128_preprocess_bro_pe.conf
-#/usr/share/logstash/pipeline.so/1129_preprocess_bro_rfb.conf
-#/usr/share/logstash/pipeline.so/1130_preprocess_bro_dnp3.conf
-#/usr/share/logstash/pipeline.so/1131_preprocess_bro_smb_files.conf
-#/usr/share/logstash/pipeline.so/1132_preprocess_bro_smb_mapping.conf
-#/usr/share/logstash/pipeline.so/1133_preprocess_bro_ntlm.conf
-#/usr/share/logstash/pipeline.so/1134_preprocess_bro_dce_rpc.conf
-/usr/share/logstash/pipeline.so/1998_test_data.conf
-/usr/share/logstash/pipeline.so/2000_network_flow.conf
-#/usr/share/logstash/pipeline.so/6000_bro.conf
-#/usr/share/logstash/pipeline.so/6001_bro_import.conf
-/usr/share/logstash/pipeline.so/6002_syslog.conf
-/usr/share/logstash/pipeline.so/6101_switch_brocade.conf
-/usr/share/logstash/pipeline.so/6200_firewall_fortinet.conf
-/usr/share/logstash/pipeline.so/6201_firewall_pfsense.conf
-/usr/share/logstash/pipeline.so/6300_windows.conf
-/usr/share/logstash/pipeline.so/6301_dns_windows.conf
-/usr/share/logstash/pipeline.so/6400_suricata.conf
-/usr/share/logstash/pipeline.so/6500_ossec.conf
-/usr/share/logstash/pipeline.so/6501_ossec_sysmon.conf
-/usr/share/logstash/pipeline.so/6502_ossec_autoruns.conf
-#/usr/share/logstash/pipeline.so/8000_postprocess_bro_cleanup.conf
-/usr/share/logstash/pipeline.so/8001_postprocess_common_ip_augmentation.conf
-/usr/share/logstash/pipeline.so/8006_postprocess_dns.conf
-/usr/share/logstash/pipeline.so/8007_postprocess_dns_top1m_tagging.conf
-/usr/share/logstash/pipeline.so/8007_postprocess_http.conf
-/usr/share/logstash/pipeline.so/8008_postprocess_dns_whois_age.conf
-/usr/share/logstash/pipeline.so/8200_postprocess_tagging.conf
-#/usr/share/logstash/pipeline.so/8502_postprocess_freq_analysis_bro_dns.conf
-#/usr/share/logstash/pipeline.so/8503_postprocess_freq_analysis_bro_http.conf
-#/usr/share/logstash/pipeline.so/8504_postprocess_freq_analysis_bro_ssl.conf
-#/usr/share/logstash/pipeline.so/8505_postprocess_freq_analysis_bro_x509.conf
-/usr/share/logstash/pipeline.so/8998_postprocess_log_elapsed.conf
-/usr/share/logstash/pipeline.so/8999_postprocess_rename_type.conf
-/usr/share/logstash/pipeline.dynamic/9999_output_redis.conf
diff --git a/salt/logstash/conf/conf.enabled.txt.search b/salt/logstash/conf/conf.enabled.txt.search
deleted file mode 100644
index dad8af484..000000000
--- a/salt/logstash/conf/conf.enabled.txt.search
+++ /dev/null
@@ -1,107 +0,0 @@
-# This is where can specify which LogStash configs get loaded.
-#
-# The custom folder on the master gets automatically synced to each logstash
-# node.
-#
-# To enable a custom configuration see the following example and uncomment:
-# /usr/share/logstash/pipeline.custom/1234_input_custom.conf
-##
-# All of the defaults are loaded.
-# Please note that Bro config is commented out because we're moving that parsing to Elasticsearch ingest.
-/usr/share/logstash/pipeline.dynamic/0900_input_redis.conf
-/usr/share/logstash/pipeline.so/1000_preprocess_log_elapsed.conf
-/usr/share/logstash/pipeline.so/1001_preprocess_syslogng.conf
-/usr/share/logstash/pipeline.so/1002_preprocess_json.conf
-#/usr/share/logstash/pipeline.so/1003_preprocess_bro.conf
-/usr/share/logstash/pipeline.so/1004_preprocess_syslog_types.conf
-/usr/share/logstash/pipeline.so/1026_preprocess_dhcp.conf
-/usr/share/logstash/pipeline.so/1029_preprocess_esxi.conf
-/usr/share/logstash/pipeline.so/1030_preprocess_greensql.conf
-/usr/share/logstash/pipeline.so/1031_preprocess_iis.conf
-/usr/share/logstash/pipeline.so/1032_preprocess_mcafee.conf
-/usr/share/logstash/pipeline.so/1033_preprocess_snort.conf
-/usr/share/logstash/pipeline.so/1034_preprocess_syslog.conf
-#/usr/share/logstash/pipeline.so/1100_preprocess_bro_conn.conf
-#/usr/share/logstash/pipeline.so/1101_preprocess_bro_dhcp.conf
-#/usr/share/logstash/pipeline.so/1102_preprocess_bro_dns.conf
-#/usr/share/logstash/pipeline.so/1103_preprocess_bro_dpd.conf
-#/usr/share/logstash/pipeline.so/1104_preprocess_bro_files.conf
-#/usr/share/logstash/pipeline.so/1105_preprocess_bro_ftp.conf
-#/usr/share/logstash/pipeline.so/1106_preprocess_bro_http.conf
-#/usr/share/logstash/pipeline.so/1107_preprocess_bro_irc.conf
-#/usr/share/logstash/pipeline.so/1108_preprocess_bro_kerberos.conf
-#/usr/share/logstash/pipeline.so/1109_preprocess_bro_notice.conf
-#/usr/share/logstash/pipeline.so/1110_preprocess_bro_rdp.conf
-#/usr/share/logstash/pipeline.so/1111_preprocess_bro_signatures.conf
-#/usr/share/logstash/pipeline.so/1112_preprocess_bro_smtp.conf
-#/usr/share/logstash/pipeline.so/1113_preprocess_bro_snmp.conf
-#/usr/share/logstash/pipeline.so/1114_preprocess_bro_software.conf
-#/usr/share/logstash/pipeline.so/1115_preprocess_bro_ssh.conf
-#/usr/share/logstash/pipeline.so/1116_preprocess_bro_ssl.conf
-#/usr/share/logstash/pipeline.so/1117_preprocess_bro_syslog.conf
-#/usr/share/logstash/pipeline.so/1118_preprocess_bro_tunnel.conf
-#/usr/share/logstash/pipeline.so/1119_preprocess_bro_weird.conf
-#/usr/share/logstash/pipeline.so/1121_preprocess_bro_mysql.conf
-#/usr/share/logstash/pipeline.so/1122_preprocess_bro_socks.conf
-#/usr/share/logstash/pipeline.so/1123_preprocess_bro_x509.conf
-#/usr/share/logstash/pipeline.so/1124_preprocess_bro_intel.conf
-#/usr/share/logstash/pipeline.so/1125_preprocess_bro_modbus.conf
-#/usr/share/logstash/pipeline.so/1126_preprocess_bro_sip.conf
-#/usr/share/logstash/pipeline.so/1127_preprocess_bro_radius.conf
-#/usr/share/logstash/pipeline.so/1128_preprocess_bro_pe.conf
-#/usr/share/logstash/pipeline.so/1129_preprocess_bro_rfb.conf
-#/usr/share/logstash/pipeline.so/1130_preprocess_bro_dnp3.conf
-#/usr/share/logstash/pipeline.so/1131_preprocess_bro_smb_files.conf
-#/usr/share/logstash/pipeline.so/1132_preprocess_bro_smb_mapping.conf
-#/usr/share/logstash/pipeline.so/1133_preprocess_bro_ntlm.conf
-#/usr/share/logstash/pipeline.so/1134_preprocess_bro_dce_rpc.conf
-/usr/share/logstash/pipeline.so/1998_test_data.conf
-/usr/share/logstash/pipeline.so/2000_network_flow.conf
-#/usr/share/logstash/pipeline.so/6000_bro.conf
-#/usr/share/logstash/pipeline.so/6001_bro_import.conf
-/usr/share/logstash/pipeline.so/6002_syslog.conf
-/usr/share/logstash/pipeline.so/6101_switch_brocade.conf
-/usr/share/logstash/pipeline.so/6200_firewall_fortinet.conf
-/usr/share/logstash/pipeline.so/6201_firewall_pfsense.conf
-/usr/share/logstash/pipeline.so/6300_windows.conf
-/usr/share/logstash/pipeline.so/6301_dns_windows.conf
-/usr/share/logstash/pipeline.so/6400_suricata.conf
-/usr/share/logstash/pipeline.so/6500_ossec.conf
-/usr/share/logstash/pipeline.so/6501_ossec_sysmon.conf
-/usr/share/logstash/pipeline.so/6502_ossec_autoruns.conf
-/usr/share/logstash/pipeline.so/6600_winlogbeat_sysmon.conf
-/usr/share/logstash/pipeline.so/6700_winlogbeat.conf
-#/usr/share/logstash/pipeline.so/8000_postprocess_bro_cleanup.conf
-/usr/share/logstash/pipeline.so/8001_postprocess_common_ip_augmentation.conf
-#/usr/share/logstash/pipeline.so/8006_postprocess_dns.conf
-#/usr/share/logstash/pipeline.so/8007_postprocess_dns_top1m_tagging.conf
-/usr/share/logstash/pipeline.so/8007_postprocess_http.conf
-#/usr/share/logstash/pipeline.so/8008_postprocess_dns_whois_age.conf
-/usr/share/logstash/pipeline.so/8200_postprocess_tagging.conf
-#/usr/share/logstash/pipeline.so/8502_postprocess_freq_analysis_bro_dns.conf
-#/usr/share/logstash/pipeline.so/8503_postprocess_freq_analysis_bro_http.conf
-#/usr/share/logstash/pipeline.so/8504_postprocess_freq_analysis_bro_ssl.conf
-#/usr/share/logstash/pipeline.so/8505_postprocess_freq_analysis_bro_x509.conf
-/usr/share/logstash/pipeline.so/8998_postprocess_log_elapsed.conf
-/usr/share/logstash/pipeline.so/8999_postprocess_rename_type.conf
-/usr/share/logstash/pipeline.dynamic/9000_output_bro.conf
-/usr/share/logstash/pipeline.dynamic/9001_output_switch.conf
-/usr/share/logstash/pipeline.dynamic/9002_output_import.conf
-/usr/share/logstash/pipeline.dynamic/9004_output_flow.conf
-/usr/share/logstash/pipeline.dynamic/9026_output_dhcp.conf
-/usr/share/logstash/pipeline.dynamic/9029_output_esxi.conf
-/usr/share/logstash/pipeline.dynamic/9030_output_greensql.conf
-/usr/share/logstash/pipeline.dynamic/9031_output_iis.conf
-/usr/share/logstash/pipeline.dynamic/9032_output_mcafee.conf
-/usr/share/logstash/pipeline.dynamic/9033_output_snort.conf
-/usr/share/logstash/pipeline.dynamic/9034_output_syslog.conf
-/usr/share/logstash/pipeline.dynamic/9200_output_firewall.conf
-/usr/share/logstash/pipeline.dynamic/9300_output_windows.conf
-/usr/share/logstash/pipeline.dynamic/9301_output_dns_windows.conf
-/usr/share/logstash/pipeline.dynamic/9400_output_suricata.conf
-/usr/share/logstash/pipeline.dynamic/9500_output_beats.conf
-/usr/share/logstash/pipeline.dynamic/9600_output_ossec.conf
-/usr/share/logstash/pipeline.dynamic/9998_output_test_data.conf
-/usr/share/logstash/pipeline.dynamic/7100_osquery_wel.conf
-/usr/share/logstash/pipeline.dynamic/9100_output_osquery.conf
-/usr/share/logstash/pipeline.dynamic/9700_output_strelka.conf
diff --git a/salt/logstash/conf/conf.enabled.txt.so-eval b/salt/logstash/conf/conf.enabled.txt.so-eval
deleted file mode 100644
index 49948728d..000000000
--- a/salt/logstash/conf/conf.enabled.txt.so-eval
+++ /dev/null
@@ -1,114 +0,0 @@
-# This is where can specify which LogStash configs get loaded.
-#
-# The custom folder on the master gets automatically synced to each logstash
-# node.
-#
-# To enable a custom configuration see the following example and uncomment:
-# /usr/share/logstash/pipeline.custom/1234_input_custom.conf
-##
-# All of the defaults are loaded.
-# Please note that Bro config is commented out because we're moving that parsing to Elasticsearch ingest.
-#/usr/share/logstash/pipeline.so/0000_input_syslogng.conf
-#/usr/share/logstash/pipeline.so/0001_input_json.conf
-#/usr/share/logstash/pipeline.so/0002_input_windows_json.conf
-#/usr/share/logstash/pipeline.so/0003_input_syslog.conf
-#/usr/share/logstash/pipeline.so/0005_input_suricata.conf
-#/usr/share/logstash/pipeline.dynamic/0006_input_beats.conf
-/usr/share/logstash/pipeline.so/0007_input_import.conf
-/usr/share/logstash/pipeline.dynamic/0010_input_hhbeats.conf
-#/usr/share/logstash/pipeline.so/1000_preprocess_log_elapsed.conf
-#/usr/share/logstash/pipeline.so/1001_preprocess_syslogng.conf
-#/usr/share/logstash/pipeline.so/1002_preprocess_json.conf
-#/usr/share/logstash/pipeline.so/1003_preprocess_bro.conf
-#/usr/share/logstash/pipeline.so/1004_preprocess_syslog_types.conf
-/usr/share/logstash/pipeline.so/1026_preprocess_dhcp.conf
-#/usr/share/logstash/pipeline.so/1029_preprocess_esxi.conf
-#/usr/share/logstash/pipeline.so/1030_preprocess_greensql.conf
-#/usr/share/logstash/pipeline.so/1031_preprocess_iis.conf
-#/usr/share/logstash/pipeline.so/1032_preprocess_mcafee.conf
-/usr/share/logstash/pipeline.so/1033_preprocess_snort.conf
-#/usr/share/logstash/pipeline.so/1034_preprocess_syslog.conf
-#/usr/share/logstash/pipeline.so/1100_preprocess_bro_conn.conf
-#/usr/share/logstash/pipeline.so/1101_preprocess_bro_dhcp.conf
-#/usr/share/logstash/pipeline.so/1102_preprocess_bro_dns.conf
-#/usr/share/logstash/pipeline.so/1103_preprocess_bro_dpd.conf
-#/usr/share/logstash/pipeline.so/1104_preprocess_bro_files.conf
-#/usr/share/logstash/pipeline.so/1105_preprocess_bro_ftp.conf
-#/usr/share/logstash/pipeline.so/1106_preprocess_bro_http.conf
-#/usr/share/logstash/pipeline.so/1107_preprocess_bro_irc.conf
-#/usr/share/logstash/pipeline.so/1108_preprocess_bro_kerberos.conf
-#/usr/share/logstash/pipeline.so/1109_preprocess_bro_notice.conf
-#/usr/share/logstash/pipeline.so/1110_preprocess_bro_rdp.conf
-#/usr/share/logstash/pipeline.so/1111_preprocess_bro_signatures.conf
-#/usr/share/logstash/pipeline.so/1112_preprocess_bro_smtp.conf
-#/usr/share/logstash/pipeline.so/1113_preprocess_bro_snmp.conf
-#/usr/share/logstash/pipeline.so/1114_preprocess_bro_software.conf
-#/usr/share/logstash/pipeline.so/1115_preprocess_bro_ssh.conf
-#/usr/share/logstash/pipeline.so/1116_preprocess_bro_ssl.conf
-#/usr/share/logstash/pipeline.so/1117_preprocess_bro_syslog.conf
-#/usr/share/logstash/pipeline.so/1118_preprocess_bro_tunnel.conf
-#/usr/share/logstash/pipeline.so/1119_preprocess_bro_weird.conf
-#/usr/share/logstash/pipeline.so/1121_preprocess_bro_mysql.conf
-#/usr/share/logstash/pipeline.so/1122_preprocess_bro_socks.conf
-#/usr/share/logstash/pipeline.so/1123_preprocess_bro_x509.conf
-#/usr/share/logstash/pipeline.so/1124_preprocess_bro_intel.conf
-#/usr/share/logstash/pipeline.so/1125_preprocess_bro_modbus.conf
-#/usr/share/logstash/pipeline.so/1126_preprocess_bro_sip.conf
-#/usr/share/logstash/pipeline.so/1127_preprocess_bro_radius.conf
-#/usr/share/logstash/pipeline.so/1128_preprocess_bro_pe.conf
-#/usr/share/logstash/pipeline.so/1129_preprocess_bro_rfb.conf
-#/usr/share/logstash/pipeline.so/1130_preprocess_bro_dnp3.conf
-#/usr/share/logstash/pipeline.so/1131_preprocess_bro_smb_files.conf
-#/usr/share/logstash/pipeline.so/1132_preprocess_bro_smb_mapping.conf
-#/usr/share/logstash/pipeline.so/1133_preprocess_bro_ntlm.conf
-#/usr/share/logstash/pipeline.so/1134_preprocess_bro_dce_rpc.conf
-#/usr/share/logstash/pipeline.so/1998_test_data.conf
-#/usr/share/logstash/pipeline.so/2000_network_flow.conf
-#/usr/share/logstash/pipeline.so/6000_bro.conf
-#/usr/share/logstash/pipeline.so/6001_bro_import.conf
-#/usr/share/logstash/pipeline.so/6002_syslog.conf
-#/usr/share/logstash/pipeline.so/6101_switch_brocade.conf
-#/usr/share/logstash/pipeline.so/6200_firewall_fortinet.conf
-#/usr/share/logstash/pipeline.so/6201_firewall_pfsense.conf
-#/usr/share/logstash/pipeline.so/6300_windows.conf
-#/usr/share/logstash/pipeline.so/6301_dns_windows.conf
-#/usr/share/logstash/pipeline.so/6400_suricata.conf
-/usr/share/logstash/pipeline.so/6500_ossec.conf
-/usr/share/logstash/pipeline.so/6501_ossec_sysmon.conf
-/usr/share/logstash/pipeline.so/6502_ossec_autoruns.conf
-/usr/share/logstash/pipeline.so/6600_winlogbeat_sysmon.conf
-/usr/share/logstash/pipeline.so/6700_winlogbeat.conf
-#/usr/share/logstash/pipeline.so/8000_postprocess_bro_cleanup.conf
-/usr/share/logstash/pipeline.so/8001_postprocess_common_ip_augmentation.conf
-#/usr/share/logstash/pipeline.so/8006_postprocess_dns.conf
-#/usr/share/logstash/pipeline.so/8007_postprocess_dns_top1m_tagging.conf
-/usr/share/logstash/pipeline.so/8007_postprocess_http.conf
-#/usr/share/logstash/pipeline.so/8008_postprocess_dns_whois_age.conf
-/usr/share/logstash/pipeline.so/8200_postprocess_tagging.conf
-#/usr/share/logstash/pipeline.so/8502_postprocess_freq_analysis_bro_dns.conf
-#/usr/share/logstash/pipeline.so/8503_postprocess_freq_analysis_bro_http.conf
-#/usr/share/logstash/pipeline.so/8504_postprocess_freq_analysis_bro_ssl.conf
-#/usr/share/logstash/pipeline.so/8505_postprocess_freq_analysis_bro_x509.conf
-#/usr/share/logstash/pipeline.so/8998_postprocess_log_elapsed.conf
-/usr/share/logstash/pipeline.so/8999_postprocess_rename_type.conf
-/usr/share/logstash/pipeline.dynamic/9000_output_bro.conf
-#/usr/share/logstash/pipeline.dynamic/9001_output_switch.conf
-/usr/share/logstash/pipeline.dynamic/9002_output_import.conf
-#/usr/share/logstash/pipeline.dynamic/9004_output_flow.conf
-#/usr/share/logstash/pipeline.dynamic/9026_output_dhcp.conf
-#/usr/share/logstash/pipeline.dynamic/9029_output_esxi.conf
-#/usr/share/logstash/pipeline.dynamic/9030_output_greensql.conf
-#/usr/share/logstash/pipeline.dynamic/9031_output_iis.conf
-#/usr/share/logstash/pipeline.dynamic/9032_output_mcafee.conf
-/usr/share/logstash/pipeline.dynamic/9033_output_snort.conf
-#/usr/share/logstash/pipeline.dynamic/9034_output_syslog.conf
-#/usr/share/logstash/pipeline.dynamic/9200_output_firewall.conf
-#/usr/share/logstash/pipeline.dynamic/9300_output_windows.conf
-#/usr/share/logstash/pipeline.dynamic/9301_output_dns_windows.conf
-/usr/share/logstash/pipeline.dynamic/9400_output_suricata.conf
-/usr/share/logstash/pipeline.dynamic/9500_output_beats.conf
-/usr/share/logstash/pipeline.dynamic/9600_output_ossec.conf
-#/usr/share/logstash/pipeline.dynamic/9998_output_test_data.conf
-/usr/share/logstash/pipeline.dynamic/7100_osquery_wel.conf
-/usr/share/logstash/pipeline.dynamic/9100_output_osquery.conf
-/usr/share/logstash/pipeline.dynamic/9700_output_strelka.conf
diff --git a/salt/logstash/conf/conf.enabled.txt.so-eval.old b/salt/logstash/conf/conf.enabled.txt.so-eval.old
deleted file mode 100644
index e5ce9c803..000000000
--- a/salt/logstash/conf/conf.enabled.txt.so-eval.old
+++ /dev/null
@@ -1,109 +0,0 @@
-# This is where can specify which LogStash configs get loaded.
-#
-# The custom folder on the master gets automatically synced to each logstash
-# node.
-#
-# To enable a custom configuration see the following example and uncomment:
-# /usr/share/logstash/pipeline.custom/1234_input_custom.conf
-##
-# All of the defaults are loaded.
-/usr/share/logstash/pipeline.so/0000_input_syslogng.conf
-/usr/share/logstash/pipeline.so/0001_input_json.conf
-/usr/share/logstash/pipeline.so/0002_input_windows_json.conf
-/usr/share/logstash/pipeline.so/0003_input_syslog.conf
-/usr/share/logstash/pipeline.so/0005_input_suricata.conf
-/usr/share/logstash/pipeline.so/0007_input_import.conf
-/usr/share/logstash/pipeline.so/0008_input_eval.conf
-/usr/share/logstash/pipeline.so/1000_preprocess_log_elapsed.conf
-/usr/share/logstash/pipeline.so/1001_preprocess_syslogng.conf
-/usr/share/logstash/pipeline.so/1002_preprocess_json.conf
-/usr/share/logstash/pipeline.so/1003_preprocess_bro.conf
-/usr/share/logstash/pipeline.so/1004_preprocess_syslog_types.conf
-/usr/share/logstash/pipeline.so/1026_preprocess_dhcp.conf
-/usr/share/logstash/pipeline.so/1029_preprocess_esxi.conf
-/usr/share/logstash/pipeline.so/1030_preprocess_greensql.conf
-/usr/share/logstash/pipeline.so/1031_preprocess_iis.conf
-/usr/share/logstash/pipeline.so/1032_preprocess_mcafee.conf
-/usr/share/logstash/pipeline.so/1033_preprocess_snort.conf
-/usr/share/logstash/pipeline.so/1034_preprocess_syslog.conf
-/usr/share/logstash/pipeline.so/1100_preprocess_bro_conn.conf
-/usr/share/logstash/pipeline.so/1101_preprocess_bro_dhcp.conf
-/usr/share/logstash/pipeline.so/1102_preprocess_bro_dns.conf
-/usr/share/logstash/pipeline.so/1103_preprocess_bro_dpd.conf
-/usr/share/logstash/pipeline.so/1104_preprocess_bro_files.conf
-/usr/share/logstash/pipeline.so/1105_preprocess_bro_ftp.conf
-/usr/share/logstash/pipeline.so/1106_preprocess_bro_http.conf
-/usr/share/logstash/pipeline.so/1107_preprocess_bro_irc.conf
-/usr/share/logstash/pipeline.so/1108_preprocess_bro_kerberos.conf
-/usr/share/logstash/pipeline.so/1109_preprocess_bro_notice.conf
-/usr/share/logstash/pipeline.so/1110_preprocess_bro_rdp.conf
-/usr/share/logstash/pipeline.so/1111_preprocess_bro_signatures.conf
-/usr/share/logstash/pipeline.so/1112_preprocess_bro_smtp.conf
-/usr/share/logstash/pipeline.so/1113_preprocess_bro_snmp.conf
-/usr/share/logstash/pipeline.so/1114_preprocess_bro_software.conf
-/usr/share/logstash/pipeline.so/1115_preprocess_bro_ssh.conf
-/usr/share/logstash/pipeline.so/1116_preprocess_bro_ssl.conf
-/usr/share/logstash/pipeline.so/1117_preprocess_bro_syslog.conf
-/usr/share/logstash/pipeline.so/1118_preprocess_bro_tunnel.conf
-/usr/share/logstash/pipeline.so/1119_preprocess_bro_weird.conf
-/usr/share/logstash/pipeline.so/1121_preprocess_bro_mysql.conf
-/usr/share/logstash/pipeline.so/1122_preprocess_bro_socks.conf
-/usr/share/logstash/pipeline.so/1123_preprocess_bro_x509.conf
-/usr/share/logstash/pipeline.so/1124_preprocess_bro_intel.conf
-/usr/share/logstash/pipeline.so/1125_preprocess_bro_modbus.conf
-/usr/share/logstash/pipeline.so/1126_preprocess_bro_sip.conf
-/usr/share/logstash/pipeline.so/1127_preprocess_bro_radius.conf
-/usr/share/logstash/pipeline.so/1128_preprocess_bro_pe.conf
-/usr/share/logstash/pipeline.so/1129_preprocess_bro_rfb.conf
-/usr/share/logstash/pipeline.so/1130_preprocess_bro_dnp3.conf
-/usr/share/logstash/pipeline.so/1131_preprocess_bro_smb_files.conf
-/usr/share/logstash/pipeline.so/1132_preprocess_bro_smb_mapping.conf
-/usr/share/logstash/pipeline.so/1133_preprocess_bro_ntlm.conf
-/usr/share/logstash/pipeline.so/1134_preprocess_bro_dce_rpc.conf
-/usr/share/logstash/pipeline.so/1998_test_data.conf
-/usr/share/logstash/pipeline.so/2000_network_flow.conf
-/usr/share/logstash/pipeline.so/6000_bro.conf
-/usr/share/logstash/pipeline.so/6001_bro_import.conf
-/usr/share/logstash/pipeline.so/6002_syslog.conf
-/usr/share/logstash/pipeline.so/6101_switch_brocade.conf
-/usr/share/logstash/pipeline.so/6200_firewall_fortinet.conf
-/usr/share/logstash/pipeline.so/6201_firewall_pfsense.conf
-/usr/share/logstash/pipeline.so/6300_windows.conf
-/usr/share/logstash/pipeline.so/6301_dns_windows.conf
-/usr/share/logstash/pipeline.so/6400_suricata.conf
-/usr/share/logstash/pipeline.so/6500_ossec.conf
-/usr/share/logstash/pipeline.so/6501_ossec_sysmon.conf
-/usr/share/logstash/pipeline.so/6502_ossec_autoruns.conf
-/usr/share/logstash/pipeline.so/6600_winlogbeat_sysmon.conf
-/usr/share/logstash/pipeline.so/6700_winlogbeat.conf
-/usr/share/logstash/pipeline.so/8000_postprocess_bro_cleanup.conf
-/usr/share/logstash/pipeline.so/8001_postprocess_common_ip_augmentation.conf
-#/usr/share/logstash/pipeline.so/8006_postprocess_dns.conf
-#/usr/share/logstash/pipeline.so/8007_postprocess_dns_top1m_tagging.conf
-/usr/share/logstash/pipeline.so/8007_postprocess_http.conf
-#/usr/share/logstash/pipeline.so/8008_postprocess_dns_whois_age.conf
-/usr/share/logstash/pipeline.so/8200_postprocess_tagging.conf
-#/usr/share/logstash/pipeline.so/8502_postprocess_freq_analysis_bro_dns.conf
-#/usr/share/logstash/pipeline.so/8503_postprocess_freq_analysis_bro_http.conf
-#/usr/share/logstash/pipeline.so/8504_postprocess_freq_analysis_bro_ssl.conf
-#/usr/share/logstash/pipeline.so/8505_postprocess_freq_analysis_bro_x509.conf
-/usr/share/logstash/pipeline.so/8998_postprocess_log_elapsed.conf
-/usr/share/logstash/pipeline.so/8999_postprocess_rename_type.conf
-/usr/share/logstash/pipeline.dynamic/9000_output_bro.conf
-/usr/share/logstash/pipeline.dynamic/9001_output_switch.conf
-/usr/share/logstash/pipeline.dynamic/9002_output_import.conf
-/usr/share/logstash/pipeline.dynamic/9004_output_flow.conf
-/usr/share/logstash/pipeline.dynamic/9026_output_dhcp.conf
-/usr/share/logstash/pipeline.dynamic/9029_output_esxi.conf
-/usr/share/logstash/pipeline.dynamic/9030_output_greensql.conf
-/usr/share/logstash/pipeline.dynamic/9031_output_iis.conf
-/usr/share/logstash/pipeline.dynamic/9032_output_mcafee.conf
-/usr/share/logstash/pipeline.dynamic/9033_output_snort.conf
-/usr/share/logstash/pipeline.dynamic/9034_output_syslog.conf
-/usr/share/logstash/pipeline.dynamic/9200_output_firewall.conf
-/usr/share/logstash/pipeline.dynamic/9300_output_windows.conf
-/usr/share/logstash/pipeline.dynamic/9301_output_dns_windows.conf
-/usr/share/logstash/pipeline.dynamic/9400_output_suricata.conf
-/usr/share/logstash/pipeline.dynamic/9500_output_beats.conf
-/usr/share/logstash/pipeline.dynamic/9600_output_ossec.conf
-/usr/share/logstash/pipeline.dynamic/9998_output_test_data.conf
diff --git a/salt/logstash/conf/conf.enabled.txt.so-helix b/salt/logstash/conf/conf.enabled.txt.so-helix
deleted file mode 100644
index ec07b5a90..000000000
--- a/salt/logstash/conf/conf.enabled.txt.so-helix
+++ /dev/null
@@ -1,47 +0,0 @@
-# This is where can specify which LogStash configs get loaded.
-#
-# The custom folder on the master gets automatically synced to each logstash
-# node.
-#
-# To enable a custom configuration see the following example and uncomment:
-# /usr/share/logstash/pipeline.custom/1234_input_custom.conf
-##
-# All of the defaults are loaded.
-/usr/share/logstash/pipeline.dynamic/0010_input_hhbeats.conf
-/usr/share/logstash/pipeline.so/1033_preprocess_snort.conf
-/usr/share/logstash/pipeline.so/1100_preprocess_bro_conn.conf
-/usr/share/logstash/pipeline.so/1101_preprocess_bro_dhcp.conf
-/usr/share/logstash/pipeline.so/1102_preprocess_bro_dns.conf
-/usr/share/logstash/pipeline.so/1103_preprocess_bro_dpd.conf
-/usr/share/logstash/pipeline.so/1104_preprocess_bro_files.conf
-/usr/share/logstash/pipeline.so/1105_preprocess_bro_ftp.conf
-/usr/share/logstash/pipeline.so/1106_preprocess_bro_http.conf
-/usr/share/logstash/pipeline.so/1107_preprocess_bro_irc.conf
-/usr/share/logstash/pipeline.so/1108_preprocess_bro_kerberos.conf
-/usr/share/logstash/pipeline.so/1109_preprocess_bro_notice.conf
-/usr/share/logstash/pipeline.so/1110_preprocess_bro_rdp.conf
-/usr/share/logstash/pipeline.so/1111_preprocess_bro_signatures.conf
-/usr/share/logstash/pipeline.so/1112_preprocess_bro_smtp.conf
-/usr/share/logstash/pipeline.so/1113_preprocess_bro_snmp.conf
-/usr/share/logstash/pipeline.so/1114_preprocess_bro_software.conf
-/usr/share/logstash/pipeline.so/1115_preprocess_bro_ssh.conf
-/usr/share/logstash/pipeline.so/1116_preprocess_bro_ssl.conf
-/usr/share/logstash/pipeline.so/1117_preprocess_bro_syslog.conf
-/usr/share/logstash/pipeline.so/1118_preprocess_bro_tunnel.conf
-/usr/share/logstash/pipeline.so/1119_preprocess_bro_weird.conf
-/usr/share/logstash/pipeline.so/1121_preprocess_bro_mysql.conf
-/usr/share/logstash/pipeline.so/1122_preprocess_bro_socks.conf
-/usr/share/logstash/pipeline.so/1123_preprocess_bro_x509.conf
-/usr/share/logstash/pipeline.so/1124_preprocess_bro_intel.conf
-/usr/share/logstash/pipeline.so/1125_preprocess_bro_modbus.conf
-/usr/share/logstash/pipeline.so/1126_preprocess_bro_sip.conf
-/usr/share/logstash/pipeline.so/1127_preprocess_bro_radius.conf
-/usr/share/logstash/pipeline.so/1128_preprocess_bro_pe.conf
-/usr/share/logstash/pipeline.so/1129_preprocess_bro_rfb.conf
-/usr/share/logstash/pipeline.so/1130_preprocess_bro_dnp3.conf
-/usr/share/logstash/pipeline.so/1131_preprocess_bro_smb_files.conf
-/usr/share/logstash/pipeline.so/1132_preprocess_bro_smb_mapping.conf
-/usr/share/logstash/pipeline.so/1133_preprocess_bro_ntlm.conf
-/usr/share/logstash/pipeline.so/1134_preprocess_bro_dce_rpc.conf
-/usr/share/logstash/pipeline.so/8001_postprocess_common_ip_augmentation.conf
-/usr/share/logstash/pipeline.dynamic/9997_output_helix.conf
diff --git a/salt/logstash/conf/conf.enabled.txt.so-master b/salt/logstash/conf/conf.enabled.txt.so-master
deleted file mode 100644
index 6464496fa..000000000
--- a/salt/logstash/conf/conf.enabled.txt.so-master
+++ /dev/null
@@ -1,18 +0,0 @@
-# This is where can specify which LogStash configs get loaded.
-#
-# The custom folder on the master gets automatically synced to each logstash
-# node.
-#
-# To enable a custom configuration see the following example and uncomment:
-# /usr/share/logstash/pipeline.custom/1234_input_custom.conf
-##
-# All of the defaults are loaded.
-/usr/share/logstash/pipeline.so/0000_input_syslogng.conf
-/usr/share/logstash/pipeline.so/0001_input_json.conf
-/usr/share/logstash/pipeline.so/0002_input_windows_json.conf
-/usr/share/logstash/pipeline.so/0003_input_syslog.conf
-/usr/share/logstash/pipeline.so/0005_input_suricata.conf
-#/usr/share/logstash/pipeline.dynamic/0006_input_beats.conf
-/usr/share/logstash/pipeline.dynamic/0010_input_hhbeats.conf
-/usr/share/logstash/pipeline.so/0007_input_import.conf
-/usr/share/logstash/pipeline.dynamic/9999_output_redis.conf
diff --git a/salt/logstash/conf/conf.enabled.txt.so-mastersearch b/salt/logstash/conf/conf.enabled.txt.so-mastersearch
deleted file mode 100644
index 6464496fa..000000000
--- a/salt/logstash/conf/conf.enabled.txt.so-mastersearch
+++ /dev/null
@@ -1,18 +0,0 @@
-# This is where can specify which LogStash configs get loaded.
-#
-# The custom folder on the master gets automatically synced to each logstash
-# node.
-#
-# To enable a custom configuration see the following example and uncomment:
-# /usr/share/logstash/pipeline.custom/1234_input_custom.conf
-##
-# All of the defaults are loaded.
-/usr/share/logstash/pipeline.so/0000_input_syslogng.conf
-/usr/share/logstash/pipeline.so/0001_input_json.conf
-/usr/share/logstash/pipeline.so/0002_input_windows_json.conf
-/usr/share/logstash/pipeline.so/0003_input_syslog.conf
-/usr/share/logstash/pipeline.so/0005_input_suricata.conf
-#/usr/share/logstash/pipeline.dynamic/0006_input_beats.conf
-/usr/share/logstash/pipeline.dynamic/0010_input_hhbeats.conf
-/usr/share/logstash/pipeline.so/0007_input_import.conf
-/usr/share/logstash/pipeline.dynamic/9999_output_redis.conf
diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls
index 77a1e3ff4..a987e03ab 100644
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
@@ -54,7 +54,7 @@
 
 {% endif %}
 
-{% set pipelines = salt['pillar.get']('logstash:pipelines', {}) %}
+{% set PIPELINES = salt['pillar.get']('logstash:pipelines', {}) %}
 
 # Create the logstash group
 logstashgroup:
@@ -105,43 +105,25 @@ lscusttemplatedir:
     - group: 939
     - makedirs: True
 
-{% for pl in pipelines %}
-
-ls_pipeline_{{pl}}:
-  file.recurse:
-    - name: /opt/so/conf/logstash/pipelines/{{pl}}
-    - source: salt://logstash/conf/pipelines/{{pl}}
+{% for PL in PIPELINES %}
+ls_pipeline_{{PL}}:
+  file.directory:
+    - name: /opt/so/conf/logstash/pipelines/{{PL}}
     - user: 931
     - group: 939
-    - maxdepth: 0
 
-ls_pipeline_{{pl}}_jinja:
-  file.recurse:
-    - name: /opt/so/conf/logstash/pipelines/{{pl}}
-    - source: salt://logstash/conf/pipelines/{{pl}}/templates
-    - user: 931
-    - group: 939
-    - template: jinja
-
-{% endfor %}
-
-lspipelinesyml:
+  {% for CONFIGFILE in PIPELINES.PL.config %}
+ls_pipeline_{{PL}}_{{CONFIGFILE.split('.')[0]}}:
   file.managed:
-    - name: /opt/so/conf/logstash/etc/pipelines.yml
-    - source: salt://logstash/etc/pipelines.yml.jinja
-    - template: jinja
-    - defaults:
-        pipelines: {{ pipelines }}
-
-# Copy down all the configs including custom - TODO add watch restart
-lsetcsync:
-  file.recurse:
-    - name: /opt/so/conf/logstash/etc
-    - source: salt://logstash/etc
+    - name: /opt/so/conf/logstash/pipelines/{{PL}}/{{CONFIGFILE}}
+    - source: salt://logstash/pipelines/config/{{CONFIGFILE}}
     - user: 931
     - group: 939
+    {% if 'jinja' in CONFIGFILE.split('.')[-1] %}
     - template: jinja
-    - exclude_pat: pipelines*
+    {% endif %}
+  {% endfor %}
+{% endfor %}
 
 lssync:
   file.recurse:
@@ -158,29 +140,6 @@ lscustsync:
     - user: 931
     - group: 939
 
-# Copy the config file for enabled logstash plugins/parsers
-lsconfsync:
-  file.managed:
-    - name: /opt/so/conf/logstash/conf.enabled.txt
-{% if grains.role == 'so-mastersearch' or grains.role == 'so-heavynode' %}
-    - source: salt://logstash/conf/conf.enabled.txt.so-master
-{% else %}
-    - source: salt://logstash/conf/conf.enabled.txt.{{ nodetype }}
-{% endif %}
-    - user: 931
-    - group: 939
-    - template: jinja
-
-{% if grains.role == 'so-mastersearch' %}
-lssearchsync:
-  file.managed:
-    - name: /opt/so/conf/logstash/conf.enabled.txt.search
-    - source: salt://logstash/conf/conf.enabled.txt.search
-    - user: 931
-    - group: 939
-    - template: jinja
-{% endif %}
-
 # Create the import directory
 importdir:
   file.directory:
@@ -249,7 +208,6 @@ so-logstash:
       {%- endif %}
     - watch:
       - file: /opt/so/conf/logstash/etc
-      - file: /opt/so/conf/logstash/conf.enabled.txt
       - file: /opt/so/conf/logstash/custom
       #- file: /opt/so/conf/logstash/rulesets
       - file: /opt/so/conf/logstash/dynamic
diff --git a/salt/logstash/pipelines/config/0800_input_eval.conf b/salt/logstash/pipelines/config/0800_input_eval.conf
new file mode 100644
index 000000000..b499c3b0f
--- /dev/null
+++ b/salt/logstash/pipelines/config/0800_input_eval.conf
@@ -0,0 +1,204 @@
+# Updated by: Mike Reeves
+# Last Update: 11/1/2018
+
+input {
+  file {
+	  path => "/suricata/eve.json"
+		type => "ids"
+                add_field => { "engine" => "suricata" }
+	}
+	file {
+		path => "/nsm/zeek/logs/current/conn*.log"
+		type => "bro_conn"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/dce_rpc*.log"
+		type => "bro_dce_rpc"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/dhcp*.log"
+		type => "bro_dhcp"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/dnp3*.log"
+		type => "bro_dnp3"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/dns*.log"
+		type => "bro_dns"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/dpd*.log"
+		type => "bro_dpd"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/files*.log"
+		type => "bro_files"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/ftp*.log"
+		type => "bro_ftp"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/http*.log"
+		type => "bro_http"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/intel*.log"
+		type => "bro_intel"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/irc*.log"
+		type => "bro_irc"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/kerberos*.log"
+		type => "bro_kerberos"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/modbus*.log"
+		type => "bro_modbus"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/mysql*.log"
+		type => "bro_mysql"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/notice*.log"
+		type => "bro_notice"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/ntlm*.log"
+		type => "bro_ntlm"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/pe*.log"
+		type => "bro_pe"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/radius*.log"
+		type => "bro_radius"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/rdp*.log"
+		type => "bro_rdp"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/rfb*.log"
+		type => "bro_rfb"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/signatures*.log"
+		type => "bro_signatures"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/sip*.log"
+		type => "bro_sip"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/smb_files*.log"
+		type => "bro_smb_files"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/smb_mapping*.log"
+		type => "bro_smb_mapping"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/smtp*.log"
+		type => "bro_smtp"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/snmp*.log"
+		type => "bro_snmp"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/socks*.log"
+		type => "bro_socks"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/software*.log"
+		type => "bro_software"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/ssh*.log"
+		type => "bro_ssh"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/ssl*.log"
+		type => "bro_ssl"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/syslog*.log"
+		type => "bro_syslog"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/tunnel*.log"
+		type => "bro_tunnels"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/weird*.log"
+		type => "bro_weird"
+	    	tags => ["bro"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/x509*.log"
+		type => "bro_x509"
+	    	tags => ["bro"]
+	}
+  file {
+    path => "/wazuh/alerts/alerts.json"
+    type => "ossec"
+  }
+  file {
+    path => "/wazuh/archives/archives.json"
+    type => "ossec_archive"
+  }
+  file {
+    path => "/osquery/logs/result.log"
+    type => "osquery"
+    tags => ["osquery"]
+  }
+  file {
+    path => "/strelka/strelka.log"
+    type => "strelka"
+  }
+}
+filter {
+  if "import" in [tags] {
+	mutate {
+	  #add_tag => [ "conf_file_0007"]
+	}
+  }
+}
diff --git a/salt/logstash/pipelines/config/1000_preprocess_log_elapsed.conf b/salt/logstash/pipelines/config/1000_preprocess_log_elapsed.conf
new file mode 100644
index 000000000..d098eb11a
--- /dev/null
+++ b/salt/logstash/pipelines/config/1000_preprocess_log_elapsed.conf
@@ -0,0 +1,13 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  ruby {
+    code => "event.set('task_start', Time.now.to_f)"
+  }
+  mutate {
+    #add_tag => [ "conf_file_1000"]
+  }
+}
diff --git a/salt/logstash/pipelines/config/1001_preprocess_syslogng.conf b/salt/logstash/pipelines/config/1001_preprocess_syslogng.conf
new file mode 100644
index 000000000..84bce8802
--- /dev/null
+++ b/salt/logstash/pipelines/config/1001_preprocess_syslogng.conf
@@ -0,0 +1,33 @@
+# Updated by: Doug Burks and Wes Lambert
+# Last Update: 10/30/2018
+
+filter {
+  if "syslogng" in [tags] {
+	mutate {
+		rename => { "MESSAGE" => "message" }
+		rename => { "PROGRAM" => "type" }
+		rename => { "FACILITY" => "syslog-facility" }
+		rename => { "FILE_NAME" => "syslog-file_name" }
+		rename => { "HOST" => "syslog-host" }
+		rename => { "HOST_FROM" => "syslog-host_from" }
+		rename => { "LEGACY_MSGHDR" => "syslog-legacy_msghdr" }
+		rename => { "PID" => "syslog-pid" }
+		rename => { "PRIORITY" => "syslog-priority" }
+		rename => { "SOURCEIP" => "syslog-sourceip" }
+		rename => { "TAGS" => "syslog-tags" }
+		lowercase => [ "syslog-host_from" ]
+		remove_field => [ "ISODATE" ]
+		remove_field => [ "SEQNUM" ]
+          	#add_tag => [ "conf_file_1001"]
+	}
+	if "bro_" in [type] {
+		mutate {
+			add_tag => [ "bro" ]
+		}
+	} else if [type] !~ /ossec.*|snort/ and "firewall" not in [tags] {
+		mutate {
+			add_tag => [ "syslog" ]
+		}
+	}
+  }
+}
diff --git a/salt/logstash/pipelines/config/1002_preprocess_json.conf b/salt/logstash/pipelines/config/1002_preprocess_json.conf
new file mode 100644
index 000000000..ea7c677da
--- /dev/null
+++ b/salt/logstash/pipelines/config/1002_preprocess_json.conf
@@ -0,0 +1,18 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if "json" in [tags]{
+    json {
+      source => "message"
+    }
+    mutate {
+      remove_tag => [ "json" ]
+    }
+	mutate {
+		#add_tag => [ "conf_file_1002"]
+	}
+  }
+}
diff --git a/salt/logstash/pipelines/config/1004_preprocess_syslog_types.conf b/salt/logstash/pipelines/config/1004_preprocess_syslog_types.conf
new file mode 100644
index 000000000..243abcc15
--- /dev/null
+++ b/salt/logstash/pipelines/config/1004_preprocess_syslog_types.conf
@@ -0,0 +1,19 @@
+filter {
+  if "syslog" in [tags] {
+    if [host] == "172.16.1.1" {
+      mutate {
+        add_field => { "type" => "fortinet" }
+        add_tag => [ "firewall" ]
+      }
+    }
+    if [host] == "10.0.0.101" {
+      mutate {
+        add_field => { "type" => "brocade" }
+        add_tag => [ "switch" ]
+      }
+    }
+	mutate {
+		#add_tag => [ "conf_file_1004"]
+	}
+  }
+}
diff --git a/salt/logstash/pipelines/config/1026_preprocess_dhcp.conf b/salt/logstash/pipelines/config/1026_preprocess_dhcp.conf
new file mode 100644
index 000000000..2f893cf7a
--- /dev/null
+++ b/salt/logstash/pipelines/config/1026_preprocess_dhcp.conf
@@ -0,0 +1,140 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolutions.com
+# Last Update: 12/9/2016
+# This conf file is based on accepting logs for DHCP.  It is currently based on Windows DHCP only.
+filter {
+  if [type] == "dhcp" {
+    mutate {
+      add_field => { "Hostname" => "%{host}" }
+    }
+    mutate {
+      strip => "message"
+    }
+	  # This is the initial parsing of the log
+      grok {
+        # Server 2008+
+        match => { "message" => "%{DATA:id},%{DATE_US:date},(?<time>%{HOUR}:%{MINUTE}:%{SECOND}),%{DATA:description},%{IPV4:ip},%{DATA:Hostname},%{DATA:mac},%{DATA:Username},%{INT:TransactionID},%{INT:QResult},%{DATA:ProbationTime},%{DATA:CorrelationID}"}
+        # Server 2003
+        match => { "message" => "%{DATA:id},%{DATE_US:date},(?<time>%{HOUR}:%{MINUTE}:%{SECOND}),%{DATA:description},%{IPV4:ip},%{DATA:Hostname},%{DATA:mac},"}
+        match => { "message" => "%{DATA:id},%{DATA:date},(?<time>%{HOUR}:%{MINUTE}:%{SECOND}),%{DATA:description},%{DATA:ip},%{DATA:Hostname},%{DATA:mac},"}
+      }
+	  # This section below translates the message ID into something humans can understand.
+      if [id] == "00" {
+        mutate {
+          add_field => [ "event", "The log was started"]
+        }
+      }
+      if [id] == "01" {
+        mutate {
+          add_field => [ "event", "The log was stopped"]
+        }
+      }
+      if [id] == "02" {
+        mutate {
+          add_field => [ "event", "The log was temporarily paused due to low disk space"]
+        }
+      }
+      if [id] == "10" {
+        mutate {
+          add_field => [ "event", "A new IP address was leased to a client"]
+        }
+      }
+      if [id] == "11" {
+        mutate {
+          add_field => [ "event", "A lease was renewed by a client"]
+        }
+      }
+      if [id] == "12" {
+        mutate {
+          add_field => [ "event", "A lease was released by a client"]
+        }
+      }
+      if [id] == "13" {
+        mutate {
+          add_field => [ "event", "An IP address was found to be in use on the network"]
+        }
+      }
+      if [id] == "14" {
+        mutate {
+          add_field => [ "event", "A lease request could not be satisfied because the scope's address pool was exhausted"]
+        }
+      }
+      if [id] == "15" {
+        mutate {
+          add_field => [ "event", "A lease was denied"]
+        }
+      }
+      if [id] == "16" {
+        mutate {
+          add_field => [ "event", "A lease was deleted"]
+        }
+      }
+      if [id] == "17" {
+        mutate {
+          add_field => [ "event", "A lease was expired and DNS records for an expired leases have not been deleted"]
+        }
+      }
+      if [id] == "18" {
+        mutate {
+          add_field => [ "event", "A lease was expired and DNS records were deleted"]
+        }
+      }
+      if [id] == "20" {
+        mutate {
+          add_field => [ "event", "A BOOTP address was leased to a client"]
+        }
+      }
+      if [id] == "21" {
+        mutate {
+          add_field => [ "event", "A dynamic BOOTP address was leased to a client"]
+        }
+      }
+      if [id] == "22" {
+        mutate {
+          add_field => [ "event", "A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted"]
+        }
+      }
+      if [id] == "23" {
+        mutate {
+          add_field => [ "event", "A BOOTP IP address was deleted after checking to see it was not in use"]
+        }
+      }
+      if [id] == "24" {
+        mutate {
+          add_field => [ "event", "IP address cleanup operation has began"]
+        }
+      }
+      if [id] == "25" {
+        mutate {
+          add_field => [ "event", "IP address cleanup statistics"]
+        }
+      }
+      if [id] == "30" {
+        mutate {
+          add_field => [ "event", "DNS update request to the named DNS server"]
+        }
+      }
+      if [id] == "31" {
+        mutate {
+          add_field => [ "event", "DNS update failed"]
+        }
+      }
+      if [id] == "32" {
+        mutate {
+          add_field => [ "event", "DNS update successful"]
+        }
+      }
+      if [id] == "33" {
+        mutate {
+          add_field => [ "event", "Packet dropped due to NAP policy"]
+        }
+      }
+	  # If the message failed to parse correctly keep the message for debugging.  Otherwise, drop it.
+      #if "_grokparsefailure" not in [tags] { 
+      #  mutate {
+      #    remove_field => [ "message"]
+      #  }
+      #}
+  }
+}
diff --git a/salt/logstash/pipelines/config/1029_preprocess_esxi.conf b/salt/logstash/pipelines/config/1029_preprocess_esxi.conf
new file mode 100644
index 000000000..18120d00d
--- /dev/null
+++ b/salt/logstash/pipelines/config/1029_preprocess_esxi.conf
@@ -0,0 +1,31 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+#
+# This configuration file takes ESXi syslog messages and filters them.  There is no input as the logs would have came in via syslog
+filter {
+  # This is an example of using an IP address range to classify a syslog message to a specific type of log
+  # This is helpful as so many devices only send logs via syslog
+  if [host] =~ "10\.[0-1]\.9\." {
+    mutate {
+      replace => ["type", "esxi"]
+    }
+  }
+  if [host] =~ "\.234$" {
+    mutate {
+      replace => ["type", "esxi"]
+    }
+  }
+  if [type] == "esxi" {
+     grok {
+          match => { "message" => "(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGHOST:logsource}) (?:%{SYSLOGPROG}): (?<messagebody>(?:\[(?<esxi_thread_id>[0-9A-Z]{8,8}) %{DATA:esxi_loglevel} \'%{DATA:esxi_service}\'\] %{GREEDYDATA:esxi_message}|%{GREEDYDATA}))"}
+
+#      pattern => ['(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGHOST:logsource}) (?:%{SYSLOGPROG}): (?<messagebody>(?:\[(?<esxi_thread_id>[0-9A-Z]{8,8}) %{DATA:esxi_loglevel} \'%{DATA:esxi_service}\'\] %{GREEDYDATA:esxi_message}|%{GREEDYDATA}))']
+    }
+	mutate {
+		#add_tag => [ "conf_file_1029"]
+	}
+  }
+}
+
diff --git a/salt/logstash/pipelines/config/1030_preprocess_greensql.conf b/salt/logstash/pipelines/config/1030_preprocess_greensql.conf
new file mode 100644
index 000000000..adea86053
--- /dev/null
+++ b/salt/logstash/pipelines/config/1030_preprocess_greensql.conf
@@ -0,0 +1,21 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [type] == "greensql" {
+    # This section is parsing out the fields for GreenSQL syslog data
+    grok {
+      match => { "message" => "<%{INT:Code}>%{DATA:Category}\[%{INT:Transcation}\]:\s*Database=%{DATA:Database}\sUser=%{DATA:UserName}\sApplication Name=%{DATA:Application}\sSource IP=%{IPV4:SrcIp}\sSource Port=%{INT:SrcPort}\sTarget IP=?%{IPV4:DstIp}\sTarget Port=%{DATA:DstPort}\sQuery=%{GREEDYDATA:Query}"}
+      match => { "message" => "<%{INT:Code}>%{DATA:Category}\[%{INT:Transcation}\]:\sAdmin_Name=%{DATA:UserName}\sIP_Address=%{IPV4:SrcIp}\sUser_Agent=%{DATA:UserAgent}\sMessage=%{DATA:StatusMessage}\sDescription=%{DATA:Description}\sSeverity=%{GREEDYDATA:Severity}"}
+    }
+	# Remove the message field as it is unnecessary
+    #mutate {
+    #  remove_field => [ "message"]
+    #}
+	mutate {
+		#add_tag => [ "conf_file_1030"]
+	}
+  }
+}
diff --git a/salt/logstash/pipelines/config/1031_preprocess_iis.conf b/salt/logstash/pipelines/config/1031_preprocess_iis.conf
new file mode 100644
index 000000000..9bcd33a3e
--- /dev/null
+++ b/salt/logstash/pipelines/config/1031_preprocess_iis.conf
@@ -0,0 +1,21 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [type] == "iis" {
+    # The log is expected to have come from NXLog and in JSON format.  This allows for automatic parsing of fields
+    json {
+      source => "message"
+    }
+    # This removes the message field as it is unneccesary and tags the packet as web
+    mutate {
+    #  remove_field => [ "message"]
+      add_tag => [ "web" ]
+    }
+	mutate {
+		#add_tag => [ "conf_file_1031"]
+	}
+  }
+}
diff --git a/salt/logstash/pipelines/config/1032_preprocess_mcafee.conf b/salt/logstash/pipelines/config/1032_preprocess_mcafee.conf
new file mode 100644
index 000000000..de5466288
--- /dev/null
+++ b/salt/logstash/pipelines/config/1032_preprocess_mcafee.conf
@@ -0,0 +1,26 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+#
+# This file looks for McAfee EPO logs
+filter {
+  if [type] == "mcafee" {
+    # NXLog should be sending the logs in JSON format so they auto parse
+    json {
+      source => "message"
+    }
+	# This section converts the UTC fields to the proper time format
+    date {
+      match => [ "ReceivedUTC", "YYYY-MM-dd HH:mm:ss" ]
+      target => [ "ReceivedUTC" ]
+    }
+    date {
+      match => [ "DetectedUTC", "YYYY-MM-dd HH:mm:ss" ]
+      target => [ "DetectedUTC" ]
+    }
+	mutate {
+		#add_tag => [ "conf_file_1032"]
+	}
+  }
+}
diff --git a/salt/logstash/pipelines/config/1033_preprocess_snort.conf b/salt/logstash/pipelines/config/1033_preprocess_snort.conf
new file mode 100644
index 000000000..897a8ae4b
--- /dev/null
+++ b/salt/logstash/pipelines/config/1033_preprocess_snort.conf
@@ -0,0 +1,181 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 3/15/2018
+
+filter {
+  if [type] == "ids" {
+    # This is the initial parsing of the log
+    if [engine] == "suricata" {
+        json {
+            source => "message"
+        }
+        mutate {
+	    rename => { "alert" => "orig_alert" } 
+            rename => { "[orig_alert][gid]" => "gid" }
+            rename => { "[orig_alert][signature_id]" => "sid" }
+            rename => { "[orig_alert][rev]" => "rev" }
+            rename => { "[orig_alert][signature]" => "alert" }
+            rename => { "[orig_alert][category]" => "classification" }
+            rename => { "[orig_alert][severity]" => "priority" }
+	    rename => { "[orig_alert][rule]" => "rule_signature" }
+            rename => { "app_proto" => "application_protocol" }
+            rename => { "dest_ip" => "destination_ip" }
+            rename => { "dest_port" => "destination_port" }
+            rename => { "in_iface" => "interface" }
+            rename => { "proto" => "protocol" }
+            rename => { "src_ip" => "source_ip" }
+            rename => { "src_port" => "source_port" }
+	    #rename => { "[fileinfo][filename]" => "filename" }
+            #rename => { "[fileinfo][gaps]" => "gaps" }
+            #rename => { "[fileinfo][size]" => "size" }
+            #rename => { "[fileinfo][state]" => "state" }
+            #rename => { "[fileinfo][stored]" => "stored" }
+            #rename => { "[fileinfo][tx_id]" => "tx_id" }
+            #rename => { "[flow][age]" => "duration" }
+            #rename => { "[flow][alerted]" => "flow_alerted" }
+            #rename => { "[flow][bytes_toclient]" => "bytes_to_client" }
+            #rename => { "[flow][bytes_toserver]" => "bytes_to_server" }
+            #rename => { "[flow][end]" => "flow_end" }
+            #rename => { "[flow][pkts_toclient]" => "packets_to_client" }
+            #rename => { "[flow][pkts_toserver]" => "packets_to_server" }
+            #rename => { "[flow][reason]" => "reason" }
+            #rename => { "[flow][start]" => "flow_start" }
+            #rename => { "[flow][state]" => "state" }
+            #rename => { "[netflow][age]" => "duration" }
+            #rename => { "[netflow][bytes]" => "bytes" }
+            #rename => { "[netflow][end]" => "netflow_end" }
+            #rename => { "[netflow][start]" => "netflow_start" }
+            #rename => { "[netflow][pkts]" => "packets" }
+            rename => { "[alert][action]" => "action" }
+            rename => { "[alert][category]" => "category" }
+            rename => { "[alert][gid]" => "gid" }
+            rename => { "[alert][rev]" => "rev" }
+            rename => { "[alert][severity]" => "severity" }
+            rename => { "[alert][signature]" => "signature" }
+            rename => { "[alert][signature_id]" => "sid" }
+	    #rename => { "[dns][aa]" => "aa" }
+            #rename => { "[dns][flags]" => "flags" }
+	    #rename => { "[dns][id]" => "id" }
+	    #rename => { "[dns][qr]" => "qr" }
+            #rename => { "[dns][rcode]" => "rcode_name" }
+	    #rename => { "[dns][rrname]" => "rrname" }
+	    #rename => { "[dns][rrtype]" => "rrtype" }
+            #rename => { "[dns][tx_id]" => "tx_id" }
+	    #rename => { "[dns][type]" => "record_type" }
+	    #rename => { "[dns][version]" => "version" }
+            rename => { "[http][hostname]" => "virtual_host" }
+            rename => { "[http][http_content_type]" => "content_type" }
+            rename => { "[http][http_port]" => "http_port" }
+            rename => { "[http][http_method]" => "method" }
+	    rename => { "[http][http_user_agent]" => "useragent" }
+            #rename => { "[http][length]" => "payload_length" }
+            #rename => { "[http][protocol]" => "http_version" }
+            rename => { "[http][status]" => "status_message" }
+            rename => { "[http][url]" => "url" }
+            #rename => { "[metadata][flowbits]" => "flowbits" }
+            rename => { "[tls][fingerprint]" => "certificate_serial_number" }
+            rename => { "[tls][issuerdn]" => "issuer_distinguished_name" }
+            rename => { "[tls][notafter]" => "certificate_not_valid_after" }
+            rename => { "[tls][notbefore]" => "certificate_not_valid_before" }
+            rename => { "[tls][subject]" => "certificate_common_name" }
+            rename => { "[tls][version]" => "tls_version" }
+	    rename => { "event_type" => "ids_event_type" }
+	    remove_field => [ "offset", "orig_alert", "beat", "input", "prospector" ]
+	    remove_tag => [ "beats_input_codec_plain_applied" ]
+	    add_tag => [ "eve" ]
+             
+	}
+    } else {
+        grok {
+          match => ["message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+<%{DATA:interface}>\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip}):%{INT:destination_port}",
+		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+<%{DATA:interface}>\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip})", 
+		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+%{IPV4:destination_ip}:%{INT:destination_port}", 
+		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip})",
+		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip}):%{INT:destination_port}",
+               "message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip})",
+		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}",
+		"message", "\A%{TIME} pid\(%{INT}\)  Alert Received: %{INT} %{INT:priority} %{DATA:classification} %{DATA:interface} \{%{DATA:timestamp}} %{INT} %{INT} \{%{DATA:alert}} %{IP:source_ip} %{IP:destination_ip} %{INT:protocol} %{INT:source_port} %{INT:destination_port} %{INT:gid} %{INT:sid} %{INT:rev} %{INT} %{INT}\Z",
+                "message", "%{GREEDYDATA:alert}"]
+        }
+    }
+    if [timestamp] {
+        mutate {
+                add_field => { "logstash_timestamp" => "%{@timestamp}" }
+        }
+        mutate {
+                convert => { "logstash_timestamp" => "string" }
+        }
+        date {
+                match => [ "timestamp", "ISO8601" ]
+        }
+        mutate {
+                rename => { "logstash_timestamp" => "timestamp" }
+        }
+    }
+	
+	# If the alert is a Snort GPL alert break it apart for easier reading and categorization
+    if [alert] =~ "GPL " {
+	  # This will parse out the category type from the alert
+      grok {
+        match => { "alert" => "GPL\s+%{DATA:category}\s" }
+      }
+	  # This will store the category
+      mutate {
+        add_field => { "rule_type" => "Snort GPL" }
+        lowercase => [ "category"]
+        }
+    }
+	# If the alert is an Emerging Threat alert break it apart for easier reading and categorization
+    if [alert] =~ "ET " {
+	  # This will parse out the category type from the alert
+      grok {
+        match => { "alert" => "ET\s+%{DATA:category}\s" }
+      }
+	  # This will store the category
+      mutate {
+        add_field => { "rule_type" => "Emerging Threats" }
+        lowercase => [ "category"]
+      }
+    }
+	# I recommend changing the field types below to integer so searches can do greater than or less than
+	# and also so math functions can be ran against them
+    mutate {
+      convert => [ "source_port", "integer" ]
+      convert => [ "destination_port", "integer" ]
+      convert => [ "gid", "integer" ]
+      convert => [ "sid", "integer" ]
+    #  remove_field => [ "message"]
+    }
+	# This will translate the priority field into a severity field of either High, Medium, or Low
+	if [priority] == 1 {
+      mutate {
+        add_field => { "severity" => "High" }
+      }
+    }
+    if [priority] == 2 {
+      mutate {
+        add_field => { "severity" => "Medium" }
+      }
+    }
+    if [priority] == 3 {
+      mutate {
+        add_field => { "severity" => "Low" }
+      }
+    }
+    # This section adds URLs to lookup information about a rule online
+    if [sid] and [sid] > 0 and [sid] < 1000000 {
+      mutate {
+        add_field => [ "signature_info", "https://www.snort.org/search?query=%{gid}-%{sid}" ]
+      }
+    }
+    if [sid] and [sid] > 1999999 and [sid] < 2999999 {
+      mutate {
+        add_field => [ "signature_info", "http://doc.emergingthreats.net/%{sid}" ]
+      }
+    }
+#	mutate {
+		#add_tag => [ "conf_file_1033"]
+#	}
+  }
+}
diff --git a/salt/logstash/pipelines/config/1034_preprocess_syslog.conf b/salt/logstash/pipelines/config/1034_preprocess_syslog.conf
new file mode 100644
index 000000000..998109685
--- /dev/null
+++ b/salt/logstash/pipelines/config/1034_preprocess_syslog.conf
@@ -0,0 +1,16 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/22/2017
+
+filter {
+  if [type] == "syslog" { 
+    # This drops syslog messages regarding license messages.  You may want to comment it out.
+    #if [message] =~ "license" {
+    #  drop { }
+    #}
+	mutate {
+		#convert => [ "status_code", "integer" ]
+	}
+  }  
+}
diff --git a/salt/logstash/pipelines/config/2000_network_flow.conf b/salt/logstash/pipelines/config/2000_network_flow.conf
new file mode 100644
index 000000000..40a060955
--- /dev/null
+++ b/salt/logstash/pipelines/config/2000_network_flow.conf
@@ -0,0 +1,59 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [type] == "sflow" {
+    if [message] =~ /CNTR/ {
+      drop { }
+    }
+
+    grok {
+      match => { "message" => "%{WORD:sample_type},%{IP:sflow_source_ip},%{WORD:in_port:int},%{WORD:out_port:int},%{WORD:source_mac},%{WORD:destination_mac},%{WORD:ether_type},%{NUMBER:in_vlan:int},%{NUMBER:out_vlan:int},%{IP:source_ip},%{IP:destination_ip},%{NUMBER:protocol:int},%{WORD:type_of_service},%{WORD:ttl:int},%{NUMBER:source_port:int},%{NUMBER:destination_port:int},%{DATA:tcp_flags},%{NUMBER:packet_size:int},%{NUMBER:ip_size:int},%{NUMBER:sample_rate:int}" }
+    }
+
+    if "_grokparsefailure" in [tags] {
+      drop { }
+    }
+
+    mutate {
+      add_field => {
+        "[source_hostname]" => "%{source_ip}"
+        "[destination_hostname]" => "%{destination_ip}"
+        "[sflow_source_hostname]" => "%{sflow_source_ip}"
+      }
+    }
+
+    translate {
+      field => "[source_port]"
+      destination => "[source_service]"
+      dictionary_path => "/lib/dictionaries/iana_services.yaml"
+    }
+
+    translate {
+      field => "[destination_port]"
+      destination => "[destination_service]"
+      dictionary_path => "/lib/dictionaries/iana_services.yaml"
+    }
+
+    translate {
+      field => "[protocol]"
+      destination => "[protocol_name]"
+      dictionary_path => "/lib/dictionaries/iana_protocols.yaml"
+    }
+
+    translate {
+      field => "[tcp_flags]"
+      destination => "[tcp_flag]"
+      dictionary_path => "/lib/dictionaries/tcp_flags.yaml"
+    }
+
+    mutate {
+      add_field => { "ips" => [ "%{sflow_source_ip}" ] }
+    }
+	mutate {
+		#add_tag => [ "conf_file_2000"]
+	}
+  }
+}
diff --git a/salt/logstash/pipelines/config/6002_syslog.conf b/salt/logstash/pipelines/config/6002_syslog.conf
new file mode 100644
index 000000000..f82f81a25
--- /dev/null
+++ b/salt/logstash/pipelines/config/6002_syslog.conf
@@ -0,0 +1,11 @@
+# Updated by: Doug Burks
+# Last Update: 5/16/2017
+#
+filter {
+  if "syslog" in [tags] {
+	mutate {
+		#convert => [ "status_code", "integer" ]
+	  #add_tag => [ "conf_file_6002"]
+	}
+  }
+}
diff --git a/salt/logstash/pipelines/config/6101_switch_brocade.conf b/salt/logstash/pipelines/config/6101_switch_brocade.conf
new file mode 100644
index 000000000..dd2f3126c
--- /dev/null
+++ b/salt/logstash/pipelines/config/6101_switch_brocade.conf
@@ -0,0 +1,33 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [type] == "brocade" {
+    grok {
+      match => ["message", "<%{DATA}>%{GREEDYDATA:sys_message}"]
+    }
+    grok {
+      match => { "sys_message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid:int}\])?: %{GREEDYDATA:syslog_message}" }
+      add_field => [ "received_at", "%{@timestamp}" ]
+    }
+    if [syslog_message] =~ "Interface ethernet" or [syslog_program] == "PORT" {
+      grok {
+        match => { "syslog_message" => "%{DATA}%{INT:unit}\/%{INT:interface_type}\/%{INT:interface:int}" }
+      }
+      mutate {
+        add_field => { "interface_port" => "%{unit}/%{interface_type}/%{interface}" }
+      }
+    }
+    date {
+      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
+      timezone => "America/Chicago"
+      remove_field => "syslog_timestamp"
+      remove_field => "received_at"
+    }
+	mutate {
+		#add_tag => [ "conf_file_6101"]
+	}
+  }
+}
diff --git a/salt/logstash/pipelines/config/6200_firewall_fortinet.conf b/salt/logstash/pipelines/config/6200_firewall_fortinet.conf
new file mode 100644
index 000000000..b33c89bb8
--- /dev/null
+++ b/salt/logstash/pipelines/config/6200_firewall_fortinet.conf
@@ -0,0 +1,281 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [type] == "fortinet" {
+    mutate {
+      gsub => [ "message", "= ", "=NA " ]
+    }
+
+    grok {
+       match => ["message", "type=%{DATA:event_type}\s+"]
+       tag_on_failure => []
+    }
+    grok {
+       match => ["message", "<%{DATA}>%{GREEDYDATA:kv}"]
+       tag_on_failure => []
+    }
+    kv {
+      source => "kv"
+      exclude_keys => [ "type" ]
+    }
+    mutate {
+      gsub => [ "log", "= ", "=NA " ]
+    }
+    kv {
+      source => "log"
+      target => "SubLog"
+    }
+    grok {
+       match => ["message", "custom: DOM-ALL, dns_query=%{DATA:dns_query};"]
+       tag_on_failure => [ "" ]
+    }
+    mutate {
+      rename => {  "action" => "action" }
+      rename => {  "addr" => "addr_ip" }
+      rename => {  "age" => "age" }
+      rename => {  "assigned" => "assigned_ip" }
+      rename => {  "assignip" => "assign_ip" }
+      rename => {  "ap" => "access_point" }
+      rename => {  "app" => "application" }
+      rename => {  "appcat" => "application_category" }
+      rename => {  "applist" => "application_list" }
+      rename => {  "apprisk" => "application_risk" }
+      rename => {  "approfile" => "accessPoint_profile" }
+      rename => {  "apscan" => "access_point_scan" }
+      rename => {  "apstatus" => "acces_point_status" }
+      rename => {  "aptype" => "access_point_type" }
+      rename => {  "authproto" => "authentication_protocol" }
+      rename => {  "bandwidth" => "bandwidth" }
+      rename => {  "banned_src" => "banned_source" }
+      rename => {  "cat" => "category" }
+      rename => {  "catdesc" => "category_description" }
+      rename => {  "cfgattr" => "configuration_attribute" }
+      rename => {  "cfgobj" => "configuration_object" }
+      rename => {  "cfgpath" => "configuration_path" }
+      rename => {  "cfgtid" => "configuration_transaction_id" }
+      rename => {  "channel" => "channel" }
+      rename => {  "community" => "community" }
+      rename => {  "cookies" => "cookies" }
+      rename => {  "craction" => "cr_action" }
+      rename => {  "crlevel" => "cr_level" }
+      rename => {  "crscore" => "cr_score" }
+      rename => {  "datarange" => "data_range" }
+      rename => {  "desc" => "description" }
+      rename => {  "detectionmethod" => "detection_method" }
+      rename => {  "devid" => "device_id" }
+      rename => {  "devname" => "device_name" }
+      rename => {  "devtype" => "device_type" }
+      rename => {  "dhcp_msg" => "dhcp_message" }
+      rename => {  "disklograte" => "disk_lograte" }
+      rename => {  "dstcountry" => "destination_country" }
+      rename => {  "dstintf" => "destination_interface" }
+      rename => {  "dstip" => "destination_ip" }
+      rename => {  "dstport" => "destination_port" }
+      rename => {  "duration" => "elapsed_time" }
+      rename => {  "error_num" => "error_number" }
+      rename => {  "espauth" => "esp_authentication" }
+      rename => {  "esptransform" => "esp_transform" }
+      rename => {  "eventid" => "event_id" }
+      rename => {  "eventtype" => "event_type" }
+      rename => {  "fazlograte" => "faz_lograte" }
+      rename => {  "filename" => "file_name" }
+      rename => {  "filesize" => "file_size" }
+      rename => {  "filetype" => "file_type" }
+      rename => {  "hostname" => "hostname" }
+      rename => {  "ip" => "source_ip" }
+      rename => {  "localip" => "source_ip" }
+      rename => {  "locip" => "local_ip" }
+      rename => {  "locport" => "source_port" }
+      rename => {  "logid" => "log_id" }
+      rename => {  "logver" => "log_version" }
+      rename => {  "manuf" => "manufacturer" }
+      rename => {  "mem" => "memory" }
+      rename => {  "meshmode" => "mesh_mode" }
+      rename => {  "msg" => "message" }
+      rename => {  "nextstat" => "next_stat" }
+      rename => {  "onwire" => "on_wire" }
+      rename => {  "osname" => "os_name" }
+      rename => {  "osversion" => "unauthenticated_user" }
+      rename => {  "outintf" => "outbound_interface" }
+      rename => {  "peer_notif" => "peer_notification" }
+      rename => {  "phase2_name" => "phase2_name" }
+      rename => {  "policyid" => "policy_id" }
+      rename => {  "policytype" => "policy_type" }
+      rename => {  "port" => "port" }
+      rename => {  "probeproto" => "probe_protocol" }
+      rename => {  "proto" => "protocol_number" }
+      rename => {  "radioband" => "radio_band" }
+      rename => {  "radioidclosest" => "radio_id_closest" }
+      rename => {  "radioiddetected" => "radio_id_detected" }
+      rename => {  "rcvd" => "bytes_received" }
+      rename => {  "rcvdbyte" => "bytes_received" }
+      rename => {  "rcvdpkt" => "packets_received" }
+      rename => {  "remip" => "destination_ip" }
+      rename => {  "remport" => "remote_port" }
+      rename => {  "reqtype" => "request_type" }
+      rename => {  "scantime" => "scan_time" }
+      rename => {  "securitymode" => "security_mode" }
+      rename => {  "sent" => "bytes_sent" }
+      rename => {  "sentbyte" => "bytes_sent" }
+      rename => {  "sentpkt" => "packets_sent" }
+      rename => {  "session_id" => "session_id" }
+      rename => {  "setuprate" => "setup_rate" }
+      rename => {  "sn" => "serial" }
+      rename => {  "snclosest" => "serial_closest_access_point" }
+      rename => {  "sndetected" => "serial_access_point_that_detected_rogue_ap" }
+      rename => {  "snmeshparent" => "serial_mesh_parent" }
+      rename => {  "srccountry" => "source_country" }
+      rename => {  "srcip" => "source_ip" }
+      rename => {  "srcmac" => "source_mac" }
+      rename => {  "srcname" => "source_name" }
+      rename => {  "srcintf" => "source_interface" }
+      rename => {  "srcport" => "source_port" }
+      rename => {  "stacount" => "station_count" }
+      rename => {  "stamac" => "static_mac" }
+      rename => {  "srccountry" => "source_country" }
+      rename => {  "srcip" => "source_ip" }
+      rename => {  "srcmac" => "source_mac" }
+      rename => {  "srcname" => "source_name" }
+      rename => {  "sn" => "serial" }
+      rename => {  "srcintf" => "source_interface" }
+      rename => {  "srcport" => "source_port" }
+      rename => {  "total" => "total_bytes" }
+      rename => {  "totalsession" => "total_sessions" }
+      rename => {  "trandisp" => "nat_translation_type" }
+      rename => {  "tranip" => "nat_destination_ip" }
+      rename => {  "tranport" => "nat_destination_port" }
+      rename => {  "transip" => "nat_source_ip" }
+      rename => {  "transport" => "nat_source_port" }
+      rename => {  "tunnelid" => "tunnel_id" }
+      rename => {  "tunnelip" => "tunnel_ip" }
+      rename => {  "tunneltype" => "tunnel_type" }
+      rename => {  "unauthuser" => "unauthenticated_user_source" }
+      rename => {  "unauthusersource" => "os_version" }
+      rename => {  "vendorurl" => "vendor_url" }
+      rename => {  "vpntunnel" => "vpn_tunnel" }
+      rename => {  "vulncat" => "vulnerability_category" }
+      rename => {  "vulncmt" => "vulnerability_count" }
+      rename => {  "vulnid" => "vulnerability_id" }
+      rename => {  "vulnname" => "vulnerability_name" }
+      rename => {  "vulnref" => "vulnerability_reference" }
+      rename => {  "vulnscore" => "vulnerability_score" }
+      rename => {  "xauthgroup" => "x_authentication_group" }
+      rename => {  "xauthuser" => "x_authentication_user" }
+      rename => {  "[SubLog][appid]" => "sub_application_id" }
+      rename => {  "[SubLog][devid]" => "sub_device_id" }
+      rename => {  "[SubLog][dstip]" => "sub_destination_ip" }
+      rename => {  "[SubLog][srcip]" => "sub_source_ip" }
+      rename => {  "[SubLog][dstport]" => "sub_destination_port" }
+      rename => {  "[SubLog][eventtype]" => "sub_event_type" }
+      rename => {  "[SubLog][proto]" => "sub_protocol_number" }
+      rename => {  "[SubLog][date]" => "sub_date" }
+      rename => {  "[SubLog][time]" => "sub_time" }
+      rename => {  "[SubLog][srcport]" => "sub_source_port" }
+      rename => {  "[SubLog][subtype]" => "sub_subtype" }
+      rename => {  "[SubLog][devname]" => "sub_device_name" }
+      rename => {  "[SubLog][itime]" => "sub_itime" }
+      rename => {  "[SubLog][level]" => "sub_level" }
+      rename => {  "[SubLog][logid]" => "sub_log_id" }
+      rename => {  "[SubLog][logver]" => "sub_log_version" }
+      rename => {  "[SubLog][type]" => "sub_event_type" }
+      rename => {  "[SubLog][vd]" => "sub_vd" }
+      rename => {  "[SubLog][action]" => "sub_action" }
+      rename => {  "[SubLog][logdesc]" => "sub_destination_ip" }
+      rename => {  "[SubLog][policyid]" => "sub_olicy_id" }
+      rename => {  "[SubLog][reason]" => "sub_reason" }
+      rename => {  "[SubLog][service]" => "sub_service" }
+      rename => {  "[SubLog][sessionid]" => "sub_session_id" }
+      rename => {  "[SubLog][src]" => "sub_source_ip" }
+      rename => {  "[SubLog][status]" => "sub_status" }
+      rename => {  "[SubLog][ui]" => "sub_ui" }
+      rename => {  "[SubLog][urlfilteridx]" => "sub_url_filter_idx" }
+      strip => [ "bytes_sent", "bytes_received" ]
+      convert => [ "bytes_sent", "integer" ]
+      convert => [ "bytes_received", "integer" ]
+      convert => [ "cr_score", "integer" ]
+      convert => [ "cr_action", "integer" ]
+      convert => [ "elapsed_time", "integer" ]
+      convert => [ "destination_port", "integer" ]
+      convert => [ "source_port", "integer" ]
+      convert => [ "local_port", "integer" ]
+      convert => [ "remote_port", "integer" ]
+      convert => [ "packets_sent", "integer" ]
+      convert => [ "packets_received", "integer" ]
+      convert => [ "port", "integer" ]
+      convert => [ "ProtocolNumber", "integer" ]
+      convert => [ "XAuthUser", "string" ]
+      remove_field => [ "kv", "log" ]
+    }
+    if [tunnel_ip] == "N/A" {
+      mutate {
+        remove_field => [ "tunnel_ip" ]
+      }
+    }
+    if [nat_destination_ip] {
+      mutate {
+        add_field => { "ips" => [ "%{nat_destination_ip}" ] }
+        add_field => { "destination_ips" => [ "%{nat_destination_ip}" ] }
+      }
+    }
+    if [sub_destination_ip] {
+      mutate {
+        add_field => { "ips" => [ "%{sub_destination_ip}" ] }
+        add_field => { "destination_ips" => [ "%{sub_destination_ip}" ] }
+      }
+    }
+    if [nat_source_ip] {
+      mutate {
+        add_field => { "ips" => [ "%{nat_source_ip}" ] }
+        add_field => { "source_ips" => [ "%{nat_source_ip}" ] }
+      }
+    }
+    if [sub_source_ip] {
+      mutate {
+        add_field => { "ips" => [ "%{sub_source_ip}" ] }
+        add_field => { "source_ips" => [ "%{sub_source_ip}" ] }
+      }
+    }
+    if [addr_ip] {
+      mutate {
+        add_field => { "ips" => [ "%{addr_ip}" ] }
+      }
+    }
+    if [assign_ip] {
+      mutate {
+        add_field => { "ips" => [ "%{assign_ip}" ] }
+      }
+    }
+    if [assigned_ip] {
+      mutate {
+        add_field => { "ips" => [ "%{assigned_ip}" ] }
+      }
+    }
+    grok {
+       match => ["message", "type=%{DATA:event_type}\s+"]
+    }
+    if [date] and [time] {
+      mutate {
+        add_field => { "receive_time" => "%{date} %{time}" }
+        remove_field => [ "date", "time" ]
+      }
+      date {
+        timezone => "America/Chicago"
+        match => [ "receive_time", "YYYY-MM-dd HH:mm:ss" ]
+        target => "receive_time"
+      }
+      mutate {
+        rename => { "receive_time" => "@timestamp" }
+      }
+    } else {
+      mutate {
+        add_tag => [ "missing_date" ]
+      }
+    }
+	mutate {
+		#add_tag => [ "conf_file_6200"]
+	}
+  }
+}
diff --git a/salt/logstash/pipelines/config/6201_firewall_pfsense.conf b/salt/logstash/pipelines/config/6201_firewall_pfsense.conf
new file mode 100644
index 000000000..acd08eba0
--- /dev/null
+++ b/salt/logstash/pipelines/config/6201_firewall_pfsense.conf
@@ -0,0 +1,56 @@
+# Author: Wes Lambert
+# Updated by: Doug Burks
+
+filter {
+  if [type] == "filterlog" {
+    dissect {
+      mapping => {
+        "message" => "%{rule_number},%{sub_rule_number},%{anchor},%{tracker_id},%{interface},%{reason},%{action},%{direction},%{ip_version},%{sub_msg}"
+      }
+    }
+    if [ip_version] == "4" {
+      dissect {
+      	mapping => {
+        	"sub_msg" => "%{ipv4_tos},%{ipv4_ecn},%{ipv4_ttl},%{ipv4_id},%{ipv4_offset},%{ipv4_flags},%{protocol_id},%{protocol},%{protocol_length},%{source_ip},%{destination_ip},%{ip_sub_msg}"
+      	}
+      }
+    }
+    if [ip_version] == "6" {
+      dissect {
+      	mapping => {
+        	"sub_msg" => "%{class},%{flow_label},%{hop_limit},%{protocol},%{protocol_id},%{length},%{source_ip},%{destination_ip},%{ip_sub_msg}"
+      	}
+      }
+    }
+    if [protocol] == "tcp" {
+      dissect {
+      	mapping => {
+        	"ip_sub_msg" => "%{source_port},%{destination_port},%{data_length},%{tcp_flags},"
+      	}
+      }
+    }
+    if [protocol] == "udp" {
+      dissect {
+      	mapping => {
+        	"ip_sub_msg" => "%{source_port},%{destination_port},%{data_length}"
+      	}
+      }
+    }
+    if [protocol] == "Options" {
+      mutate {
+	  copy => { "ip_sub_msg" => "options" }
+        }
+      mutate {
+          split => { "options" => "," }
+        }
+    }
+    mutate {
+      convert 		=> [ "destination_port", "integer" ]
+      convert 		=> [ "source_port", "integer" ]    
+      convert 		=> [ "ip_version", "integer" ]
+      replace 		=> { "type" => "firewall" }
+      add_tag		=> [ "pfsense","firewall" ]
+      remove_field 	=> [ "sub_msg", "ip_sub_msg" ]
+    }
+  }
+}
diff --git a/salt/logstash/pipelines/config/6300_windows.conf b/salt/logstash/pipelines/config/6300_windows.conf
new file mode 100644
index 000000000..34450af2b
--- /dev/null
+++ b/salt/logstash/pipelines/config/6300_windows.conf
@@ -0,0 +1,161 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [type] == "windows" {
+#    json {
+#      source => "message"
+#    }
+    date {
+      match => ["EventTime", "YYYY-MM-dd HH:mm:ss"]
+      remove_field => [ "EventTime" ]
+    }
+    if [EventID] == 4634 {
+      mutate {
+        add_tag => [ "logoff" ]
+      }
+    }
+    if [EventID] == 4624 or [EventID] == 528 or [EventID] == 540 or [EventID] == 552 or [EventID] == 682 or [EventID] == 4648 or [EventID] == 4778 {
+      mutate {
+        add_tag => [ "logon" ]
+        add_tag => [ "alert_data" ]
+      }
+    }
+    if [EventID] == 529 or [EventID] == 4625 or [EventID] == 530 or [EventID] == 531 or [EventID] == 532 or [EventID] == 533 or [EventID] == 534 or [EventID] == 535 or [EventID] == 536 or [EventID] == 536 or [EventID] == 537 or [EventID] == 538 or [EventID] == 539 or [EventID] == 4625 or [EventID] == 4771 {
+      mutate {
+        add_tag => [ "logon_failure" ]
+        add_tag => [ "alert_data" ]
+      }
+    }
+    # Critical event IDs to monitor
+    if [EventID] == 7030 or [EventID] == 4720 or [EventID] == 4722 or [EventID] == 4724 or [EventID] == 4738 or [EventID] == 4732 or [EventID] == 1102 or [EventID] == 1056 or [EventID] == 2003 or [EventID] == 2005 or [EventID] == 8003 or [EventID] == 8004 or [EventID] == 8006 or [EventID] == 8007 {
+      mutate {
+        add_tag => [ "alert_data" ]
+      }
+    }
+    # Critical event IDs to monitor
+    if [EventID] == 5152 { drop {} }
+    if [EventID] == 4688 { drop {} }
+    if [EventID] == 4689 { drop {} } # Process Termination:Not needed due to Sysmon
+    if [Channel] == "Microsoft-Windows-Known Folders API Service" { drop {} }
+    if [EventID] == 3 and [SourceIp] =~ "255$" { drop {} }
+    if [EventID] == 3 and [DestinationIp] =~ "255$" { drop {} }
+    # Whitelist/Blacklist check
+    if [EventID] == 7045 {
+      translate {
+        field => "ServiceName"
+        destination => "ServiceCheck"
+        dictionary_path => "/lib/dictionaries/services.yaml"
+      }
+    }
+    if [EventID] == 7045 and !([ServiceCheck]) {
+      mutate {
+        add_tag => [ "alert_data","new_service" ] 
+      }
+    }
+    if [ServiceCheck] == 'whitelist' {
+      mutate {
+        remove_field => [ "ServiceCheck" ]
+        add_tag => [ "whitelist" ]
+      }
+    }
+    if [ServiceCheck] == 'blacklist' {
+      mutate {
+        remove_field => [ "ServiceCheck" ]
+        add_tag => [ "blacklist" ]
+      }
+    }
+    if [EventID] == 5158 {
+      if [Application] == "System" { drop {} }
+      if [Application] =~ "\\windows\\system32\\spoolsv\.exe" { drop {} }
+      if [Application] =~ "\\windows\\system32\\wbem\\wmiprvse\.exe" { drop {} }
+      if [Application] =~ "mcafee" { drop {} }
+      if [Application] =~ "carestream" { drop {} }
+      if [Application] =~ "Softdent" { drop {} }
+    }
+    if [ProcessName] == "C:\\Windows\\System32\\wbem\\WmiPrvSE\.exe" and [SubjectUserName] == "SolarwindsHO" { drop {} }
+    if [EventID] == 4690 { drop {} }
+    if [EventID] == 861 and [AccountName] == "ntp" { drop {} }
+    if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\lsass\.exe$" { drop {} }
+    if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\svchost\.exe$" { drop {} }
+    if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\dfsrs\.exe$" { drop {} }
+    if [EventID] == 5447 { drop {} }
+
+    mutate {
+      rename => [ "AccountName", "user" ]
+      rename => [ "AccountType", "account_type" ]
+      rename => [ "ActivityID", "activity_id" ]
+      rename => [ "Category", "category" ]
+      rename => [ "ClientAddress", "client_ip" ]
+      rename => [ "Channel", "channel" ]
+      rename => [ "DCIPAddress", "domain_controller_ip" ]
+      rename => [ "DCName", "domain_controller_name" ]
+      rename => [ "EventID", "event_id" ]
+      rename => [ "EventReceivedTime", "event_received_time" ]
+      rename => [ "EventType", "event_type" ]
+      rename => [ "GatewayIPAddress", "gateway_ip" ]
+      rename => [ "IPAddress", "client_ip" ]
+      rename => [ "Ipaddress", "client_ip" ]
+      rename => [ "IpAddress", "client_ip" ]
+      rename => [ "IPPort", "source_port" ]
+      rename => [ "OpcodeValue", "opcode_value" ]
+      rename => [ "PreAuthType", "preauthentication_type" ]
+      rename => [ "PrincipleSAMName", "user" ]
+      rename => [ "ProcessID", "process_id" ]
+      rename => [ "ProviderGUID", "providerguid" ]
+      rename => [ "RecordNumber", "record_number" ]
+      rename => [ "RemoteAddress", "destination_ip" ]
+      rename => [ "ServiceName", "service_name" ]
+      rename => [ "ServiceID", "service_id" ]
+      rename => [ "SeverityValue", "severity_value" ]
+      rename => [ "SourceAddress", "client_ip" ]
+      rename => [ "SourceModuleName", "source_module_name" ]
+      rename => [ "SourceModuleType", "source_module_type" ]
+      rename => [ "SourceName", "source_name" ]
+      rename => [ "SubjectUserName", "user" ]
+      rename => [ "TaskName", "task_name" ]
+      rename => [ "TargetDomainName", "target_domain_name" ]
+      rename => [ "TargetUserName", "user" ]
+      rename => [ "ThreadID", "thread_id" ]
+      rename => [ "User_ID", "user" ]
+      rename => [ "UserID", "user" ]
+      rename => [ "username", "user" ]
+    }
+    # For any accounts that are service accounts or special accounts add the tag of service_account
+    # This example applies the tag to any username that starts with SVC_.  If you use a different
+    # standard change this.
+    if [user] =~ "^DWM-*" or [user] == "SYSTEM" or [user] == "NETWORK SERVICE" or [user] == "LOCAL SERVICE" or [user] =~ "^SVC_*" {
+      mutate {
+        add_tag => [ "service_account" ]
+      }
+    }
+    # This looks for events that are typically noisy but may be of use for deep dive investigations
+    # A tag of noise is added to quickly filter out noise
+    if [event_id] == 7036 or [source_name] == "Desktop Window Manager" or [category] == "Engine Lifecycle" or [category] == "Provider Lifecycle" {
+      mutate {
+        add_tag => [ "noise" ]
+      }
+    }
+    #Identify machine accounts
+    if [user] =~ /\$/ {
+      mutate {
+        add_tag => [ "machine", "noise" ]
+      }
+    }
+    # Lower case all field names
+    ruby {
+      code => "
+        event_hash = event.to_hash
+        new_event = {}
+        event_hash.keys.each do |key|
+        new_event[key.downcase] = event[key]
+        end
+        event.instance_variable_set(:@data, new_event)"
+    }
+	mutate {
+		#add_tag => [ "conf_file_6300"]
+	}
+  }
+}
diff --git a/salt/logstash/pipelines/config/6301_dns_windows.conf b/salt/logstash/pipelines/config/6301_dns_windows.conf
new file mode 100644
index 000000000..1ef5077a6
--- /dev/null
+++ b/salt/logstash/pipelines/config/6301_dns_windows.conf
@@ -0,0 +1,49 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [type] == "dns" and "bro" not in [tags] {
+    json {
+      source => "message"
+    }
+    # strip whitespace from message field
+    mutate {
+      strip => "message"
+    }
+    # If the message is blank, drop the log
+    if [Message] =~ /^$/ {
+      drop {  }
+    } else {
+      if [type] == "dns" {
+  	  # This section is lookup for a match against the log and parsing out the fields
+        grok {
+          match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          # Server 2003 DNS logs do not include slashes or AM/PM in timestamp
+          match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          remove_field => [ "Message" ]
+        }
+  	  # This section attempts to convert the dns_domain into the traditional domain.com format
+        mutate {
+          gsub => [ "dns_domain", "(\(\d+\))", "." ]
+        }
+        grok {
+          match => { "dns_domain" => "\.%{DATA:query}\.$" }
+          remove_field => [ "dns_domain" ]
+        }
+      }
+    }
+	mutate {
+		#add_tag => [ "conf_file_6301"]
+	}
+  }
+}
diff --git a/salt/logstash/pipelines/config/6400_suricata.conf b/salt/logstash/pipelines/config/6400_suricata.conf
new file mode 100644
index 000000000..11f185ddf
--- /dev/null
+++ b/salt/logstash/pipelines/config/6400_suricata.conf
@@ -0,0 +1,92 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+#
+# This conf file is based on accepting logs for suricata json events
+filter {
+  if [type] == "suricata" {
+    if "test_data" not in [tags] {
+      date {
+        match => [ "timestamp", "ISO8601" ]
+      }
+    } else {
+      mutate {
+        remove_field => [ "netflow.start","netflow.end","timestamp" ]
+      }
+    }
+    if [event_type] == "fileinfo" {
+      ruby {
+        code => "if event['event_type'] == 'fileinfo'; event['fileinfo']['type']=event['fileinfo']['magic'].to_s.split(',')[0]; end;" 
+      }
+    }
+	# I recommend renaming the fields below to be consistent with other log sources.  This makes it easy to "pivot" between logs
+    mutate {
+      rename => [ "src_ip", "source_ip" ]
+      rename => [ "dest_ip", "destination_ip" ]
+      rename => [ "src_port", "source_port" ]
+      rename => [ "dest_port", "destination_port" ]
+    }
+	# This will translate the alert.severity field into a severity field of either High, Medium, or Low
+    if [event_type] == "alert" {
+      if [alert][severity] == 1 {
+        mutate {
+          add_field => { "severity" => "High" }
+        }
+      }
+      if [alert][severity] == 2 {
+        mutate {
+          add_field => { "severity" => "Medium" }
+        }
+      }
+      if [alert][severity] == 3 {
+        mutate {
+          add_field => { "severity" => "Low" }
+        }
+      }
+	  # If the alert is a Snort GPL alert break it apart for easier reading and categorization
+      if [alert][signature] =~ "GPL " {
+	    # This will parse out the category type from the alert
+        grok {
+          match => { "[alert][signature]" => "GPL\s+%{DATA:category}\s" }
+        }
+		# This will store the category
+        mutate {
+          add_field => { "rule_type" => "Snort GPL" }
+          lowercase => [ "category" ]
+        }
+      }
+	  # If the alert is an Emerging Threat alert break it apart for easier reading and categorization
+      if [alert][signature] =~ "ET " {
+	    # This will parse out the category type from the alert
+        grok {
+          match => { "[alert][signature]" => "ET\s+%{DATA:category}\s" }
+        }
+		# This will store the category
+        mutate {
+          add_field => { "rule_type" => "Emerging Threats" }
+          lowercase => [ "category" ]
+        }
+      }
+	  # This section adds URLs to lookup information about a rule online
+      if [rule_type] == "Snort GPL" {
+        mutate {
+          add_field => [ "signature_info", "https://www.snort.org/search?query=%{[alert][gid]}-%{[alert][signature_id]}" ]
+        }
+      }
+      if [rule_type] == "Emerging Threats" {
+        mutate {
+          add_field => [ "signature_info", "http://doc.emergingthreats.net/%{[alert][signature_id]}" ]
+        }
+      }
+    }
+    if "_grokparsefailure" not in [tags] and "_csvparsefailure" not in [tags] and "_jsonparsefailure" not in [tags] {
+    #  mutate {
+    #    remove_field => [ "message" ]
+    #  }
+    }
+	mutate {
+		#add_tag => [ "conf_file_6400"]
+	}
+  }
+}
diff --git a/salt/logstash/pipelines/config/6500_ossec.conf b/salt/logstash/pipelines/config/6500_ossec.conf
new file mode 100644
index 000000000..292fea49b
--- /dev/null
+++ b/salt/logstash/pipelines/config/6500_ossec.conf
@@ -0,0 +1,160 @@
+# Author: Wes Lambert
+#
+# Last Update: 09/19/2018
+#
+# This conf file is based on accepting logs from OSSEC
+
+filter {
+  # OSSEC Alerts
+  if [type] == "ossec" {
+        
+	# Sysmon/Autoruns logs transported by OSSEC
+        if [message] =~ "Microsoft-Windows-Sysmon" {
+            mutate {
+                replace => { "type" => "sysmon" }
+                add_tag => [ "ossec" ]
+            }
+        }
+        if [message] =~ "AR-LOG" {
+            mutate {
+                replace => { "type" => "autoruns" }
+                add_tag => [ "ossec" ]
+            }
+        }
+		
+	# If message looks like json, try to parse it as such. Otherwise, grok.
+        if [message] =~ /^{.*}$/ {
+                json {
+                        source => "message"
+                }
+		mutate {
+			rename => { "rule" => "wazuh-rule" }
+			rename => { "[wazuh-rule][level]" => "alert_level" }
+			rename => { "[wazuh-rule][description]" => "description" }
+			rename => { "[data][srcuser]" => "username" }
+			rename => { "[data][dstuser]" => "escalated_user" }
+			rename => { "[data][command]" => "command" }
+			rename => { "[predecoder][program_name]" => "process" }
+			
+                }
+                # Wazuh 3.8.2
+                if [data][EventChannel] {
+        		mutate {
+				rename => { "[data][EventChannel][EventData][User]" => "username" }
+        			rename => { "[data][EventChannel][System][EventID]" => "event_id" }
+        			rename => { "[data][EventChannel][EventData][DestinationPort]" => "destination_port" }
+        			rename => { "[data][EventChannel][EventData][DestinationIp]" => "destination_ip" }
+        			rename => { "[data][EventChannel][EventData][SourcePort]" => "source_port" }
+        			rename => { "[data][EventChannel][EventData][SourceIp]" => "source_ip" }
+        			rename => { "[data][EventChannel][EventData][SourceHostname]" => "source_hostname" }
+        			rename => { "[data][EventChannel][EventData][DestinationHostname]" => "destination_hostname" }
+			}
+		}
+                # Wazuh 3.9.2
+		if [data][win] {
+                        mutate {
+				rename => { "[data][win][eventdata][user]" => "username" }
+                        	rename => { "[data][win][system][eventID]" => "event_id" }
+                        	rename => { "[data][win][eventdata][destinationPort]" => "destination_port" }
+                        	rename => { "[data][win][eventdata][destinationIp]" => "destination_ip" }
+                        	rename => { "[data][win][eventdata][sourcePort]" => "source_port" }
+                        	rename => { "[data][win][eventdata][sourceIp]" => "source_ip" }
+                        	rename => { "[data][win][eventdata][sourceHostname]" => "source_hostname" }
+                        	rename => { "[data][win][eventdata][destinationHostname]" => "destination_hostname" } 
+                        }
+		}
+	} else {
+		grok {
+			match => ["message", "Alert Level: %{NONNEGINT;alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; user: +%{DATA:username}; %{SYSLOGTIMESTAMP} %{DATA:host} %{DATA:process}\[%{INT:pid}]: %{GREEDYDATA:details}", 
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}",
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}", 
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: +%{DATA:username} : TTY=%{DATA:tty} ; PWD=%{DATA:dir} ; USER=%{DATA:escalated_user} ; COMMAND=%{GREEDYDATA:command}", 
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: %{GREEDYDATA:details}", 
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: +%{DATA:username} : %{GREEDYDATA:details}",  
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; srcip: %{IP:source_ip};%{GREEDYDATA:details}", 
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA:username}: %{DATA}: \'%{DATA}': %{DATA:interface}: %{INT:num_packets}",
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA:username}: %{GREEDYDATA:details}.",
+				"message", "Alert Level: %{NONNEGINT:alert_Level}; Rule: %{NONNEGINT:Rule} - %{DATA:Description}; Location: %{DATA:location}; user: +%{DATA:username};",
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA}: %{DATA}: \'%{DATA}': %{DATA:interface}: %{NONNEGINT:num_packets}",
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{GREEDYDATA:details}"]
+		}
+	}
+	
+	# Add tag for OSSEC alerts
+	if [alert_level] {
+            mutate {
+		add_tag => [ "alert" ]
+	    }
+        }
+
+	translate {
+		field => "alert_level"
+
+		destination => "classification"
+
+		dictionary => [
+               	    "1", "None",
+		    "2", "System low priority notification",
+		    "3", "Successful/authorized event",
+		    "4", "System low priority error",
+		    "5", "User generated error",
+		    "6", "Low relevance attack",
+		    "7", '"Bad word" matching',
+		    "8", "First time seen",
+		    "9", "Error from invalid source",
+		    "10", "Multiple user generated errors",
+		    "11", "Integrity checking warning",
+		    "12", "High importance event",
+		    "13", "Unusal error (high importance)",
+		    "14", "High importance security event",
+		    "15", "Severe attack"
+               	]
+	}
+  }
+
+  # OSSEC Archive Logs
+  if [type] == "ossec_archive" {
+        
+	# Sysmon/Autoruns logs transported by OSSEC
+	if [message] =~ "Microsoft-Windows-Sysmon" {
+            mutate { 
+                replace => { "type" => "sysmon" } 
+                add_tag => [ "ossec" ] 
+	    }
+        }
+	if [message] =~ "AR-LOG" {
+            mutate { 
+                replace => { "type" => "autoruns" } 
+                add_tag => [ "ossec" ]
+            }
+        }
+
+	# If message looks like json, try to parse it as such. Otherwise, grok.
+        if [message] =~ /^{.*}$/ {
+                json {
+                        source => "message"
+                }
+		mutate {
+                        rename => [ "rule", "wazuh-rule" ]
+                        rename => [ "[wazuh-rule][level]", "alert_level" ]
+                        rename => [ "[wazuh-rule][description]", "description" ]
+                        rename => [ "[data][srcuser]", "username" ]
+                        rename => [ "[data][dstuser]", "escalated_user" ]
+                        rename => [ "[data][command]", "command" ]
+                        rename => [ "[predecoder][program_name]", "process" ]
+                }
+	} else {
+		grok {
+			match => ["message",'%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{IP:source_ip} - %{DATA:username} \[%{DATA:request_timestamp}] "%{DATA:method} %{DATA:requested_resource} %{DATA:protocol}\/%{DATA:protocol_version}" %{NONNEGINT:status_code} %{NONNEGINT:object_size} "%{DATA:referrer}" "%{DATA:user_agent}"',
+				"message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{SYSLOGTIMESTAMP:ossec_timestamp} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: \(%{DATA:username}\) CMD \(%{DATA:command}\)",
+				"message", "%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{GREEDYDATA:details}","message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{SYSLOGTIMESTAMP:ossec_timestamp} %{DATA:ossec_host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}",
+				"message","%{DATA:age} %{DATA:program} %{DATA} '%{DATA:checksum}'",
+				"message", "%{DATA:username} : TTY=%{DATA:tty} ; PWD=%{DATA:dir} ; USER=%{DATA:escalated_user} ; COMMAND=%{GREEDYDATA:command}"]
+			remove_field => [ "ossec_timestamp" ]
+		}
+		mutate {
+			convert => [ "status_code", "integer" ]
+		}
+	}
+  }
+}
diff --git a/salt/logstash/pipelines/config/6501_ossec_sysmon.conf b/salt/logstash/pipelines/config/6501_ossec_sysmon.conf
new file mode 100644
index 000000000..6ebf10487
--- /dev/null
+++ b/salt/logstash/pipelines/config/6501_ossec_sysmon.conf
@@ -0,0 +1,118 @@
+# Author: Wes Lambert
+# wlambertts@gmail.com
+#
+# This conf file is based on accepting Sysmon logs from OSSEC
+#
+# Parse using grok
+filter {
+  # OSSEC Logs and Alerts
+  if [type] == "sysmon" or "sysmon" in [tags] {
+    if [message] !~ /^{.*}$/ {
+      #mutate { replace => { "type" => "sysmon" } }
+      grok {
+      # match => ["message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{IP:source_ip}->WinEvtLog %{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION\(%{INT:sysmon_event_id}\):"]
+        match => ["message", "%{YEAR:year}%{SPACE}%{SYSLOGTIMESTAMP:timestamp}%{SPACE}%{DATA:location}%{SPACE}(any|%{IP:source_ip})->WinEvtLog%{SPACE}%{YEAR:year}%{SPACE}%{SYSLOGTIMESTAMP:ossec_timestamp}%{SPACE}WinEvtLog:%{SPACE}Microsoft-Windows-Sysmon/Operational:%{SPACE}INFORMATION\(%{INT:event_id}\):%{SPACE}%{GREEDYDATA:rest_of_msg}"]
+      }
+      mutate {
+        convert => ["event_id", "integer"]
+        remove_field => ["timestamp"]
+        remove_field => ["year"]
+      }
+      if [event_id] == 1 {
+        grok {
+          match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}%{DATA:process_name} %{DATA:process_arguments}%{SPACE}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}LogonGuid:%{SPACE}\{%{DATA:logon_guid}\}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{SPACE}%{DATA:integrity_level}%{SPACE}Hashes:%{SPACE}MD5=%{DATA:md5},SHA256=%{DATA:sha256}%{SPACE}ParentProcessGuid:%{SPACE}\{%{DATA:parent_process_guid}\}%{SPACE}ParentProcessId:%{SPACE}%{NONNEGINT:parent_process_id}%{SPACE}ParentImage:%{SPACE}%{DATA:parent_image_path}%{SPACE}ParentCommandLine:%{SPACE}%{GREEDYDATA:parent_process_name}",
+		"rest_of_msg", 'Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}"%{DATA:process_name}"%{SPACE}%{DATA:process_arguments}%{SPACE}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}LogonGuid:%{SPACE}\{%{DATA:logon_guid}\}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{DATA:integrity_level}',
+		"rest_of_msg", "Microsoft-Windows-Sysmon/Operational:%{SPACE}INFORMATION(%{INT:event_id}):%{SPACE}Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}{%{DATA:process_guid}}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}%{DATA:process_name}%{SPACE}%{DATA:process_arguments}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}LogonGuid:%{SPACE}{%{DATA:logon_guid}}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{SPACE}%{DATA:integrity_level}%{SPACE}Hashes:%{SPACE}MD5=%{DATA:md5},SHA256=%{DATA:sha256}%{SPACE}ParentProcessGuid:%{SPACE}{%{DATA:parent_process_guid}}%{SPACE}ParentProcessId:%{SPACE}%{NONNEGINT:parent_process_id}%{SPACE}ParentImage:%{SPACE}%{DATA:parent_image_path}%{SPACE}ParentCommandLine:%{SPACE}%{GREEDYDATA:parent_process_name}"]
+        }
+        mutate {
+          convert => ["process_guid", "integer"]
+          convert => ["process_id", "integer"]
+          add_tag => ["process_creation"]
+        }
+      }
+      if [event_id] == 3 {
+        mutate {
+          remove_field => ["source_ip"]
+        }
+        grok {
+        match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}Protocol:%{SPACE}%{DATA:protocol}%{SPACE}Initiated:%{SPACE}%{DATA:initiated}%{SPACE}SourceIsIpv6:%{SPACE}%{DATA:is_source_ipv6}%{SPACE}SourceIp:%{SPACE}%{IP:source_ip}%{SPACE}SourceHostname:%{SPACE}%{DATA:source_hostname}%{SPACE}SourcePort:%{SPACE}%{NONNEGINT:source_port}%{SPACE}SourcePortName:%{SPACE}%{DATA:source_port_name}%{SPACE}DestinationIsIpv6:%{SPACE}%{DATA:dest_is_ipv6}%{SPACE}DestinationIp:%{SPACE}%{IP:destination_ip}%{SPACE}DestinationHostname:%{SPACE}%{DATA:destination_hostname}%{SPACE}DestinationPort:%{SPACE}%{NONNEGINT:destination_port}%{SPACE}DestinationPortName:%{SPACE}%{GREEDYDATA:destination_port_name}"]
+        }
+        mutate {
+          convert => ["process_guid", "integer"]
+          convert => ["process_id", "integer"]
+          convert => ["source_port", "integer"]
+          convert => ["destination_port", "integer"]
+          add_tag => ["network_connection"]
+        }
+      }
+      if [event_id] == 5 {
+        grok {
+          match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{GREEDYDATA:image_path}"]
+        }
+        mutate {
+          convert => ["process_guid", "integer"]
+          convert => ["process_id", "integer"]
+          add_tag => ["process_termination"]
+        }
+      }
+      if [event_id] == 11 {
+        grok {
+          match => ["rest_of_msg","Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}TargetFilename:%{SPACE}%{DATA:target_filename}%{SPACE}CreationUtcTime:%{SPACE}%{DATA:creation_time}%{SPACE}"]
+        }
+        mutate {
+          convert => ["process_guid", "integer"]
+          convert => ["process_id", "integer"]
+          add_tag => ["file_created"]
+        }
+      }
+      mutate {
+        remove_field => ["rest_of_msg"]
+      }
+    } else {
+      mutate {
+	rename => { "[data][srcuser]" => "username" }
+        rename => { "[data][id]" => "event_id" }
+        rename => { "[data][dstport]" => "destination_port" }
+        rename => { "[data][dstip]" => "destination_ip" }
+        rename => { "[data][srcip]" => "source_ip" }
+        rename => { "[data][sysmon][image]" => "image_path" }
+        rename => { "[data][sysmon][parentImage]" => "parent_image_path" }
+        rename => { "[data][sysmon][targetfilename]" => "target_filename" }
+        rename => { "[data][sysmon][sourceHostname]" => "source_hostname" }
+        rename => { "[data][sysmon][destinationHostname]" => "destination_hostname" }
+      }
+      # Wazuh 3.8.2  
+      if [data][EventChannel] {
+        mutate {
+           rename => { "[data][EventChannel][EventData][User]" => "username" }
+           rename => { "[data][EventChannel][System][EventID]" => "event_id" }
+           rename => { "[data][EventChannel][EventData][DestinationPort]" => "destination_port" }
+           rename => { "[data][EventChannel][EventData][DestinationIp]" => "destination_ip" }
+           rename => { "[data][EventChannel][EventData][SourcePort]" => "source_port" }
+           rename => { "[data][EventChannel][EventData][SourceIp]" => "source_ip" }
+           rename => { "[data][EventChannel][EventData][Image]" => "image_path" }
+           rename => { "[data][EventChannel][EventData][ParentImage]" => "parent_image_path" }
+           rename => { "[data][EventChannel][EventData][TargetFilename]" => "target_filename" }
+           rename => { "[data][EventChannel][EventData][SourceHostname]" => "source_hostname" }
+           rename => { "[data][EventChannel][EventData][DestinationHostname]" => "destination_hostname" }
+	}
+      }
+      # Wazuh 3.9.2
+      if [data][win] {
+        mutate {
+          rename => { "[data][win][eventdata][user]" => "username" }
+          rename => { "[data][win][system][eventID]" => "event_id" }
+          rename => { "[data][win][eventdata][destinationPort]" => "destination_port" }
+          rename => { "[data][win][eventdata][destinationIp]" => "destination_ip" }
+          rename => { "[data][win][eventdata][sourcePort]" => "source_port" }
+          rename => { "[data][win][eventdata][sourceIp]" => "source_ip" }
+          rename => { "[data][win][eventdata][image]" => "image_path" }
+          rename => { "[data][win][eventdata][parentImage]" => "parent_image_path" }
+          rename => { "[data][win][eventdata][targetFilename]" => "target_filename" }
+          rename => { "[data][win][eventdata][sourceHostname]" => "source_hostname" }
+          rename => { "[data][win][eventdata][destinationHostname]" => "destination_hostname" }
+        }
+      }    
+    }
+  }
+}
diff --git a/salt/logstash/pipelines/config/6502_ossec_autoruns.conf b/salt/logstash/pipelines/config/6502_ossec_autoruns.conf
new file mode 100644
index 000000000..5d7207891
--- /dev/null
+++ b/salt/logstash/pipelines/config/6502_ossec_autoruns.conf
@@ -0,0 +1,43 @@
+# Author: Wes Lambert
+# wlambertts@gmail.com
+#
+# Updated by: Dustin Lee
+# Last Update: 06/13/2019
+#
+# This conf file is based on accepting Autoruns logs from OSSEC
+#
+# Parse using grok
+filter {
+  if [type] == "autoruns" or "autoruns" in [tags] {
+    if [message] !~ /^{.*}$/ {
+      grok {
+        match => [
+            "message", "%{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} \(%{DATA:ossec_agent_name}\) %{IP:source_ip}->%{DATA:location} %{DATA:log_name}\|%{DATA:hostname}\|%{DATESTAMP:log_timestamp}\|%{DATA:event_timestamp}\|%{DATA:image_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}",
+            "message", "%{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} \(%{DATA:ossec_agent_name}\) %{IP:source_ip}->%{DATA:location} %{DATA:log_name}\|%{DATA:hostname}\|%{DATESTAMP:log_timestamp}\|%{DATA:event_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}"
+        ]
+      }
+    #csv {
+#      columns => ["log_name","entry_location","entry","enabled","category","autoruns_description","signer","company","image_path","version","launch_string","md5","sha1","pesha1","pesha256","sha256","imphash"]
+#      separator => "|"
+#      }
+      mutate {
+        remove_field => [ "year" ]
+        remove_field => [ "timestamp" ]
+      }
+    } else {
+        grok {
+        match => [
+            "full_log", "AR-LOG\|%{DATA:hostname}\|%{DATA:event_timestamp}\|%{DATA:image_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}",
+            "full_log", "AR-LOG\|%{DATA:hostname}\|%{DATA:event_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}"
+        ]
+      }
+      mutate {
+        # Rename fields
+      }
+    }
+    date {
+      match => [ "image_timestamp", "yyyyMMdd-HHmmss" ]
+      target => "image_timestamp"
+    }
+  }
+}
diff --git a/salt/logstash/pipelines/config/6600_winlogbeat_sysmon.conf b/salt/logstash/pipelines/config/6600_winlogbeat_sysmon.conf
new file mode 100644
index 000000000..200b58497
--- /dev/null
+++ b/salt/logstash/pipelines/config/6600_winlogbeat_sysmon.conf
@@ -0,0 +1,23 @@
+# Author: Wes Lambert
+#
+# Last Update: 09/24/2018
+#
+# This conf file is based on accepting Sysmon logs from winlogbeat
+
+filter {
+  if "beat" in [tags] and [source_name] =~ "Microsoft-Windows-Sysmon" {
+      mutate {
+        replace => { "type" => "sysmon" }
+        rename => { "[event_data][User]" => "username" }
+        rename => { "[event_data][DestinationPort]" => "destination_port" }
+        rename => { "[event_data][DestinationIp]" => "destination_ip" }
+        rename => { "[event_data][SourceIp]" => "source_ip" }
+        rename => { "[event_data][Image]" => "image_path" }
+        rename => { "[event_data][ParentImage]" => "parent_image_path" }
+        rename => { "[data][sysmon][targetfilename]" => "target_filename" }
+        rename => { "[event_data][SourceHostname]" => "source_hostname" }
+        rename => { "[event_data][DestinationHostname]" => "destination_hostname" }
+	rename => { "[event_data][TargetFilename]" => "target_filename" }
+      }
+  }
+}
diff --git a/salt/logstash/pipelines/config/6700_winlogbeat.conf b/salt/logstash/pipelines/config/6700_winlogbeat.conf
new file mode 100644
index 000000000..222757956
--- /dev/null
+++ b/salt/logstash/pipelines/config/6700_winlogbeat.conf
@@ -0,0 +1,17 @@
+# Author: Doug Burks
+#
+# Last Update: 09/24/2018
+#
+# This conf file is for beat data
+
+filter {
+  if "beat" in [tags] {
+      mutate {
+	# As of beats 6.3.0, host is now an object:
+	# https://www.elastic.co/guide/en/beats/libbeat/current/release-notes-6.3.0.html
+	# This creates a conflict with our existing host string.
+	# So let's rename the host object to beat_host.
+        rename => { "host" => "beat_host" }
+      }
+  }
+}
diff --git a/salt/logstash/pipelines/config/7100_osquery_wel.conf b/salt/logstash/pipelines/config/7100_osquery_wel.conf
new file mode 100644
index 000000000..b4d77d83f
--- /dev/null
+++ b/salt/logstash/pipelines/config/7100_osquery_wel.conf
@@ -0,0 +1,23 @@
+# Author: Josh Brower
+# Last Update: 12/28/2018
+# If log is tagged osquery and there is an eventid column - then cleanup and parse out the EventData column
+
+filter {
+  if "osquery" in [tags] and [osquery][columns][eventid] {
+
+        mutate {
+     gsub => ["[osquery][columns][data]", "\\x0A", ""]
+    }
+
+        json {
+      source => "[osquery][columns][data]"
+      target => "[osquery][columns][data]"
+     }
+
+        mutate {
+     merge => { "[osquery][columns]" => "[osquery][columns][data]" }
+     remove_field => ["[osquery][columns][data]"]
+        }
+
+  }
+}
\ No newline at end of file
diff --git a/salt/logstash/pipelines/config/7200_strelka.conf b/salt/logstash/pipelines/config/7200_strelka.conf
new file mode 100644
index 000000000..b2b57bf05
--- /dev/null
+++ b/salt/logstash/pipelines/config/7200_strelka.conf
@@ -0,0 +1,8 @@
+filter {
+  if [type] =~ "strelka" {
+    json {
+      source => "message"
+    }
+  }
+}
+
diff --git a/salt/logstash/pipelines/config/8001_postprocess_common_ip_augmentation.conf b/salt/logstash/pipelines/config/8001_postprocess_common_ip_augmentation.conf
new file mode 100644
index 000000000..d28449da6
--- /dev/null
+++ b/salt/logstash/pipelines/config/8001_postprocess_common_ip_augmentation.conf
@@ -0,0 +1,58 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/20/2017
+
+filter {
+  if [source_ip] {
+    if [source_ip] == "-" {
+      mutate {
+        replace => { "source_ip" => "0.0.0.0" }
+      }
+    }
+    if [source_ip] =~ "10\." or [source_ip] =~ "192\.168\." or [source_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." or [source_ip] =~ "fe80::20c:29ff:fe19:f7d" or [source_ip] =~ "::1" {
+	mutate {
+	}
+      } else {
+        geoip {
+          source => "[source_ip]"
+          target => "source_geo"
+        }
+      }
+    if [source_ip] {
+      mutate {
+        add_field => { "ips" => "%{source_ip}" }
+        add_field => { "source_ips" => [ "%{source_ip}" ] }
+      }
+    }
+  }
+  if [destination_ip] {
+    if [destination_ip] == "-" {
+      mutate {
+        replace => { "destination_ip" => "0.0.0.0" }
+      }
+    }
+    if [destination_ip] =~ "10\." or [destination_ip] =~ "192\.168\." or [destination_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." or [destination_ip] =~ "239.255.255.250" or [destination_ip] =~ "224\.0\.0\." or [destination_ip] =~ "255.255.255.255" or [destination_ip] =~ "ff02::fb" or [destination_ip] =~ "fe80::20c:29ff:fe19:f7d" or [destination_ip] =~ "224\.0\.1\." {
+      mutate {
+      }
+    }
+    else {
+      geoip {
+      source => "[destination_ip]"
+      target => "destination_geo"
+      }
+    }
+  }
+  if [destination_ip] {
+    mutate {
+      add_field => { "ips" => "%{destination_ip}" }
+      add_field => { "destination_ips" => [ "%{destination_ip}" ] }
+    }
+  }
+}
+  #if [source_ip] or [destination_ip] {
+  #  mutate {
+	  #add_tag => [ "conf_file_8001"]
+  #	}
+  #}
+
diff --git a/salt/logstash/pipelines/config/8007_postprocess_http.conf b/salt/logstash/pipelines/config/8007_postprocess_http.conf
new file mode 100644
index 000000000..b9c9d224b
--- /dev/null
+++ b/salt/logstash/pipelines/config/8007_postprocess_http.conf
@@ -0,0 +1,27 @@
+# Original Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/13/2017
+
+filter {
+  if [type] == "bro_http" {
+    if [uri] {
+      ruby {
+        code => "event.set('uri_length', event.get('uri').length)"
+      }
+    }
+    if [virtual_host] {
+      ruby {
+        code => "event.set('virtual_host_length', event.get('virtual_host').length)"
+      }
+    }
+    if [useragent] {
+      ruby {
+        code => "event.set('useragent_length', event.get('useragent').length)"
+      }
+    }
+	mutate {
+	  ##add_tag => [ "conf_file_8007"]
+	}
+  }
+}
diff --git a/salt/logstash/pipelines/config/8200_postprocess_tagging.conf b/salt/logstash/pipelines/config/8200_postprocess_tagging.conf
new file mode 100644
index 000000000..e698b3ce3
--- /dev/null
+++ b/salt/logstash/pipelines/config/8200_postprocess_tagging.conf
@@ -0,0 +1,63 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [destination_ip] {
+    if [destination_ip] =~ "10\." or [destination_ip] =~ "192\.168\." or [destination_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." {
+      mutate {
+        add_tag => [ "internal_destination" ]
+      }
+    } else {
+      mutate {
+        add_tag => [ "external_destination" ]
+      }
+    }
+    if "internal_destination" not in [tags] {
+      if [destination_ip] == "198.41.0.4" or [destination_ip] == "192.228.79.201" or [destination_ip] == "192.33.4.12" or [destination_ip] == "199.7.91.13" or [destination_ip] == "192.203.230.10" or [destination_ip] == "192.5.5.241" or [destination_ip] == "192.112.36.4" or [destination_ip] == "198.97.190.53" or [destination_ip] == "192.36.148.17" or [destination_ip] == "192.58.128.30" or [destination_ip] == "193.0.14.129" or [destination_ip] == "199.7.83.42" or [destination_ip] == "202.12.27.33" {
+        mutate {
+          add_tag => [ "root_dns_server" ]
+        }
+      }
+    }
+    # Customize this section to your environment
+    if [destination_ip] == "74.40.74.40" or [destination_ip] == "74.40.74.41" {
+      mutate {
+        add_tag => [ "authorized_dns_server" ]
+      }
+    }
+  }
+  if [source_ip] {
+    if [source_ip] =~ "10\." or [source_ip] =~ "192\.168\." or [source_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." {
+      mutate {
+        add_tag => [ "internal_source" ]
+      }
+    } else {
+      mutate {
+        add_tag => [ "external_source" ]
+      }
+    }
+    if "internal_source" not in [tags] {
+      if [source_ip] == "198.41.0.4" or [source_ip] == "192.228.79.201" or [source_ip] == "192.33.4.12" or [source_ip] == "199.7.91.13" or [source_ip] == "192.203.230.10" or [source_ip] == "192.5.5.241" or [source_ip] == "192.112.36.4" or [source_ip] == "198.97.190.53" or [source_ip] == "192.36.148.17" or [source_ip] == "192.58.128.30" or [source_ip] == "193.0.14.129" or [source_ip] == "199.7.83.42" or [source_ip] == "202.12.27.33" {
+        mutate {
+          add_tag => [ "root_dns_server" ]
+        }
+      }
+    }
+    # Customize this section to your environment
+    if [destination_ip] == "74.40.74.40" and "authorized_dns_server" not in [tags] or [destination_ip] == "74.40.74.41" and "authorized_dns_server" not in [tags] {
+      mutate {
+        add_tag => [ "authorized_dns_server" ]
+      }
+    }
+	mutate {
+		##add_tag => [ "conf_file_8200"]
+	}
+  }
+  if [type] =~ /ossec|snort|firewall/ or "firewall" in [tags] {
+      mutate {
+          remove_tag => [ "syslog" ]
+      }
+  }
+}
diff --git a/salt/logstash/pipelines/config/8998_postprocess_log_elapsed.conf b/salt/logstash/pipelines/config/8998_postprocess_log_elapsed.conf
new file mode 100644
index 000000000..478c6b0e0
--- /dev/null
+++ b/salt/logstash/pipelines/config/8998_postprocess_log_elapsed.conf
@@ -0,0 +1,19 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  ruby {
+    code => "event.set('task_end', Time.now.to_f)"
+  }
+  ruby {
+    code => "event.set('logstash_time', event.get('task_end') - event.get('task_start'))"
+  }
+  mutate {
+    remove_field => [ 'task_start', 'task_end' ]
+  }
+  mutate {
+	#add_tag => [ "conf_file_8998"]
+  }
+}
diff --git a/salt/logstash/pipelines/config/8999_postprocess_rename_type.conf b/salt/logstash/pipelines/config/8999_postprocess_rename_type.conf
new file mode 100644
index 000000000..383fd9827
--- /dev/null
+++ b/salt/logstash/pipelines/config/8999_postprocess_rename_type.conf
@@ -0,0 +1,8 @@
+# Author: Doug Burks
+# Last Update: 12/10/2017
+
+filter {
+    mutate {
+	  rename => [ "type", "event_type" ]
+	}
+}
diff --git a/salt/logstash/pipelines/config/9000_output_bro.conf.jinja b/salt/logstash/pipelines/config/9000_output_bro.conf.jinja
new file mode 100644
index 000000000..2beafc8be
--- /dev/null
+++ b/salt/logstash/pipelines/config/9000_output_bro.conf.jinja
@@ -0,0 +1,32 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- set NAME = grains.host -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+
+filter {
+  if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
+    mutate {
+	  add_field => { "sensor_name" => "{{ NAME }}" }
+	}
+  }
+}
+output {
+  if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
+#    stdout { codec => rubydebug }
+    elasticsearch {
+      pipeline => "%{event_type}"
+      hosts => "{{ ES }}"
+      index => "logstash-bro-%{+YYYY.MM.dd}"
+      template_name => "logstash"
+      template => "/logstash-template.json"
+      template_overwrite => true
+    }
+  }
+}
diff --git a/salt/logstash/pipelines/config/9001_output_switch.conf.jinja b/salt/logstash/pipelines/config/9001_output_switch.conf.jinja
new file mode 100644
index 000000000..949a738ab
--- /dev/null
+++ b/salt/logstash/pipelines/config/9001_output_switch.conf.jinja
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if "switch" in [tags] and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9001"]
+	}
+  }
+}
+output {
+  if "switch" in [tags] and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-switch-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/pipelines/config/9002_output_import.conf.jinja b/salt/logstash/pipelines/config/9002_output_import.conf.jinja
new file mode 100644
index 000000000..88fbc7551
--- /dev/null
+++ b/salt/logstash/pipelines/config/9002_output_import.conf.jinja
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Updated by: Doug Burks
+# Last Update: 5/16/2017
+
+filter {
+  if "import" in [tags] and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9002"]
+	}
+  }
+}
+output {
+  if "import" in [tags] and "test_data" not in [tags] {
+#    stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-import-%{+YYYY.MM.dd}"
+      template_name => "logstash-*"
+      template => "/logstash-template.json"
+      template_overwrite => true
+    }
+  }
+}
diff --git a/salt/logstash/pipelines/config/9004_output_flow.conf.jinja b/salt/logstash/pipelines/config/9004_output_flow.conf.jinja
new file mode 100644
index 000000000..3dbd34f16
--- /dev/null
+++ b/salt/logstash/pipelines/config/9004_output_flow.conf.jinja
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "sflow" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9004"]
+	}
+  }
+}
+output {
+  if [event_type] == "sflow" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-flow-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/pipelines/config/9026_output_dhcp.conf.jinja b/salt/logstash/pipelines/config/9026_output_dhcp.conf.jinja
new file mode 100644
index 000000000..a63ac5f98
--- /dev/null
+++ b/salt/logstash/pipelines/config/9026_output_dhcp.conf.jinja
@@ -0,0 +1,26 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "dhcp" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9026"]
+	}
+  }
+}
+output {
+  if [event_type] == "dhcp" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/pipelines/config/9029_output_esxi.conf.jinja b/salt/logstash/pipelines/config/9029_output_esxi.conf.jinja
new file mode 100644
index 000000000..229de6b9c
--- /dev/null
+++ b/salt/logstash/pipelines/config/9029_output_esxi.conf.jinja
@@ -0,0 +1,25 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "esxi" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9029"]
+	}
+  }
+}
+output {
+  if [event_type] == "esxi" and "test_data" not in [tags] {
+    elasticsearch {
+      hosts => "{{ ES }}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/pipelines/config/9030_output_greensql.conf.jinja b/salt/logstash/pipelines/config/9030_output_greensql.conf.jinja
new file mode 100644
index 000000000..a6d16b95d
--- /dev/null
+++ b/salt/logstash/pipelines/config/9030_output_greensql.conf.jinja
@@ -0,0 +1,25 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "greensql" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9030"]
+	}
+  }
+}
+output {
+  if [event_type] == "greensql" and "test_data" not in [tags] {
+    elasticsearch {
+      hosts => "{{ ES }}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/pipelines/config/9031_output_iis.conf.jinja b/salt/logstash/pipelines/config/9031_output_iis.conf.jinja
new file mode 100644
index 000000000..6650d8a7d
--- /dev/null
+++ b/salt/logstash/pipelines/config/9031_output_iis.conf.jinja
@@ -0,0 +1,26 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "iis" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9031"]
+	}
+  }
+}
+output {
+  if [event_type] == "iis" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/pipelines/config/9032_output_mcafee.conf.jinja b/salt/logstash/pipelines/config/9032_output_mcafee.conf.jinja
new file mode 100644
index 000000000..ca982967d
--- /dev/null
+++ b/salt/logstash/pipelines/config/9032_output_mcafee.conf.jinja
@@ -0,0 +1,26 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "mcafee" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9032"]
+	}
+  }
+}
+output {
+  if [event_type] == "mcafee" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/pipelines/config/9033_output_snort.conf.jinja b/salt/logstash/pipelines/config/9033_output_snort.conf.jinja
new file mode 100644
index 000000000..6c310b91e
--- /dev/null
+++ b/salt/logstash/pipelines/config/9033_output_snort.conf.jinja
@@ -0,0 +1,29 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "ids" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9033"]
+	}
+  }
+}
+output {
+    if [event_type] == "ids" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-ids-%{+YYYY.MM.dd}"
+      template_name => "logstash"
+      template => "/logstash-template.json"
+      template_overwrite => true
+    }
+  }
+}
diff --git a/salt/logstash/pipelines/config/9034_output_syslog.conf.jinja b/salt/logstash/pipelines/config/9034_output_syslog.conf.jinja
new file mode 100644
index 000000000..56a6527b8
--- /dev/null
+++ b/salt/logstash/pipelines/config/9034_output_syslog.conf.jinja
@@ -0,0 +1,28 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/15/2017
+
+filter {
+  if "syslog" in [tags] and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9034"]
+	}
+  }
+}
+output {
+  if "syslog" in [tags] and "test_data" not in [tags] {
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-syslog-%{+YYYY.MM.dd}"
+      template_name => "logstash"
+      template => "/logstash-template.json"
+      template_overwrite => true
+    }
+  }
+}
diff --git a/salt/logstash/pipelines/config/9100_output_osquery.conf.jinja b/salt/logstash/pipelines/config/9100_output_osquery.conf.jinja
new file mode 100644
index 000000000..132f0eb66
--- /dev/null
+++ b/salt/logstash/pipelines/config/9100_output_osquery.conf.jinja
@@ -0,0 +1,32 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Security Onion Solutions
+# Last Update: 2/3/2020
+# Output to ES for osquery tagged logs - EVAL install
+
+
+filter {
+    if "osquery" in [tags] {
+    mutate {
+      rename => { "host" => "beat_host" }
+      remove_tag => ["beat"]
+                }
+   json {
+    source => "message"
+    target => "osquery"
+        }
+  }
+}
+
+output {
+  if "osquery" in [tags] {
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-osquery-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/pipelines/config/9200_output_firewall.conf.jinja b/salt/logstash/pipelines/config/9200_output_firewall.conf.jinja
new file mode 100644
index 000000000..b2ad43963
--- /dev/null
+++ b/salt/logstash/pipelines/config/9200_output_firewall.conf.jinja
@@ -0,0 +1,29 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if "firewall" in [tags] and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9200"]
+	}
+  }
+}
+output {
+  if "firewall" in [tags] and "test_data" not in [tags] {
+#    stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-firewall-%{+YYYY.MM.dd}"
+      template_name => "logstash"
+      template => "/logstash-template.json"
+      template_overwrite => true
+    }
+  }
+}
diff --git a/salt/logstash/pipelines/config/9300_output_windows.conf.jinja b/salt/logstash/pipelines/config/9300_output_windows.conf.jinja
new file mode 100644
index 000000000..d3f9d1919
--- /dev/null
+++ b/salt/logstash/pipelines/config/9300_output_windows.conf.jinja
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "windows" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9300"]
+	}
+  }
+}
+output {
+  if [event_type] == "windows" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-windows-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/pipelines/config/9301_output_dns_windows.conf.jinja b/salt/logstash/pipelines/config/9301_output_dns_windows.conf.jinja
new file mode 100644
index 000000000..8a56b7044
--- /dev/null
+++ b/salt/logstash/pipelines/config/9301_output_dns_windows.conf.jinja
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "dns" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9301"]
+	}
+  }
+}
+output {
+  if [event_type] == "dns" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/pipelines/config/9400_output_suricata.conf.jinja b/salt/logstash/pipelines/config/9400_output_suricata.conf.jinja
new file mode 100644
index 000000000..1de235444
--- /dev/null
+++ b/salt/logstash/pipelines/config/9400_output_suricata.conf.jinja
@@ -0,0 +1,28 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- set NAME = grains.host -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "suricata" and "test_data" not in [tags] {
+    mutate {
+	  add_field => { "sensor_name" => "{{ NAME }}" }
+	}
+  }
+}
+output {
+  if [event_type] == "suricata" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-ids-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/pipelines/config/9500_output_beats.conf.jinja b/salt/logstash/pipelines/config/9500_output_beats.conf.jinja
new file mode 100644
index 000000000..30900cb93
--- /dev/null
+++ b/salt/logstash/pipelines/config/9500_output_beats.conf.jinja
@@ -0,0 +1,25 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Wes Lambert
+# Last Update: 09/14/2018
+filter {
+  if "beat" in [tags] {
+    mutate {
+          ##add_tag => [ "conf_file_9500"]
+        }
+  }
+}
+output {
+  if "beat" in [tags] {
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-beats-%{+YYYY.MM.dd}"
+      template_name => "logstash-beats"
+      template => "/beats-template.json"
+      template_overwrite => true
+    }
+  }
+}
diff --git a/salt/logstash/pipelines/config/9600_output_ossec.conf.jinja b/salt/logstash/pipelines/config/9600_output_ossec.conf.jinja
new file mode 100644
index 000000000..71d0c28aa
--- /dev/null
+++ b/salt/logstash/pipelines/config/9600_output_ossec.conf.jinja
@@ -0,0 +1,29 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 9/19/2018
+
+filter {
+  if [event_type] =~ "ossec" {
+    mutate {
+          ##add_tag => [ "conf_file_9600"]
+        }
+  }
+}
+
+output {
+  if [event_type] =~ "ossec" or "ossec" in [tags] {
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-ossec-%{+YYYY.MM.dd}"
+      template_name => "logstash-ossec"
+      template => "/logstash-ossec-template.json"
+      template_overwrite => true
+    }
+  }
+}
diff --git a/salt/logstash/pipelines/config/9700_ouptut_strelka.conf.jinja b/salt/logstash/pipelines/config/9700_ouptut_strelka.conf.jinja
new file mode 100644
index 000000000..c562cedc7
--- /dev/null
+++ b/salt/logstash/pipelines/config/9700_ouptut_strelka.conf.jinja
@@ -0,0 +1,30 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+
+filter {
+  if [event_type] =~ "strelka" {
+    mutate {
+          ##add_tag => [ "conf_file_9000"]
+        }
+  }
+}
+output {
+  if [event_type] =~ "strelka" {
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-strelka-%{+YYYY.MM.dd}"
+      template_name => "logstash-strelka"
+      template => "/logstash-strelka-template.json"
+      template_overwrite => true
+    }
+  }
+}
+

From c396342aeac7e7f252a77fd89ee9eba81913b86c Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Wed, 19 Feb 2020 13:46:52 -0500
Subject: [PATCH 2/6] fix syntax error with new ls pipeline config

---
 salt/logstash/init.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls
index a987e03ab..d23983b4b 100644
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
@@ -112,7 +112,7 @@ ls_pipeline_{{PL}}:
     - user: 931
     - group: 939
 
-  {% for CONFIGFILE in PIPELINES.PL.config %}
+  {% for CONFIGFILE in PIPELINES[PL].config %}
 ls_pipeline_{{PL}}_{{CONFIGFILE.split('.')[0]}}:
   file.managed:
     - name: /opt/so/conf/logstash/pipelines/{{PL}}/{{CONFIGFILE}}

From 408b3695e0c5bce1bdced5abcb1353799fb07c64 Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Wed, 19 Feb 2020 14:12:18 -0500
Subject: [PATCH 3/6] add back deleted states to logstash state

---
 salt/logstash/init.sls | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls
index d23983b4b..3637cfe46 100644
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
@@ -125,6 +125,24 @@ ls_pipeline_{{PL}}_{{CONFIGFILE.split('.')[0]}}:
   {% endfor %}
 {% endfor %}
 
+lspipelinesyml:
+  file.managed:
+    - name: /opt/so/conf/logstash/etc/pipelines.yml
+    - source: salt://logstash/etc/pipelines.yml.jinja
+    - template: jinja
+    - defaults:
+        pipelines: {{ pipelines }}
+
+# Copy down all the configs including custom - TODO add watch restart
+lsetcsync:
+  file.recurse:
+    - name: /opt/so/conf/logstash/etc
+    - source: salt://logstash/etc
+    - user: 931
+    - group: 939
+    - template: jinja
+    - exclude_pat: pipelines*
+
 lssync:
   file.recurse:
     - name: /opt/so/conf/logstash/dynamic

From 54e94676fe3145435208361fd30497af18502780 Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Wed, 19 Feb 2020 14:59:39 -0500
Subject: [PATCH 4/6] fix pipelines variable

---
 salt/logstash/init.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls
index 3637cfe46..6467ec908 100644
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
@@ -131,7 +131,7 @@ lspipelinesyml:
     - source: salt://logstash/etc/pipelines.yml.jinja
     - template: jinja
     - defaults:
-        pipelines: {{ pipelines }}
+        pipelines: {{ PIPELINES }}
 
 # Copy down all the configs including custom - TODO add watch restart
 lsetcsync:

From 7604853c599fdd97cc99a979d76737aabdb3c625 Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Wed, 19 Feb 2020 16:02:24 -0500
Subject: [PATCH 5/6] fix logic for logstash pipelines

---
 salt/logstash/etc/pipelines.yml.jinja |  2 +-
 salt/logstash/init.sls                | 10 ++++++----
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/salt/logstash/etc/pipelines.yml.jinja b/salt/logstash/etc/pipelines.yml.jinja
index 07eeacfaf..3ee7a0d3b 100644
--- a/salt/logstash/etc/pipelines.yml.jinja
+++ b/salt/logstash/etc/pipelines.yml.jinja
@@ -1,4 +1,4 @@
 {%- for pl in pipelines %}
 - pipeline.id: {{ pl }}
-  path.config: "{{ pipelines[pl].config }}"
+  path.config: "/usr/share/logstash/pipelines/{{ pl }}/"
 {% endfor -%}
diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls
index 6467ec908..0b80caacf 100644
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
@@ -115,13 +115,15 @@ ls_pipeline_{{PL}}:
   {% for CONFIGFILE in PIPELINES[PL].config %}
 ls_pipeline_{{PL}}_{{CONFIGFILE.split('.')[0]}}:
   file.managed:
-    - name: /opt/so/conf/logstash/pipelines/{{PL}}/{{CONFIGFILE}}
     - source: salt://logstash/pipelines/config/{{CONFIGFILE}}
+    {% if 'jinja' in CONFIGFILE.split('.')[-1] %}
+    - name: /opt/so/conf/logstash/pipelines/{{PL}}/{{CONFIGFILE | replace(".jinja", "")}}
+    - template: jinja
+    {% else %}
+    - name: /opt/so/conf/logstash/pipelines/{{PL}}/{{CONFIGFILE}}
+    {% endif %}
     - user: 931
     - group: 939
-    {% if 'jinja' in CONFIGFILE.split('.')[-1] %}
-    - template: jinja
-    {% endif %}
   {% endfor %}
 {% endfor %}
 

From 2b34bdece97548af2fae4cbd6233f65f8e733c9b Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Thu, 20 Feb 2020 16:47:40 -0500
Subject: [PATCH 6/6] logstash cleanup -
 https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/326

---
 pillar/logstash/helix.sls                     |  40 ++-
 pillar/logstash/master.sls                    |   4 +-
 pillar/logstash/search.sls                    |  53 +++-
 .../conf/pipelines/eval/0800_input_eval.conf  | 204 -------------
 .../eval/1000_preprocess_log_elapsed.conf     |  13 -
 .../eval/1001_preprocess_syslogng.conf        |  33 --
 .../pipelines/eval/1002_preprocess_json.conf  |  18 --
 .../eval/1004_preprocess_syslog_types.conf    |  19 --
 .../pipelines/eval/1026_preprocess_dhcp.conf  | 140 ---------
 .../pipelines/eval/1029_preprocess_esxi.conf  |  31 --
 .../eval/1030_preprocess_greensql.conf        |  21 --
 .../pipelines/eval/1031_preprocess_iis.conf   |  21 --
 .../eval/1032_preprocess_mcafee.conf          |  26 --
 .../pipelines/eval/1033_preprocess_snort.conf | 181 -----------
 .../eval/1034_preprocess_syslog.conf          |  16 -
 .../pipelines/eval/2000_network_flow.conf     |  59 ----
 .../conf/pipelines/eval/6002_syslog.conf      |  11 -
 .../pipelines/eval/6101_switch_brocade.conf   |  33 --
 .../eval/6200_firewall_fortinet.conf          | 281 ------------------
 .../pipelines/eval/6201_firewall_pfsense.conf |  56 ----
 .../conf/pipelines/eval/6300_windows.conf     | 161 ----------
 .../conf/pipelines/eval/6301_dns_windows.conf |  49 ---
 .../conf/pipelines/eval/6400_suricata.conf    |  92 ------
 .../conf/pipelines/eval/6500_ossec.conf       | 160 ----------
 .../pipelines/eval/6501_ossec_sysmon.conf     | 118 --------
 .../pipelines/eval/6502_ossec_autoruns.conf   |  43 ---
 .../eval/6600_winlogbeat_sysmon.conf          |  23 --
 .../conf/pipelines/eval/6700_winlogbeat.conf  |  17 --
 .../conf/pipelines/eval/7100_osquery_wel.conf |  23 --
 .../conf/pipelines/eval/7200_strelka.conf     |   8 -
 ...01_postprocess_common_ip_augmentation.conf |  58 ----
 .../pipelines/eval/8007_postprocess_http.conf |  27 --
 .../eval/8200_postprocess_tagging.conf        |  63 ----
 .../eval/8998_postprocess_log_elapsed.conf    |  19 --
 .../eval/8999_postprocess_rename_type.conf    |   8 -
 .../eval/templates/9000_output_bro.conf       |  32 --
 .../eval/templates/9001_output_switch.conf    |  27 --
 .../eval/templates/9002_output_import.conf    |  27 --
 .../eval/templates/9004_output_flow.conf      |  27 --
 .../eval/templates/9026_output_dhcp.conf      |  26 --
 .../eval/templates/9029_output_esxi.conf      |  25 --
 .../eval/templates/9030_output_greensql.conf  |  25 --
 .../eval/templates/9031_output_iis.conf       |  26 --
 .../eval/templates/9032_output_mcafee.conf    |  26 --
 .../eval/templates/9033_output_snort.conf     |  29 --
 .../eval/templates/9034_output_syslog.conf    |  28 --
 .../eval/templates/9100_output_osquery.conf   |  32 --
 .../eval/templates/9200_output_firewall.conf  |  29 --
 .../eval/templates/9300_output_windows.conf   |  27 --
 .../templates/9301_output_dns_windows.conf    |  27 --
 .../eval/templates/9400_output_suricata.conf  |  28 --
 .../eval/templates/9500_output_beats.conf     |  25 --
 .../eval/templates/9600_output_ossec.conf     |  29 --
 .../helix/1033_preprocess_snort.conf          | 181 -----------
 ...01_postprocess_common_ip_augmentation.conf |  58 ----
 .../pipelines/master/0010_input_hhbeats.conf  |  40 ---
 .../search/1000_preprocess_log_elapsed.conf   |  13 -
 .../search/1001_preprocess_syslogng.conf      |  33 --
 .../search/1002_preprocess_json.conf          |  18 --
 .../search/1004_preprocess_syslog_types.conf  |  19 --
 .../search/1026_preprocess_dhcp.conf          | 140 ---------
 .../search/1029_preprocess_esxi.conf          |  31 --
 .../search/1030_preprocess_greensql.conf      |  21 --
 .../pipelines/search/1031_preprocess_iis.conf |  21 --
 .../search/1032_preprocess_mcafee.conf        |  26 --
 .../search/1033_preprocess_snort.conf         | 181 -----------
 .../search/1034_preprocess_syslog.conf        |  16 -
 .../pipelines/search/2000_network_flow.conf   |  59 ----
 .../conf/pipelines/search/6002_syslog.conf    |  11 -
 .../pipelines/search/6101_switch_brocade.conf |  33 --
 .../search/6200_firewall_fortinet.conf        | 281 ------------------
 .../search/6201_firewall_pfsense.conf         |  56 ----
 .../conf/pipelines/search/6300_windows.conf   | 161 ----------
 .../pipelines/search/6301_dns_windows.conf    |  49 ---
 .../conf/pipelines/search/6400_suricata.conf  |  92 ------
 .../conf/pipelines/search/6500_ossec.conf     | 160 ----------
 .../pipelines/search/6501_ossec_sysmon.conf   | 118 --------
 .../pipelines/search/6502_ossec_autoruns.conf |  43 ---
 .../search/6600_winlogbeat_sysmon.conf        |  23 --
 .../pipelines/search/6700_winlogbeat.conf     |  17 --
 .../pipelines/search/7100_osquery_wel.conf    |  23 --
 .../conf/pipelines/search/7200_strelka.conf   |   8 -
 ...01_postprocess_common_ip_augmentation.conf |  58 ----
 .../search/8007_postprocess_http.conf         |  27 --
 .../search/8200_postprocess_tagging.conf      |  63 ----
 .../search/8998_postprocess_log_elapsed.conf  |  19 --
 .../search/8999_postprocess_rename_type.conf  |   8 -
 .../search/templates/9000_output_bro.conf     |  31 --
 .../search/templates/9001_output_switch.conf  |  27 --
 .../search/templates/9002_output_import.conf  |  27 --
 .../search/templates/9004_output_flow.conf    |  27 --
 .../search/templates/9026_output_dhcp.conf    |  26 --
 .../search/templates/9029_output_esxi.conf    |  25 --
 .../templates/9030_output_greensql.conf       |  25 --
 .../search/templates/9031_output_iis.conf     |  26 --
 .../search/templates/9032_output_mcafee.conf  |  26 --
 .../search/templates/9033_output_snort.conf   |  29 --
 .../search/templates/9034_output_syslog.conf  |  28 --
 .../search/templates/9100_output_osquery.conf |  19 --
 .../templates/9200_output_firewall.conf       |  29 --
 .../search/templates/9300_output_windows.conf |  27 --
 .../templates/9301_output_dns_windows.conf    |  27 --
 .../templates/9400_output_suricata.conf       |  27 --
 .../search/templates/9500_output_beats.conf   |  25 --
 .../search/templates/9600_output_ossec.conf   |  29 --
 .../search/templates/9700_output_strelka.conf |  30 --
 .../config}/0010_input_hhbeats.conf           |   0
 .../config/0900_input_redis.conf.jinja}       |   0
 .../config}/1100_preprocess_bro_conn.conf     |   0
 .../config}/1101_preprocess_bro_dhcp.conf     |   0
 .../config}/1102_preprocess_bro_dns.conf      |   0
 .../config}/1103_preprocess_bro_dpd.conf      |   0
 .../config}/1104_preprocess_bro_files.conf    |   0
 .../config}/1105_preprocess_bro_ftp.conf      |   0
 .../config}/1106_preprocess_bro_http.conf     |   0
 .../config}/1107_preprocess_bro_irc.conf      |   0
 .../config}/1108_preprocess_bro_kerberos.conf |   0
 .../config}/1109_preprocess_bro_notice.conf   |   0
 .../config}/1110_preprocess_bro_rdp.conf      |   0
 .../1111_preprocess_bro_signatures.conf       |   0
 .../config}/1112_preprocess_bro_smtp.conf     |   0
 .../config}/1113_preprocess_bro_snmp.conf     |   0
 .../config}/1114_preprocess_bro_software.conf |   0
 .../config}/1115_preprocess_bro_ssh.conf      |   0
 .../config}/1116_preprocess_bro_ssl.conf      |   0
 .../config}/1117_preprocess_bro_syslog.conf   |   0
 .../config}/1118_preprocess_bro_tunnel.conf   |   0
 .../config}/1119_preprocess_bro_weird.conf    |   0
 .../config}/1121_preprocess_bro_mysql.conf    |   0
 .../config}/1122_preprocess_bro_socks.conf    |   0
 .../config}/1123_preprocess_bro_x509.conf     |   0
 .../config}/1124_preprocess_bro_intel.conf    |   0
 .../config}/1125_preprocess_bro_modbus.conf   |   0
 .../config}/1126_preprocess_bro_sip.conf      |   0
 .../config}/1127_preprocess_bro_radius.conf   |   0
 .../config}/1128_preprocess_bro_pe.conf       |   0
 .../config}/1129_preprocess_bro_rfb.conf      |   0
 .../config}/1130_preprocess_bro_dnp3.conf     |   0
 .../1131_preprocess_bro_smb_files.conf        |   0
 .../1132_preprocess_bro_smb_mapping.conf      |   0
 .../config}/1133_preprocess_bro_ntlm.conf     |   0
 .../config}/1134_preprocess_bro_dce_rpc.conf  |   0
 .../config}/6000_bro.conf                     |   0
 .../config}/6001_bro_import.conf              |   0
 .../config}/8000_postprocess_bro_cleanup.conf |   0
 .../config}/8006_postprocess_dns.conf         |   0
 .../config/9000_output_bro.conf.jinja         |   3 +-
 .../config/9100_output_osquery.conf.jinja     |  21 +-
 .../config/9400_output_suricata.conf.jinja    |   3 +-
 .../config/9700_ouptut_strelka.conf.jinja     |  30 --
 .../config/9700_output_strelka.conf.jinja}    |   0
 .../config/9997_output_helix.conf.jinja}      |   0
 .../config/9999_output_redis.conf.jinja}      |   0
 153 files changed, 100 insertions(+), 5198 deletions(-)
 delete mode 100644 salt/logstash/conf/pipelines/eval/0800_input_eval.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/1000_preprocess_log_elapsed.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/1001_preprocess_syslogng.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/1002_preprocess_json.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/1004_preprocess_syslog_types.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/1026_preprocess_dhcp.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/1029_preprocess_esxi.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/1030_preprocess_greensql.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/1031_preprocess_iis.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/1032_preprocess_mcafee.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/1033_preprocess_snort.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/1034_preprocess_syslog.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/2000_network_flow.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/6002_syslog.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/6101_switch_brocade.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/6200_firewall_fortinet.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/6201_firewall_pfsense.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/6300_windows.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/6301_dns_windows.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/6400_suricata.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/6500_ossec.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/6501_ossec_sysmon.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/6502_ossec_autoruns.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/6600_winlogbeat_sysmon.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/6700_winlogbeat.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/7100_osquery_wel.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/7200_strelka.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/8001_postprocess_common_ip_augmentation.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/8007_postprocess_http.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/8200_postprocess_tagging.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/8998_postprocess_log_elapsed.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/8999_postprocess_rename_type.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/templates/9000_output_bro.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/templates/9001_output_switch.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/templates/9002_output_import.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/templates/9004_output_flow.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/templates/9026_output_dhcp.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/templates/9029_output_esxi.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/templates/9030_output_greensql.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/templates/9031_output_iis.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/templates/9032_output_mcafee.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/templates/9033_output_snort.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/templates/9034_output_syslog.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/templates/9100_output_osquery.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/templates/9200_output_firewall.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/templates/9300_output_windows.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/templates/9301_output_dns_windows.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/templates/9400_output_suricata.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/templates/9500_output_beats.conf
 delete mode 100644 salt/logstash/conf/pipelines/eval/templates/9600_output_ossec.conf
 delete mode 100644 salt/logstash/conf/pipelines/helix/1033_preprocess_snort.conf
 delete mode 100644 salt/logstash/conf/pipelines/helix/8001_postprocess_common_ip_augmentation.conf
 delete mode 100644 salt/logstash/conf/pipelines/master/0010_input_hhbeats.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/1000_preprocess_log_elapsed.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/1001_preprocess_syslogng.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/1002_preprocess_json.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/1004_preprocess_syslog_types.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/1026_preprocess_dhcp.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/1029_preprocess_esxi.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/1030_preprocess_greensql.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/1031_preprocess_iis.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/1032_preprocess_mcafee.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/1033_preprocess_snort.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/1034_preprocess_syslog.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/2000_network_flow.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/6002_syslog.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/6101_switch_brocade.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/6200_firewall_fortinet.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/6201_firewall_pfsense.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/6300_windows.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/6301_dns_windows.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/6400_suricata.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/6500_ossec.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/6501_ossec_sysmon.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/6502_ossec_autoruns.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/6600_winlogbeat_sysmon.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/6700_winlogbeat.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/7100_osquery_wel.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/7200_strelka.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/8001_postprocess_common_ip_augmentation.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/8007_postprocess_http.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/8200_postprocess_tagging.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/8998_postprocess_log_elapsed.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/8999_postprocess_rename_type.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/templates/9000_output_bro.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/templates/9001_output_switch.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/templates/9002_output_import.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/templates/9004_output_flow.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/templates/9026_output_dhcp.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/templates/9029_output_esxi.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/templates/9030_output_greensql.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/templates/9031_output_iis.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/templates/9032_output_mcafee.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/templates/9033_output_snort.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/templates/9034_output_syslog.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/templates/9100_output_osquery.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/templates/9200_output_firewall.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/templates/9300_output_windows.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/templates/9301_output_dns_windows.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/templates/9400_output_suricata.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/templates/9500_output_beats.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/templates/9600_output_ossec.conf
 delete mode 100644 salt/logstash/conf/pipelines/search/templates/9700_output_strelka.conf
 rename salt/logstash/{conf/pipelines/helix => pipelines/config}/0010_input_hhbeats.conf (100%)
 rename salt/logstash/{conf/pipelines/search/templates/0900_input_redis.conf => pipelines/config/0900_input_redis.conf.jinja} (100%)
 rename salt/logstash/{conf/pipelines/helix => pipelines/config}/1100_preprocess_bro_conn.conf (100%)
 rename salt/logstash/{conf/pipelines/helix => pipelines/config}/1101_preprocess_bro_dhcp.conf (100%)
 rename salt/logstash/{conf/pipelines/helix => pipelines/config}/1102_preprocess_bro_dns.conf (100%)
 rename salt/logstash/{conf/pipelines/helix => pipelines/config}/1103_preprocess_bro_dpd.conf (100%)
 rename salt/logstash/{conf/pipelines/helix => pipelines/config}/1104_preprocess_bro_files.conf (100%)
 rename salt/logstash/{conf/pipelines/helix => pipelines/config}/1105_preprocess_bro_ftp.conf (100%)
 rename salt/logstash/{conf/pipelines/helix => pipelines/config}/1106_preprocess_bro_http.conf (100%)
 rename salt/logstash/{conf/pipelines/helix => pipelines/config}/1107_preprocess_bro_irc.conf (100%)
 rename salt/logstash/{conf/pipelines/helix => pipelines/config}/1108_preprocess_bro_kerberos.conf (100%)
 rename salt/logstash/{conf/pipelines/helix => pipelines/config}/1109_preprocess_bro_notice.conf (100%)
 rename salt/logstash/{conf/pipelines/helix => pipelines/config}/1110_preprocess_bro_rdp.conf (100%)
 rename salt/logstash/{conf/pipelines/helix => pipelines/config}/1111_preprocess_bro_signatures.conf (100%)
 rename salt/logstash/{conf/pipelines/helix => pipelines/config}/1112_preprocess_bro_smtp.conf (100%)
 rename salt/logstash/{conf/pipelines/helix => pipelines/config}/1113_preprocess_bro_snmp.conf (100%)
 rename salt/logstash/{conf/pipelines/helix => pipelines/config}/1114_preprocess_bro_software.conf (100%)
 rename salt/logstash/{conf/pipelines/helix => pipelines/config}/1115_preprocess_bro_ssh.conf (100%)
 rename salt/logstash/{conf/pipelines/helix => pipelines/config}/1116_preprocess_bro_ssl.conf (100%)
 rename salt/logstash/{conf/pipelines/helix => pipelines/config}/1117_preprocess_bro_syslog.conf (100%)
 rename salt/logstash/{conf/pipelines/helix => pipelines/config}/1118_preprocess_bro_tunnel.conf (100%)
 rename salt/logstash/{conf/pipelines/helix => pipelines/config}/1119_preprocess_bro_weird.conf (100%)
 rename salt/logstash/{conf/pipelines/helix => pipelines/config}/1121_preprocess_bro_mysql.conf (100%)
 rename salt/logstash/{conf/pipelines/helix => pipelines/config}/1122_preprocess_bro_socks.conf (100%)
 rename salt/logstash/{conf/pipelines/helix => pipelines/config}/1123_preprocess_bro_x509.conf (100%)
 rename salt/logstash/{conf/pipelines/helix => pipelines/config}/1124_preprocess_bro_intel.conf (100%)
 rename salt/logstash/{conf/pipelines/helix => pipelines/config}/1125_preprocess_bro_modbus.conf (100%)
 rename salt/logstash/{conf/pipelines/helix => pipelines/config}/1126_preprocess_bro_sip.conf (100%)
 rename salt/logstash/{conf/pipelines/helix => pipelines/config}/1127_preprocess_bro_radius.conf (100%)
 rename salt/logstash/{conf/pipelines/helix => pipelines/config}/1128_preprocess_bro_pe.conf (100%)
 rename salt/logstash/{conf/pipelines/helix => pipelines/config}/1129_preprocess_bro_rfb.conf (100%)
 rename salt/logstash/{conf/pipelines/helix => pipelines/config}/1130_preprocess_bro_dnp3.conf (100%)
 rename salt/logstash/{conf/pipelines/helix => pipelines/config}/1131_preprocess_bro_smb_files.conf (100%)
 rename salt/logstash/{conf/pipelines/helix => pipelines/config}/1132_preprocess_bro_smb_mapping.conf (100%)
 rename salt/logstash/{conf/pipelines/helix => pipelines/config}/1133_preprocess_bro_ntlm.conf (100%)
 rename salt/logstash/{conf/pipelines/helix => pipelines/config}/1134_preprocess_bro_dce_rpc.conf (100%)
 rename salt/logstash/{conf/pipelines => pipelines/config}/6000_bro.conf (100%)
 rename salt/logstash/{conf/pipelines => pipelines/config}/6001_bro_import.conf (100%)
 rename salt/logstash/{conf/pipelines => pipelines/config}/8000_postprocess_bro_cleanup.conf (100%)
 rename salt/logstash/{conf/pipelines => pipelines/config}/8006_postprocess_dns.conf (100%)
 delete mode 100644 salt/logstash/pipelines/config/9700_ouptut_strelka.conf.jinja
 rename salt/logstash/{conf/pipelines/eval/templates/9700_ouptut_strelka.conf => pipelines/config/9700_output_strelka.conf.jinja} (100%)
 rename salt/logstash/{conf/pipelines/helix/templates/9997_output_helix.conf => pipelines/config/9997_output_helix.conf.jinja} (100%)
 rename salt/logstash/{conf/pipelines/master/templates/9999_output_redis.conf => pipelines/config/9999_output_redis.conf.jinja} (100%)

diff --git a/pillar/logstash/helix.sls b/pillar/logstash/helix.sls
index e396a7aad..cdde880e1 100644
--- a/pillar/logstash/helix.sls
+++ b/pillar/logstash/helix.sls
@@ -1,4 +1,42 @@
 logstash:
   pipelines:
     helix:
-      config: "/usr/share/logstash/pipelines/helix/*.conf"
+      config:
+        - 0010_input_hhbeats.conf
+        - 1033_preprocess_snort.conf
+        - 1100_preprocess_bro_conn.conf
+        - 1101_preprocess_bro_dhcp.conf
+        - 1102_preprocess_bro_dns.conf
+        - 1103_preprocess_bro_dpd.conf
+        - 1104_preprocess_bro_files.conf
+        - 1105_preprocess_bro_ftp.conf
+        - 1106_preprocess_bro_http.conf
+        - 1107_preprocess_bro_irc.conf
+        - 1108_preprocess_bro_kerberos.conf
+        - 1109_preprocess_bro_notice.conf
+        - 1110_preprocess_bro_rdp.conf
+        - 1111_preprocess_bro_signatures.conf
+        - 1112_preprocess_bro_smtp.conf
+        - 1113_preprocess_bro_snmp.conf
+        - 1114_preprocess_bro_software.conf
+        - 1115_preprocess_bro_ssh.conf
+        - 1116_preprocess_bro_ssl.conf
+        - 1117_preprocess_bro_syslog.conf
+        - 1118_preprocess_bro_tunnel.conf
+        - 1119_preprocess_bro_weird.conf
+        - 1121_preprocess_bro_mysql.conf
+        - 1122_preprocess_bro_socks.conf
+        - 1123_preprocess_bro_x509.conf
+        - 1124_preprocess_bro_intel.conf
+        - 1125_preprocess_bro_modbus.conf
+        - 1126_preprocess_bro_sip.conf
+        - 1127_preprocess_bro_radius.conf
+        - 1128_preprocess_bro_pe.conf
+        - 1129_preprocess_bro_rfb.conf
+        - 1130_preprocess_bro_dnp3.conf
+        - 1131_preprocess_bro_smb_files.conf
+        - 1132_preprocess_bro_smb_mapping.conf
+        - 1133_preprocess_bro_ntlm.conf
+        - 1134_preprocess_bro_dce_rpc.conf
+        - 8001_postprocess_common_ip_augmentation.conf
+        - 9997_output_helix.conf.jinja
diff --git a/pillar/logstash/master.sls b/pillar/logstash/master.sls
index 3be98f6b9..f3ad90d7e 100644
--- a/pillar/logstash/master.sls
+++ b/pillar/logstash/master.sls
@@ -1,4 +1,6 @@
 logstash:
   pipelines:
     master:
-      config: "/usr/share/logstash/pipelines/master/*.conf"
+      config:
+        - 0010_input_hhbeats.conf
+        - 9999_output_redis.conf.jinja
diff --git a/pillar/logstash/search.sls b/pillar/logstash/search.sls
index 0eca8571f..3db36320f 100644
--- a/pillar/logstash/search.sls
+++ b/pillar/logstash/search.sls
@@ -1,4 +1,55 @@
 logstash:
   pipelines:
     search:
-      config: "/usr/share/logstash/pipelines/search/*.conf"
+      config:
+        - 1000_preprocess_log_elapsed.conf
+        - 1001_preprocess_syslogng.conf
+        - 1002_preprocess_json.conf
+        - 1004_preprocess_syslog_types.conf
+        - 1026_preprocess_dhcp.conf
+        - 1029_preprocess_esxi.conf
+        - 1030_preprocess_greensql.conf
+        - 1031_preprocess_iis.conf
+        - 1032_preprocess_mcafee.conf
+        - 1033_preprocess_snort.conf
+        - 1034_preprocess_syslog.conf
+        - 2000_network_flow.conf
+        - 6002_syslog.conf
+        - 6101_switch_brocade.conf
+        - 6200_firewall_fortinet.conf
+        - 6201_firewall_pfsense.conf
+        - 6300_windows.conf
+        - 6301_dns_windows.conf
+        - 6400_suricata.conf
+        - 6500_ossec.conf
+        - 6501_ossec_sysmon.conf
+        - 6502_ossec_autoruns.conf
+        - 6600_winlogbeat_sysmon.conf
+        - 6700_winlogbeat.conf
+        - 7100_osquery_wel.conf
+        - 7200_strelka.conf
+        - 8001_postprocess_common_ip_augmentation.conf
+        - 8007_postprocess_http.conf
+        - 8200_postprocess_tagging.conf
+        - 8998_postprocess_log_elapsed.conf
+        - 8999_postprocess_rename_type.conf
+        - 0900_input_redis.conf.jinja
+        - 9000_output_bro.conf.jinja
+        - 9001_output_switch.conf.jinja
+        - 9002_output_import.conf.jinja
+        - 9004_output_flow.conf.jinja
+        - 9026_output_dhcp.conf.jinja
+        - 9029_output_esxi.conf.jinja
+        - 9030_output_greensql.conf.jinja
+        - 9031_output_iis.conf.jinja
+        - 9032_output_mcafee.conf.jinja
+        - 9033_output_snort.conf.jinja
+        - 9034_output_syslog.conf.jinja
+        - 9100_output_osquery.conf.jinja
+        - 9200_output_firewall.conf.jinja
+        - 9300_output_windows.conf.jinja
+        - 9301_output_dns_windows.conf.jinja
+        - 9400_output_suricata.conf.jinja
+        - 9500_output_beats.conf.jinja
+        - 9600_output_ossec.conf.jinja
+        - 9700_output_strelka.conf.jinja
diff --git a/salt/logstash/conf/pipelines/eval/0800_input_eval.conf b/salt/logstash/conf/pipelines/eval/0800_input_eval.conf
deleted file mode 100644
index b499c3b0f..000000000
--- a/salt/logstash/conf/pipelines/eval/0800_input_eval.conf
+++ /dev/null
@@ -1,204 +0,0 @@
-# Updated by: Mike Reeves
-# Last Update: 11/1/2018
-
-input {
-  file {
-	  path => "/suricata/eve.json"
-		type => "ids"
-                add_field => { "engine" => "suricata" }
-	}
-	file {
-		path => "/nsm/zeek/logs/current/conn*.log"
-		type => "bro_conn"
-	    	tags => ["bro"]
-	}
-	file {
-		path => "/nsm/zeek/logs/current/dce_rpc*.log"
-		type => "bro_dce_rpc"
-	    	tags => ["bro"]
-	}
-	file {
-		path => "/nsm/zeek/logs/current/dhcp*.log"
-		type => "bro_dhcp"
-	    	tags => ["bro"]
-	}
-	file {
-		path => "/nsm/zeek/logs/current/dnp3*.log"
-		type => "bro_dnp3"
-	    	tags => ["bro"]
-	}
-	file {
-		path => "/nsm/zeek/logs/current/dns*.log"
-		type => "bro_dns"
-	    	tags => ["bro"]
-	}
-	file {
-		path => "/nsm/zeek/logs/current/dpd*.log"
-		type => "bro_dpd"
-	    	tags => ["bro"]
-	}
-	file {
-		path => "/nsm/zeek/logs/current/files*.log"
-		type => "bro_files"
-	    	tags => ["bro"]
-	}
-	file {
-		path => "/nsm/zeek/logs/current/ftp*.log"
-		type => "bro_ftp"
-	    	tags => ["bro"]
-	}
-	file {
-		path => "/nsm/zeek/logs/current/http*.log"
-		type => "bro_http"
-	    	tags => ["bro"]
-	}
-	file {
-		path => "/nsm/zeek/logs/current/intel*.log"
-		type => "bro_intel"
-	    	tags => ["bro"]
-	}
-	file {
-		path => "/nsm/zeek/logs/current/irc*.log"
-		type => "bro_irc"
-	    	tags => ["bro"]
-	}
-	file {
-		path => "/nsm/zeek/logs/current/kerberos*.log"
-		type => "bro_kerberos"
-	    	tags => ["bro"]
-	}
-	file {
-		path => "/nsm/zeek/logs/current/modbus*.log"
-		type => "bro_modbus"
-	    	tags => ["bro"]
-	}
-	file {
-		path => "/nsm/zeek/logs/current/mysql*.log"
-		type => "bro_mysql"
-	    	tags => ["bro"]
-	}
-	file {
-		path => "/nsm/zeek/logs/current/notice*.log"
-		type => "bro_notice"
-	    	tags => ["bro"]
-	}
-	file {
-		path => "/nsm/zeek/logs/current/ntlm*.log"
-		type => "bro_ntlm"
-	    	tags => ["bro"]
-	}
-	file {
-		path => "/nsm/zeek/logs/current/pe*.log"
-		type => "bro_pe"
-	    	tags => ["bro"]
-	}
-	file {
-		path => "/nsm/zeek/logs/current/radius*.log"
-		type => "bro_radius"
-	    	tags => ["bro"]
-	}
-	file {
-		path => "/nsm/zeek/logs/current/rdp*.log"
-		type => "bro_rdp"
-	    	tags => ["bro"]
-	}
-	file {
-		path => "/nsm/zeek/logs/current/rfb*.log"
-		type => "bro_rfb"
-	    	tags => ["bro"]
-	}
-	file {
-		path => "/nsm/zeek/logs/current/signatures*.log"
-		type => "bro_signatures"
-	    	tags => ["bro"]
-	}
-	file {
-		path => "/nsm/zeek/logs/current/sip*.log"
-		type => "bro_sip"
-	    	tags => ["bro"]
-	}
-	file {
-		path => "/nsm/zeek/logs/current/smb_files*.log"
-		type => "bro_smb_files"
-	    	tags => ["bro"]
-	}
-	file {
-		path => "/nsm/zeek/logs/current/smb_mapping*.log"
-		type => "bro_smb_mapping"
-	    	tags => ["bro"]
-	}
-	file {
-		path => "/nsm/zeek/logs/current/smtp*.log"
-		type => "bro_smtp"
-	    	tags => ["bro"]
-	}
-	file {
-		path => "/nsm/zeek/logs/current/snmp*.log"
-		type => "bro_snmp"
-	    	tags => ["bro"]
-	}
-	file {
-		path => "/nsm/zeek/logs/current/socks*.log"
-		type => "bro_socks"
-	    	tags => ["bro"]
-	}
-	file {
-		path => "/nsm/zeek/logs/current/software*.log"
-		type => "bro_software"
-	    	tags => ["bro"]
-	}
-	file {
-		path => "/nsm/zeek/logs/current/ssh*.log"
-		type => "bro_ssh"
-	    	tags => ["bro"]
-	}
-	file {
-		path => "/nsm/zeek/logs/current/ssl*.log"
-		type => "bro_ssl"
-	    	tags => ["bro"]
-	}
-	file {
-		path => "/nsm/zeek/logs/current/syslog*.log"
-		type => "bro_syslog"
-	    	tags => ["bro"]
-	}
-	file {
-		path => "/nsm/zeek/logs/current/tunnel*.log"
-		type => "bro_tunnels"
-	    	tags => ["bro"]
-	}
-	file {
-		path => "/nsm/zeek/logs/current/weird*.log"
-		type => "bro_weird"
-	    	tags => ["bro"]
-	}
-	file {
-		path => "/nsm/zeek/logs/current/x509*.log"
-		type => "bro_x509"
-	    	tags => ["bro"]
-	}
-  file {
-    path => "/wazuh/alerts/alerts.json"
-    type => "ossec"
-  }
-  file {
-    path => "/wazuh/archives/archives.json"
-    type => "ossec_archive"
-  }
-  file {
-    path => "/osquery/logs/result.log"
-    type => "osquery"
-    tags => ["osquery"]
-  }
-  file {
-    path => "/strelka/strelka.log"
-    type => "strelka"
-  }
-}
-filter {
-  if "import" in [tags] {
-	mutate {
-	  #add_tag => [ "conf_file_0007"]
-	}
-  }
-}
diff --git a/salt/logstash/conf/pipelines/eval/1000_preprocess_log_elapsed.conf b/salt/logstash/conf/pipelines/eval/1000_preprocess_log_elapsed.conf
deleted file mode 100644
index d098eb11a..000000000
--- a/salt/logstash/conf/pipelines/eval/1000_preprocess_log_elapsed.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  ruby {
-    code => "event.set('task_start', Time.now.to_f)"
-  }
-  mutate {
-    #add_tag => [ "conf_file_1000"]
-  }
-}
diff --git a/salt/logstash/conf/pipelines/eval/1001_preprocess_syslogng.conf b/salt/logstash/conf/pipelines/eval/1001_preprocess_syslogng.conf
deleted file mode 100644
index 84bce8802..000000000
--- a/salt/logstash/conf/pipelines/eval/1001_preprocess_syslogng.conf
+++ /dev/null
@@ -1,33 +0,0 @@
-# Updated by: Doug Burks and Wes Lambert
-# Last Update: 10/30/2018
-
-filter {
-  if "syslogng" in [tags] {
-	mutate {
-		rename => { "MESSAGE" => "message" }
-		rename => { "PROGRAM" => "type" }
-		rename => { "FACILITY" => "syslog-facility" }
-		rename => { "FILE_NAME" => "syslog-file_name" }
-		rename => { "HOST" => "syslog-host" }
-		rename => { "HOST_FROM" => "syslog-host_from" }
-		rename => { "LEGACY_MSGHDR" => "syslog-legacy_msghdr" }
-		rename => { "PID" => "syslog-pid" }
-		rename => { "PRIORITY" => "syslog-priority" }
-		rename => { "SOURCEIP" => "syslog-sourceip" }
-		rename => { "TAGS" => "syslog-tags" }
-		lowercase => [ "syslog-host_from" ]
-		remove_field => [ "ISODATE" ]
-		remove_field => [ "SEQNUM" ]
-          	#add_tag => [ "conf_file_1001"]
-	}
-	if "bro_" in [type] {
-		mutate {
-			add_tag => [ "bro" ]
-		}
-	} else if [type] !~ /ossec.*|snort/ and "firewall" not in [tags] {
-		mutate {
-			add_tag => [ "syslog" ]
-		}
-	}
-  }
-}
diff --git a/salt/logstash/conf/pipelines/eval/1002_preprocess_json.conf b/salt/logstash/conf/pipelines/eval/1002_preprocess_json.conf
deleted file mode 100644
index ea7c677da..000000000
--- a/salt/logstash/conf/pipelines/eval/1002_preprocess_json.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if "json" in [tags]{
-    json {
-      source => "message"
-    }
-    mutate {
-      remove_tag => [ "json" ]
-    }
-	mutate {
-		#add_tag => [ "conf_file_1002"]
-	}
-  }
-}
diff --git a/salt/logstash/conf/pipelines/eval/1004_preprocess_syslog_types.conf b/salt/logstash/conf/pipelines/eval/1004_preprocess_syslog_types.conf
deleted file mode 100644
index 243abcc15..000000000
--- a/salt/logstash/conf/pipelines/eval/1004_preprocess_syslog_types.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-filter {
-  if "syslog" in [tags] {
-    if [host] == "172.16.1.1" {
-      mutate {
-        add_field => { "type" => "fortinet" }
-        add_tag => [ "firewall" ]
-      }
-    }
-    if [host] == "10.0.0.101" {
-      mutate {
-        add_field => { "type" => "brocade" }
-        add_tag => [ "switch" ]
-      }
-    }
-	mutate {
-		#add_tag => [ "conf_file_1004"]
-	}
-  }
-}
diff --git a/salt/logstash/conf/pipelines/eval/1026_preprocess_dhcp.conf b/salt/logstash/conf/pipelines/eval/1026_preprocess_dhcp.conf
deleted file mode 100644
index 2f893cf7a..000000000
--- a/salt/logstash/conf/pipelines/eval/1026_preprocess_dhcp.conf
+++ /dev/null
@@ -1,140 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolutions.com
-# Last Update: 12/9/2016
-# This conf file is based on accepting logs for DHCP.  It is currently based on Windows DHCP only.
-filter {
-  if [type] == "dhcp" {
-    mutate {
-      add_field => { "Hostname" => "%{host}" }
-    }
-    mutate {
-      strip => "message"
-    }
-	  # This is the initial parsing of the log
-      grok {
-        # Server 2008+
-        match => { "message" => "%{DATA:id},%{DATE_US:date},(?<time>%{HOUR}:%{MINUTE}:%{SECOND}),%{DATA:description},%{IPV4:ip},%{DATA:Hostname},%{DATA:mac},%{DATA:Username},%{INT:TransactionID},%{INT:QResult},%{DATA:ProbationTime},%{DATA:CorrelationID}"}
-        # Server 2003
-        match => { "message" => "%{DATA:id},%{DATE_US:date},(?<time>%{HOUR}:%{MINUTE}:%{SECOND}),%{DATA:description},%{IPV4:ip},%{DATA:Hostname},%{DATA:mac},"}
-        match => { "message" => "%{DATA:id},%{DATA:date},(?<time>%{HOUR}:%{MINUTE}:%{SECOND}),%{DATA:description},%{DATA:ip},%{DATA:Hostname},%{DATA:mac},"}
-      }
-	  # This section below translates the message ID into something humans can understand.
-      if [id] == "00" {
-        mutate {
-          add_field => [ "event", "The log was started"]
-        }
-      }
-      if [id] == "01" {
-        mutate {
-          add_field => [ "event", "The log was stopped"]
-        }
-      }
-      if [id] == "02" {
-        mutate {
-          add_field => [ "event", "The log was temporarily paused due to low disk space"]
-        }
-      }
-      if [id] == "10" {
-        mutate {
-          add_field => [ "event", "A new IP address was leased to a client"]
-        }
-      }
-      if [id] == "11" {
-        mutate {
-          add_field => [ "event", "A lease was renewed by a client"]
-        }
-      }
-      if [id] == "12" {
-        mutate {
-          add_field => [ "event", "A lease was released by a client"]
-        }
-      }
-      if [id] == "13" {
-        mutate {
-          add_field => [ "event", "An IP address was found to be in use on the network"]
-        }
-      }
-      if [id] == "14" {
-        mutate {
-          add_field => [ "event", "A lease request could not be satisfied because the scope's address pool was exhausted"]
-        }
-      }
-      if [id] == "15" {
-        mutate {
-          add_field => [ "event", "A lease was denied"]
-        }
-      }
-      if [id] == "16" {
-        mutate {
-          add_field => [ "event", "A lease was deleted"]
-        }
-      }
-      if [id] == "17" {
-        mutate {
-          add_field => [ "event", "A lease was expired and DNS records for an expired leases have not been deleted"]
-        }
-      }
-      if [id] == "18" {
-        mutate {
-          add_field => [ "event", "A lease was expired and DNS records were deleted"]
-        }
-      }
-      if [id] == "20" {
-        mutate {
-          add_field => [ "event", "A BOOTP address was leased to a client"]
-        }
-      }
-      if [id] == "21" {
-        mutate {
-          add_field => [ "event", "A dynamic BOOTP address was leased to a client"]
-        }
-      }
-      if [id] == "22" {
-        mutate {
-          add_field => [ "event", "A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted"]
-        }
-      }
-      if [id] == "23" {
-        mutate {
-          add_field => [ "event", "A BOOTP IP address was deleted after checking to see it was not in use"]
-        }
-      }
-      if [id] == "24" {
-        mutate {
-          add_field => [ "event", "IP address cleanup operation has began"]
-        }
-      }
-      if [id] == "25" {
-        mutate {
-          add_field => [ "event", "IP address cleanup statistics"]
-        }
-      }
-      if [id] == "30" {
-        mutate {
-          add_field => [ "event", "DNS update request to the named DNS server"]
-        }
-      }
-      if [id] == "31" {
-        mutate {
-          add_field => [ "event", "DNS update failed"]
-        }
-      }
-      if [id] == "32" {
-        mutate {
-          add_field => [ "event", "DNS update successful"]
-        }
-      }
-      if [id] == "33" {
-        mutate {
-          add_field => [ "event", "Packet dropped due to NAP policy"]
-        }
-      }
-	  # If the message failed to parse correctly keep the message for debugging.  Otherwise, drop it.
-      #if "_grokparsefailure" not in [tags] { 
-      #  mutate {
-      #    remove_field => [ "message"]
-      #  }
-      #}
-  }
-}
diff --git a/salt/logstash/conf/pipelines/eval/1029_preprocess_esxi.conf b/salt/logstash/conf/pipelines/eval/1029_preprocess_esxi.conf
deleted file mode 100644
index 18120d00d..000000000
--- a/salt/logstash/conf/pipelines/eval/1029_preprocess_esxi.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-#
-# This configuration file takes ESXi syslog messages and filters them.  There is no input as the logs would have came in via syslog
-filter {
-  # This is an example of using an IP address range to classify a syslog message to a specific type of log
-  # This is helpful as so many devices only send logs via syslog
-  if [host] =~ "10\.[0-1]\.9\." {
-    mutate {
-      replace => ["type", "esxi"]
-    }
-  }
-  if [host] =~ "\.234$" {
-    mutate {
-      replace => ["type", "esxi"]
-    }
-  }
-  if [type] == "esxi" {
-     grok {
-          match => { "message" => "(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGHOST:logsource}) (?:%{SYSLOGPROG}): (?<messagebody>(?:\[(?<esxi_thread_id>[0-9A-Z]{8,8}) %{DATA:esxi_loglevel} \'%{DATA:esxi_service}\'\] %{GREEDYDATA:esxi_message}|%{GREEDYDATA}))"}
-
-#      pattern => ['(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGHOST:logsource}) (?:%{SYSLOGPROG}): (?<messagebody>(?:\[(?<esxi_thread_id>[0-9A-Z]{8,8}) %{DATA:esxi_loglevel} \'%{DATA:esxi_service}\'\] %{GREEDYDATA:esxi_message}|%{GREEDYDATA}))']
-    }
-	mutate {
-		#add_tag => [ "conf_file_1029"]
-	}
-  }
-}
-
diff --git a/salt/logstash/conf/pipelines/eval/1030_preprocess_greensql.conf b/salt/logstash/conf/pipelines/eval/1030_preprocess_greensql.conf
deleted file mode 100644
index adea86053..000000000
--- a/salt/logstash/conf/pipelines/eval/1030_preprocess_greensql.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [type] == "greensql" {
-    # This section is parsing out the fields for GreenSQL syslog data
-    grok {
-      match => { "message" => "<%{INT:Code}>%{DATA:Category}\[%{INT:Transcation}\]:\s*Database=%{DATA:Database}\sUser=%{DATA:UserName}\sApplication Name=%{DATA:Application}\sSource IP=%{IPV4:SrcIp}\sSource Port=%{INT:SrcPort}\sTarget IP=?%{IPV4:DstIp}\sTarget Port=%{DATA:DstPort}\sQuery=%{GREEDYDATA:Query}"}
-      match => { "message" => "<%{INT:Code}>%{DATA:Category}\[%{INT:Transcation}\]:\sAdmin_Name=%{DATA:UserName}\sIP_Address=%{IPV4:SrcIp}\sUser_Agent=%{DATA:UserAgent}\sMessage=%{DATA:StatusMessage}\sDescription=%{DATA:Description}\sSeverity=%{GREEDYDATA:Severity}"}
-    }
-	# Remove the message field as it is unnecessary
-    #mutate {
-    #  remove_field => [ "message"]
-    #}
-	mutate {
-		#add_tag => [ "conf_file_1030"]
-	}
-  }
-}
diff --git a/salt/logstash/conf/pipelines/eval/1031_preprocess_iis.conf b/salt/logstash/conf/pipelines/eval/1031_preprocess_iis.conf
deleted file mode 100644
index 9bcd33a3e..000000000
--- a/salt/logstash/conf/pipelines/eval/1031_preprocess_iis.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [type] == "iis" {
-    # The log is expected to have come from NXLog and in JSON format.  This allows for automatic parsing of fields
-    json {
-      source => "message"
-    }
-    # This removes the message field as it is unneccesary and tags the packet as web
-    mutate {
-    #  remove_field => [ "message"]
-      add_tag => [ "web" ]
-    }
-	mutate {
-		#add_tag => [ "conf_file_1031"]
-	}
-  }
-}
diff --git a/salt/logstash/conf/pipelines/eval/1032_preprocess_mcafee.conf b/salt/logstash/conf/pipelines/eval/1032_preprocess_mcafee.conf
deleted file mode 100644
index de5466288..000000000
--- a/salt/logstash/conf/pipelines/eval/1032_preprocess_mcafee.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-#
-# This file looks for McAfee EPO logs
-filter {
-  if [type] == "mcafee" {
-    # NXLog should be sending the logs in JSON format so they auto parse
-    json {
-      source => "message"
-    }
-	# This section converts the UTC fields to the proper time format
-    date {
-      match => [ "ReceivedUTC", "YYYY-MM-dd HH:mm:ss" ]
-      target => [ "ReceivedUTC" ]
-    }
-    date {
-      match => [ "DetectedUTC", "YYYY-MM-dd HH:mm:ss" ]
-      target => [ "DetectedUTC" ]
-    }
-	mutate {
-		#add_tag => [ "conf_file_1032"]
-	}
-  }
-}
diff --git a/salt/logstash/conf/pipelines/eval/1033_preprocess_snort.conf b/salt/logstash/conf/pipelines/eval/1033_preprocess_snort.conf
deleted file mode 100644
index 897a8ae4b..000000000
--- a/salt/logstash/conf/pipelines/eval/1033_preprocess_snort.conf
+++ /dev/null
@@ -1,181 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Updated by: Doug Burks
-# Last Update: 3/15/2018
-
-filter {
-  if [type] == "ids" {
-    # This is the initial parsing of the log
-    if [engine] == "suricata" {
-        json {
-            source => "message"
-        }
-        mutate {
-	    rename => { "alert" => "orig_alert" } 
-            rename => { "[orig_alert][gid]" => "gid" }
-            rename => { "[orig_alert][signature_id]" => "sid" }
-            rename => { "[orig_alert][rev]" => "rev" }
-            rename => { "[orig_alert][signature]" => "alert" }
-            rename => { "[orig_alert][category]" => "classification" }
-            rename => { "[orig_alert][severity]" => "priority" }
-	    rename => { "[orig_alert][rule]" => "rule_signature" }
-            rename => { "app_proto" => "application_protocol" }
-            rename => { "dest_ip" => "destination_ip" }
-            rename => { "dest_port" => "destination_port" }
-            rename => { "in_iface" => "interface" }
-            rename => { "proto" => "protocol" }
-            rename => { "src_ip" => "source_ip" }
-            rename => { "src_port" => "source_port" }
-	    #rename => { "[fileinfo][filename]" => "filename" }
-            #rename => { "[fileinfo][gaps]" => "gaps" }
-            #rename => { "[fileinfo][size]" => "size" }
-            #rename => { "[fileinfo][state]" => "state" }
-            #rename => { "[fileinfo][stored]" => "stored" }
-            #rename => { "[fileinfo][tx_id]" => "tx_id" }
-            #rename => { "[flow][age]" => "duration" }
-            #rename => { "[flow][alerted]" => "flow_alerted" }
-            #rename => { "[flow][bytes_toclient]" => "bytes_to_client" }
-            #rename => { "[flow][bytes_toserver]" => "bytes_to_server" }
-            #rename => { "[flow][end]" => "flow_end" }
-            #rename => { "[flow][pkts_toclient]" => "packets_to_client" }
-            #rename => { "[flow][pkts_toserver]" => "packets_to_server" }
-            #rename => { "[flow][reason]" => "reason" }
-            #rename => { "[flow][start]" => "flow_start" }
-            #rename => { "[flow][state]" => "state" }
-            #rename => { "[netflow][age]" => "duration" }
-            #rename => { "[netflow][bytes]" => "bytes" }
-            #rename => { "[netflow][end]" => "netflow_end" }
-            #rename => { "[netflow][start]" => "netflow_start" }
-            #rename => { "[netflow][pkts]" => "packets" }
-            rename => { "[alert][action]" => "action" }
-            rename => { "[alert][category]" => "category" }
-            rename => { "[alert][gid]" => "gid" }
-            rename => { "[alert][rev]" => "rev" }
-            rename => { "[alert][severity]" => "severity" }
-            rename => { "[alert][signature]" => "signature" }
-            rename => { "[alert][signature_id]" => "sid" }
-	    #rename => { "[dns][aa]" => "aa" }
-            #rename => { "[dns][flags]" => "flags" }
-	    #rename => { "[dns][id]" => "id" }
-	    #rename => { "[dns][qr]" => "qr" }
-            #rename => { "[dns][rcode]" => "rcode_name" }
-	    #rename => { "[dns][rrname]" => "rrname" }
-	    #rename => { "[dns][rrtype]" => "rrtype" }
-            #rename => { "[dns][tx_id]" => "tx_id" }
-	    #rename => { "[dns][type]" => "record_type" }
-	    #rename => { "[dns][version]" => "version" }
-            rename => { "[http][hostname]" => "virtual_host" }
-            rename => { "[http][http_content_type]" => "content_type" }
-            rename => { "[http][http_port]" => "http_port" }
-            rename => { "[http][http_method]" => "method" }
-	    rename => { "[http][http_user_agent]" => "useragent" }
-            #rename => { "[http][length]" => "payload_length" }
-            #rename => { "[http][protocol]" => "http_version" }
-            rename => { "[http][status]" => "status_message" }
-            rename => { "[http][url]" => "url" }
-            #rename => { "[metadata][flowbits]" => "flowbits" }
-            rename => { "[tls][fingerprint]" => "certificate_serial_number" }
-            rename => { "[tls][issuerdn]" => "issuer_distinguished_name" }
-            rename => { "[tls][notafter]" => "certificate_not_valid_after" }
-            rename => { "[tls][notbefore]" => "certificate_not_valid_before" }
-            rename => { "[tls][subject]" => "certificate_common_name" }
-            rename => { "[tls][version]" => "tls_version" }
-	    rename => { "event_type" => "ids_event_type" }
-	    remove_field => [ "offset", "orig_alert", "beat", "input", "prospector" ]
-	    remove_tag => [ "beats_input_codec_plain_applied" ]
-	    add_tag => [ "eve" ]
-             
-	}
-    } else {
-        grok {
-          match => ["message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+<%{DATA:interface}>\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip}):%{INT:destination_port}",
-		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+<%{DATA:interface}>\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip})", 
-		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+%{IPV4:destination_ip}:%{INT:destination_port}", 
-		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip})",
-		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip}):%{INT:destination_port}",
-               "message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip})",
-		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}",
-		"message", "\A%{TIME} pid\(%{INT}\)  Alert Received: %{INT} %{INT:priority} %{DATA:classification} %{DATA:interface} \{%{DATA:timestamp}} %{INT} %{INT} \{%{DATA:alert}} %{IP:source_ip} %{IP:destination_ip} %{INT:protocol} %{INT:source_port} %{INT:destination_port} %{INT:gid} %{INT:sid} %{INT:rev} %{INT} %{INT}\Z",
-                "message", "%{GREEDYDATA:alert}"]
-        }
-    }
-    if [timestamp] {
-        mutate {
-                add_field => { "logstash_timestamp" => "%{@timestamp}" }
-        }
-        mutate {
-                convert => { "logstash_timestamp" => "string" }
-        }
-        date {
-                match => [ "timestamp", "ISO8601" ]
-        }
-        mutate {
-                rename => { "logstash_timestamp" => "timestamp" }
-        }
-    }
-	
-	# If the alert is a Snort GPL alert break it apart for easier reading and categorization
-    if [alert] =~ "GPL " {
-	  # This will parse out the category type from the alert
-      grok {
-        match => { "alert" => "GPL\s+%{DATA:category}\s" }
-      }
-	  # This will store the category
-      mutate {
-        add_field => { "rule_type" => "Snort GPL" }
-        lowercase => [ "category"]
-        }
-    }
-	# If the alert is an Emerging Threat alert break it apart for easier reading and categorization
-    if [alert] =~ "ET " {
-	  # This will parse out the category type from the alert
-      grok {
-        match => { "alert" => "ET\s+%{DATA:category}\s" }
-      }
-	  # This will store the category
-      mutate {
-        add_field => { "rule_type" => "Emerging Threats" }
-        lowercase => [ "category"]
-      }
-    }
-	# I recommend changing the field types below to integer so searches can do greater than or less than
-	# and also so math functions can be ran against them
-    mutate {
-      convert => [ "source_port", "integer" ]
-      convert => [ "destination_port", "integer" ]
-      convert => [ "gid", "integer" ]
-      convert => [ "sid", "integer" ]
-    #  remove_field => [ "message"]
-    }
-	# This will translate the priority field into a severity field of either High, Medium, or Low
-	if [priority] == 1 {
-      mutate {
-        add_field => { "severity" => "High" }
-      }
-    }
-    if [priority] == 2 {
-      mutate {
-        add_field => { "severity" => "Medium" }
-      }
-    }
-    if [priority] == 3 {
-      mutate {
-        add_field => { "severity" => "Low" }
-      }
-    }
-    # This section adds URLs to lookup information about a rule online
-    if [sid] and [sid] > 0 and [sid] < 1000000 {
-      mutate {
-        add_field => [ "signature_info", "https://www.snort.org/search?query=%{gid}-%{sid}" ]
-      }
-    }
-    if [sid] and [sid] > 1999999 and [sid] < 2999999 {
-      mutate {
-        add_field => [ "signature_info", "http://doc.emergingthreats.net/%{sid}" ]
-      }
-    }
-#	mutate {
-		#add_tag => [ "conf_file_1033"]
-#	}
-  }
-}
diff --git a/salt/logstash/conf/pipelines/eval/1034_preprocess_syslog.conf b/salt/logstash/conf/pipelines/eval/1034_preprocess_syslog.conf
deleted file mode 100644
index 998109685..000000000
--- a/salt/logstash/conf/pipelines/eval/1034_preprocess_syslog.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Updated by: Doug Burks
-# Last Update: 5/22/2017
-
-filter {
-  if [type] == "syslog" { 
-    # This drops syslog messages regarding license messages.  You may want to comment it out.
-    #if [message] =~ "license" {
-    #  drop { }
-    #}
-	mutate {
-		#convert => [ "status_code", "integer" ]
-	}
-  }  
-}
diff --git a/salt/logstash/conf/pipelines/eval/2000_network_flow.conf b/salt/logstash/conf/pipelines/eval/2000_network_flow.conf
deleted file mode 100644
index 40a060955..000000000
--- a/salt/logstash/conf/pipelines/eval/2000_network_flow.conf
+++ /dev/null
@@ -1,59 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [type] == "sflow" {
-    if [message] =~ /CNTR/ {
-      drop { }
-    }
-
-    grok {
-      match => { "message" => "%{WORD:sample_type},%{IP:sflow_source_ip},%{WORD:in_port:int},%{WORD:out_port:int},%{WORD:source_mac},%{WORD:destination_mac},%{WORD:ether_type},%{NUMBER:in_vlan:int},%{NUMBER:out_vlan:int},%{IP:source_ip},%{IP:destination_ip},%{NUMBER:protocol:int},%{WORD:type_of_service},%{WORD:ttl:int},%{NUMBER:source_port:int},%{NUMBER:destination_port:int},%{DATA:tcp_flags},%{NUMBER:packet_size:int},%{NUMBER:ip_size:int},%{NUMBER:sample_rate:int}" }
-    }
-
-    if "_grokparsefailure" in [tags] {
-      drop { }
-    }
-
-    mutate {
-      add_field => {
-        "[source_hostname]" => "%{source_ip}"
-        "[destination_hostname]" => "%{destination_ip}"
-        "[sflow_source_hostname]" => "%{sflow_source_ip}"
-      }
-    }
-
-    translate {
-      field => "[source_port]"
-      destination => "[source_service]"
-      dictionary_path => "/lib/dictionaries/iana_services.yaml"
-    }
-
-    translate {
-      field => "[destination_port]"
-      destination => "[destination_service]"
-      dictionary_path => "/lib/dictionaries/iana_services.yaml"
-    }
-
-    translate {
-      field => "[protocol]"
-      destination => "[protocol_name]"
-      dictionary_path => "/lib/dictionaries/iana_protocols.yaml"
-    }
-
-    translate {
-      field => "[tcp_flags]"
-      destination => "[tcp_flag]"
-      dictionary_path => "/lib/dictionaries/tcp_flags.yaml"
-    }
-
-    mutate {
-      add_field => { "ips" => [ "%{sflow_source_ip}" ] }
-    }
-	mutate {
-		#add_tag => [ "conf_file_2000"]
-	}
-  }
-}
diff --git a/salt/logstash/conf/pipelines/eval/6002_syslog.conf b/salt/logstash/conf/pipelines/eval/6002_syslog.conf
deleted file mode 100644
index f82f81a25..000000000
--- a/salt/logstash/conf/pipelines/eval/6002_syslog.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# Updated by: Doug Burks
-# Last Update: 5/16/2017
-#
-filter {
-  if "syslog" in [tags] {
-	mutate {
-		#convert => [ "status_code", "integer" ]
-	  #add_tag => [ "conf_file_6002"]
-	}
-  }
-}
diff --git a/salt/logstash/conf/pipelines/eval/6101_switch_brocade.conf b/salt/logstash/conf/pipelines/eval/6101_switch_brocade.conf
deleted file mode 100644
index dd2f3126c..000000000
--- a/salt/logstash/conf/pipelines/eval/6101_switch_brocade.conf
+++ /dev/null
@@ -1,33 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [type] == "brocade" {
-    grok {
-      match => ["message", "<%{DATA}>%{GREEDYDATA:sys_message}"]
-    }
-    grok {
-      match => { "sys_message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid:int}\])?: %{GREEDYDATA:syslog_message}" }
-      add_field => [ "received_at", "%{@timestamp}" ]
-    }
-    if [syslog_message] =~ "Interface ethernet" or [syslog_program] == "PORT" {
-      grok {
-        match => { "syslog_message" => "%{DATA}%{INT:unit}\/%{INT:interface_type}\/%{INT:interface:int}" }
-      }
-      mutate {
-        add_field => { "interface_port" => "%{unit}/%{interface_type}/%{interface}" }
-      }
-    }
-    date {
-      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
-      timezone => "America/Chicago"
-      remove_field => "syslog_timestamp"
-      remove_field => "received_at"
-    }
-	mutate {
-		#add_tag => [ "conf_file_6101"]
-	}
-  }
-}
diff --git a/salt/logstash/conf/pipelines/eval/6200_firewall_fortinet.conf b/salt/logstash/conf/pipelines/eval/6200_firewall_fortinet.conf
deleted file mode 100644
index b33c89bb8..000000000
--- a/salt/logstash/conf/pipelines/eval/6200_firewall_fortinet.conf
+++ /dev/null
@@ -1,281 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [type] == "fortinet" {
-    mutate {
-      gsub => [ "message", "= ", "=NA " ]
-    }
-
-    grok {
-       match => ["message", "type=%{DATA:event_type}\s+"]
-       tag_on_failure => []
-    }
-    grok {
-       match => ["message", "<%{DATA}>%{GREEDYDATA:kv}"]
-       tag_on_failure => []
-    }
-    kv {
-      source => "kv"
-      exclude_keys => [ "type" ]
-    }
-    mutate {
-      gsub => [ "log", "= ", "=NA " ]
-    }
-    kv {
-      source => "log"
-      target => "SubLog"
-    }
-    grok {
-       match => ["message", "custom: DOM-ALL, dns_query=%{DATA:dns_query};"]
-       tag_on_failure => [ "" ]
-    }
-    mutate {
-      rename => {  "action" => "action" }
-      rename => {  "addr" => "addr_ip" }
-      rename => {  "age" => "age" }
-      rename => {  "assigned" => "assigned_ip" }
-      rename => {  "assignip" => "assign_ip" }
-      rename => {  "ap" => "access_point" }
-      rename => {  "app" => "application" }
-      rename => {  "appcat" => "application_category" }
-      rename => {  "applist" => "application_list" }
-      rename => {  "apprisk" => "application_risk" }
-      rename => {  "approfile" => "accessPoint_profile" }
-      rename => {  "apscan" => "access_point_scan" }
-      rename => {  "apstatus" => "acces_point_status" }
-      rename => {  "aptype" => "access_point_type" }
-      rename => {  "authproto" => "authentication_protocol" }
-      rename => {  "bandwidth" => "bandwidth" }
-      rename => {  "banned_src" => "banned_source" }
-      rename => {  "cat" => "category" }
-      rename => {  "catdesc" => "category_description" }
-      rename => {  "cfgattr" => "configuration_attribute" }
-      rename => {  "cfgobj" => "configuration_object" }
-      rename => {  "cfgpath" => "configuration_path" }
-      rename => {  "cfgtid" => "configuration_transaction_id" }
-      rename => {  "channel" => "channel" }
-      rename => {  "community" => "community" }
-      rename => {  "cookies" => "cookies" }
-      rename => {  "craction" => "cr_action" }
-      rename => {  "crlevel" => "cr_level" }
-      rename => {  "crscore" => "cr_score" }
-      rename => {  "datarange" => "data_range" }
-      rename => {  "desc" => "description" }
-      rename => {  "detectionmethod" => "detection_method" }
-      rename => {  "devid" => "device_id" }
-      rename => {  "devname" => "device_name" }
-      rename => {  "devtype" => "device_type" }
-      rename => {  "dhcp_msg" => "dhcp_message" }
-      rename => {  "disklograte" => "disk_lograte" }
-      rename => {  "dstcountry" => "destination_country" }
-      rename => {  "dstintf" => "destination_interface" }
-      rename => {  "dstip" => "destination_ip" }
-      rename => {  "dstport" => "destination_port" }
-      rename => {  "duration" => "elapsed_time" }
-      rename => {  "error_num" => "error_number" }
-      rename => {  "espauth" => "esp_authentication" }
-      rename => {  "esptransform" => "esp_transform" }
-      rename => {  "eventid" => "event_id" }
-      rename => {  "eventtype" => "event_type" }
-      rename => {  "fazlograte" => "faz_lograte" }
-      rename => {  "filename" => "file_name" }
-      rename => {  "filesize" => "file_size" }
-      rename => {  "filetype" => "file_type" }
-      rename => {  "hostname" => "hostname" }
-      rename => {  "ip" => "source_ip" }
-      rename => {  "localip" => "source_ip" }
-      rename => {  "locip" => "local_ip" }
-      rename => {  "locport" => "source_port" }
-      rename => {  "logid" => "log_id" }
-      rename => {  "logver" => "log_version" }
-      rename => {  "manuf" => "manufacturer" }
-      rename => {  "mem" => "memory" }
-      rename => {  "meshmode" => "mesh_mode" }
-      rename => {  "msg" => "message" }
-      rename => {  "nextstat" => "next_stat" }
-      rename => {  "onwire" => "on_wire" }
-      rename => {  "osname" => "os_name" }
-      rename => {  "osversion" => "unauthenticated_user" }
-      rename => {  "outintf" => "outbound_interface" }
-      rename => {  "peer_notif" => "peer_notification" }
-      rename => {  "phase2_name" => "phase2_name" }
-      rename => {  "policyid" => "policy_id" }
-      rename => {  "policytype" => "policy_type" }
-      rename => {  "port" => "port" }
-      rename => {  "probeproto" => "probe_protocol" }
-      rename => {  "proto" => "protocol_number" }
-      rename => {  "radioband" => "radio_band" }
-      rename => {  "radioidclosest" => "radio_id_closest" }
-      rename => {  "radioiddetected" => "radio_id_detected" }
-      rename => {  "rcvd" => "bytes_received" }
-      rename => {  "rcvdbyte" => "bytes_received" }
-      rename => {  "rcvdpkt" => "packets_received" }
-      rename => {  "remip" => "destination_ip" }
-      rename => {  "remport" => "remote_port" }
-      rename => {  "reqtype" => "request_type" }
-      rename => {  "scantime" => "scan_time" }
-      rename => {  "securitymode" => "security_mode" }
-      rename => {  "sent" => "bytes_sent" }
-      rename => {  "sentbyte" => "bytes_sent" }
-      rename => {  "sentpkt" => "packets_sent" }
-      rename => {  "session_id" => "session_id" }
-      rename => {  "setuprate" => "setup_rate" }
-      rename => {  "sn" => "serial" }
-      rename => {  "snclosest" => "serial_closest_access_point" }
-      rename => {  "sndetected" => "serial_access_point_that_detected_rogue_ap" }
-      rename => {  "snmeshparent" => "serial_mesh_parent" }
-      rename => {  "srccountry" => "source_country" }
-      rename => {  "srcip" => "source_ip" }
-      rename => {  "srcmac" => "source_mac" }
-      rename => {  "srcname" => "source_name" }
-      rename => {  "srcintf" => "source_interface" }
-      rename => {  "srcport" => "source_port" }
-      rename => {  "stacount" => "station_count" }
-      rename => {  "stamac" => "static_mac" }
-      rename => {  "srccountry" => "source_country" }
-      rename => {  "srcip" => "source_ip" }
-      rename => {  "srcmac" => "source_mac" }
-      rename => {  "srcname" => "source_name" }
-      rename => {  "sn" => "serial" }
-      rename => {  "srcintf" => "source_interface" }
-      rename => {  "srcport" => "source_port" }
-      rename => {  "total" => "total_bytes" }
-      rename => {  "totalsession" => "total_sessions" }
-      rename => {  "trandisp" => "nat_translation_type" }
-      rename => {  "tranip" => "nat_destination_ip" }
-      rename => {  "tranport" => "nat_destination_port" }
-      rename => {  "transip" => "nat_source_ip" }
-      rename => {  "transport" => "nat_source_port" }
-      rename => {  "tunnelid" => "tunnel_id" }
-      rename => {  "tunnelip" => "tunnel_ip" }
-      rename => {  "tunneltype" => "tunnel_type" }
-      rename => {  "unauthuser" => "unauthenticated_user_source" }
-      rename => {  "unauthusersource" => "os_version" }
-      rename => {  "vendorurl" => "vendor_url" }
-      rename => {  "vpntunnel" => "vpn_tunnel" }
-      rename => {  "vulncat" => "vulnerability_category" }
-      rename => {  "vulncmt" => "vulnerability_count" }
-      rename => {  "vulnid" => "vulnerability_id" }
-      rename => {  "vulnname" => "vulnerability_name" }
-      rename => {  "vulnref" => "vulnerability_reference" }
-      rename => {  "vulnscore" => "vulnerability_score" }
-      rename => {  "xauthgroup" => "x_authentication_group" }
-      rename => {  "xauthuser" => "x_authentication_user" }
-      rename => {  "[SubLog][appid]" => "sub_application_id" }
-      rename => {  "[SubLog][devid]" => "sub_device_id" }
-      rename => {  "[SubLog][dstip]" => "sub_destination_ip" }
-      rename => {  "[SubLog][srcip]" => "sub_source_ip" }
-      rename => {  "[SubLog][dstport]" => "sub_destination_port" }
-      rename => {  "[SubLog][eventtype]" => "sub_event_type" }
-      rename => {  "[SubLog][proto]" => "sub_protocol_number" }
-      rename => {  "[SubLog][date]" => "sub_date" }
-      rename => {  "[SubLog][time]" => "sub_time" }
-      rename => {  "[SubLog][srcport]" => "sub_source_port" }
-      rename => {  "[SubLog][subtype]" => "sub_subtype" }
-      rename => {  "[SubLog][devname]" => "sub_device_name" }
-      rename => {  "[SubLog][itime]" => "sub_itime" }
-      rename => {  "[SubLog][level]" => "sub_level" }
-      rename => {  "[SubLog][logid]" => "sub_log_id" }
-      rename => {  "[SubLog][logver]" => "sub_log_version" }
-      rename => {  "[SubLog][type]" => "sub_event_type" }
-      rename => {  "[SubLog][vd]" => "sub_vd" }
-      rename => {  "[SubLog][action]" => "sub_action" }
-      rename => {  "[SubLog][logdesc]" => "sub_destination_ip" }
-      rename => {  "[SubLog][policyid]" => "sub_olicy_id" }
-      rename => {  "[SubLog][reason]" => "sub_reason" }
-      rename => {  "[SubLog][service]" => "sub_service" }
-      rename => {  "[SubLog][sessionid]" => "sub_session_id" }
-      rename => {  "[SubLog][src]" => "sub_source_ip" }
-      rename => {  "[SubLog][status]" => "sub_status" }
-      rename => {  "[SubLog][ui]" => "sub_ui" }
-      rename => {  "[SubLog][urlfilteridx]" => "sub_url_filter_idx" }
-      strip => [ "bytes_sent", "bytes_received" ]
-      convert => [ "bytes_sent", "integer" ]
-      convert => [ "bytes_received", "integer" ]
-      convert => [ "cr_score", "integer" ]
-      convert => [ "cr_action", "integer" ]
-      convert => [ "elapsed_time", "integer" ]
-      convert => [ "destination_port", "integer" ]
-      convert => [ "source_port", "integer" ]
-      convert => [ "local_port", "integer" ]
-      convert => [ "remote_port", "integer" ]
-      convert => [ "packets_sent", "integer" ]
-      convert => [ "packets_received", "integer" ]
-      convert => [ "port", "integer" ]
-      convert => [ "ProtocolNumber", "integer" ]
-      convert => [ "XAuthUser", "string" ]
-      remove_field => [ "kv", "log" ]
-    }
-    if [tunnel_ip] == "N/A" {
-      mutate {
-        remove_field => [ "tunnel_ip" ]
-      }
-    }
-    if [nat_destination_ip] {
-      mutate {
-        add_field => { "ips" => [ "%{nat_destination_ip}" ] }
-        add_field => { "destination_ips" => [ "%{nat_destination_ip}" ] }
-      }
-    }
-    if [sub_destination_ip] {
-      mutate {
-        add_field => { "ips" => [ "%{sub_destination_ip}" ] }
-        add_field => { "destination_ips" => [ "%{sub_destination_ip}" ] }
-      }
-    }
-    if [nat_source_ip] {
-      mutate {
-        add_field => { "ips" => [ "%{nat_source_ip}" ] }
-        add_field => { "source_ips" => [ "%{nat_source_ip}" ] }
-      }
-    }
-    if [sub_source_ip] {
-      mutate {
-        add_field => { "ips" => [ "%{sub_source_ip}" ] }
-        add_field => { "source_ips" => [ "%{sub_source_ip}" ] }
-      }
-    }
-    if [addr_ip] {
-      mutate {
-        add_field => { "ips" => [ "%{addr_ip}" ] }
-      }
-    }
-    if [assign_ip] {
-      mutate {
-        add_field => { "ips" => [ "%{assign_ip}" ] }
-      }
-    }
-    if [assigned_ip] {
-      mutate {
-        add_field => { "ips" => [ "%{assigned_ip}" ] }
-      }
-    }
-    grok {
-       match => ["message", "type=%{DATA:event_type}\s+"]
-    }
-    if [date] and [time] {
-      mutate {
-        add_field => { "receive_time" => "%{date} %{time}" }
-        remove_field => [ "date", "time" ]
-      }
-      date {
-        timezone => "America/Chicago"
-        match => [ "receive_time", "YYYY-MM-dd HH:mm:ss" ]
-        target => "receive_time"
-      }
-      mutate {
-        rename => { "receive_time" => "@timestamp" }
-      }
-    } else {
-      mutate {
-        add_tag => [ "missing_date" ]
-      }
-    }
-	mutate {
-		#add_tag => [ "conf_file_6200"]
-	}
-  }
-}
diff --git a/salt/logstash/conf/pipelines/eval/6201_firewall_pfsense.conf b/salt/logstash/conf/pipelines/eval/6201_firewall_pfsense.conf
deleted file mode 100644
index acd08eba0..000000000
--- a/salt/logstash/conf/pipelines/eval/6201_firewall_pfsense.conf
+++ /dev/null
@@ -1,56 +0,0 @@
-# Author: Wes Lambert
-# Updated by: Doug Burks
-
-filter {
-  if [type] == "filterlog" {
-    dissect {
-      mapping => {
-        "message" => "%{rule_number},%{sub_rule_number},%{anchor},%{tracker_id},%{interface},%{reason},%{action},%{direction},%{ip_version},%{sub_msg}"
-      }
-    }
-    if [ip_version] == "4" {
-      dissect {
-      	mapping => {
-        	"sub_msg" => "%{ipv4_tos},%{ipv4_ecn},%{ipv4_ttl},%{ipv4_id},%{ipv4_offset},%{ipv4_flags},%{protocol_id},%{protocol},%{protocol_length},%{source_ip},%{destination_ip},%{ip_sub_msg}"
-      	}
-      }
-    }
-    if [ip_version] == "6" {
-      dissect {
-      	mapping => {
-        	"sub_msg" => "%{class},%{flow_label},%{hop_limit},%{protocol},%{protocol_id},%{length},%{source_ip},%{destination_ip},%{ip_sub_msg}"
-      	}
-      }
-    }
-    if [protocol] == "tcp" {
-      dissect {
-      	mapping => {
-        	"ip_sub_msg" => "%{source_port},%{destination_port},%{data_length},%{tcp_flags},"
-      	}
-      }
-    }
-    if [protocol] == "udp" {
-      dissect {
-      	mapping => {
-        	"ip_sub_msg" => "%{source_port},%{destination_port},%{data_length}"
-      	}
-      }
-    }
-    if [protocol] == "Options" {
-      mutate {
-	  copy => { "ip_sub_msg" => "options" }
-        }
-      mutate {
-          split => { "options" => "," }
-        }
-    }
-    mutate {
-      convert 		=> [ "destination_port", "integer" ]
-      convert 		=> [ "source_port", "integer" ]    
-      convert 		=> [ "ip_version", "integer" ]
-      replace 		=> { "type" => "firewall" }
-      add_tag		=> [ "pfsense","firewall" ]
-      remove_field 	=> [ "sub_msg", "ip_sub_msg" ]
-    }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/eval/6300_windows.conf b/salt/logstash/conf/pipelines/eval/6300_windows.conf
deleted file mode 100644
index 34450af2b..000000000
--- a/salt/logstash/conf/pipelines/eval/6300_windows.conf
+++ /dev/null
@@ -1,161 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [type] == "windows" {
-#    json {
-#      source => "message"
-#    }
-    date {
-      match => ["EventTime", "YYYY-MM-dd HH:mm:ss"]
-      remove_field => [ "EventTime" ]
-    }
-    if [EventID] == 4634 {
-      mutate {
-        add_tag => [ "logoff" ]
-      }
-    }
-    if [EventID] == 4624 or [EventID] == 528 or [EventID] == 540 or [EventID] == 552 or [EventID] == 682 or [EventID] == 4648 or [EventID] == 4778 {
-      mutate {
-        add_tag => [ "logon" ]
-        add_tag => [ "alert_data" ]
-      }
-    }
-    if [EventID] == 529 or [EventID] == 4625 or [EventID] == 530 or [EventID] == 531 or [EventID] == 532 or [EventID] == 533 or [EventID] == 534 or [EventID] == 535 or [EventID] == 536 or [EventID] == 536 or [EventID] == 537 or [EventID] == 538 or [EventID] == 539 or [EventID] == 4625 or [EventID] == 4771 {
-      mutate {
-        add_tag => [ "logon_failure" ]
-        add_tag => [ "alert_data" ]
-      }
-    }
-    # Critical event IDs to monitor
-    if [EventID] == 7030 or [EventID] == 4720 or [EventID] == 4722 or [EventID] == 4724 or [EventID] == 4738 or [EventID] == 4732 or [EventID] == 1102 or [EventID] == 1056 or [EventID] == 2003 or [EventID] == 2005 or [EventID] == 8003 or [EventID] == 8004 or [EventID] == 8006 or [EventID] == 8007 {
-      mutate {
-        add_tag => [ "alert_data" ]
-      }
-    }
-    # Critical event IDs to monitor
-    if [EventID] == 5152 { drop {} }
-    if [EventID] == 4688 { drop {} }
-    if [EventID] == 4689 { drop {} } # Process Termination:Not needed due to Sysmon
-    if [Channel] == "Microsoft-Windows-Known Folders API Service" { drop {} }
-    if [EventID] == 3 and [SourceIp] =~ "255$" { drop {} }
-    if [EventID] == 3 and [DestinationIp] =~ "255$" { drop {} }
-    # Whitelist/Blacklist check
-    if [EventID] == 7045 {
-      translate {
-        field => "ServiceName"
-        destination => "ServiceCheck"
-        dictionary_path => "/lib/dictionaries/services.yaml"
-      }
-    }
-    if [EventID] == 7045 and !([ServiceCheck]) {
-      mutate {
-        add_tag => [ "alert_data","new_service" ] 
-      }
-    }
-    if [ServiceCheck] == 'whitelist' {
-      mutate {
-        remove_field => [ "ServiceCheck" ]
-        add_tag => [ "whitelist" ]
-      }
-    }
-    if [ServiceCheck] == 'blacklist' {
-      mutate {
-        remove_field => [ "ServiceCheck" ]
-        add_tag => [ "blacklist" ]
-      }
-    }
-    if [EventID] == 5158 {
-      if [Application] == "System" { drop {} }
-      if [Application] =~ "\\windows\\system32\\spoolsv\.exe" { drop {} }
-      if [Application] =~ "\\windows\\system32\\wbem\\wmiprvse\.exe" { drop {} }
-      if [Application] =~ "mcafee" { drop {} }
-      if [Application] =~ "carestream" { drop {} }
-      if [Application] =~ "Softdent" { drop {} }
-    }
-    if [ProcessName] == "C:\\Windows\\System32\\wbem\\WmiPrvSE\.exe" and [SubjectUserName] == "SolarwindsHO" { drop {} }
-    if [EventID] == 4690 { drop {} }
-    if [EventID] == 861 and [AccountName] == "ntp" { drop {} }
-    if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\lsass\.exe$" { drop {} }
-    if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\svchost\.exe$" { drop {} }
-    if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\dfsrs\.exe$" { drop {} }
-    if [EventID] == 5447 { drop {} }
-
-    mutate {
-      rename => [ "AccountName", "user" ]
-      rename => [ "AccountType", "account_type" ]
-      rename => [ "ActivityID", "activity_id" ]
-      rename => [ "Category", "category" ]
-      rename => [ "ClientAddress", "client_ip" ]
-      rename => [ "Channel", "channel" ]
-      rename => [ "DCIPAddress", "domain_controller_ip" ]
-      rename => [ "DCName", "domain_controller_name" ]
-      rename => [ "EventID", "event_id" ]
-      rename => [ "EventReceivedTime", "event_received_time" ]
-      rename => [ "EventType", "event_type" ]
-      rename => [ "GatewayIPAddress", "gateway_ip" ]
-      rename => [ "IPAddress", "client_ip" ]
-      rename => [ "Ipaddress", "client_ip" ]
-      rename => [ "IpAddress", "client_ip" ]
-      rename => [ "IPPort", "source_port" ]
-      rename => [ "OpcodeValue", "opcode_value" ]
-      rename => [ "PreAuthType", "preauthentication_type" ]
-      rename => [ "PrincipleSAMName", "user" ]
-      rename => [ "ProcessID", "process_id" ]
-      rename => [ "ProviderGUID", "providerguid" ]
-      rename => [ "RecordNumber", "record_number" ]
-      rename => [ "RemoteAddress", "destination_ip" ]
-      rename => [ "ServiceName", "service_name" ]
-      rename => [ "ServiceID", "service_id" ]
-      rename => [ "SeverityValue", "severity_value" ]
-      rename => [ "SourceAddress", "client_ip" ]
-      rename => [ "SourceModuleName", "source_module_name" ]
-      rename => [ "SourceModuleType", "source_module_type" ]
-      rename => [ "SourceName", "source_name" ]
-      rename => [ "SubjectUserName", "user" ]
-      rename => [ "TaskName", "task_name" ]
-      rename => [ "TargetDomainName", "target_domain_name" ]
-      rename => [ "TargetUserName", "user" ]
-      rename => [ "ThreadID", "thread_id" ]
-      rename => [ "User_ID", "user" ]
-      rename => [ "UserID", "user" ]
-      rename => [ "username", "user" ]
-    }
-    # For any accounts that are service accounts or special accounts add the tag of service_account
-    # This example applies the tag to any username that starts with SVC_.  If you use a different
-    # standard change this.
-    if [user] =~ "^DWM-*" or [user] == "SYSTEM" or [user] == "NETWORK SERVICE" or [user] == "LOCAL SERVICE" or [user] =~ "^SVC_*" {
-      mutate {
-        add_tag => [ "service_account" ]
-      }
-    }
-    # This looks for events that are typically noisy but may be of use for deep dive investigations
-    # A tag of noise is added to quickly filter out noise
-    if [event_id] == 7036 or [source_name] == "Desktop Window Manager" or [category] == "Engine Lifecycle" or [category] == "Provider Lifecycle" {
-      mutate {
-        add_tag => [ "noise" ]
-      }
-    }
-    #Identify machine accounts
-    if [user] =~ /\$/ {
-      mutate {
-        add_tag => [ "machine", "noise" ]
-      }
-    }
-    # Lower case all field names
-    ruby {
-      code => "
-        event_hash = event.to_hash
-        new_event = {}
-        event_hash.keys.each do |key|
-        new_event[key.downcase] = event[key]
-        end
-        event.instance_variable_set(:@data, new_event)"
-    }
-	mutate {
-		#add_tag => [ "conf_file_6300"]
-	}
-  }
-}
diff --git a/salt/logstash/conf/pipelines/eval/6301_dns_windows.conf b/salt/logstash/conf/pipelines/eval/6301_dns_windows.conf
deleted file mode 100644
index 1ef5077a6..000000000
--- a/salt/logstash/conf/pipelines/eval/6301_dns_windows.conf
+++ /dev/null
@@ -1,49 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [type] == "dns" and "bro" not in [tags] {
-    json {
-      source => "message"
-    }
-    # strip whitespace from message field
-    mutate {
-      strip => "message"
-    }
-    # If the message is blank, drop the log
-    if [Message] =~ /^$/ {
-      drop {  }
-    } else {
-      if [type] == "dns" {
-  	  # This section is lookup for a match against the log and parsing out the fields
-        grok {
-          match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
-          match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
-          match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
-          match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
-          match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
-          # Server 2003 DNS logs do not include slashes or AM/PM in timestamp
-          match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
-          match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
-          match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
-          match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
-          match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
-          remove_field => [ "Message" ]
-        }
-  	  # This section attempts to convert the dns_domain into the traditional domain.com format
-        mutate {
-          gsub => [ "dns_domain", "(\(\d+\))", "." ]
-        }
-        grok {
-          match => { "dns_domain" => "\.%{DATA:query}\.$" }
-          remove_field => [ "dns_domain" ]
-        }
-      }
-    }
-	mutate {
-		#add_tag => [ "conf_file_6301"]
-	}
-  }
-}
diff --git a/salt/logstash/conf/pipelines/eval/6400_suricata.conf b/salt/logstash/conf/pipelines/eval/6400_suricata.conf
deleted file mode 100644
index 11f185ddf..000000000
--- a/salt/logstash/conf/pipelines/eval/6400_suricata.conf
+++ /dev/null
@@ -1,92 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-#
-# This conf file is based on accepting logs for suricata json events
-filter {
-  if [type] == "suricata" {
-    if "test_data" not in [tags] {
-      date {
-        match => [ "timestamp", "ISO8601" ]
-      }
-    } else {
-      mutate {
-        remove_field => [ "netflow.start","netflow.end","timestamp" ]
-      }
-    }
-    if [event_type] == "fileinfo" {
-      ruby {
-        code => "if event['event_type'] == 'fileinfo'; event['fileinfo']['type']=event['fileinfo']['magic'].to_s.split(',')[0]; end;" 
-      }
-    }
-	# I recommend renaming the fields below to be consistent with other log sources.  This makes it easy to "pivot" between logs
-    mutate {
-      rename => [ "src_ip", "source_ip" ]
-      rename => [ "dest_ip", "destination_ip" ]
-      rename => [ "src_port", "source_port" ]
-      rename => [ "dest_port", "destination_port" ]
-    }
-	# This will translate the alert.severity field into a severity field of either High, Medium, or Low
-    if [event_type] == "alert" {
-      if [alert][severity] == 1 {
-        mutate {
-          add_field => { "severity" => "High" }
-        }
-      }
-      if [alert][severity] == 2 {
-        mutate {
-          add_field => { "severity" => "Medium" }
-        }
-      }
-      if [alert][severity] == 3 {
-        mutate {
-          add_field => { "severity" => "Low" }
-        }
-      }
-	  # If the alert is a Snort GPL alert break it apart for easier reading and categorization
-      if [alert][signature] =~ "GPL " {
-	    # This will parse out the category type from the alert
-        grok {
-          match => { "[alert][signature]" => "GPL\s+%{DATA:category}\s" }
-        }
-		# This will store the category
-        mutate {
-          add_field => { "rule_type" => "Snort GPL" }
-          lowercase => [ "category" ]
-        }
-      }
-	  # If the alert is an Emerging Threat alert break it apart for easier reading and categorization
-      if [alert][signature] =~ "ET " {
-	    # This will parse out the category type from the alert
-        grok {
-          match => { "[alert][signature]" => "ET\s+%{DATA:category}\s" }
-        }
-		# This will store the category
-        mutate {
-          add_field => { "rule_type" => "Emerging Threats" }
-          lowercase => [ "category" ]
-        }
-      }
-	  # This section adds URLs to lookup information about a rule online
-      if [rule_type] == "Snort GPL" {
-        mutate {
-          add_field => [ "signature_info", "https://www.snort.org/search?query=%{[alert][gid]}-%{[alert][signature_id]}" ]
-        }
-      }
-      if [rule_type] == "Emerging Threats" {
-        mutate {
-          add_field => [ "signature_info", "http://doc.emergingthreats.net/%{[alert][signature_id]}" ]
-        }
-      }
-    }
-    if "_grokparsefailure" not in [tags] and "_csvparsefailure" not in [tags] and "_jsonparsefailure" not in [tags] {
-    #  mutate {
-    #    remove_field => [ "message" ]
-    #  }
-    }
-	mutate {
-		#add_tag => [ "conf_file_6400"]
-	}
-  }
-}
diff --git a/salt/logstash/conf/pipelines/eval/6500_ossec.conf b/salt/logstash/conf/pipelines/eval/6500_ossec.conf
deleted file mode 100644
index 292fea49b..000000000
--- a/salt/logstash/conf/pipelines/eval/6500_ossec.conf
+++ /dev/null
@@ -1,160 +0,0 @@
-# Author: Wes Lambert
-#
-# Last Update: 09/19/2018
-#
-# This conf file is based on accepting logs from OSSEC
-
-filter {
-  # OSSEC Alerts
-  if [type] == "ossec" {
-        
-	# Sysmon/Autoruns logs transported by OSSEC
-        if [message] =~ "Microsoft-Windows-Sysmon" {
-            mutate {
-                replace => { "type" => "sysmon" }
-                add_tag => [ "ossec" ]
-            }
-        }
-        if [message] =~ "AR-LOG" {
-            mutate {
-                replace => { "type" => "autoruns" }
-                add_tag => [ "ossec" ]
-            }
-        }
-		
-	# If message looks like json, try to parse it as such. Otherwise, grok.
-        if [message] =~ /^{.*}$/ {
-                json {
-                        source => "message"
-                }
-		mutate {
-			rename => { "rule" => "wazuh-rule" }
-			rename => { "[wazuh-rule][level]" => "alert_level" }
-			rename => { "[wazuh-rule][description]" => "description" }
-			rename => { "[data][srcuser]" => "username" }
-			rename => { "[data][dstuser]" => "escalated_user" }
-			rename => { "[data][command]" => "command" }
-			rename => { "[predecoder][program_name]" => "process" }
-			
-                }
-                # Wazuh 3.8.2
-                if [data][EventChannel] {
-        		mutate {
-				rename => { "[data][EventChannel][EventData][User]" => "username" }
-        			rename => { "[data][EventChannel][System][EventID]" => "event_id" }
-        			rename => { "[data][EventChannel][EventData][DestinationPort]" => "destination_port" }
-        			rename => { "[data][EventChannel][EventData][DestinationIp]" => "destination_ip" }
-        			rename => { "[data][EventChannel][EventData][SourcePort]" => "source_port" }
-        			rename => { "[data][EventChannel][EventData][SourceIp]" => "source_ip" }
-        			rename => { "[data][EventChannel][EventData][SourceHostname]" => "source_hostname" }
-        			rename => { "[data][EventChannel][EventData][DestinationHostname]" => "destination_hostname" }
-			}
-		}
-                # Wazuh 3.9.2
-		if [data][win] {
-                        mutate {
-				rename => { "[data][win][eventdata][user]" => "username" }
-                        	rename => { "[data][win][system][eventID]" => "event_id" }
-                        	rename => { "[data][win][eventdata][destinationPort]" => "destination_port" }
-                        	rename => { "[data][win][eventdata][destinationIp]" => "destination_ip" }
-                        	rename => { "[data][win][eventdata][sourcePort]" => "source_port" }
-                        	rename => { "[data][win][eventdata][sourceIp]" => "source_ip" }
-                        	rename => { "[data][win][eventdata][sourceHostname]" => "source_hostname" }
-                        	rename => { "[data][win][eventdata][destinationHostname]" => "destination_hostname" } 
-                        }
-		}
-	} else {
-		grok {
-			match => ["message", "Alert Level: %{NONNEGINT;alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; user: +%{DATA:username}; %{SYSLOGTIMESTAMP} %{DATA:host} %{DATA:process}\[%{INT:pid}]: %{GREEDYDATA:details}", 
-				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}",
-				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}", 
-				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: +%{DATA:username} : TTY=%{DATA:tty} ; PWD=%{DATA:dir} ; USER=%{DATA:escalated_user} ; COMMAND=%{GREEDYDATA:command}", 
-				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: %{GREEDYDATA:details}", 
-				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: +%{DATA:username} : %{GREEDYDATA:details}",  
-				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; srcip: %{IP:source_ip};%{GREEDYDATA:details}", 
-				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA:username}: %{DATA}: \'%{DATA}': %{DATA:interface}: %{INT:num_packets}",
-				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA:username}: %{GREEDYDATA:details}.",
-				"message", "Alert Level: %{NONNEGINT:alert_Level}; Rule: %{NONNEGINT:Rule} - %{DATA:Description}; Location: %{DATA:location}; user: +%{DATA:username};",
-				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA}: %{DATA}: \'%{DATA}': %{DATA:interface}: %{NONNEGINT:num_packets}",
-				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{GREEDYDATA:details}"]
-		}
-	}
-	
-	# Add tag for OSSEC alerts
-	if [alert_level] {
-            mutate {
-		add_tag => [ "alert" ]
-	    }
-        }
-
-	translate {
-		field => "alert_level"
-
-		destination => "classification"
-
-		dictionary => [
-               	    "1", "None",
-		    "2", "System low priority notification",
-		    "3", "Successful/authorized event",
-		    "4", "System low priority error",
-		    "5", "User generated error",
-		    "6", "Low relevance attack",
-		    "7", '"Bad word" matching',
-		    "8", "First time seen",
-		    "9", "Error from invalid source",
-		    "10", "Multiple user generated errors",
-		    "11", "Integrity checking warning",
-		    "12", "High importance event",
-		    "13", "Unusal error (high importance)",
-		    "14", "High importance security event",
-		    "15", "Severe attack"
-               	]
-	}
-  }
-
-  # OSSEC Archive Logs
-  if [type] == "ossec_archive" {
-        
-	# Sysmon/Autoruns logs transported by OSSEC
-	if [message] =~ "Microsoft-Windows-Sysmon" {
-            mutate { 
-                replace => { "type" => "sysmon" } 
-                add_tag => [ "ossec" ] 
-	    }
-        }
-	if [message] =~ "AR-LOG" {
-            mutate { 
-                replace => { "type" => "autoruns" } 
-                add_tag => [ "ossec" ]
-            }
-        }
-
-	# If message looks like json, try to parse it as such. Otherwise, grok.
-        if [message] =~ /^{.*}$/ {
-                json {
-                        source => "message"
-                }
-		mutate {
-                        rename => [ "rule", "wazuh-rule" ]
-                        rename => [ "[wazuh-rule][level]", "alert_level" ]
-                        rename => [ "[wazuh-rule][description]", "description" ]
-                        rename => [ "[data][srcuser]", "username" ]
-                        rename => [ "[data][dstuser]", "escalated_user" ]
-                        rename => [ "[data][command]", "command" ]
-                        rename => [ "[predecoder][program_name]", "process" ]
-                }
-	} else {
-		grok {
-			match => ["message",'%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{IP:source_ip} - %{DATA:username} \[%{DATA:request_timestamp}] "%{DATA:method} %{DATA:requested_resource} %{DATA:protocol}\/%{DATA:protocol_version}" %{NONNEGINT:status_code} %{NONNEGINT:object_size} "%{DATA:referrer}" "%{DATA:user_agent}"',
-				"message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{SYSLOGTIMESTAMP:ossec_timestamp} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: \(%{DATA:username}\) CMD \(%{DATA:command}\)",
-				"message", "%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{GREEDYDATA:details}","message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{SYSLOGTIMESTAMP:ossec_timestamp} %{DATA:ossec_host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}",
-				"message","%{DATA:age} %{DATA:program} %{DATA} '%{DATA:checksum}'",
-				"message", "%{DATA:username} : TTY=%{DATA:tty} ; PWD=%{DATA:dir} ; USER=%{DATA:escalated_user} ; COMMAND=%{GREEDYDATA:command}"]
-			remove_field => [ "ossec_timestamp" ]
-		}
-		mutate {
-			convert => [ "status_code", "integer" ]
-		}
-	}
-  }
-}
diff --git a/salt/logstash/conf/pipelines/eval/6501_ossec_sysmon.conf b/salt/logstash/conf/pipelines/eval/6501_ossec_sysmon.conf
deleted file mode 100644
index 6ebf10487..000000000
--- a/salt/logstash/conf/pipelines/eval/6501_ossec_sysmon.conf
+++ /dev/null
@@ -1,118 +0,0 @@
-# Author: Wes Lambert
-# wlambertts@gmail.com
-#
-# This conf file is based on accepting Sysmon logs from OSSEC
-#
-# Parse using grok
-filter {
-  # OSSEC Logs and Alerts
-  if [type] == "sysmon" or "sysmon" in [tags] {
-    if [message] !~ /^{.*}$/ {
-      #mutate { replace => { "type" => "sysmon" } }
-      grok {
-      # match => ["message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{IP:source_ip}->WinEvtLog %{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION\(%{INT:sysmon_event_id}\):"]
-        match => ["message", "%{YEAR:year}%{SPACE}%{SYSLOGTIMESTAMP:timestamp}%{SPACE}%{DATA:location}%{SPACE}(any|%{IP:source_ip})->WinEvtLog%{SPACE}%{YEAR:year}%{SPACE}%{SYSLOGTIMESTAMP:ossec_timestamp}%{SPACE}WinEvtLog:%{SPACE}Microsoft-Windows-Sysmon/Operational:%{SPACE}INFORMATION\(%{INT:event_id}\):%{SPACE}%{GREEDYDATA:rest_of_msg}"]
-      }
-      mutate {
-        convert => ["event_id", "integer"]
-        remove_field => ["timestamp"]
-        remove_field => ["year"]
-      }
-      if [event_id] == 1 {
-        grok {
-          match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}%{DATA:process_name} %{DATA:process_arguments}%{SPACE}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}LogonGuid:%{SPACE}\{%{DATA:logon_guid}\}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{SPACE}%{DATA:integrity_level}%{SPACE}Hashes:%{SPACE}MD5=%{DATA:md5},SHA256=%{DATA:sha256}%{SPACE}ParentProcessGuid:%{SPACE}\{%{DATA:parent_process_guid}\}%{SPACE}ParentProcessId:%{SPACE}%{NONNEGINT:parent_process_id}%{SPACE}ParentImage:%{SPACE}%{DATA:parent_image_path}%{SPACE}ParentCommandLine:%{SPACE}%{GREEDYDATA:parent_process_name}",
-		"rest_of_msg", 'Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}"%{DATA:process_name}"%{SPACE}%{DATA:process_arguments}%{SPACE}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}LogonGuid:%{SPACE}\{%{DATA:logon_guid}\}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{DATA:integrity_level}',
-		"rest_of_msg", "Microsoft-Windows-Sysmon/Operational:%{SPACE}INFORMATION(%{INT:event_id}):%{SPACE}Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}{%{DATA:process_guid}}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}%{DATA:process_name}%{SPACE}%{DATA:process_arguments}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}LogonGuid:%{SPACE}{%{DATA:logon_guid}}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{SPACE}%{DATA:integrity_level}%{SPACE}Hashes:%{SPACE}MD5=%{DATA:md5},SHA256=%{DATA:sha256}%{SPACE}ParentProcessGuid:%{SPACE}{%{DATA:parent_process_guid}}%{SPACE}ParentProcessId:%{SPACE}%{NONNEGINT:parent_process_id}%{SPACE}ParentImage:%{SPACE}%{DATA:parent_image_path}%{SPACE}ParentCommandLine:%{SPACE}%{GREEDYDATA:parent_process_name}"]
-        }
-        mutate {
-          convert => ["process_guid", "integer"]
-          convert => ["process_id", "integer"]
-          add_tag => ["process_creation"]
-        }
-      }
-      if [event_id] == 3 {
-        mutate {
-          remove_field => ["source_ip"]
-        }
-        grok {
-        match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}Protocol:%{SPACE}%{DATA:protocol}%{SPACE}Initiated:%{SPACE}%{DATA:initiated}%{SPACE}SourceIsIpv6:%{SPACE}%{DATA:is_source_ipv6}%{SPACE}SourceIp:%{SPACE}%{IP:source_ip}%{SPACE}SourceHostname:%{SPACE}%{DATA:source_hostname}%{SPACE}SourcePort:%{SPACE}%{NONNEGINT:source_port}%{SPACE}SourcePortName:%{SPACE}%{DATA:source_port_name}%{SPACE}DestinationIsIpv6:%{SPACE}%{DATA:dest_is_ipv6}%{SPACE}DestinationIp:%{SPACE}%{IP:destination_ip}%{SPACE}DestinationHostname:%{SPACE}%{DATA:destination_hostname}%{SPACE}DestinationPort:%{SPACE}%{NONNEGINT:destination_port}%{SPACE}DestinationPortName:%{SPACE}%{GREEDYDATA:destination_port_name}"]
-        }
-        mutate {
-          convert => ["process_guid", "integer"]
-          convert => ["process_id", "integer"]
-          convert => ["source_port", "integer"]
-          convert => ["destination_port", "integer"]
-          add_tag => ["network_connection"]
-        }
-      }
-      if [event_id] == 5 {
-        grok {
-          match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{GREEDYDATA:image_path}"]
-        }
-        mutate {
-          convert => ["process_guid", "integer"]
-          convert => ["process_id", "integer"]
-          add_tag => ["process_termination"]
-        }
-      }
-      if [event_id] == 11 {
-        grok {
-          match => ["rest_of_msg","Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}TargetFilename:%{SPACE}%{DATA:target_filename}%{SPACE}CreationUtcTime:%{SPACE}%{DATA:creation_time}%{SPACE}"]
-        }
-        mutate {
-          convert => ["process_guid", "integer"]
-          convert => ["process_id", "integer"]
-          add_tag => ["file_created"]
-        }
-      }
-      mutate {
-        remove_field => ["rest_of_msg"]
-      }
-    } else {
-      mutate {
-	rename => { "[data][srcuser]" => "username" }
-        rename => { "[data][id]" => "event_id" }
-        rename => { "[data][dstport]" => "destination_port" }
-        rename => { "[data][dstip]" => "destination_ip" }
-        rename => { "[data][srcip]" => "source_ip" }
-        rename => { "[data][sysmon][image]" => "image_path" }
-        rename => { "[data][sysmon][parentImage]" => "parent_image_path" }
-        rename => { "[data][sysmon][targetfilename]" => "target_filename" }
-        rename => { "[data][sysmon][sourceHostname]" => "source_hostname" }
-        rename => { "[data][sysmon][destinationHostname]" => "destination_hostname" }
-      }
-      # Wazuh 3.8.2  
-      if [data][EventChannel] {
-        mutate {
-           rename => { "[data][EventChannel][EventData][User]" => "username" }
-           rename => { "[data][EventChannel][System][EventID]" => "event_id" }
-           rename => { "[data][EventChannel][EventData][DestinationPort]" => "destination_port" }
-           rename => { "[data][EventChannel][EventData][DestinationIp]" => "destination_ip" }
-           rename => { "[data][EventChannel][EventData][SourcePort]" => "source_port" }
-           rename => { "[data][EventChannel][EventData][SourceIp]" => "source_ip" }
-           rename => { "[data][EventChannel][EventData][Image]" => "image_path" }
-           rename => { "[data][EventChannel][EventData][ParentImage]" => "parent_image_path" }
-           rename => { "[data][EventChannel][EventData][TargetFilename]" => "target_filename" }
-           rename => { "[data][EventChannel][EventData][SourceHostname]" => "source_hostname" }
-           rename => { "[data][EventChannel][EventData][DestinationHostname]" => "destination_hostname" }
-	}
-      }
-      # Wazuh 3.9.2
-      if [data][win] {
-        mutate {
-          rename => { "[data][win][eventdata][user]" => "username" }
-          rename => { "[data][win][system][eventID]" => "event_id" }
-          rename => { "[data][win][eventdata][destinationPort]" => "destination_port" }
-          rename => { "[data][win][eventdata][destinationIp]" => "destination_ip" }
-          rename => { "[data][win][eventdata][sourcePort]" => "source_port" }
-          rename => { "[data][win][eventdata][sourceIp]" => "source_ip" }
-          rename => { "[data][win][eventdata][image]" => "image_path" }
-          rename => { "[data][win][eventdata][parentImage]" => "parent_image_path" }
-          rename => { "[data][win][eventdata][targetFilename]" => "target_filename" }
-          rename => { "[data][win][eventdata][sourceHostname]" => "source_hostname" }
-          rename => { "[data][win][eventdata][destinationHostname]" => "destination_hostname" }
-        }
-      }    
-    }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/eval/6502_ossec_autoruns.conf b/salt/logstash/conf/pipelines/eval/6502_ossec_autoruns.conf
deleted file mode 100644
index 5d7207891..000000000
--- a/salt/logstash/conf/pipelines/eval/6502_ossec_autoruns.conf
+++ /dev/null
@@ -1,43 +0,0 @@
-# Author: Wes Lambert
-# wlambertts@gmail.com
-#
-# Updated by: Dustin Lee
-# Last Update: 06/13/2019
-#
-# This conf file is based on accepting Autoruns logs from OSSEC
-#
-# Parse using grok
-filter {
-  if [type] == "autoruns" or "autoruns" in [tags] {
-    if [message] !~ /^{.*}$/ {
-      grok {
-        match => [
-            "message", "%{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} \(%{DATA:ossec_agent_name}\) %{IP:source_ip}->%{DATA:location} %{DATA:log_name}\|%{DATA:hostname}\|%{DATESTAMP:log_timestamp}\|%{DATA:event_timestamp}\|%{DATA:image_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}",
-            "message", "%{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} \(%{DATA:ossec_agent_name}\) %{IP:source_ip}->%{DATA:location} %{DATA:log_name}\|%{DATA:hostname}\|%{DATESTAMP:log_timestamp}\|%{DATA:event_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}"
-        ]
-      }
-    #csv {
-#      columns => ["log_name","entry_location","entry","enabled","category","autoruns_description","signer","company","image_path","version","launch_string","md5","sha1","pesha1","pesha256","sha256","imphash"]
-#      separator => "|"
-#      }
-      mutate {
-        remove_field => [ "year" ]
-        remove_field => [ "timestamp" ]
-      }
-    } else {
-        grok {
-        match => [
-            "full_log", "AR-LOG\|%{DATA:hostname}\|%{DATA:event_timestamp}\|%{DATA:image_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}",
-            "full_log", "AR-LOG\|%{DATA:hostname}\|%{DATA:event_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}"
-        ]
-      }
-      mutate {
-        # Rename fields
-      }
-    }
-    date {
-      match => [ "image_timestamp", "yyyyMMdd-HHmmss" ]
-      target => "image_timestamp"
-    }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/eval/6600_winlogbeat_sysmon.conf b/salt/logstash/conf/pipelines/eval/6600_winlogbeat_sysmon.conf
deleted file mode 100644
index 200b58497..000000000
--- a/salt/logstash/conf/pipelines/eval/6600_winlogbeat_sysmon.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# Author: Wes Lambert
-#
-# Last Update: 09/24/2018
-#
-# This conf file is based on accepting Sysmon logs from winlogbeat
-
-filter {
-  if "beat" in [tags] and [source_name] =~ "Microsoft-Windows-Sysmon" {
-      mutate {
-        replace => { "type" => "sysmon" }
-        rename => { "[event_data][User]" => "username" }
-        rename => { "[event_data][DestinationPort]" => "destination_port" }
-        rename => { "[event_data][DestinationIp]" => "destination_ip" }
-        rename => { "[event_data][SourceIp]" => "source_ip" }
-        rename => { "[event_data][Image]" => "image_path" }
-        rename => { "[event_data][ParentImage]" => "parent_image_path" }
-        rename => { "[data][sysmon][targetfilename]" => "target_filename" }
-        rename => { "[event_data][SourceHostname]" => "source_hostname" }
-        rename => { "[event_data][DestinationHostname]" => "destination_hostname" }
-	rename => { "[event_data][TargetFilename]" => "target_filename" }
-      }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/eval/6700_winlogbeat.conf b/salt/logstash/conf/pipelines/eval/6700_winlogbeat.conf
deleted file mode 100644
index 222757956..000000000
--- a/salt/logstash/conf/pipelines/eval/6700_winlogbeat.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# Author: Doug Burks
-#
-# Last Update: 09/24/2018
-#
-# This conf file is for beat data
-
-filter {
-  if "beat" in [tags] {
-      mutate {
-	# As of beats 6.3.0, host is now an object:
-	# https://www.elastic.co/guide/en/beats/libbeat/current/release-notes-6.3.0.html
-	# This creates a conflict with our existing host string.
-	# So let's rename the host object to beat_host.
-        rename => { "host" => "beat_host" }
-      }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/eval/7100_osquery_wel.conf b/salt/logstash/conf/pipelines/eval/7100_osquery_wel.conf
deleted file mode 100644
index b4d77d83f..000000000
--- a/salt/logstash/conf/pipelines/eval/7100_osquery_wel.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# Author: Josh Brower
-# Last Update: 12/28/2018
-# If log is tagged osquery and there is an eventid column - then cleanup and parse out the EventData column
-
-filter {
-  if "osquery" in [tags] and [osquery][columns][eventid] {
-
-        mutate {
-     gsub => ["[osquery][columns][data]", "\\x0A", ""]
-    }
-
-        json {
-      source => "[osquery][columns][data]"
-      target => "[osquery][columns][data]"
-     }
-
-        mutate {
-     merge => { "[osquery][columns]" => "[osquery][columns][data]" }
-     remove_field => ["[osquery][columns][data]"]
-        }
-
-  }
-}
\ No newline at end of file
diff --git a/salt/logstash/conf/pipelines/eval/7200_strelka.conf b/salt/logstash/conf/pipelines/eval/7200_strelka.conf
deleted file mode 100644
index b2b57bf05..000000000
--- a/salt/logstash/conf/pipelines/eval/7200_strelka.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-filter {
-  if [type] =~ "strelka" {
-    json {
-      source => "message"
-    }
-  }
-}
-
diff --git a/salt/logstash/conf/pipelines/eval/8001_postprocess_common_ip_augmentation.conf b/salt/logstash/conf/pipelines/eval/8001_postprocess_common_ip_augmentation.conf
deleted file mode 100644
index d28449da6..000000000
--- a/salt/logstash/conf/pipelines/eval/8001_postprocess_common_ip_augmentation.conf
+++ /dev/null
@@ -1,58 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Updated by: Doug Burks
-# Last Update: 5/20/2017
-
-filter {
-  if [source_ip] {
-    if [source_ip] == "-" {
-      mutate {
-        replace => { "source_ip" => "0.0.0.0" }
-      }
-    }
-    if [source_ip] =~ "10\." or [source_ip] =~ "192\.168\." or [source_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." or [source_ip] =~ "fe80::20c:29ff:fe19:f7d" or [source_ip] =~ "::1" {
-	mutate {
-	}
-      } else {
-        geoip {
-          source => "[source_ip]"
-          target => "source_geo"
-        }
-      }
-    if [source_ip] {
-      mutate {
-        add_field => { "ips" => "%{source_ip}" }
-        add_field => { "source_ips" => [ "%{source_ip}" ] }
-      }
-    }
-  }
-  if [destination_ip] {
-    if [destination_ip] == "-" {
-      mutate {
-        replace => { "destination_ip" => "0.0.0.0" }
-      }
-    }
-    if [destination_ip] =~ "10\." or [destination_ip] =~ "192\.168\." or [destination_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." or [destination_ip] =~ "239.255.255.250" or [destination_ip] =~ "224\.0\.0\." or [destination_ip] =~ "255.255.255.255" or [destination_ip] =~ "ff02::fb" or [destination_ip] =~ "fe80::20c:29ff:fe19:f7d" or [destination_ip] =~ "224\.0\.1\." {
-      mutate {
-      }
-    }
-    else {
-      geoip {
-      source => "[destination_ip]"
-      target => "destination_geo"
-      }
-    }
-  }
-  if [destination_ip] {
-    mutate {
-      add_field => { "ips" => "%{destination_ip}" }
-      add_field => { "destination_ips" => [ "%{destination_ip}" ] }
-    }
-  }
-}
-  #if [source_ip] or [destination_ip] {
-  #  mutate {
-	  #add_tag => [ "conf_file_8001"]
-  #	}
-  #}
-
diff --git a/salt/logstash/conf/pipelines/eval/8007_postprocess_http.conf b/salt/logstash/conf/pipelines/eval/8007_postprocess_http.conf
deleted file mode 100644
index b9c9d224b..000000000
--- a/salt/logstash/conf/pipelines/eval/8007_postprocess_http.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-# Original Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Updated by: Doug Burks
-# Last Update: 5/13/2017
-
-filter {
-  if [type] == "bro_http" {
-    if [uri] {
-      ruby {
-        code => "event.set('uri_length', event.get('uri').length)"
-      }
-    }
-    if [virtual_host] {
-      ruby {
-        code => "event.set('virtual_host_length', event.get('virtual_host').length)"
-      }
-    }
-    if [useragent] {
-      ruby {
-        code => "event.set('useragent_length', event.get('useragent').length)"
-      }
-    }
-	mutate {
-	  ##add_tag => [ "conf_file_8007"]
-	}
-  }
-}
diff --git a/salt/logstash/conf/pipelines/eval/8200_postprocess_tagging.conf b/salt/logstash/conf/pipelines/eval/8200_postprocess_tagging.conf
deleted file mode 100644
index e698b3ce3..000000000
--- a/salt/logstash/conf/pipelines/eval/8200_postprocess_tagging.conf
+++ /dev/null
@@ -1,63 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [destination_ip] {
-    if [destination_ip] =~ "10\." or [destination_ip] =~ "192\.168\." or [destination_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." {
-      mutate {
-        add_tag => [ "internal_destination" ]
-      }
-    } else {
-      mutate {
-        add_tag => [ "external_destination" ]
-      }
-    }
-    if "internal_destination" not in [tags] {
-      if [destination_ip] == "198.41.0.4" or [destination_ip] == "192.228.79.201" or [destination_ip] == "192.33.4.12" or [destination_ip] == "199.7.91.13" or [destination_ip] == "192.203.230.10" or [destination_ip] == "192.5.5.241" or [destination_ip] == "192.112.36.4" or [destination_ip] == "198.97.190.53" or [destination_ip] == "192.36.148.17" or [destination_ip] == "192.58.128.30" or [destination_ip] == "193.0.14.129" or [destination_ip] == "199.7.83.42" or [destination_ip] == "202.12.27.33" {
-        mutate {
-          add_tag => [ "root_dns_server" ]
-        }
-      }
-    }
-    # Customize this section to your environment
-    if [destination_ip] == "74.40.74.40" or [destination_ip] == "74.40.74.41" {
-      mutate {
-        add_tag => [ "authorized_dns_server" ]
-      }
-    }
-  }
-  if [source_ip] {
-    if [source_ip] =~ "10\." or [source_ip] =~ "192\.168\." or [source_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." {
-      mutate {
-        add_tag => [ "internal_source" ]
-      }
-    } else {
-      mutate {
-        add_tag => [ "external_source" ]
-      }
-    }
-    if "internal_source" not in [tags] {
-      if [source_ip] == "198.41.0.4" or [source_ip] == "192.228.79.201" or [source_ip] == "192.33.4.12" or [source_ip] == "199.7.91.13" or [source_ip] == "192.203.230.10" or [source_ip] == "192.5.5.241" or [source_ip] == "192.112.36.4" or [source_ip] == "198.97.190.53" or [source_ip] == "192.36.148.17" or [source_ip] == "192.58.128.30" or [source_ip] == "193.0.14.129" or [source_ip] == "199.7.83.42" or [source_ip] == "202.12.27.33" {
-        mutate {
-          add_tag => [ "root_dns_server" ]
-        }
-      }
-    }
-    # Customize this section to your environment
-    if [destination_ip] == "74.40.74.40" and "authorized_dns_server" not in [tags] or [destination_ip] == "74.40.74.41" and "authorized_dns_server" not in [tags] {
-      mutate {
-        add_tag => [ "authorized_dns_server" ]
-      }
-    }
-	mutate {
-		##add_tag => [ "conf_file_8200"]
-	}
-  }
-  if [type] =~ /ossec|snort|firewall/ or "firewall" in [tags] {
-      mutate {
-          remove_tag => [ "syslog" ]
-      }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/eval/8998_postprocess_log_elapsed.conf b/salt/logstash/conf/pipelines/eval/8998_postprocess_log_elapsed.conf
deleted file mode 100644
index 478c6b0e0..000000000
--- a/salt/logstash/conf/pipelines/eval/8998_postprocess_log_elapsed.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  ruby {
-    code => "event.set('task_end', Time.now.to_f)"
-  }
-  ruby {
-    code => "event.set('logstash_time', event.get('task_end') - event.get('task_start'))"
-  }
-  mutate {
-    remove_field => [ 'task_start', 'task_end' ]
-  }
-  mutate {
-	#add_tag => [ "conf_file_8998"]
-  }
-}
diff --git a/salt/logstash/conf/pipelines/eval/8999_postprocess_rename_type.conf b/salt/logstash/conf/pipelines/eval/8999_postprocess_rename_type.conf
deleted file mode 100644
index 383fd9827..000000000
--- a/salt/logstash/conf/pipelines/eval/8999_postprocess_rename_type.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-# Author: Doug Burks
-# Last Update: 12/10/2017
-
-filter {
-    mutate {
-	  rename => [ "type", "event_type" ]
-	}
-}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9000_output_bro.conf b/salt/logstash/conf/pipelines/eval/templates/9000_output_bro.conf
deleted file mode 100644
index 2beafc8be..000000000
--- a/salt/logstash/conf/pipelines/eval/templates/9000_output_bro.conf
+++ /dev/null
@@ -1,32 +0,0 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
-{%- set NAME = grains.host -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('node:mainip', '') -%}
-{%- endif %}
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-
-filter {
-  if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
-    mutate {
-	  add_field => { "sensor_name" => "{{ NAME }}" }
-	}
-  }
-}
-output {
-  if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
-#    stdout { codec => rubydebug }
-    elasticsearch {
-      pipeline => "%{event_type}"
-      hosts => "{{ ES }}"
-      index => "logstash-bro-%{+YYYY.MM.dd}"
-      template_name => "logstash"
-      template => "/logstash-template.json"
-      template_overwrite => true
-    }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9001_output_switch.conf b/salt/logstash/conf/pipelines/eval/templates/9001_output_switch.conf
deleted file mode 100644
index 949a738ab..000000000
--- a/salt/logstash/conf/pipelines/eval/templates/9001_output_switch.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('node:mainip', '') -%}
-{%- endif %}
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if "switch" in [tags] and "test_data" not in [tags] {
-    mutate {
-	  ##add_tag => [ "conf_file_9001"]
-	}
-  }
-}
-output {
-  if "switch" in [tags] and "test_data" not in [tags] {
-    #stdout { codec => rubydebug }
-    elasticsearch {
-      hosts => "{{ ES }}"
-      index => "logstash-switch-%{+YYYY.MM.dd}"
-      template => "/logstash-template.json"
-    }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9002_output_import.conf b/salt/logstash/conf/pipelines/eval/templates/9002_output_import.conf
deleted file mode 100644
index 88fbc7551..000000000
--- a/salt/logstash/conf/pipelines/eval/templates/9002_output_import.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('node:mainip', '') -%}
-{%- endif %}
-# Updated by: Doug Burks
-# Last Update: 5/16/2017
-
-filter {
-  if "import" in [tags] and "test_data" not in [tags] {
-    mutate {
-	  ##add_tag => [ "conf_file_9002"]
-	}
-  }
-}
-output {
-  if "import" in [tags] and "test_data" not in [tags] {
-#    stdout { codec => rubydebug }
-    elasticsearch {
-      hosts => "{{ ES }}"
-      index => "logstash-import-%{+YYYY.MM.dd}"
-      template_name => "logstash-*"
-      template => "/logstash-template.json"
-      template_overwrite => true
-    }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9004_output_flow.conf b/salt/logstash/conf/pipelines/eval/templates/9004_output_flow.conf
deleted file mode 100644
index 3dbd34f16..000000000
--- a/salt/logstash/conf/pipelines/eval/templates/9004_output_flow.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('node:mainip', '') -%}
-{%- endif %}
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [event_type] == "sflow" and "test_data" not in [tags] {
-    mutate {
-	  ##add_tag => [ "conf_file_9004"]
-	}
-  }
-}
-output {
-  if [event_type] == "sflow" and "test_data" not in [tags] {
-    #stdout { codec => rubydebug }
-    elasticsearch {
-      hosts => "{{ ES }}"
-      index => "logstash-flow-%{+YYYY.MM.dd}"
-      template => "/logstash-template.json"
-    }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9026_output_dhcp.conf b/salt/logstash/conf/pipelines/eval/templates/9026_output_dhcp.conf
deleted file mode 100644
index a63ac5f98..000000000
--- a/salt/logstash/conf/pipelines/eval/templates/9026_output_dhcp.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('node:mainip', '') -%}
-{%- endif %}
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [event_type] == "dhcp" and "test_data" not in [tags] {
-    mutate {
-	  ##add_tag => [ "conf_file_9026"]
-	}
-  }
-}
-output {
-  if [event_type] == "dhcp" and "test_data" not in [tags] {
-    #stdout { codec => rubydebug }
-    elasticsearch {
-      hosts => "{{ ES }}"
-      template => "/logstash-template.json"
-    }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9029_output_esxi.conf b/salt/logstash/conf/pipelines/eval/templates/9029_output_esxi.conf
deleted file mode 100644
index 229de6b9c..000000000
--- a/salt/logstash/conf/pipelines/eval/templates/9029_output_esxi.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('node:mainip', '') -%}
-{%- endif %}
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [event_type] == "esxi" and "test_data" not in [tags] {
-    mutate {
-	  ##add_tag => [ "conf_file_9029"]
-	}
-  }
-}
-output {
-  if [event_type] == "esxi" and "test_data" not in [tags] {
-    elasticsearch {
-      hosts => "{{ ES }}"
-      template => "/logstash-template.json"
-    }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9030_output_greensql.conf b/salt/logstash/conf/pipelines/eval/templates/9030_output_greensql.conf
deleted file mode 100644
index a6d16b95d..000000000
--- a/salt/logstash/conf/pipelines/eval/templates/9030_output_greensql.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('node:mainip', '') -%}
-{%- endif %}
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [event_type] == "greensql" and "test_data" not in [tags] {
-    mutate {
-	  ##add_tag => [ "conf_file_9030"]
-	}
-  }
-}
-output {
-  if [event_type] == "greensql" and "test_data" not in [tags] {
-    elasticsearch {
-      hosts => "{{ ES }}"
-      template => "/logstash-template.json"
-    }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9031_output_iis.conf b/salt/logstash/conf/pipelines/eval/templates/9031_output_iis.conf
deleted file mode 100644
index 6650d8a7d..000000000
--- a/salt/logstash/conf/pipelines/eval/templates/9031_output_iis.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('node:mainip', '') -%}
-{%- endif %}
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [event_type] == "iis" and "test_data" not in [tags] {
-    mutate {
-	  ##add_tag => [ "conf_file_9031"]
-	}
-  }
-}
-output {
-  if [event_type] == "iis" and "test_data" not in [tags] {
-    #stdout { codec => rubydebug }
-    elasticsearch {
-      hosts => "{{ ES }}"
-      template => "/logstash-template.json"
-    }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9032_output_mcafee.conf b/salt/logstash/conf/pipelines/eval/templates/9032_output_mcafee.conf
deleted file mode 100644
index ca982967d..000000000
--- a/salt/logstash/conf/pipelines/eval/templates/9032_output_mcafee.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('node:mainip', '') -%}
-{%- endif %}
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [event_type] == "mcafee" and "test_data" not in [tags] {
-    mutate {
-	  ##add_tag => [ "conf_file_9032"]
-	}
-  }
-}
-output {
-  if [event_type] == "mcafee" and "test_data" not in [tags] {
-    #stdout { codec => rubydebug }
-    elasticsearch {
-      hosts => "{{ ES }}"
-      template => "/logstash-template.json"
-    }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9033_output_snort.conf b/salt/logstash/conf/pipelines/eval/templates/9033_output_snort.conf
deleted file mode 100644
index 6c310b91e..000000000
--- a/salt/logstash/conf/pipelines/eval/templates/9033_output_snort.conf
+++ /dev/null
@@ -1,29 +0,0 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('node:mainip', '') -%}
-{%- endif %}
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [event_type] == "ids" and "test_data" not in [tags] {
-    mutate {
-	  ##add_tag => [ "conf_file_9033"]
-	}
-  }
-}
-output {
-    if [event_type] == "ids" and "test_data" not in [tags] {
-    #stdout { codec => rubydebug }
-    elasticsearch {
-      hosts => "{{ ES }}"
-      index => "logstash-ids-%{+YYYY.MM.dd}"
-      template_name => "logstash"
-      template => "/logstash-template.json"
-      template_overwrite => true
-    }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9034_output_syslog.conf b/salt/logstash/conf/pipelines/eval/templates/9034_output_syslog.conf
deleted file mode 100644
index 56a6527b8..000000000
--- a/salt/logstash/conf/pipelines/eval/templates/9034_output_syslog.conf
+++ /dev/null
@@ -1,28 +0,0 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('node:mainip', '') -%}
-{%- endif %}
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Updated by: Doug Burks
-# Last Update: 5/15/2017
-
-filter {
-  if "syslog" in [tags] and "test_data" not in [tags] {
-    mutate {
-	  ##add_tag => [ "conf_file_9034"]
-	}
-  }
-}
-output {
-  if "syslog" in [tags] and "test_data" not in [tags] {
-    elasticsearch {
-      hosts => "{{ ES }}"
-      index => "logstash-syslog-%{+YYYY.MM.dd}"
-      template_name => "logstash"
-      template => "/logstash-template.json"
-      template_overwrite => true
-    }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9100_output_osquery.conf b/salt/logstash/conf/pipelines/eval/templates/9100_output_osquery.conf
deleted file mode 100644
index 132f0eb66..000000000
--- a/salt/logstash/conf/pipelines/eval/templates/9100_output_osquery.conf
+++ /dev/null
@@ -1,32 +0,0 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('node:mainip', '') -%}
-{%- endif %}
-# Author: Security Onion Solutions
-# Last Update: 2/3/2020
-# Output to ES for osquery tagged logs - EVAL install
-
-
-filter {
-    if "osquery" in [tags] {
-    mutate {
-      rename => { "host" => "beat_host" }
-      remove_tag => ["beat"]
-                }
-   json {
-    source => "message"
-    target => "osquery"
-        }
-  }
-}
-
-output {
-  if "osquery" in [tags] {
-    elasticsearch {
-      hosts => "{{ ES }}"
-      index => "logstash-osquery-%{+YYYY.MM.dd}"
-      template => "/logstash-template.json"
-    }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9200_output_firewall.conf b/salt/logstash/conf/pipelines/eval/templates/9200_output_firewall.conf
deleted file mode 100644
index b2ad43963..000000000
--- a/salt/logstash/conf/pipelines/eval/templates/9200_output_firewall.conf
+++ /dev/null
@@ -1,29 +0,0 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('node:mainip', '') -%}
-{%- endif %}
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if "firewall" in [tags] and "test_data" not in [tags] {
-    mutate {
-	  ##add_tag => [ "conf_file_9200"]
-	}
-  }
-}
-output {
-  if "firewall" in [tags] and "test_data" not in [tags] {
-#    stdout { codec => rubydebug }
-    elasticsearch {
-      hosts => "{{ ES }}"
-      index => "logstash-firewall-%{+YYYY.MM.dd}"
-      template_name => "logstash"
-      template => "/logstash-template.json"
-      template_overwrite => true
-    }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9300_output_windows.conf b/salt/logstash/conf/pipelines/eval/templates/9300_output_windows.conf
deleted file mode 100644
index d3f9d1919..000000000
--- a/salt/logstash/conf/pipelines/eval/templates/9300_output_windows.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('node:mainip', '') -%}
-{%- endif %}
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [event_type] == "windows" and "test_data" not in [tags] {
-    mutate {
-	  ##add_tag => [ "conf_file_9300"]
-	}
-  }
-}
-output {
-  if [event_type] == "windows" and "test_data" not in [tags] {
-    #stdout { codec => rubydebug }
-    elasticsearch {
-      hosts => "{{ ES }}"
-      index => "logstash-windows-%{+YYYY.MM.dd}"
-      template => "/logstash-template.json"
-    }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9301_output_dns_windows.conf b/salt/logstash/conf/pipelines/eval/templates/9301_output_dns_windows.conf
deleted file mode 100644
index 8a56b7044..000000000
--- a/salt/logstash/conf/pipelines/eval/templates/9301_output_dns_windows.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('node:mainip', '') -%}
-{%- endif %}
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [event_type] == "dns" and "test_data" not in [tags] {
-    mutate {
-	  ##add_tag => [ "conf_file_9301"]
-	}
-  }
-}
-output {
-  if [event_type] == "dns" and "test_data" not in [tags] {
-    #stdout { codec => rubydebug }
-    elasticsearch {
-      hosts => "{{ ES }}"
-      index => "logstash-%{+YYYY.MM.dd}"
-      template => "/logstash-template.json"
-    }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9400_output_suricata.conf b/salt/logstash/conf/pipelines/eval/templates/9400_output_suricata.conf
deleted file mode 100644
index 1de235444..000000000
--- a/salt/logstash/conf/pipelines/eval/templates/9400_output_suricata.conf
+++ /dev/null
@@ -1,28 +0,0 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
-{%- set NAME = grains.host -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('node:mainip', '') -%}
-{%- endif %}
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [event_type] == "suricata" and "test_data" not in [tags] {
-    mutate {
-	  add_field => { "sensor_name" => "{{ NAME }}" }
-	}
-  }
-}
-output {
-  if [event_type] == "suricata" and "test_data" not in [tags] {
-    #stdout { codec => rubydebug }
-    elasticsearch {
-      hosts => "{{ ES }}"
-      index => "logstash-ids-%{+YYYY.MM.dd}"
-      template => "/logstash-template.json"
-    }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9500_output_beats.conf b/salt/logstash/conf/pipelines/eval/templates/9500_output_beats.conf
deleted file mode 100644
index 30900cb93..000000000
--- a/salt/logstash/conf/pipelines/eval/templates/9500_output_beats.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('node:mainip', '') -%}
-{%- endif %}
-# Author: Wes Lambert
-# Last Update: 09/14/2018
-filter {
-  if "beat" in [tags] {
-    mutate {
-          ##add_tag => [ "conf_file_9500"]
-        }
-  }
-}
-output {
-  if "beat" in [tags] {
-    elasticsearch {
-      hosts => "{{ ES }}"
-      index => "logstash-beats-%{+YYYY.MM.dd}"
-      template_name => "logstash-beats"
-      template => "/beats-template.json"
-      template_overwrite => true
-    }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9600_output_ossec.conf b/salt/logstash/conf/pipelines/eval/templates/9600_output_ossec.conf
deleted file mode 100644
index 71d0c28aa..000000000
--- a/salt/logstash/conf/pipelines/eval/templates/9600_output_ossec.conf
+++ /dev/null
@@ -1,29 +0,0 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('node:mainip', '') -%}
-{%- endif %}
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Updated by: Doug Burks
-# Last Update: 9/19/2018
-
-filter {
-  if [event_type] =~ "ossec" {
-    mutate {
-          ##add_tag => [ "conf_file_9600"]
-        }
-  }
-}
-
-output {
-  if [event_type] =~ "ossec" or "ossec" in [tags] {
-    elasticsearch {
-      hosts => "{{ ES }}"
-      index => "logstash-ossec-%{+YYYY.MM.dd}"
-      template_name => "logstash-ossec"
-      template => "/logstash-ossec-template.json"
-      template_overwrite => true
-    }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/helix/1033_preprocess_snort.conf b/salt/logstash/conf/pipelines/helix/1033_preprocess_snort.conf
deleted file mode 100644
index 897a8ae4b..000000000
--- a/salt/logstash/conf/pipelines/helix/1033_preprocess_snort.conf
+++ /dev/null
@@ -1,181 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Updated by: Doug Burks
-# Last Update: 3/15/2018
-
-filter {
-  if [type] == "ids" {
-    # This is the initial parsing of the log
-    if [engine] == "suricata" {
-        json {
-            source => "message"
-        }
-        mutate {
-	    rename => { "alert" => "orig_alert" } 
-            rename => { "[orig_alert][gid]" => "gid" }
-            rename => { "[orig_alert][signature_id]" => "sid" }
-            rename => { "[orig_alert][rev]" => "rev" }
-            rename => { "[orig_alert][signature]" => "alert" }
-            rename => { "[orig_alert][category]" => "classification" }
-            rename => { "[orig_alert][severity]" => "priority" }
-	    rename => { "[orig_alert][rule]" => "rule_signature" }
-            rename => { "app_proto" => "application_protocol" }
-            rename => { "dest_ip" => "destination_ip" }
-            rename => { "dest_port" => "destination_port" }
-            rename => { "in_iface" => "interface" }
-            rename => { "proto" => "protocol" }
-            rename => { "src_ip" => "source_ip" }
-            rename => { "src_port" => "source_port" }
-	    #rename => { "[fileinfo][filename]" => "filename" }
-            #rename => { "[fileinfo][gaps]" => "gaps" }
-            #rename => { "[fileinfo][size]" => "size" }
-            #rename => { "[fileinfo][state]" => "state" }
-            #rename => { "[fileinfo][stored]" => "stored" }
-            #rename => { "[fileinfo][tx_id]" => "tx_id" }
-            #rename => { "[flow][age]" => "duration" }
-            #rename => { "[flow][alerted]" => "flow_alerted" }
-            #rename => { "[flow][bytes_toclient]" => "bytes_to_client" }
-            #rename => { "[flow][bytes_toserver]" => "bytes_to_server" }
-            #rename => { "[flow][end]" => "flow_end" }
-            #rename => { "[flow][pkts_toclient]" => "packets_to_client" }
-            #rename => { "[flow][pkts_toserver]" => "packets_to_server" }
-            #rename => { "[flow][reason]" => "reason" }
-            #rename => { "[flow][start]" => "flow_start" }
-            #rename => { "[flow][state]" => "state" }
-            #rename => { "[netflow][age]" => "duration" }
-            #rename => { "[netflow][bytes]" => "bytes" }
-            #rename => { "[netflow][end]" => "netflow_end" }
-            #rename => { "[netflow][start]" => "netflow_start" }
-            #rename => { "[netflow][pkts]" => "packets" }
-            rename => { "[alert][action]" => "action" }
-            rename => { "[alert][category]" => "category" }
-            rename => { "[alert][gid]" => "gid" }
-            rename => { "[alert][rev]" => "rev" }
-            rename => { "[alert][severity]" => "severity" }
-            rename => { "[alert][signature]" => "signature" }
-            rename => { "[alert][signature_id]" => "sid" }
-	    #rename => { "[dns][aa]" => "aa" }
-            #rename => { "[dns][flags]" => "flags" }
-	    #rename => { "[dns][id]" => "id" }
-	    #rename => { "[dns][qr]" => "qr" }
-            #rename => { "[dns][rcode]" => "rcode_name" }
-	    #rename => { "[dns][rrname]" => "rrname" }
-	    #rename => { "[dns][rrtype]" => "rrtype" }
-            #rename => { "[dns][tx_id]" => "tx_id" }
-	    #rename => { "[dns][type]" => "record_type" }
-	    #rename => { "[dns][version]" => "version" }
-            rename => { "[http][hostname]" => "virtual_host" }
-            rename => { "[http][http_content_type]" => "content_type" }
-            rename => { "[http][http_port]" => "http_port" }
-            rename => { "[http][http_method]" => "method" }
-	    rename => { "[http][http_user_agent]" => "useragent" }
-            #rename => { "[http][length]" => "payload_length" }
-            #rename => { "[http][protocol]" => "http_version" }
-            rename => { "[http][status]" => "status_message" }
-            rename => { "[http][url]" => "url" }
-            #rename => { "[metadata][flowbits]" => "flowbits" }
-            rename => { "[tls][fingerprint]" => "certificate_serial_number" }
-            rename => { "[tls][issuerdn]" => "issuer_distinguished_name" }
-            rename => { "[tls][notafter]" => "certificate_not_valid_after" }
-            rename => { "[tls][notbefore]" => "certificate_not_valid_before" }
-            rename => { "[tls][subject]" => "certificate_common_name" }
-            rename => { "[tls][version]" => "tls_version" }
-	    rename => { "event_type" => "ids_event_type" }
-	    remove_field => [ "offset", "orig_alert", "beat", "input", "prospector" ]
-	    remove_tag => [ "beats_input_codec_plain_applied" ]
-	    add_tag => [ "eve" ]
-             
-	}
-    } else {
-        grok {
-          match => ["message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+<%{DATA:interface}>\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip}):%{INT:destination_port}",
-		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+<%{DATA:interface}>\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip})", 
-		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+%{IPV4:destination_ip}:%{INT:destination_port}", 
-		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip})",
-		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip}):%{INT:destination_port}",
-               "message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip})",
-		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}",
-		"message", "\A%{TIME} pid\(%{INT}\)  Alert Received: %{INT} %{INT:priority} %{DATA:classification} %{DATA:interface} \{%{DATA:timestamp}} %{INT} %{INT} \{%{DATA:alert}} %{IP:source_ip} %{IP:destination_ip} %{INT:protocol} %{INT:source_port} %{INT:destination_port} %{INT:gid} %{INT:sid} %{INT:rev} %{INT} %{INT}\Z",
-                "message", "%{GREEDYDATA:alert}"]
-        }
-    }
-    if [timestamp] {
-        mutate {
-                add_field => { "logstash_timestamp" => "%{@timestamp}" }
-        }
-        mutate {
-                convert => { "logstash_timestamp" => "string" }
-        }
-        date {
-                match => [ "timestamp", "ISO8601" ]
-        }
-        mutate {
-                rename => { "logstash_timestamp" => "timestamp" }
-        }
-    }
-	
-	# If the alert is a Snort GPL alert break it apart for easier reading and categorization
-    if [alert] =~ "GPL " {
-	  # This will parse out the category type from the alert
-      grok {
-        match => { "alert" => "GPL\s+%{DATA:category}\s" }
-      }
-	  # This will store the category
-      mutate {
-        add_field => { "rule_type" => "Snort GPL" }
-        lowercase => [ "category"]
-        }
-    }
-	# If the alert is an Emerging Threat alert break it apart for easier reading and categorization
-    if [alert] =~ "ET " {
-	  # This will parse out the category type from the alert
-      grok {
-        match => { "alert" => "ET\s+%{DATA:category}\s" }
-      }
-	  # This will store the category
-      mutate {
-        add_field => { "rule_type" => "Emerging Threats" }
-        lowercase => [ "category"]
-      }
-    }
-	# I recommend changing the field types below to integer so searches can do greater than or less than
-	# and also so math functions can be ran against them
-    mutate {
-      convert => [ "source_port", "integer" ]
-      convert => [ "destination_port", "integer" ]
-      convert => [ "gid", "integer" ]
-      convert => [ "sid", "integer" ]
-    #  remove_field => [ "message"]
-    }
-	# This will translate the priority field into a severity field of either High, Medium, or Low
-	if [priority] == 1 {
-      mutate {
-        add_field => { "severity" => "High" }
-      }
-    }
-    if [priority] == 2 {
-      mutate {
-        add_field => { "severity" => "Medium" }
-      }
-    }
-    if [priority] == 3 {
-      mutate {
-        add_field => { "severity" => "Low" }
-      }
-    }
-    # This section adds URLs to lookup information about a rule online
-    if [sid] and [sid] > 0 and [sid] < 1000000 {
-      mutate {
-        add_field => [ "signature_info", "https://www.snort.org/search?query=%{gid}-%{sid}" ]
-      }
-    }
-    if [sid] and [sid] > 1999999 and [sid] < 2999999 {
-      mutate {
-        add_field => [ "signature_info", "http://doc.emergingthreats.net/%{sid}" ]
-      }
-    }
-#	mutate {
-		#add_tag => [ "conf_file_1033"]
-#	}
-  }
-}
diff --git a/salt/logstash/conf/pipelines/helix/8001_postprocess_common_ip_augmentation.conf b/salt/logstash/conf/pipelines/helix/8001_postprocess_common_ip_augmentation.conf
deleted file mode 100644
index d28449da6..000000000
--- a/salt/logstash/conf/pipelines/helix/8001_postprocess_common_ip_augmentation.conf
+++ /dev/null
@@ -1,58 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Updated by: Doug Burks
-# Last Update: 5/20/2017
-
-filter {
-  if [source_ip] {
-    if [source_ip] == "-" {
-      mutate {
-        replace => { "source_ip" => "0.0.0.0" }
-      }
-    }
-    if [source_ip] =~ "10\." or [source_ip] =~ "192\.168\." or [source_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." or [source_ip] =~ "fe80::20c:29ff:fe19:f7d" or [source_ip] =~ "::1" {
-	mutate {
-	}
-      } else {
-        geoip {
-          source => "[source_ip]"
-          target => "source_geo"
-        }
-      }
-    if [source_ip] {
-      mutate {
-        add_field => { "ips" => "%{source_ip}" }
-        add_field => { "source_ips" => [ "%{source_ip}" ] }
-      }
-    }
-  }
-  if [destination_ip] {
-    if [destination_ip] == "-" {
-      mutate {
-        replace => { "destination_ip" => "0.0.0.0" }
-      }
-    }
-    if [destination_ip] =~ "10\." or [destination_ip] =~ "192\.168\." or [destination_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." or [destination_ip] =~ "239.255.255.250" or [destination_ip] =~ "224\.0\.0\." or [destination_ip] =~ "255.255.255.255" or [destination_ip] =~ "ff02::fb" or [destination_ip] =~ "fe80::20c:29ff:fe19:f7d" or [destination_ip] =~ "224\.0\.1\." {
-      mutate {
-      }
-    }
-    else {
-      geoip {
-      source => "[destination_ip]"
-      target => "destination_geo"
-      }
-    }
-  }
-  if [destination_ip] {
-    mutate {
-      add_field => { "ips" => "%{destination_ip}" }
-      add_field => { "destination_ips" => [ "%{destination_ip}" ] }
-    }
-  }
-}
-  #if [source_ip] or [destination_ip] {
-  #  mutate {
-	  #add_tag => [ "conf_file_8001"]
-  #	}
-  #}
-
diff --git a/salt/logstash/conf/pipelines/master/0010_input_hhbeats.conf b/salt/logstash/conf/pipelines/master/0010_input_hhbeats.conf
deleted file mode 100644
index 6b7667f5c..000000000
--- a/salt/logstash/conf/pipelines/master/0010_input_hhbeats.conf
+++ /dev/null
@@ -1,40 +0,0 @@
-input {
-  beats {
-    port => "5644"
-    ssl => true
-    ssl_certificate_authorities => ["/usr/share/filebeat/ca.crt"]
-    ssl_certificate => "/usr/share/logstash/filebeat.crt"
-    ssl_key => "/usr/share/logstash/filebeat.key"
-    tags => [ "beat" ]
-  }
-}
-filter {
-  if [type] == "ids" or [type] =~ "bro" {
-    mutate {
-      rename => { "host" => "beat_host" }
-      remove_tag => ["beat"]
-      add_field => { "sensor_name" => "%{[beat][name]}" }
-      add_field => { "syslog-host_from" => "%{[beat][name]}" }
-      remove_field => [ "beat", "prospector", "input", "offset" ]
-    }
-  }
-  if [type] =~ "ossec" {
-    mutate {
-      rename => { "host" => "beat_host" }
-      remove_tag => ["beat"]
-      add_field => { "syslog-host_from" => "%{[beat][name]}" }
-      remove_field => [ "beat", "prospector", "input", "offset" ]
-    }
-   }
-    if [type] == "osquery" {
-    mutate {
-      rename => { "host" => "beat_host" }
-      remove_tag => ["beat"]
-      add_tag => ["osquery"]
-        	}
-   json {
-    source => "message"
-    target => "osquery"
-        }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/search/1000_preprocess_log_elapsed.conf b/salt/logstash/conf/pipelines/search/1000_preprocess_log_elapsed.conf
deleted file mode 100644
index d098eb11a..000000000
--- a/salt/logstash/conf/pipelines/search/1000_preprocess_log_elapsed.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  ruby {
-    code => "event.set('task_start', Time.now.to_f)"
-  }
-  mutate {
-    #add_tag => [ "conf_file_1000"]
-  }
-}
diff --git a/salt/logstash/conf/pipelines/search/1001_preprocess_syslogng.conf b/salt/logstash/conf/pipelines/search/1001_preprocess_syslogng.conf
deleted file mode 100644
index 84bce8802..000000000
--- a/salt/logstash/conf/pipelines/search/1001_preprocess_syslogng.conf
+++ /dev/null
@@ -1,33 +0,0 @@
-# Updated by: Doug Burks and Wes Lambert
-# Last Update: 10/30/2018
-
-filter {
-  if "syslogng" in [tags] {
-	mutate {
-		rename => { "MESSAGE" => "message" }
-		rename => { "PROGRAM" => "type" }
-		rename => { "FACILITY" => "syslog-facility" }
-		rename => { "FILE_NAME" => "syslog-file_name" }
-		rename => { "HOST" => "syslog-host" }
-		rename => { "HOST_FROM" => "syslog-host_from" }
-		rename => { "LEGACY_MSGHDR" => "syslog-legacy_msghdr" }
-		rename => { "PID" => "syslog-pid" }
-		rename => { "PRIORITY" => "syslog-priority" }
-		rename => { "SOURCEIP" => "syslog-sourceip" }
-		rename => { "TAGS" => "syslog-tags" }
-		lowercase => [ "syslog-host_from" ]
-		remove_field => [ "ISODATE" ]
-		remove_field => [ "SEQNUM" ]
-          	#add_tag => [ "conf_file_1001"]
-	}
-	if "bro_" in [type] {
-		mutate {
-			add_tag => [ "bro" ]
-		}
-	} else if [type] !~ /ossec.*|snort/ and "firewall" not in [tags] {
-		mutate {
-			add_tag => [ "syslog" ]
-		}
-	}
-  }
-}
diff --git a/salt/logstash/conf/pipelines/search/1002_preprocess_json.conf b/salt/logstash/conf/pipelines/search/1002_preprocess_json.conf
deleted file mode 100644
index ea7c677da..000000000
--- a/salt/logstash/conf/pipelines/search/1002_preprocess_json.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if "json" in [tags]{
-    json {
-      source => "message"
-    }
-    mutate {
-      remove_tag => [ "json" ]
-    }
-	mutate {
-		#add_tag => [ "conf_file_1002"]
-	}
-  }
-}
diff --git a/salt/logstash/conf/pipelines/search/1004_preprocess_syslog_types.conf b/salt/logstash/conf/pipelines/search/1004_preprocess_syslog_types.conf
deleted file mode 100644
index 243abcc15..000000000
--- a/salt/logstash/conf/pipelines/search/1004_preprocess_syslog_types.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-filter {
-  if "syslog" in [tags] {
-    if [host] == "172.16.1.1" {
-      mutate {
-        add_field => { "type" => "fortinet" }
-        add_tag => [ "firewall" ]
-      }
-    }
-    if [host] == "10.0.0.101" {
-      mutate {
-        add_field => { "type" => "brocade" }
-        add_tag => [ "switch" ]
-      }
-    }
-	mutate {
-		#add_tag => [ "conf_file_1004"]
-	}
-  }
-}
diff --git a/salt/logstash/conf/pipelines/search/1026_preprocess_dhcp.conf b/salt/logstash/conf/pipelines/search/1026_preprocess_dhcp.conf
deleted file mode 100644
index 2f893cf7a..000000000
--- a/salt/logstash/conf/pipelines/search/1026_preprocess_dhcp.conf
+++ /dev/null
@@ -1,140 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolutions.com
-# Last Update: 12/9/2016
-# This conf file is based on accepting logs for DHCP.  It is currently based on Windows DHCP only.
-filter {
-  if [type] == "dhcp" {
-    mutate {
-      add_field => { "Hostname" => "%{host}" }
-    }
-    mutate {
-      strip => "message"
-    }
-	  # This is the initial parsing of the log
-      grok {
-        # Server 2008+
-        match => { "message" => "%{DATA:id},%{DATE_US:date},(?<time>%{HOUR}:%{MINUTE}:%{SECOND}),%{DATA:description},%{IPV4:ip},%{DATA:Hostname},%{DATA:mac},%{DATA:Username},%{INT:TransactionID},%{INT:QResult},%{DATA:ProbationTime},%{DATA:CorrelationID}"}
-        # Server 2003
-        match => { "message" => "%{DATA:id},%{DATE_US:date},(?<time>%{HOUR}:%{MINUTE}:%{SECOND}),%{DATA:description},%{IPV4:ip},%{DATA:Hostname},%{DATA:mac},"}
-        match => { "message" => "%{DATA:id},%{DATA:date},(?<time>%{HOUR}:%{MINUTE}:%{SECOND}),%{DATA:description},%{DATA:ip},%{DATA:Hostname},%{DATA:mac},"}
-      }
-	  # This section below translates the message ID into something humans can understand.
-      if [id] == "00" {
-        mutate {
-          add_field => [ "event", "The log was started"]
-        }
-      }
-      if [id] == "01" {
-        mutate {
-          add_field => [ "event", "The log was stopped"]
-        }
-      }
-      if [id] == "02" {
-        mutate {
-          add_field => [ "event", "The log was temporarily paused due to low disk space"]
-        }
-      }
-      if [id] == "10" {
-        mutate {
-          add_field => [ "event", "A new IP address was leased to a client"]
-        }
-      }
-      if [id] == "11" {
-        mutate {
-          add_field => [ "event", "A lease was renewed by a client"]
-        }
-      }
-      if [id] == "12" {
-        mutate {
-          add_field => [ "event", "A lease was released by a client"]
-        }
-      }
-      if [id] == "13" {
-        mutate {
-          add_field => [ "event", "An IP address was found to be in use on the network"]
-        }
-      }
-      if [id] == "14" {
-        mutate {
-          add_field => [ "event", "A lease request could not be satisfied because the scope's address pool was exhausted"]
-        }
-      }
-      if [id] == "15" {
-        mutate {
-          add_field => [ "event", "A lease was denied"]
-        }
-      }
-      if [id] == "16" {
-        mutate {
-          add_field => [ "event", "A lease was deleted"]
-        }
-      }
-      if [id] == "17" {
-        mutate {
-          add_field => [ "event", "A lease was expired and DNS records for an expired leases have not been deleted"]
-        }
-      }
-      if [id] == "18" {
-        mutate {
-          add_field => [ "event", "A lease was expired and DNS records were deleted"]
-        }
-      }
-      if [id] == "20" {
-        mutate {
-          add_field => [ "event", "A BOOTP address was leased to a client"]
-        }
-      }
-      if [id] == "21" {
-        mutate {
-          add_field => [ "event", "A dynamic BOOTP address was leased to a client"]
-        }
-      }
-      if [id] == "22" {
-        mutate {
-          add_field => [ "event", "A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted"]
-        }
-      }
-      if [id] == "23" {
-        mutate {
-          add_field => [ "event", "A BOOTP IP address was deleted after checking to see it was not in use"]
-        }
-      }
-      if [id] == "24" {
-        mutate {
-          add_field => [ "event", "IP address cleanup operation has began"]
-        }
-      }
-      if [id] == "25" {
-        mutate {
-          add_field => [ "event", "IP address cleanup statistics"]
-        }
-      }
-      if [id] == "30" {
-        mutate {
-          add_field => [ "event", "DNS update request to the named DNS server"]
-        }
-      }
-      if [id] == "31" {
-        mutate {
-          add_field => [ "event", "DNS update failed"]
-        }
-      }
-      if [id] == "32" {
-        mutate {
-          add_field => [ "event", "DNS update successful"]
-        }
-      }
-      if [id] == "33" {
-        mutate {
-          add_field => [ "event", "Packet dropped due to NAP policy"]
-        }
-      }
-	  # If the message failed to parse correctly keep the message for debugging.  Otherwise, drop it.
-      #if "_grokparsefailure" not in [tags] { 
-      #  mutate {
-      #    remove_field => [ "message"]
-      #  }
-      #}
-  }
-}
diff --git a/salt/logstash/conf/pipelines/search/1029_preprocess_esxi.conf b/salt/logstash/conf/pipelines/search/1029_preprocess_esxi.conf
deleted file mode 100644
index 18120d00d..000000000
--- a/salt/logstash/conf/pipelines/search/1029_preprocess_esxi.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-#
-# This configuration file takes ESXi syslog messages and filters them.  There is no input as the logs would have came in via syslog
-filter {
-  # This is an example of using an IP address range to classify a syslog message to a specific type of log
-  # This is helpful as so many devices only send logs via syslog
-  if [host] =~ "10\.[0-1]\.9\." {
-    mutate {
-      replace => ["type", "esxi"]
-    }
-  }
-  if [host] =~ "\.234$" {
-    mutate {
-      replace => ["type", "esxi"]
-    }
-  }
-  if [type] == "esxi" {
-     grok {
-          match => { "message" => "(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGHOST:logsource}) (?:%{SYSLOGPROG}): (?<messagebody>(?:\[(?<esxi_thread_id>[0-9A-Z]{8,8}) %{DATA:esxi_loglevel} \'%{DATA:esxi_service}\'\] %{GREEDYDATA:esxi_message}|%{GREEDYDATA}))"}
-
-#      pattern => ['(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGHOST:logsource}) (?:%{SYSLOGPROG}): (?<messagebody>(?:\[(?<esxi_thread_id>[0-9A-Z]{8,8}) %{DATA:esxi_loglevel} \'%{DATA:esxi_service}\'\] %{GREEDYDATA:esxi_message}|%{GREEDYDATA}))']
-    }
-	mutate {
-		#add_tag => [ "conf_file_1029"]
-	}
-  }
-}
-
diff --git a/salt/logstash/conf/pipelines/search/1030_preprocess_greensql.conf b/salt/logstash/conf/pipelines/search/1030_preprocess_greensql.conf
deleted file mode 100644
index adea86053..000000000
--- a/salt/logstash/conf/pipelines/search/1030_preprocess_greensql.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [type] == "greensql" {
-    # This section is parsing out the fields for GreenSQL syslog data
-    grok {
-      match => { "message" => "<%{INT:Code}>%{DATA:Category}\[%{INT:Transcation}\]:\s*Database=%{DATA:Database}\sUser=%{DATA:UserName}\sApplication Name=%{DATA:Application}\sSource IP=%{IPV4:SrcIp}\sSource Port=%{INT:SrcPort}\sTarget IP=?%{IPV4:DstIp}\sTarget Port=%{DATA:DstPort}\sQuery=%{GREEDYDATA:Query}"}
-      match => { "message" => "<%{INT:Code}>%{DATA:Category}\[%{INT:Transcation}\]:\sAdmin_Name=%{DATA:UserName}\sIP_Address=%{IPV4:SrcIp}\sUser_Agent=%{DATA:UserAgent}\sMessage=%{DATA:StatusMessage}\sDescription=%{DATA:Description}\sSeverity=%{GREEDYDATA:Severity}"}
-    }
-	# Remove the message field as it is unnecessary
-    #mutate {
-    #  remove_field => [ "message"]
-    #}
-	mutate {
-		#add_tag => [ "conf_file_1030"]
-	}
-  }
-}
diff --git a/salt/logstash/conf/pipelines/search/1031_preprocess_iis.conf b/salt/logstash/conf/pipelines/search/1031_preprocess_iis.conf
deleted file mode 100644
index 9bcd33a3e..000000000
--- a/salt/logstash/conf/pipelines/search/1031_preprocess_iis.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [type] == "iis" {
-    # The log is expected to have come from NXLog and in JSON format.  This allows for automatic parsing of fields
-    json {
-      source => "message"
-    }
-    # This removes the message field as it is unneccesary and tags the packet as web
-    mutate {
-    #  remove_field => [ "message"]
-      add_tag => [ "web" ]
-    }
-	mutate {
-		#add_tag => [ "conf_file_1031"]
-	}
-  }
-}
diff --git a/salt/logstash/conf/pipelines/search/1032_preprocess_mcafee.conf b/salt/logstash/conf/pipelines/search/1032_preprocess_mcafee.conf
deleted file mode 100644
index de5466288..000000000
--- a/salt/logstash/conf/pipelines/search/1032_preprocess_mcafee.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-#
-# This file looks for McAfee EPO logs
-filter {
-  if [type] == "mcafee" {
-    # NXLog should be sending the logs in JSON format so they auto parse
-    json {
-      source => "message"
-    }
-	# This section converts the UTC fields to the proper time format
-    date {
-      match => [ "ReceivedUTC", "YYYY-MM-dd HH:mm:ss" ]
-      target => [ "ReceivedUTC" ]
-    }
-    date {
-      match => [ "DetectedUTC", "YYYY-MM-dd HH:mm:ss" ]
-      target => [ "DetectedUTC" ]
-    }
-	mutate {
-		#add_tag => [ "conf_file_1032"]
-	}
-  }
-}
diff --git a/salt/logstash/conf/pipelines/search/1033_preprocess_snort.conf b/salt/logstash/conf/pipelines/search/1033_preprocess_snort.conf
deleted file mode 100644
index 897a8ae4b..000000000
--- a/salt/logstash/conf/pipelines/search/1033_preprocess_snort.conf
+++ /dev/null
@@ -1,181 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Updated by: Doug Burks
-# Last Update: 3/15/2018
-
-filter {
-  if [type] == "ids" {
-    # This is the initial parsing of the log
-    if [engine] == "suricata" {
-        json {
-            source => "message"
-        }
-        mutate {
-	    rename => { "alert" => "orig_alert" } 
-            rename => { "[orig_alert][gid]" => "gid" }
-            rename => { "[orig_alert][signature_id]" => "sid" }
-            rename => { "[orig_alert][rev]" => "rev" }
-            rename => { "[orig_alert][signature]" => "alert" }
-            rename => { "[orig_alert][category]" => "classification" }
-            rename => { "[orig_alert][severity]" => "priority" }
-	    rename => { "[orig_alert][rule]" => "rule_signature" }
-            rename => { "app_proto" => "application_protocol" }
-            rename => { "dest_ip" => "destination_ip" }
-            rename => { "dest_port" => "destination_port" }
-            rename => { "in_iface" => "interface" }
-            rename => { "proto" => "protocol" }
-            rename => { "src_ip" => "source_ip" }
-            rename => { "src_port" => "source_port" }
-	    #rename => { "[fileinfo][filename]" => "filename" }
-            #rename => { "[fileinfo][gaps]" => "gaps" }
-            #rename => { "[fileinfo][size]" => "size" }
-            #rename => { "[fileinfo][state]" => "state" }
-            #rename => { "[fileinfo][stored]" => "stored" }
-            #rename => { "[fileinfo][tx_id]" => "tx_id" }
-            #rename => { "[flow][age]" => "duration" }
-            #rename => { "[flow][alerted]" => "flow_alerted" }
-            #rename => { "[flow][bytes_toclient]" => "bytes_to_client" }
-            #rename => { "[flow][bytes_toserver]" => "bytes_to_server" }
-            #rename => { "[flow][end]" => "flow_end" }
-            #rename => { "[flow][pkts_toclient]" => "packets_to_client" }
-            #rename => { "[flow][pkts_toserver]" => "packets_to_server" }
-            #rename => { "[flow][reason]" => "reason" }
-            #rename => { "[flow][start]" => "flow_start" }
-            #rename => { "[flow][state]" => "state" }
-            #rename => { "[netflow][age]" => "duration" }
-            #rename => { "[netflow][bytes]" => "bytes" }
-            #rename => { "[netflow][end]" => "netflow_end" }
-            #rename => { "[netflow][start]" => "netflow_start" }
-            #rename => { "[netflow][pkts]" => "packets" }
-            rename => { "[alert][action]" => "action" }
-            rename => { "[alert][category]" => "category" }
-            rename => { "[alert][gid]" => "gid" }
-            rename => { "[alert][rev]" => "rev" }
-            rename => { "[alert][severity]" => "severity" }
-            rename => { "[alert][signature]" => "signature" }
-            rename => { "[alert][signature_id]" => "sid" }
-	    #rename => { "[dns][aa]" => "aa" }
-            #rename => { "[dns][flags]" => "flags" }
-	    #rename => { "[dns][id]" => "id" }
-	    #rename => { "[dns][qr]" => "qr" }
-            #rename => { "[dns][rcode]" => "rcode_name" }
-	    #rename => { "[dns][rrname]" => "rrname" }
-	    #rename => { "[dns][rrtype]" => "rrtype" }
-            #rename => { "[dns][tx_id]" => "tx_id" }
-	    #rename => { "[dns][type]" => "record_type" }
-	    #rename => { "[dns][version]" => "version" }
-            rename => { "[http][hostname]" => "virtual_host" }
-            rename => { "[http][http_content_type]" => "content_type" }
-            rename => { "[http][http_port]" => "http_port" }
-            rename => { "[http][http_method]" => "method" }
-	    rename => { "[http][http_user_agent]" => "useragent" }
-            #rename => { "[http][length]" => "payload_length" }
-            #rename => { "[http][protocol]" => "http_version" }
-            rename => { "[http][status]" => "status_message" }
-            rename => { "[http][url]" => "url" }
-            #rename => { "[metadata][flowbits]" => "flowbits" }
-            rename => { "[tls][fingerprint]" => "certificate_serial_number" }
-            rename => { "[tls][issuerdn]" => "issuer_distinguished_name" }
-            rename => { "[tls][notafter]" => "certificate_not_valid_after" }
-            rename => { "[tls][notbefore]" => "certificate_not_valid_before" }
-            rename => { "[tls][subject]" => "certificate_common_name" }
-            rename => { "[tls][version]" => "tls_version" }
-	    rename => { "event_type" => "ids_event_type" }
-	    remove_field => [ "offset", "orig_alert", "beat", "input", "prospector" ]
-	    remove_tag => [ "beats_input_codec_plain_applied" ]
-	    add_tag => [ "eve" ]
-             
-	}
-    } else {
-        grok {
-          match => ["message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+<%{DATA:interface}>\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip}):%{INT:destination_port}",
-		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+<%{DATA:interface}>\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip})", 
-		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+%{IPV4:destination_ip}:%{INT:destination_port}", 
-		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip})",
-		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip}):%{INT:destination_port}",
-               "message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip})",
-		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}",
-		"message", "\A%{TIME} pid\(%{INT}\)  Alert Received: %{INT} %{INT:priority} %{DATA:classification} %{DATA:interface} \{%{DATA:timestamp}} %{INT} %{INT} \{%{DATA:alert}} %{IP:source_ip} %{IP:destination_ip} %{INT:protocol} %{INT:source_port} %{INT:destination_port} %{INT:gid} %{INT:sid} %{INT:rev} %{INT} %{INT}\Z",
-                "message", "%{GREEDYDATA:alert}"]
-        }
-    }
-    if [timestamp] {
-        mutate {
-                add_field => { "logstash_timestamp" => "%{@timestamp}" }
-        }
-        mutate {
-                convert => { "logstash_timestamp" => "string" }
-        }
-        date {
-                match => [ "timestamp", "ISO8601" ]
-        }
-        mutate {
-                rename => { "logstash_timestamp" => "timestamp" }
-        }
-    }
-	
-	# If the alert is a Snort GPL alert break it apart for easier reading and categorization
-    if [alert] =~ "GPL " {
-	  # This will parse out the category type from the alert
-      grok {
-        match => { "alert" => "GPL\s+%{DATA:category}\s" }
-      }
-	  # This will store the category
-      mutate {
-        add_field => { "rule_type" => "Snort GPL" }
-        lowercase => [ "category"]
-        }
-    }
-	# If the alert is an Emerging Threat alert break it apart for easier reading and categorization
-    if [alert] =~ "ET " {
-	  # This will parse out the category type from the alert
-      grok {
-        match => { "alert" => "ET\s+%{DATA:category}\s" }
-      }
-	  # This will store the category
-      mutate {
-        add_field => { "rule_type" => "Emerging Threats" }
-        lowercase => [ "category"]
-      }
-    }
-	# I recommend changing the field types below to integer so searches can do greater than or less than
-	# and also so math functions can be ran against them
-    mutate {
-      convert => [ "source_port", "integer" ]
-      convert => [ "destination_port", "integer" ]
-      convert => [ "gid", "integer" ]
-      convert => [ "sid", "integer" ]
-    #  remove_field => [ "message"]
-    }
-	# This will translate the priority field into a severity field of either High, Medium, or Low
-	if [priority] == 1 {
-      mutate {
-        add_field => { "severity" => "High" }
-      }
-    }
-    if [priority] == 2 {
-      mutate {
-        add_field => { "severity" => "Medium" }
-      }
-    }
-    if [priority] == 3 {
-      mutate {
-        add_field => { "severity" => "Low" }
-      }
-    }
-    # This section adds URLs to lookup information about a rule online
-    if [sid] and [sid] > 0 and [sid] < 1000000 {
-      mutate {
-        add_field => [ "signature_info", "https://www.snort.org/search?query=%{gid}-%{sid}" ]
-      }
-    }
-    if [sid] and [sid] > 1999999 and [sid] < 2999999 {
-      mutate {
-        add_field => [ "signature_info", "http://doc.emergingthreats.net/%{sid}" ]
-      }
-    }
-#	mutate {
-		#add_tag => [ "conf_file_1033"]
-#	}
-  }
-}
diff --git a/salt/logstash/conf/pipelines/search/1034_preprocess_syslog.conf b/salt/logstash/conf/pipelines/search/1034_preprocess_syslog.conf
deleted file mode 100644
index 998109685..000000000
--- a/salt/logstash/conf/pipelines/search/1034_preprocess_syslog.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Updated by: Doug Burks
-# Last Update: 5/22/2017
-
-filter {
-  if [type] == "syslog" { 
-    # This drops syslog messages regarding license messages.  You may want to comment it out.
-    #if [message] =~ "license" {
-    #  drop { }
-    #}
-	mutate {
-		#convert => [ "status_code", "integer" ]
-	}
-  }  
-}
diff --git a/salt/logstash/conf/pipelines/search/2000_network_flow.conf b/salt/logstash/conf/pipelines/search/2000_network_flow.conf
deleted file mode 100644
index 40a060955..000000000
--- a/salt/logstash/conf/pipelines/search/2000_network_flow.conf
+++ /dev/null
@@ -1,59 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [type] == "sflow" {
-    if [message] =~ /CNTR/ {
-      drop { }
-    }
-
-    grok {
-      match => { "message" => "%{WORD:sample_type},%{IP:sflow_source_ip},%{WORD:in_port:int},%{WORD:out_port:int},%{WORD:source_mac},%{WORD:destination_mac},%{WORD:ether_type},%{NUMBER:in_vlan:int},%{NUMBER:out_vlan:int},%{IP:source_ip},%{IP:destination_ip},%{NUMBER:protocol:int},%{WORD:type_of_service},%{WORD:ttl:int},%{NUMBER:source_port:int},%{NUMBER:destination_port:int},%{DATA:tcp_flags},%{NUMBER:packet_size:int},%{NUMBER:ip_size:int},%{NUMBER:sample_rate:int}" }
-    }
-
-    if "_grokparsefailure" in [tags] {
-      drop { }
-    }
-
-    mutate {
-      add_field => {
-        "[source_hostname]" => "%{source_ip}"
-        "[destination_hostname]" => "%{destination_ip}"
-        "[sflow_source_hostname]" => "%{sflow_source_ip}"
-      }
-    }
-
-    translate {
-      field => "[source_port]"
-      destination => "[source_service]"
-      dictionary_path => "/lib/dictionaries/iana_services.yaml"
-    }
-
-    translate {
-      field => "[destination_port]"
-      destination => "[destination_service]"
-      dictionary_path => "/lib/dictionaries/iana_services.yaml"
-    }
-
-    translate {
-      field => "[protocol]"
-      destination => "[protocol_name]"
-      dictionary_path => "/lib/dictionaries/iana_protocols.yaml"
-    }
-
-    translate {
-      field => "[tcp_flags]"
-      destination => "[tcp_flag]"
-      dictionary_path => "/lib/dictionaries/tcp_flags.yaml"
-    }
-
-    mutate {
-      add_field => { "ips" => [ "%{sflow_source_ip}" ] }
-    }
-	mutate {
-		#add_tag => [ "conf_file_2000"]
-	}
-  }
-}
diff --git a/salt/logstash/conf/pipelines/search/6002_syslog.conf b/salt/logstash/conf/pipelines/search/6002_syslog.conf
deleted file mode 100644
index f82f81a25..000000000
--- a/salt/logstash/conf/pipelines/search/6002_syslog.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# Updated by: Doug Burks
-# Last Update: 5/16/2017
-#
-filter {
-  if "syslog" in [tags] {
-	mutate {
-		#convert => [ "status_code", "integer" ]
-	  #add_tag => [ "conf_file_6002"]
-	}
-  }
-}
diff --git a/salt/logstash/conf/pipelines/search/6101_switch_brocade.conf b/salt/logstash/conf/pipelines/search/6101_switch_brocade.conf
deleted file mode 100644
index dd2f3126c..000000000
--- a/salt/logstash/conf/pipelines/search/6101_switch_brocade.conf
+++ /dev/null
@@ -1,33 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [type] == "brocade" {
-    grok {
-      match => ["message", "<%{DATA}>%{GREEDYDATA:sys_message}"]
-    }
-    grok {
-      match => { "sys_message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid:int}\])?: %{GREEDYDATA:syslog_message}" }
-      add_field => [ "received_at", "%{@timestamp}" ]
-    }
-    if [syslog_message] =~ "Interface ethernet" or [syslog_program] == "PORT" {
-      grok {
-        match => { "syslog_message" => "%{DATA}%{INT:unit}\/%{INT:interface_type}\/%{INT:interface:int}" }
-      }
-      mutate {
-        add_field => { "interface_port" => "%{unit}/%{interface_type}/%{interface}" }
-      }
-    }
-    date {
-      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
-      timezone => "America/Chicago"
-      remove_field => "syslog_timestamp"
-      remove_field => "received_at"
-    }
-	mutate {
-		#add_tag => [ "conf_file_6101"]
-	}
-  }
-}
diff --git a/salt/logstash/conf/pipelines/search/6200_firewall_fortinet.conf b/salt/logstash/conf/pipelines/search/6200_firewall_fortinet.conf
deleted file mode 100644
index b33c89bb8..000000000
--- a/salt/logstash/conf/pipelines/search/6200_firewall_fortinet.conf
+++ /dev/null
@@ -1,281 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [type] == "fortinet" {
-    mutate {
-      gsub => [ "message", "= ", "=NA " ]
-    }
-
-    grok {
-       match => ["message", "type=%{DATA:event_type}\s+"]
-       tag_on_failure => []
-    }
-    grok {
-       match => ["message", "<%{DATA}>%{GREEDYDATA:kv}"]
-       tag_on_failure => []
-    }
-    kv {
-      source => "kv"
-      exclude_keys => [ "type" ]
-    }
-    mutate {
-      gsub => [ "log", "= ", "=NA " ]
-    }
-    kv {
-      source => "log"
-      target => "SubLog"
-    }
-    grok {
-       match => ["message", "custom: DOM-ALL, dns_query=%{DATA:dns_query};"]
-       tag_on_failure => [ "" ]
-    }
-    mutate {
-      rename => {  "action" => "action" }
-      rename => {  "addr" => "addr_ip" }
-      rename => {  "age" => "age" }
-      rename => {  "assigned" => "assigned_ip" }
-      rename => {  "assignip" => "assign_ip" }
-      rename => {  "ap" => "access_point" }
-      rename => {  "app" => "application" }
-      rename => {  "appcat" => "application_category" }
-      rename => {  "applist" => "application_list" }
-      rename => {  "apprisk" => "application_risk" }
-      rename => {  "approfile" => "accessPoint_profile" }
-      rename => {  "apscan" => "access_point_scan" }
-      rename => {  "apstatus" => "acces_point_status" }
-      rename => {  "aptype" => "access_point_type" }
-      rename => {  "authproto" => "authentication_protocol" }
-      rename => {  "bandwidth" => "bandwidth" }
-      rename => {  "banned_src" => "banned_source" }
-      rename => {  "cat" => "category" }
-      rename => {  "catdesc" => "category_description" }
-      rename => {  "cfgattr" => "configuration_attribute" }
-      rename => {  "cfgobj" => "configuration_object" }
-      rename => {  "cfgpath" => "configuration_path" }
-      rename => {  "cfgtid" => "configuration_transaction_id" }
-      rename => {  "channel" => "channel" }
-      rename => {  "community" => "community" }
-      rename => {  "cookies" => "cookies" }
-      rename => {  "craction" => "cr_action" }
-      rename => {  "crlevel" => "cr_level" }
-      rename => {  "crscore" => "cr_score" }
-      rename => {  "datarange" => "data_range" }
-      rename => {  "desc" => "description" }
-      rename => {  "detectionmethod" => "detection_method" }
-      rename => {  "devid" => "device_id" }
-      rename => {  "devname" => "device_name" }
-      rename => {  "devtype" => "device_type" }
-      rename => {  "dhcp_msg" => "dhcp_message" }
-      rename => {  "disklograte" => "disk_lograte" }
-      rename => {  "dstcountry" => "destination_country" }
-      rename => {  "dstintf" => "destination_interface" }
-      rename => {  "dstip" => "destination_ip" }
-      rename => {  "dstport" => "destination_port" }
-      rename => {  "duration" => "elapsed_time" }
-      rename => {  "error_num" => "error_number" }
-      rename => {  "espauth" => "esp_authentication" }
-      rename => {  "esptransform" => "esp_transform" }
-      rename => {  "eventid" => "event_id" }
-      rename => {  "eventtype" => "event_type" }
-      rename => {  "fazlograte" => "faz_lograte" }
-      rename => {  "filename" => "file_name" }
-      rename => {  "filesize" => "file_size" }
-      rename => {  "filetype" => "file_type" }
-      rename => {  "hostname" => "hostname" }
-      rename => {  "ip" => "source_ip" }
-      rename => {  "localip" => "source_ip" }
-      rename => {  "locip" => "local_ip" }
-      rename => {  "locport" => "source_port" }
-      rename => {  "logid" => "log_id" }
-      rename => {  "logver" => "log_version" }
-      rename => {  "manuf" => "manufacturer" }
-      rename => {  "mem" => "memory" }
-      rename => {  "meshmode" => "mesh_mode" }
-      rename => {  "msg" => "message" }
-      rename => {  "nextstat" => "next_stat" }
-      rename => {  "onwire" => "on_wire" }
-      rename => {  "osname" => "os_name" }
-      rename => {  "osversion" => "unauthenticated_user" }
-      rename => {  "outintf" => "outbound_interface" }
-      rename => {  "peer_notif" => "peer_notification" }
-      rename => {  "phase2_name" => "phase2_name" }
-      rename => {  "policyid" => "policy_id" }
-      rename => {  "policytype" => "policy_type" }
-      rename => {  "port" => "port" }
-      rename => {  "probeproto" => "probe_protocol" }
-      rename => {  "proto" => "protocol_number" }
-      rename => {  "radioband" => "radio_band" }
-      rename => {  "radioidclosest" => "radio_id_closest" }
-      rename => {  "radioiddetected" => "radio_id_detected" }
-      rename => {  "rcvd" => "bytes_received" }
-      rename => {  "rcvdbyte" => "bytes_received" }
-      rename => {  "rcvdpkt" => "packets_received" }
-      rename => {  "remip" => "destination_ip" }
-      rename => {  "remport" => "remote_port" }
-      rename => {  "reqtype" => "request_type" }
-      rename => {  "scantime" => "scan_time" }
-      rename => {  "securitymode" => "security_mode" }
-      rename => {  "sent" => "bytes_sent" }
-      rename => {  "sentbyte" => "bytes_sent" }
-      rename => {  "sentpkt" => "packets_sent" }
-      rename => {  "session_id" => "session_id" }
-      rename => {  "setuprate" => "setup_rate" }
-      rename => {  "sn" => "serial" }
-      rename => {  "snclosest" => "serial_closest_access_point" }
-      rename => {  "sndetected" => "serial_access_point_that_detected_rogue_ap" }
-      rename => {  "snmeshparent" => "serial_mesh_parent" }
-      rename => {  "srccountry" => "source_country" }
-      rename => {  "srcip" => "source_ip" }
-      rename => {  "srcmac" => "source_mac" }
-      rename => {  "srcname" => "source_name" }
-      rename => {  "srcintf" => "source_interface" }
-      rename => {  "srcport" => "source_port" }
-      rename => {  "stacount" => "station_count" }
-      rename => {  "stamac" => "static_mac" }
-      rename => {  "srccountry" => "source_country" }
-      rename => {  "srcip" => "source_ip" }
-      rename => {  "srcmac" => "source_mac" }
-      rename => {  "srcname" => "source_name" }
-      rename => {  "sn" => "serial" }
-      rename => {  "srcintf" => "source_interface" }
-      rename => {  "srcport" => "source_port" }
-      rename => {  "total" => "total_bytes" }
-      rename => {  "totalsession" => "total_sessions" }
-      rename => {  "trandisp" => "nat_translation_type" }
-      rename => {  "tranip" => "nat_destination_ip" }
-      rename => {  "tranport" => "nat_destination_port" }
-      rename => {  "transip" => "nat_source_ip" }
-      rename => {  "transport" => "nat_source_port" }
-      rename => {  "tunnelid" => "tunnel_id" }
-      rename => {  "tunnelip" => "tunnel_ip" }
-      rename => {  "tunneltype" => "tunnel_type" }
-      rename => {  "unauthuser" => "unauthenticated_user_source" }
-      rename => {  "unauthusersource" => "os_version" }
-      rename => {  "vendorurl" => "vendor_url" }
-      rename => {  "vpntunnel" => "vpn_tunnel" }
-      rename => {  "vulncat" => "vulnerability_category" }
-      rename => {  "vulncmt" => "vulnerability_count" }
-      rename => {  "vulnid" => "vulnerability_id" }
-      rename => {  "vulnname" => "vulnerability_name" }
-      rename => {  "vulnref" => "vulnerability_reference" }
-      rename => {  "vulnscore" => "vulnerability_score" }
-      rename => {  "xauthgroup" => "x_authentication_group" }
-      rename => {  "xauthuser" => "x_authentication_user" }
-      rename => {  "[SubLog][appid]" => "sub_application_id" }
-      rename => {  "[SubLog][devid]" => "sub_device_id" }
-      rename => {  "[SubLog][dstip]" => "sub_destination_ip" }
-      rename => {  "[SubLog][srcip]" => "sub_source_ip" }
-      rename => {  "[SubLog][dstport]" => "sub_destination_port" }
-      rename => {  "[SubLog][eventtype]" => "sub_event_type" }
-      rename => {  "[SubLog][proto]" => "sub_protocol_number" }
-      rename => {  "[SubLog][date]" => "sub_date" }
-      rename => {  "[SubLog][time]" => "sub_time" }
-      rename => {  "[SubLog][srcport]" => "sub_source_port" }
-      rename => {  "[SubLog][subtype]" => "sub_subtype" }
-      rename => {  "[SubLog][devname]" => "sub_device_name" }
-      rename => {  "[SubLog][itime]" => "sub_itime" }
-      rename => {  "[SubLog][level]" => "sub_level" }
-      rename => {  "[SubLog][logid]" => "sub_log_id" }
-      rename => {  "[SubLog][logver]" => "sub_log_version" }
-      rename => {  "[SubLog][type]" => "sub_event_type" }
-      rename => {  "[SubLog][vd]" => "sub_vd" }
-      rename => {  "[SubLog][action]" => "sub_action" }
-      rename => {  "[SubLog][logdesc]" => "sub_destination_ip" }
-      rename => {  "[SubLog][policyid]" => "sub_olicy_id" }
-      rename => {  "[SubLog][reason]" => "sub_reason" }
-      rename => {  "[SubLog][service]" => "sub_service" }
-      rename => {  "[SubLog][sessionid]" => "sub_session_id" }
-      rename => {  "[SubLog][src]" => "sub_source_ip" }
-      rename => {  "[SubLog][status]" => "sub_status" }
-      rename => {  "[SubLog][ui]" => "sub_ui" }
-      rename => {  "[SubLog][urlfilteridx]" => "sub_url_filter_idx" }
-      strip => [ "bytes_sent", "bytes_received" ]
-      convert => [ "bytes_sent", "integer" ]
-      convert => [ "bytes_received", "integer" ]
-      convert => [ "cr_score", "integer" ]
-      convert => [ "cr_action", "integer" ]
-      convert => [ "elapsed_time", "integer" ]
-      convert => [ "destination_port", "integer" ]
-      convert => [ "source_port", "integer" ]
-      convert => [ "local_port", "integer" ]
-      convert => [ "remote_port", "integer" ]
-      convert => [ "packets_sent", "integer" ]
-      convert => [ "packets_received", "integer" ]
-      convert => [ "port", "integer" ]
-      convert => [ "ProtocolNumber", "integer" ]
-      convert => [ "XAuthUser", "string" ]
-      remove_field => [ "kv", "log" ]
-    }
-    if [tunnel_ip] == "N/A" {
-      mutate {
-        remove_field => [ "tunnel_ip" ]
-      }
-    }
-    if [nat_destination_ip] {
-      mutate {
-        add_field => { "ips" => [ "%{nat_destination_ip}" ] }
-        add_field => { "destination_ips" => [ "%{nat_destination_ip}" ] }
-      }
-    }
-    if [sub_destination_ip] {
-      mutate {
-        add_field => { "ips" => [ "%{sub_destination_ip}" ] }
-        add_field => { "destination_ips" => [ "%{sub_destination_ip}" ] }
-      }
-    }
-    if [nat_source_ip] {
-      mutate {
-        add_field => { "ips" => [ "%{nat_source_ip}" ] }
-        add_field => { "source_ips" => [ "%{nat_source_ip}" ] }
-      }
-    }
-    if [sub_source_ip] {
-      mutate {
-        add_field => { "ips" => [ "%{sub_source_ip}" ] }
-        add_field => { "source_ips" => [ "%{sub_source_ip}" ] }
-      }
-    }
-    if [addr_ip] {
-      mutate {
-        add_field => { "ips" => [ "%{addr_ip}" ] }
-      }
-    }
-    if [assign_ip] {
-      mutate {
-        add_field => { "ips" => [ "%{assign_ip}" ] }
-      }
-    }
-    if [assigned_ip] {
-      mutate {
-        add_field => { "ips" => [ "%{assigned_ip}" ] }
-      }
-    }
-    grok {
-       match => ["message", "type=%{DATA:event_type}\s+"]
-    }
-    if [date] and [time] {
-      mutate {
-        add_field => { "receive_time" => "%{date} %{time}" }
-        remove_field => [ "date", "time" ]
-      }
-      date {
-        timezone => "America/Chicago"
-        match => [ "receive_time", "YYYY-MM-dd HH:mm:ss" ]
-        target => "receive_time"
-      }
-      mutate {
-        rename => { "receive_time" => "@timestamp" }
-      }
-    } else {
-      mutate {
-        add_tag => [ "missing_date" ]
-      }
-    }
-	mutate {
-		#add_tag => [ "conf_file_6200"]
-	}
-  }
-}
diff --git a/salt/logstash/conf/pipelines/search/6201_firewall_pfsense.conf b/salt/logstash/conf/pipelines/search/6201_firewall_pfsense.conf
deleted file mode 100644
index acd08eba0..000000000
--- a/salt/logstash/conf/pipelines/search/6201_firewall_pfsense.conf
+++ /dev/null
@@ -1,56 +0,0 @@
-# Author: Wes Lambert
-# Updated by: Doug Burks
-
-filter {
-  if [type] == "filterlog" {
-    dissect {
-      mapping => {
-        "message" => "%{rule_number},%{sub_rule_number},%{anchor},%{tracker_id},%{interface},%{reason},%{action},%{direction},%{ip_version},%{sub_msg}"
-      }
-    }
-    if [ip_version] == "4" {
-      dissect {
-      	mapping => {
-        	"sub_msg" => "%{ipv4_tos},%{ipv4_ecn},%{ipv4_ttl},%{ipv4_id},%{ipv4_offset},%{ipv4_flags},%{protocol_id},%{protocol},%{protocol_length},%{source_ip},%{destination_ip},%{ip_sub_msg}"
-      	}
-      }
-    }
-    if [ip_version] == "6" {
-      dissect {
-      	mapping => {
-        	"sub_msg" => "%{class},%{flow_label},%{hop_limit},%{protocol},%{protocol_id},%{length},%{source_ip},%{destination_ip},%{ip_sub_msg}"
-      	}
-      }
-    }
-    if [protocol] == "tcp" {
-      dissect {
-      	mapping => {
-        	"ip_sub_msg" => "%{source_port},%{destination_port},%{data_length},%{tcp_flags},"
-      	}
-      }
-    }
-    if [protocol] == "udp" {
-      dissect {
-      	mapping => {
-        	"ip_sub_msg" => "%{source_port},%{destination_port},%{data_length}"
-      	}
-      }
-    }
-    if [protocol] == "Options" {
-      mutate {
-	  copy => { "ip_sub_msg" => "options" }
-        }
-      mutate {
-          split => { "options" => "," }
-        }
-    }
-    mutate {
-      convert 		=> [ "destination_port", "integer" ]
-      convert 		=> [ "source_port", "integer" ]    
-      convert 		=> [ "ip_version", "integer" ]
-      replace 		=> { "type" => "firewall" }
-      add_tag		=> [ "pfsense","firewall" ]
-      remove_field 	=> [ "sub_msg", "ip_sub_msg" ]
-    }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/search/6300_windows.conf b/salt/logstash/conf/pipelines/search/6300_windows.conf
deleted file mode 100644
index 34450af2b..000000000
--- a/salt/logstash/conf/pipelines/search/6300_windows.conf
+++ /dev/null
@@ -1,161 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [type] == "windows" {
-#    json {
-#      source => "message"
-#    }
-    date {
-      match => ["EventTime", "YYYY-MM-dd HH:mm:ss"]
-      remove_field => [ "EventTime" ]
-    }
-    if [EventID] == 4634 {
-      mutate {
-        add_tag => [ "logoff" ]
-      }
-    }
-    if [EventID] == 4624 or [EventID] == 528 or [EventID] == 540 or [EventID] == 552 or [EventID] == 682 or [EventID] == 4648 or [EventID] == 4778 {
-      mutate {
-        add_tag => [ "logon" ]
-        add_tag => [ "alert_data" ]
-      }
-    }
-    if [EventID] == 529 or [EventID] == 4625 or [EventID] == 530 or [EventID] == 531 or [EventID] == 532 or [EventID] == 533 or [EventID] == 534 or [EventID] == 535 or [EventID] == 536 or [EventID] == 536 or [EventID] == 537 or [EventID] == 538 or [EventID] == 539 or [EventID] == 4625 or [EventID] == 4771 {
-      mutate {
-        add_tag => [ "logon_failure" ]
-        add_tag => [ "alert_data" ]
-      }
-    }
-    # Critical event IDs to monitor
-    if [EventID] == 7030 or [EventID] == 4720 or [EventID] == 4722 or [EventID] == 4724 or [EventID] == 4738 or [EventID] == 4732 or [EventID] == 1102 or [EventID] == 1056 or [EventID] == 2003 or [EventID] == 2005 or [EventID] == 8003 or [EventID] == 8004 or [EventID] == 8006 or [EventID] == 8007 {
-      mutate {
-        add_tag => [ "alert_data" ]
-      }
-    }
-    # Critical event IDs to monitor
-    if [EventID] == 5152 { drop {} }
-    if [EventID] == 4688 { drop {} }
-    if [EventID] == 4689 { drop {} } # Process Termination:Not needed due to Sysmon
-    if [Channel] == "Microsoft-Windows-Known Folders API Service" { drop {} }
-    if [EventID] == 3 and [SourceIp] =~ "255$" { drop {} }
-    if [EventID] == 3 and [DestinationIp] =~ "255$" { drop {} }
-    # Whitelist/Blacklist check
-    if [EventID] == 7045 {
-      translate {
-        field => "ServiceName"
-        destination => "ServiceCheck"
-        dictionary_path => "/lib/dictionaries/services.yaml"
-      }
-    }
-    if [EventID] == 7045 and !([ServiceCheck]) {
-      mutate {
-        add_tag => [ "alert_data","new_service" ] 
-      }
-    }
-    if [ServiceCheck] == 'whitelist' {
-      mutate {
-        remove_field => [ "ServiceCheck" ]
-        add_tag => [ "whitelist" ]
-      }
-    }
-    if [ServiceCheck] == 'blacklist' {
-      mutate {
-        remove_field => [ "ServiceCheck" ]
-        add_tag => [ "blacklist" ]
-      }
-    }
-    if [EventID] == 5158 {
-      if [Application] == "System" { drop {} }
-      if [Application] =~ "\\windows\\system32\\spoolsv\.exe" { drop {} }
-      if [Application] =~ "\\windows\\system32\\wbem\\wmiprvse\.exe" { drop {} }
-      if [Application] =~ "mcafee" { drop {} }
-      if [Application] =~ "carestream" { drop {} }
-      if [Application] =~ "Softdent" { drop {} }
-    }
-    if [ProcessName] == "C:\\Windows\\System32\\wbem\\WmiPrvSE\.exe" and [SubjectUserName] == "SolarwindsHO" { drop {} }
-    if [EventID] == 4690 { drop {} }
-    if [EventID] == 861 and [AccountName] == "ntp" { drop {} }
-    if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\lsass\.exe$" { drop {} }
-    if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\svchost\.exe$" { drop {} }
-    if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\dfsrs\.exe$" { drop {} }
-    if [EventID] == 5447 { drop {} }
-
-    mutate {
-      rename => [ "AccountName", "user" ]
-      rename => [ "AccountType", "account_type" ]
-      rename => [ "ActivityID", "activity_id" ]
-      rename => [ "Category", "category" ]
-      rename => [ "ClientAddress", "client_ip" ]
-      rename => [ "Channel", "channel" ]
-      rename => [ "DCIPAddress", "domain_controller_ip" ]
-      rename => [ "DCName", "domain_controller_name" ]
-      rename => [ "EventID", "event_id" ]
-      rename => [ "EventReceivedTime", "event_received_time" ]
-      rename => [ "EventType", "event_type" ]
-      rename => [ "GatewayIPAddress", "gateway_ip" ]
-      rename => [ "IPAddress", "client_ip" ]
-      rename => [ "Ipaddress", "client_ip" ]
-      rename => [ "IpAddress", "client_ip" ]
-      rename => [ "IPPort", "source_port" ]
-      rename => [ "OpcodeValue", "opcode_value" ]
-      rename => [ "PreAuthType", "preauthentication_type" ]
-      rename => [ "PrincipleSAMName", "user" ]
-      rename => [ "ProcessID", "process_id" ]
-      rename => [ "ProviderGUID", "providerguid" ]
-      rename => [ "RecordNumber", "record_number" ]
-      rename => [ "RemoteAddress", "destination_ip" ]
-      rename => [ "ServiceName", "service_name" ]
-      rename => [ "ServiceID", "service_id" ]
-      rename => [ "SeverityValue", "severity_value" ]
-      rename => [ "SourceAddress", "client_ip" ]
-      rename => [ "SourceModuleName", "source_module_name" ]
-      rename => [ "SourceModuleType", "source_module_type" ]
-      rename => [ "SourceName", "source_name" ]
-      rename => [ "SubjectUserName", "user" ]
-      rename => [ "TaskName", "task_name" ]
-      rename => [ "TargetDomainName", "target_domain_name" ]
-      rename => [ "TargetUserName", "user" ]
-      rename => [ "ThreadID", "thread_id" ]
-      rename => [ "User_ID", "user" ]
-      rename => [ "UserID", "user" ]
-      rename => [ "username", "user" ]
-    }
-    # For any accounts that are service accounts or special accounts add the tag of service_account
-    # This example applies the tag to any username that starts with SVC_.  If you use a different
-    # standard change this.
-    if [user] =~ "^DWM-*" or [user] == "SYSTEM" or [user] == "NETWORK SERVICE" or [user] == "LOCAL SERVICE" or [user] =~ "^SVC_*" {
-      mutate {
-        add_tag => [ "service_account" ]
-      }
-    }
-    # This looks for events that are typically noisy but may be of use for deep dive investigations
-    # A tag of noise is added to quickly filter out noise
-    if [event_id] == 7036 or [source_name] == "Desktop Window Manager" or [category] == "Engine Lifecycle" or [category] == "Provider Lifecycle" {
-      mutate {
-        add_tag => [ "noise" ]
-      }
-    }
-    #Identify machine accounts
-    if [user] =~ /\$/ {
-      mutate {
-        add_tag => [ "machine", "noise" ]
-      }
-    }
-    # Lower case all field names
-    ruby {
-      code => "
-        event_hash = event.to_hash
-        new_event = {}
-        event_hash.keys.each do |key|
-        new_event[key.downcase] = event[key]
-        end
-        event.instance_variable_set(:@data, new_event)"
-    }
-	mutate {
-		#add_tag => [ "conf_file_6300"]
-	}
-  }
-}
diff --git a/salt/logstash/conf/pipelines/search/6301_dns_windows.conf b/salt/logstash/conf/pipelines/search/6301_dns_windows.conf
deleted file mode 100644
index 1ef5077a6..000000000
--- a/salt/logstash/conf/pipelines/search/6301_dns_windows.conf
+++ /dev/null
@@ -1,49 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [type] == "dns" and "bro" not in [tags] {
-    json {
-      source => "message"
-    }
-    # strip whitespace from message field
-    mutate {
-      strip => "message"
-    }
-    # If the message is blank, drop the log
-    if [Message] =~ /^$/ {
-      drop {  }
-    } else {
-      if [type] == "dns" {
-  	  # This section is lookup for a match against the log and parsing out the fields
-        grok {
-          match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
-          match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
-          match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
-          match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
-          match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
-          # Server 2003 DNS logs do not include slashes or AM/PM in timestamp
-          match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
-          match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
-          match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
-          match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
-          match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
-          remove_field => [ "Message" ]
-        }
-  	  # This section attempts to convert the dns_domain into the traditional domain.com format
-        mutate {
-          gsub => [ "dns_domain", "(\(\d+\))", "." ]
-        }
-        grok {
-          match => { "dns_domain" => "\.%{DATA:query}\.$" }
-          remove_field => [ "dns_domain" ]
-        }
-      }
-    }
-	mutate {
-		#add_tag => [ "conf_file_6301"]
-	}
-  }
-}
diff --git a/salt/logstash/conf/pipelines/search/6400_suricata.conf b/salt/logstash/conf/pipelines/search/6400_suricata.conf
deleted file mode 100644
index 11f185ddf..000000000
--- a/salt/logstash/conf/pipelines/search/6400_suricata.conf
+++ /dev/null
@@ -1,92 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-#
-# This conf file is based on accepting logs for suricata json events
-filter {
-  if [type] == "suricata" {
-    if "test_data" not in [tags] {
-      date {
-        match => [ "timestamp", "ISO8601" ]
-      }
-    } else {
-      mutate {
-        remove_field => [ "netflow.start","netflow.end","timestamp" ]
-      }
-    }
-    if [event_type] == "fileinfo" {
-      ruby {
-        code => "if event['event_type'] == 'fileinfo'; event['fileinfo']['type']=event['fileinfo']['magic'].to_s.split(',')[0]; end;" 
-      }
-    }
-	# I recommend renaming the fields below to be consistent with other log sources.  This makes it easy to "pivot" between logs
-    mutate {
-      rename => [ "src_ip", "source_ip" ]
-      rename => [ "dest_ip", "destination_ip" ]
-      rename => [ "src_port", "source_port" ]
-      rename => [ "dest_port", "destination_port" ]
-    }
-	# This will translate the alert.severity field into a severity field of either High, Medium, or Low
-    if [event_type] == "alert" {
-      if [alert][severity] == 1 {
-        mutate {
-          add_field => { "severity" => "High" }
-        }
-      }
-      if [alert][severity] == 2 {
-        mutate {
-          add_field => { "severity" => "Medium" }
-        }
-      }
-      if [alert][severity] == 3 {
-        mutate {
-          add_field => { "severity" => "Low" }
-        }
-      }
-	  # If the alert is a Snort GPL alert break it apart for easier reading and categorization
-      if [alert][signature] =~ "GPL " {
-	    # This will parse out the category type from the alert
-        grok {
-          match => { "[alert][signature]" => "GPL\s+%{DATA:category}\s" }
-        }
-		# This will store the category
-        mutate {
-          add_field => { "rule_type" => "Snort GPL" }
-          lowercase => [ "category" ]
-        }
-      }
-	  # If the alert is an Emerging Threat alert break it apart for easier reading and categorization
-      if [alert][signature] =~ "ET " {
-	    # This will parse out the category type from the alert
-        grok {
-          match => { "[alert][signature]" => "ET\s+%{DATA:category}\s" }
-        }
-		# This will store the category
-        mutate {
-          add_field => { "rule_type" => "Emerging Threats" }
-          lowercase => [ "category" ]
-        }
-      }
-	  # This section adds URLs to lookup information about a rule online
-      if [rule_type] == "Snort GPL" {
-        mutate {
-          add_field => [ "signature_info", "https://www.snort.org/search?query=%{[alert][gid]}-%{[alert][signature_id]}" ]
-        }
-      }
-      if [rule_type] == "Emerging Threats" {
-        mutate {
-          add_field => [ "signature_info", "http://doc.emergingthreats.net/%{[alert][signature_id]}" ]
-        }
-      }
-    }
-    if "_grokparsefailure" not in [tags] and "_csvparsefailure" not in [tags] and "_jsonparsefailure" not in [tags] {
-    #  mutate {
-    #    remove_field => [ "message" ]
-    #  }
-    }
-	mutate {
-		#add_tag => [ "conf_file_6400"]
-	}
-  }
-}
diff --git a/salt/logstash/conf/pipelines/search/6500_ossec.conf b/salt/logstash/conf/pipelines/search/6500_ossec.conf
deleted file mode 100644
index 292fea49b..000000000
--- a/salt/logstash/conf/pipelines/search/6500_ossec.conf
+++ /dev/null
@@ -1,160 +0,0 @@
-# Author: Wes Lambert
-#
-# Last Update: 09/19/2018
-#
-# This conf file is based on accepting logs from OSSEC
-
-filter {
-  # OSSEC Alerts
-  if [type] == "ossec" {
-        
-	# Sysmon/Autoruns logs transported by OSSEC
-        if [message] =~ "Microsoft-Windows-Sysmon" {
-            mutate {
-                replace => { "type" => "sysmon" }
-                add_tag => [ "ossec" ]
-            }
-        }
-        if [message] =~ "AR-LOG" {
-            mutate {
-                replace => { "type" => "autoruns" }
-                add_tag => [ "ossec" ]
-            }
-        }
-		
-	# If message looks like json, try to parse it as such. Otherwise, grok.
-        if [message] =~ /^{.*}$/ {
-                json {
-                        source => "message"
-                }
-		mutate {
-			rename => { "rule" => "wazuh-rule" }
-			rename => { "[wazuh-rule][level]" => "alert_level" }
-			rename => { "[wazuh-rule][description]" => "description" }
-			rename => { "[data][srcuser]" => "username" }
-			rename => { "[data][dstuser]" => "escalated_user" }
-			rename => { "[data][command]" => "command" }
-			rename => { "[predecoder][program_name]" => "process" }
-			
-                }
-                # Wazuh 3.8.2
-                if [data][EventChannel] {
-        		mutate {
-				rename => { "[data][EventChannel][EventData][User]" => "username" }
-        			rename => { "[data][EventChannel][System][EventID]" => "event_id" }
-        			rename => { "[data][EventChannel][EventData][DestinationPort]" => "destination_port" }
-        			rename => { "[data][EventChannel][EventData][DestinationIp]" => "destination_ip" }
-        			rename => { "[data][EventChannel][EventData][SourcePort]" => "source_port" }
-        			rename => { "[data][EventChannel][EventData][SourceIp]" => "source_ip" }
-        			rename => { "[data][EventChannel][EventData][SourceHostname]" => "source_hostname" }
-        			rename => { "[data][EventChannel][EventData][DestinationHostname]" => "destination_hostname" }
-			}
-		}
-                # Wazuh 3.9.2
-		if [data][win] {
-                        mutate {
-				rename => { "[data][win][eventdata][user]" => "username" }
-                        	rename => { "[data][win][system][eventID]" => "event_id" }
-                        	rename => { "[data][win][eventdata][destinationPort]" => "destination_port" }
-                        	rename => { "[data][win][eventdata][destinationIp]" => "destination_ip" }
-                        	rename => { "[data][win][eventdata][sourcePort]" => "source_port" }
-                        	rename => { "[data][win][eventdata][sourceIp]" => "source_ip" }
-                        	rename => { "[data][win][eventdata][sourceHostname]" => "source_hostname" }
-                        	rename => { "[data][win][eventdata][destinationHostname]" => "destination_hostname" } 
-                        }
-		}
-	} else {
-		grok {
-			match => ["message", "Alert Level: %{NONNEGINT;alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; user: +%{DATA:username}; %{SYSLOGTIMESTAMP} %{DATA:host} %{DATA:process}\[%{INT:pid}]: %{GREEDYDATA:details}", 
-				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}",
-				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}", 
-				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: +%{DATA:username} : TTY=%{DATA:tty} ; PWD=%{DATA:dir} ; USER=%{DATA:escalated_user} ; COMMAND=%{GREEDYDATA:command}", 
-				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: %{GREEDYDATA:details}", 
-				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: +%{DATA:username} : %{GREEDYDATA:details}",  
-				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; srcip: %{IP:source_ip};%{GREEDYDATA:details}", 
-				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA:username}: %{DATA}: \'%{DATA}': %{DATA:interface}: %{INT:num_packets}",
-				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA:username}: %{GREEDYDATA:details}.",
-				"message", "Alert Level: %{NONNEGINT:alert_Level}; Rule: %{NONNEGINT:Rule} - %{DATA:Description}; Location: %{DATA:location}; user: +%{DATA:username};",
-				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA}: %{DATA}: \'%{DATA}': %{DATA:interface}: %{NONNEGINT:num_packets}",
-				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{GREEDYDATA:details}"]
-		}
-	}
-	
-	# Add tag for OSSEC alerts
-	if [alert_level] {
-            mutate {
-		add_tag => [ "alert" ]
-	    }
-        }
-
-	translate {
-		field => "alert_level"
-
-		destination => "classification"
-
-		dictionary => [
-               	    "1", "None",
-		    "2", "System low priority notification",
-		    "3", "Successful/authorized event",
-		    "4", "System low priority error",
-		    "5", "User generated error",
-		    "6", "Low relevance attack",
-		    "7", '"Bad word" matching',
-		    "8", "First time seen",
-		    "9", "Error from invalid source",
-		    "10", "Multiple user generated errors",
-		    "11", "Integrity checking warning",
-		    "12", "High importance event",
-		    "13", "Unusal error (high importance)",
-		    "14", "High importance security event",
-		    "15", "Severe attack"
-               	]
-	}
-  }
-
-  # OSSEC Archive Logs
-  if [type] == "ossec_archive" {
-        
-	# Sysmon/Autoruns logs transported by OSSEC
-	if [message] =~ "Microsoft-Windows-Sysmon" {
-            mutate { 
-                replace => { "type" => "sysmon" } 
-                add_tag => [ "ossec" ] 
-	    }
-        }
-	if [message] =~ "AR-LOG" {
-            mutate { 
-                replace => { "type" => "autoruns" } 
-                add_tag => [ "ossec" ]
-            }
-        }
-
-	# If message looks like json, try to parse it as such. Otherwise, grok.
-        if [message] =~ /^{.*}$/ {
-                json {
-                        source => "message"
-                }
-		mutate {
-                        rename => [ "rule", "wazuh-rule" ]
-                        rename => [ "[wazuh-rule][level]", "alert_level" ]
-                        rename => [ "[wazuh-rule][description]", "description" ]
-                        rename => [ "[data][srcuser]", "username" ]
-                        rename => [ "[data][dstuser]", "escalated_user" ]
-                        rename => [ "[data][command]", "command" ]
-                        rename => [ "[predecoder][program_name]", "process" ]
-                }
-	} else {
-		grok {
-			match => ["message",'%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{IP:source_ip} - %{DATA:username} \[%{DATA:request_timestamp}] "%{DATA:method} %{DATA:requested_resource} %{DATA:protocol}\/%{DATA:protocol_version}" %{NONNEGINT:status_code} %{NONNEGINT:object_size} "%{DATA:referrer}" "%{DATA:user_agent}"',
-				"message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{SYSLOGTIMESTAMP:ossec_timestamp} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: \(%{DATA:username}\) CMD \(%{DATA:command}\)",
-				"message", "%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{GREEDYDATA:details}","message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{SYSLOGTIMESTAMP:ossec_timestamp} %{DATA:ossec_host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}",
-				"message","%{DATA:age} %{DATA:program} %{DATA} '%{DATA:checksum}'",
-				"message", "%{DATA:username} : TTY=%{DATA:tty} ; PWD=%{DATA:dir} ; USER=%{DATA:escalated_user} ; COMMAND=%{GREEDYDATA:command}"]
-			remove_field => [ "ossec_timestamp" ]
-		}
-		mutate {
-			convert => [ "status_code", "integer" ]
-		}
-	}
-  }
-}
diff --git a/salt/logstash/conf/pipelines/search/6501_ossec_sysmon.conf b/salt/logstash/conf/pipelines/search/6501_ossec_sysmon.conf
deleted file mode 100644
index 6ebf10487..000000000
--- a/salt/logstash/conf/pipelines/search/6501_ossec_sysmon.conf
+++ /dev/null
@@ -1,118 +0,0 @@
-# Author: Wes Lambert
-# wlambertts@gmail.com
-#
-# This conf file is based on accepting Sysmon logs from OSSEC
-#
-# Parse using grok
-filter {
-  # OSSEC Logs and Alerts
-  if [type] == "sysmon" or "sysmon" in [tags] {
-    if [message] !~ /^{.*}$/ {
-      #mutate { replace => { "type" => "sysmon" } }
-      grok {
-      # match => ["message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{IP:source_ip}->WinEvtLog %{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION\(%{INT:sysmon_event_id}\):"]
-        match => ["message", "%{YEAR:year}%{SPACE}%{SYSLOGTIMESTAMP:timestamp}%{SPACE}%{DATA:location}%{SPACE}(any|%{IP:source_ip})->WinEvtLog%{SPACE}%{YEAR:year}%{SPACE}%{SYSLOGTIMESTAMP:ossec_timestamp}%{SPACE}WinEvtLog:%{SPACE}Microsoft-Windows-Sysmon/Operational:%{SPACE}INFORMATION\(%{INT:event_id}\):%{SPACE}%{GREEDYDATA:rest_of_msg}"]
-      }
-      mutate {
-        convert => ["event_id", "integer"]
-        remove_field => ["timestamp"]
-        remove_field => ["year"]
-      }
-      if [event_id] == 1 {
-        grok {
-          match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}%{DATA:process_name} %{DATA:process_arguments}%{SPACE}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}LogonGuid:%{SPACE}\{%{DATA:logon_guid}\}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{SPACE}%{DATA:integrity_level}%{SPACE}Hashes:%{SPACE}MD5=%{DATA:md5},SHA256=%{DATA:sha256}%{SPACE}ParentProcessGuid:%{SPACE}\{%{DATA:parent_process_guid}\}%{SPACE}ParentProcessId:%{SPACE}%{NONNEGINT:parent_process_id}%{SPACE}ParentImage:%{SPACE}%{DATA:parent_image_path}%{SPACE}ParentCommandLine:%{SPACE}%{GREEDYDATA:parent_process_name}",
-		"rest_of_msg", 'Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}"%{DATA:process_name}"%{SPACE}%{DATA:process_arguments}%{SPACE}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}LogonGuid:%{SPACE}\{%{DATA:logon_guid}\}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{DATA:integrity_level}',
-		"rest_of_msg", "Microsoft-Windows-Sysmon/Operational:%{SPACE}INFORMATION(%{INT:event_id}):%{SPACE}Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}{%{DATA:process_guid}}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}%{DATA:process_name}%{SPACE}%{DATA:process_arguments}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}LogonGuid:%{SPACE}{%{DATA:logon_guid}}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{SPACE}%{DATA:integrity_level}%{SPACE}Hashes:%{SPACE}MD5=%{DATA:md5},SHA256=%{DATA:sha256}%{SPACE}ParentProcessGuid:%{SPACE}{%{DATA:parent_process_guid}}%{SPACE}ParentProcessId:%{SPACE}%{NONNEGINT:parent_process_id}%{SPACE}ParentImage:%{SPACE}%{DATA:parent_image_path}%{SPACE}ParentCommandLine:%{SPACE}%{GREEDYDATA:parent_process_name}"]
-        }
-        mutate {
-          convert => ["process_guid", "integer"]
-          convert => ["process_id", "integer"]
-          add_tag => ["process_creation"]
-        }
-      }
-      if [event_id] == 3 {
-        mutate {
-          remove_field => ["source_ip"]
-        }
-        grok {
-        match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}Protocol:%{SPACE}%{DATA:protocol}%{SPACE}Initiated:%{SPACE}%{DATA:initiated}%{SPACE}SourceIsIpv6:%{SPACE}%{DATA:is_source_ipv6}%{SPACE}SourceIp:%{SPACE}%{IP:source_ip}%{SPACE}SourceHostname:%{SPACE}%{DATA:source_hostname}%{SPACE}SourcePort:%{SPACE}%{NONNEGINT:source_port}%{SPACE}SourcePortName:%{SPACE}%{DATA:source_port_name}%{SPACE}DestinationIsIpv6:%{SPACE}%{DATA:dest_is_ipv6}%{SPACE}DestinationIp:%{SPACE}%{IP:destination_ip}%{SPACE}DestinationHostname:%{SPACE}%{DATA:destination_hostname}%{SPACE}DestinationPort:%{SPACE}%{NONNEGINT:destination_port}%{SPACE}DestinationPortName:%{SPACE}%{GREEDYDATA:destination_port_name}"]
-        }
-        mutate {
-          convert => ["process_guid", "integer"]
-          convert => ["process_id", "integer"]
-          convert => ["source_port", "integer"]
-          convert => ["destination_port", "integer"]
-          add_tag => ["network_connection"]
-        }
-      }
-      if [event_id] == 5 {
-        grok {
-          match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{GREEDYDATA:image_path}"]
-        }
-        mutate {
-          convert => ["process_guid", "integer"]
-          convert => ["process_id", "integer"]
-          add_tag => ["process_termination"]
-        }
-      }
-      if [event_id] == 11 {
-        grok {
-          match => ["rest_of_msg","Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}TargetFilename:%{SPACE}%{DATA:target_filename}%{SPACE}CreationUtcTime:%{SPACE}%{DATA:creation_time}%{SPACE}"]
-        }
-        mutate {
-          convert => ["process_guid", "integer"]
-          convert => ["process_id", "integer"]
-          add_tag => ["file_created"]
-        }
-      }
-      mutate {
-        remove_field => ["rest_of_msg"]
-      }
-    } else {
-      mutate {
-	rename => { "[data][srcuser]" => "username" }
-        rename => { "[data][id]" => "event_id" }
-        rename => { "[data][dstport]" => "destination_port" }
-        rename => { "[data][dstip]" => "destination_ip" }
-        rename => { "[data][srcip]" => "source_ip" }
-        rename => { "[data][sysmon][image]" => "image_path" }
-        rename => { "[data][sysmon][parentImage]" => "parent_image_path" }
-        rename => { "[data][sysmon][targetfilename]" => "target_filename" }
-        rename => { "[data][sysmon][sourceHostname]" => "source_hostname" }
-        rename => { "[data][sysmon][destinationHostname]" => "destination_hostname" }
-      }
-      # Wazuh 3.8.2  
-      if [data][EventChannel] {
-        mutate {
-           rename => { "[data][EventChannel][EventData][User]" => "username" }
-           rename => { "[data][EventChannel][System][EventID]" => "event_id" }
-           rename => { "[data][EventChannel][EventData][DestinationPort]" => "destination_port" }
-           rename => { "[data][EventChannel][EventData][DestinationIp]" => "destination_ip" }
-           rename => { "[data][EventChannel][EventData][SourcePort]" => "source_port" }
-           rename => { "[data][EventChannel][EventData][SourceIp]" => "source_ip" }
-           rename => { "[data][EventChannel][EventData][Image]" => "image_path" }
-           rename => { "[data][EventChannel][EventData][ParentImage]" => "parent_image_path" }
-           rename => { "[data][EventChannel][EventData][TargetFilename]" => "target_filename" }
-           rename => { "[data][EventChannel][EventData][SourceHostname]" => "source_hostname" }
-           rename => { "[data][EventChannel][EventData][DestinationHostname]" => "destination_hostname" }
-	}
-      }
-      # Wazuh 3.9.2
-      if [data][win] {
-        mutate {
-          rename => { "[data][win][eventdata][user]" => "username" }
-          rename => { "[data][win][system][eventID]" => "event_id" }
-          rename => { "[data][win][eventdata][destinationPort]" => "destination_port" }
-          rename => { "[data][win][eventdata][destinationIp]" => "destination_ip" }
-          rename => { "[data][win][eventdata][sourcePort]" => "source_port" }
-          rename => { "[data][win][eventdata][sourceIp]" => "source_ip" }
-          rename => { "[data][win][eventdata][image]" => "image_path" }
-          rename => { "[data][win][eventdata][parentImage]" => "parent_image_path" }
-          rename => { "[data][win][eventdata][targetFilename]" => "target_filename" }
-          rename => { "[data][win][eventdata][sourceHostname]" => "source_hostname" }
-          rename => { "[data][win][eventdata][destinationHostname]" => "destination_hostname" }
-        }
-      }    
-    }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/search/6502_ossec_autoruns.conf b/salt/logstash/conf/pipelines/search/6502_ossec_autoruns.conf
deleted file mode 100644
index 5d7207891..000000000
--- a/salt/logstash/conf/pipelines/search/6502_ossec_autoruns.conf
+++ /dev/null
@@ -1,43 +0,0 @@
-# Author: Wes Lambert
-# wlambertts@gmail.com
-#
-# Updated by: Dustin Lee
-# Last Update: 06/13/2019
-#
-# This conf file is based on accepting Autoruns logs from OSSEC
-#
-# Parse using grok
-filter {
-  if [type] == "autoruns" or "autoruns" in [tags] {
-    if [message] !~ /^{.*}$/ {
-      grok {
-        match => [
-            "message", "%{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} \(%{DATA:ossec_agent_name}\) %{IP:source_ip}->%{DATA:location} %{DATA:log_name}\|%{DATA:hostname}\|%{DATESTAMP:log_timestamp}\|%{DATA:event_timestamp}\|%{DATA:image_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}",
-            "message", "%{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} \(%{DATA:ossec_agent_name}\) %{IP:source_ip}->%{DATA:location} %{DATA:log_name}\|%{DATA:hostname}\|%{DATESTAMP:log_timestamp}\|%{DATA:event_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}"
-        ]
-      }
-    #csv {
-#      columns => ["log_name","entry_location","entry","enabled","category","autoruns_description","signer","company","image_path","version","launch_string","md5","sha1","pesha1","pesha256","sha256","imphash"]
-#      separator => "|"
-#      }
-      mutate {
-        remove_field => [ "year" ]
-        remove_field => [ "timestamp" ]
-      }
-    } else {
-        grok {
-        match => [
-            "full_log", "AR-LOG\|%{DATA:hostname}\|%{DATA:event_timestamp}\|%{DATA:image_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}",
-            "full_log", "AR-LOG\|%{DATA:hostname}\|%{DATA:event_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}"
-        ]
-      }
-      mutate {
-        # Rename fields
-      }
-    }
-    date {
-      match => [ "image_timestamp", "yyyyMMdd-HHmmss" ]
-      target => "image_timestamp"
-    }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/search/6600_winlogbeat_sysmon.conf b/salt/logstash/conf/pipelines/search/6600_winlogbeat_sysmon.conf
deleted file mode 100644
index 200b58497..000000000
--- a/salt/logstash/conf/pipelines/search/6600_winlogbeat_sysmon.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# Author: Wes Lambert
-#
-# Last Update: 09/24/2018
-#
-# This conf file is based on accepting Sysmon logs from winlogbeat
-
-filter {
-  if "beat" in [tags] and [source_name] =~ "Microsoft-Windows-Sysmon" {
-      mutate {
-        replace => { "type" => "sysmon" }
-        rename => { "[event_data][User]" => "username" }
-        rename => { "[event_data][DestinationPort]" => "destination_port" }
-        rename => { "[event_data][DestinationIp]" => "destination_ip" }
-        rename => { "[event_data][SourceIp]" => "source_ip" }
-        rename => { "[event_data][Image]" => "image_path" }
-        rename => { "[event_data][ParentImage]" => "parent_image_path" }
-        rename => { "[data][sysmon][targetfilename]" => "target_filename" }
-        rename => { "[event_data][SourceHostname]" => "source_hostname" }
-        rename => { "[event_data][DestinationHostname]" => "destination_hostname" }
-	rename => { "[event_data][TargetFilename]" => "target_filename" }
-      }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/search/6700_winlogbeat.conf b/salt/logstash/conf/pipelines/search/6700_winlogbeat.conf
deleted file mode 100644
index 222757956..000000000
--- a/salt/logstash/conf/pipelines/search/6700_winlogbeat.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# Author: Doug Burks
-#
-# Last Update: 09/24/2018
-#
-# This conf file is for beat data
-
-filter {
-  if "beat" in [tags] {
-      mutate {
-	# As of beats 6.3.0, host is now an object:
-	# https://www.elastic.co/guide/en/beats/libbeat/current/release-notes-6.3.0.html
-	# This creates a conflict with our existing host string.
-	# So let's rename the host object to beat_host.
-        rename => { "host" => "beat_host" }
-      }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/search/7100_osquery_wel.conf b/salt/logstash/conf/pipelines/search/7100_osquery_wel.conf
deleted file mode 100644
index b4d77d83f..000000000
--- a/salt/logstash/conf/pipelines/search/7100_osquery_wel.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# Author: Josh Brower
-# Last Update: 12/28/2018
-# If log is tagged osquery and there is an eventid column - then cleanup and parse out the EventData column
-
-filter {
-  if "osquery" in [tags] and [osquery][columns][eventid] {
-
-        mutate {
-     gsub => ["[osquery][columns][data]", "\\x0A", ""]
-    }
-
-        json {
-      source => "[osquery][columns][data]"
-      target => "[osquery][columns][data]"
-     }
-
-        mutate {
-     merge => { "[osquery][columns]" => "[osquery][columns][data]" }
-     remove_field => ["[osquery][columns][data]"]
-        }
-
-  }
-}
\ No newline at end of file
diff --git a/salt/logstash/conf/pipelines/search/7200_strelka.conf b/salt/logstash/conf/pipelines/search/7200_strelka.conf
deleted file mode 100644
index b2b57bf05..000000000
--- a/salt/logstash/conf/pipelines/search/7200_strelka.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-filter {
-  if [type] =~ "strelka" {
-    json {
-      source => "message"
-    }
-  }
-}
-
diff --git a/salt/logstash/conf/pipelines/search/8001_postprocess_common_ip_augmentation.conf b/salt/logstash/conf/pipelines/search/8001_postprocess_common_ip_augmentation.conf
deleted file mode 100644
index d28449da6..000000000
--- a/salt/logstash/conf/pipelines/search/8001_postprocess_common_ip_augmentation.conf
+++ /dev/null
@@ -1,58 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Updated by: Doug Burks
-# Last Update: 5/20/2017
-
-filter {
-  if [source_ip] {
-    if [source_ip] == "-" {
-      mutate {
-        replace => { "source_ip" => "0.0.0.0" }
-      }
-    }
-    if [source_ip] =~ "10\." or [source_ip] =~ "192\.168\." or [source_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." or [source_ip] =~ "fe80::20c:29ff:fe19:f7d" or [source_ip] =~ "::1" {
-	mutate {
-	}
-      } else {
-        geoip {
-          source => "[source_ip]"
-          target => "source_geo"
-        }
-      }
-    if [source_ip] {
-      mutate {
-        add_field => { "ips" => "%{source_ip}" }
-        add_field => { "source_ips" => [ "%{source_ip}" ] }
-      }
-    }
-  }
-  if [destination_ip] {
-    if [destination_ip] == "-" {
-      mutate {
-        replace => { "destination_ip" => "0.0.0.0" }
-      }
-    }
-    if [destination_ip] =~ "10\." or [destination_ip] =~ "192\.168\." or [destination_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." or [destination_ip] =~ "239.255.255.250" or [destination_ip] =~ "224\.0\.0\." or [destination_ip] =~ "255.255.255.255" or [destination_ip] =~ "ff02::fb" or [destination_ip] =~ "fe80::20c:29ff:fe19:f7d" or [destination_ip] =~ "224\.0\.1\." {
-      mutate {
-      }
-    }
-    else {
-      geoip {
-      source => "[destination_ip]"
-      target => "destination_geo"
-      }
-    }
-  }
-  if [destination_ip] {
-    mutate {
-      add_field => { "ips" => "%{destination_ip}" }
-      add_field => { "destination_ips" => [ "%{destination_ip}" ] }
-    }
-  }
-}
-  #if [source_ip] or [destination_ip] {
-  #  mutate {
-	  #add_tag => [ "conf_file_8001"]
-  #	}
-  #}
-
diff --git a/salt/logstash/conf/pipelines/search/8007_postprocess_http.conf b/salt/logstash/conf/pipelines/search/8007_postprocess_http.conf
deleted file mode 100644
index b9c9d224b..000000000
--- a/salt/logstash/conf/pipelines/search/8007_postprocess_http.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-# Original Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Updated by: Doug Burks
-# Last Update: 5/13/2017
-
-filter {
-  if [type] == "bro_http" {
-    if [uri] {
-      ruby {
-        code => "event.set('uri_length', event.get('uri').length)"
-      }
-    }
-    if [virtual_host] {
-      ruby {
-        code => "event.set('virtual_host_length', event.get('virtual_host').length)"
-      }
-    }
-    if [useragent] {
-      ruby {
-        code => "event.set('useragent_length', event.get('useragent').length)"
-      }
-    }
-	mutate {
-	  ##add_tag => [ "conf_file_8007"]
-	}
-  }
-}
diff --git a/salt/logstash/conf/pipelines/search/8200_postprocess_tagging.conf b/salt/logstash/conf/pipelines/search/8200_postprocess_tagging.conf
deleted file mode 100644
index e698b3ce3..000000000
--- a/salt/logstash/conf/pipelines/search/8200_postprocess_tagging.conf
+++ /dev/null
@@ -1,63 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [destination_ip] {
-    if [destination_ip] =~ "10\." or [destination_ip] =~ "192\.168\." or [destination_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." {
-      mutate {
-        add_tag => [ "internal_destination" ]
-      }
-    } else {
-      mutate {
-        add_tag => [ "external_destination" ]
-      }
-    }
-    if "internal_destination" not in [tags] {
-      if [destination_ip] == "198.41.0.4" or [destination_ip] == "192.228.79.201" or [destination_ip] == "192.33.4.12" or [destination_ip] == "199.7.91.13" or [destination_ip] == "192.203.230.10" or [destination_ip] == "192.5.5.241" or [destination_ip] == "192.112.36.4" or [destination_ip] == "198.97.190.53" or [destination_ip] == "192.36.148.17" or [destination_ip] == "192.58.128.30" or [destination_ip] == "193.0.14.129" or [destination_ip] == "199.7.83.42" or [destination_ip] == "202.12.27.33" {
-        mutate {
-          add_tag => [ "root_dns_server" ]
-        }
-      }
-    }
-    # Customize this section to your environment
-    if [destination_ip] == "74.40.74.40" or [destination_ip] == "74.40.74.41" {
-      mutate {
-        add_tag => [ "authorized_dns_server" ]
-      }
-    }
-  }
-  if [source_ip] {
-    if [source_ip] =~ "10\." or [source_ip] =~ "192\.168\." or [source_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." {
-      mutate {
-        add_tag => [ "internal_source" ]
-      }
-    } else {
-      mutate {
-        add_tag => [ "external_source" ]
-      }
-    }
-    if "internal_source" not in [tags] {
-      if [source_ip] == "198.41.0.4" or [source_ip] == "192.228.79.201" or [source_ip] == "192.33.4.12" or [source_ip] == "199.7.91.13" or [source_ip] == "192.203.230.10" or [source_ip] == "192.5.5.241" or [source_ip] == "192.112.36.4" or [source_ip] == "198.97.190.53" or [source_ip] == "192.36.148.17" or [source_ip] == "192.58.128.30" or [source_ip] == "193.0.14.129" or [source_ip] == "199.7.83.42" or [source_ip] == "202.12.27.33" {
-        mutate {
-          add_tag => [ "root_dns_server" ]
-        }
-      }
-    }
-    # Customize this section to your environment
-    if [destination_ip] == "74.40.74.40" and "authorized_dns_server" not in [tags] or [destination_ip] == "74.40.74.41" and "authorized_dns_server" not in [tags] {
-      mutate {
-        add_tag => [ "authorized_dns_server" ]
-      }
-    }
-	mutate {
-		##add_tag => [ "conf_file_8200"]
-	}
-  }
-  if [type] =~ /ossec|snort|firewall/ or "firewall" in [tags] {
-      mutate {
-          remove_tag => [ "syslog" ]
-      }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/search/8998_postprocess_log_elapsed.conf b/salt/logstash/conf/pipelines/search/8998_postprocess_log_elapsed.conf
deleted file mode 100644
index 478c6b0e0..000000000
--- a/salt/logstash/conf/pipelines/search/8998_postprocess_log_elapsed.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  ruby {
-    code => "event.set('task_end', Time.now.to_f)"
-  }
-  ruby {
-    code => "event.set('logstash_time', event.get('task_end') - event.get('task_start'))"
-  }
-  mutate {
-    remove_field => [ 'task_start', 'task_end' ]
-  }
-  mutate {
-	#add_tag => [ "conf_file_8998"]
-  }
-}
diff --git a/salt/logstash/conf/pipelines/search/8999_postprocess_rename_type.conf b/salt/logstash/conf/pipelines/search/8999_postprocess_rename_type.conf
deleted file mode 100644
index 383fd9827..000000000
--- a/salt/logstash/conf/pipelines/search/8999_postprocess_rename_type.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-# Author: Doug Burks
-# Last Update: 12/10/2017
-
-filter {
-    mutate {
-	  rename => [ "type", "event_type" ]
-	}
-}
diff --git a/salt/logstash/conf/pipelines/search/templates/9000_output_bro.conf b/salt/logstash/conf/pipelines/search/templates/9000_output_bro.conf
deleted file mode 100644
index 553500281..000000000
--- a/salt/logstash/conf/pipelines/search/templates/9000_output_bro.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('node:mainip', '') -%}
-{%- endif %}
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-
-filter {
-  if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
-    mutate {
-	  ##add_tag => [ "conf_file_9000"]
-	}
-  }
-}
-output {
-  if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
-#    stdout { codec => rubydebug }
-    elasticsearch {
-      pipeline => "%{event_type}"
-      hosts => "{{ ES }}"
-      index => "logstash-bro-%{+YYYY.MM.dd}"
-      template_name => "logstash"
-      template => "/logstash-template.json"
-      template_overwrite => true
-    }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/search/templates/9001_output_switch.conf b/salt/logstash/conf/pipelines/search/templates/9001_output_switch.conf
deleted file mode 100644
index 949a738ab..000000000
--- a/salt/logstash/conf/pipelines/search/templates/9001_output_switch.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('node:mainip', '') -%}
-{%- endif %}
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if "switch" in [tags] and "test_data" not in [tags] {
-    mutate {
-	  ##add_tag => [ "conf_file_9001"]
-	}
-  }
-}
-output {
-  if "switch" in [tags] and "test_data" not in [tags] {
-    #stdout { codec => rubydebug }
-    elasticsearch {
-      hosts => "{{ ES }}"
-      index => "logstash-switch-%{+YYYY.MM.dd}"
-      template => "/logstash-template.json"
-    }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/search/templates/9002_output_import.conf b/salt/logstash/conf/pipelines/search/templates/9002_output_import.conf
deleted file mode 100644
index 88fbc7551..000000000
--- a/salt/logstash/conf/pipelines/search/templates/9002_output_import.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('node:mainip', '') -%}
-{%- endif %}
-# Updated by: Doug Burks
-# Last Update: 5/16/2017
-
-filter {
-  if "import" in [tags] and "test_data" not in [tags] {
-    mutate {
-	  ##add_tag => [ "conf_file_9002"]
-	}
-  }
-}
-output {
-  if "import" in [tags] and "test_data" not in [tags] {
-#    stdout { codec => rubydebug }
-    elasticsearch {
-      hosts => "{{ ES }}"
-      index => "logstash-import-%{+YYYY.MM.dd}"
-      template_name => "logstash-*"
-      template => "/logstash-template.json"
-      template_overwrite => true
-    }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/search/templates/9004_output_flow.conf b/salt/logstash/conf/pipelines/search/templates/9004_output_flow.conf
deleted file mode 100644
index 3dbd34f16..000000000
--- a/salt/logstash/conf/pipelines/search/templates/9004_output_flow.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('node:mainip', '') -%}
-{%- endif %}
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [event_type] == "sflow" and "test_data" not in [tags] {
-    mutate {
-	  ##add_tag => [ "conf_file_9004"]
-	}
-  }
-}
-output {
-  if [event_type] == "sflow" and "test_data" not in [tags] {
-    #stdout { codec => rubydebug }
-    elasticsearch {
-      hosts => "{{ ES }}"
-      index => "logstash-flow-%{+YYYY.MM.dd}"
-      template => "/logstash-template.json"
-    }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/search/templates/9026_output_dhcp.conf b/salt/logstash/conf/pipelines/search/templates/9026_output_dhcp.conf
deleted file mode 100644
index a63ac5f98..000000000
--- a/salt/logstash/conf/pipelines/search/templates/9026_output_dhcp.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('node:mainip', '') -%}
-{%- endif %}
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [event_type] == "dhcp" and "test_data" not in [tags] {
-    mutate {
-	  ##add_tag => [ "conf_file_9026"]
-	}
-  }
-}
-output {
-  if [event_type] == "dhcp" and "test_data" not in [tags] {
-    #stdout { codec => rubydebug }
-    elasticsearch {
-      hosts => "{{ ES }}"
-      template => "/logstash-template.json"
-    }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/search/templates/9029_output_esxi.conf b/salt/logstash/conf/pipelines/search/templates/9029_output_esxi.conf
deleted file mode 100644
index 229de6b9c..000000000
--- a/salt/logstash/conf/pipelines/search/templates/9029_output_esxi.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('node:mainip', '') -%}
-{%- endif %}
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [event_type] == "esxi" and "test_data" not in [tags] {
-    mutate {
-	  ##add_tag => [ "conf_file_9029"]
-	}
-  }
-}
-output {
-  if [event_type] == "esxi" and "test_data" not in [tags] {
-    elasticsearch {
-      hosts => "{{ ES }}"
-      template => "/logstash-template.json"
-    }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/search/templates/9030_output_greensql.conf b/salt/logstash/conf/pipelines/search/templates/9030_output_greensql.conf
deleted file mode 100644
index a6d16b95d..000000000
--- a/salt/logstash/conf/pipelines/search/templates/9030_output_greensql.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('node:mainip', '') -%}
-{%- endif %}
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [event_type] == "greensql" and "test_data" not in [tags] {
-    mutate {
-	  ##add_tag => [ "conf_file_9030"]
-	}
-  }
-}
-output {
-  if [event_type] == "greensql" and "test_data" not in [tags] {
-    elasticsearch {
-      hosts => "{{ ES }}"
-      template => "/logstash-template.json"
-    }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/search/templates/9031_output_iis.conf b/salt/logstash/conf/pipelines/search/templates/9031_output_iis.conf
deleted file mode 100644
index 6650d8a7d..000000000
--- a/salt/logstash/conf/pipelines/search/templates/9031_output_iis.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('node:mainip', '') -%}
-{%- endif %}
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [event_type] == "iis" and "test_data" not in [tags] {
-    mutate {
-	  ##add_tag => [ "conf_file_9031"]
-	}
-  }
-}
-output {
-  if [event_type] == "iis" and "test_data" not in [tags] {
-    #stdout { codec => rubydebug }
-    elasticsearch {
-      hosts => "{{ ES }}"
-      template => "/logstash-template.json"
-    }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/search/templates/9032_output_mcafee.conf b/salt/logstash/conf/pipelines/search/templates/9032_output_mcafee.conf
deleted file mode 100644
index ca982967d..000000000
--- a/salt/logstash/conf/pipelines/search/templates/9032_output_mcafee.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('node:mainip', '') -%}
-{%- endif %}
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [event_type] == "mcafee" and "test_data" not in [tags] {
-    mutate {
-	  ##add_tag => [ "conf_file_9032"]
-	}
-  }
-}
-output {
-  if [event_type] == "mcafee" and "test_data" not in [tags] {
-    #stdout { codec => rubydebug }
-    elasticsearch {
-      hosts => "{{ ES }}"
-      template => "/logstash-template.json"
-    }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/search/templates/9033_output_snort.conf b/salt/logstash/conf/pipelines/search/templates/9033_output_snort.conf
deleted file mode 100644
index 6c310b91e..000000000
--- a/salt/logstash/conf/pipelines/search/templates/9033_output_snort.conf
+++ /dev/null
@@ -1,29 +0,0 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('node:mainip', '') -%}
-{%- endif %}
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [event_type] == "ids" and "test_data" not in [tags] {
-    mutate {
-	  ##add_tag => [ "conf_file_9033"]
-	}
-  }
-}
-output {
-    if [event_type] == "ids" and "test_data" not in [tags] {
-    #stdout { codec => rubydebug }
-    elasticsearch {
-      hosts => "{{ ES }}"
-      index => "logstash-ids-%{+YYYY.MM.dd}"
-      template_name => "logstash"
-      template => "/logstash-template.json"
-      template_overwrite => true
-    }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/search/templates/9034_output_syslog.conf b/salt/logstash/conf/pipelines/search/templates/9034_output_syslog.conf
deleted file mode 100644
index 56a6527b8..000000000
--- a/salt/logstash/conf/pipelines/search/templates/9034_output_syslog.conf
+++ /dev/null
@@ -1,28 +0,0 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('node:mainip', '') -%}
-{%- endif %}
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Updated by: Doug Burks
-# Last Update: 5/15/2017
-
-filter {
-  if "syslog" in [tags] and "test_data" not in [tags] {
-    mutate {
-	  ##add_tag => [ "conf_file_9034"]
-	}
-  }
-}
-output {
-  if "syslog" in [tags] and "test_data" not in [tags] {
-    elasticsearch {
-      hosts => "{{ ES }}"
-      index => "logstash-syslog-%{+YYYY.MM.dd}"
-      template_name => "logstash"
-      template => "/logstash-template.json"
-      template_overwrite => true
-    }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/search/templates/9100_output_osquery.conf b/salt/logstash/conf/pipelines/search/templates/9100_output_osquery.conf
deleted file mode 100644
index e95119562..000000000
--- a/salt/logstash/conf/pipelines/search/templates/9100_output_osquery.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('node:mainip', '') -%}
-{%- endif %}
-# Author: Josh Brower
-# Last Update: 12/29/2018
-# Output to ES for osquery tagged logs
-
-
-output {
-  if "osquery" in [tags] {
-    elasticsearch {
-      hosts => "{{ ES }}"
-      index => "logstash-osquery-%{+YYYY.MM.dd}"
-      template => "/logstash-template.json"
-    }
-  }
-}
\ No newline at end of file
diff --git a/salt/logstash/conf/pipelines/search/templates/9200_output_firewall.conf b/salt/logstash/conf/pipelines/search/templates/9200_output_firewall.conf
deleted file mode 100644
index b2ad43963..000000000
--- a/salt/logstash/conf/pipelines/search/templates/9200_output_firewall.conf
+++ /dev/null
@@ -1,29 +0,0 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('node:mainip', '') -%}
-{%- endif %}
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if "firewall" in [tags] and "test_data" not in [tags] {
-    mutate {
-	  ##add_tag => [ "conf_file_9200"]
-	}
-  }
-}
-output {
-  if "firewall" in [tags] and "test_data" not in [tags] {
-#    stdout { codec => rubydebug }
-    elasticsearch {
-      hosts => "{{ ES }}"
-      index => "logstash-firewall-%{+YYYY.MM.dd}"
-      template_name => "logstash"
-      template => "/logstash-template.json"
-      template_overwrite => true
-    }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/search/templates/9300_output_windows.conf b/salt/logstash/conf/pipelines/search/templates/9300_output_windows.conf
deleted file mode 100644
index d3f9d1919..000000000
--- a/salt/logstash/conf/pipelines/search/templates/9300_output_windows.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('node:mainip', '') -%}
-{%- endif %}
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [event_type] == "windows" and "test_data" not in [tags] {
-    mutate {
-	  ##add_tag => [ "conf_file_9300"]
-	}
-  }
-}
-output {
-  if [event_type] == "windows" and "test_data" not in [tags] {
-    #stdout { codec => rubydebug }
-    elasticsearch {
-      hosts => "{{ ES }}"
-      index => "logstash-windows-%{+YYYY.MM.dd}"
-      template => "/logstash-template.json"
-    }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/search/templates/9301_output_dns_windows.conf b/salt/logstash/conf/pipelines/search/templates/9301_output_dns_windows.conf
deleted file mode 100644
index 8a56b7044..000000000
--- a/salt/logstash/conf/pipelines/search/templates/9301_output_dns_windows.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('node:mainip', '') -%}
-{%- endif %}
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [event_type] == "dns" and "test_data" not in [tags] {
-    mutate {
-	  ##add_tag => [ "conf_file_9301"]
-	}
-  }
-}
-output {
-  if [event_type] == "dns" and "test_data" not in [tags] {
-    #stdout { codec => rubydebug }
-    elasticsearch {
-      hosts => "{{ ES }}"
-      index => "logstash-%{+YYYY.MM.dd}"
-      template => "/logstash-template.json"
-    }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/search/templates/9400_output_suricata.conf b/salt/logstash/conf/pipelines/search/templates/9400_output_suricata.conf
deleted file mode 100644
index 4bffd7f0a..000000000
--- a/salt/logstash/conf/pipelines/search/templates/9400_output_suricata.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('node:mainip', '') -%}
-{%- endif %}
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
-  if [event_type] == "suricata" and "test_data" not in [tags] {
-    mutate {
-	  ##add_tag => [ "conf_file_9400"]
-	}
-  }
-}
-output {
-  if [event_type] == "suricata" and "test_data" not in [tags] {
-    #stdout { codec => rubydebug }
-    elasticsearch {
-      hosts => "{{ ES }}"
-      index => "logstash-ids-%{+YYYY.MM.dd}"
-      template => "/logstash-template.json"
-    }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/search/templates/9500_output_beats.conf b/salt/logstash/conf/pipelines/search/templates/9500_output_beats.conf
deleted file mode 100644
index 30900cb93..000000000
--- a/salt/logstash/conf/pipelines/search/templates/9500_output_beats.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('node:mainip', '') -%}
-{%- endif %}
-# Author: Wes Lambert
-# Last Update: 09/14/2018
-filter {
-  if "beat" in [tags] {
-    mutate {
-          ##add_tag => [ "conf_file_9500"]
-        }
-  }
-}
-output {
-  if "beat" in [tags] {
-    elasticsearch {
-      hosts => "{{ ES }}"
-      index => "logstash-beats-%{+YYYY.MM.dd}"
-      template_name => "logstash-beats"
-      template => "/beats-template.json"
-      template_overwrite => true
-    }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/search/templates/9600_output_ossec.conf b/salt/logstash/conf/pipelines/search/templates/9600_output_ossec.conf
deleted file mode 100644
index 71d0c28aa..000000000
--- a/salt/logstash/conf/pipelines/search/templates/9600_output_ossec.conf
+++ /dev/null
@@ -1,29 +0,0 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('node:mainip', '') -%}
-{%- endif %}
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Updated by: Doug Burks
-# Last Update: 9/19/2018
-
-filter {
-  if [event_type] =~ "ossec" {
-    mutate {
-          ##add_tag => [ "conf_file_9600"]
-        }
-  }
-}
-
-output {
-  if [event_type] =~ "ossec" or "ossec" in [tags] {
-    elasticsearch {
-      hosts => "{{ ES }}"
-      index => "logstash-ossec-%{+YYYY.MM.dd}"
-      template_name => "logstash-ossec"
-      template => "/logstash-ossec-template.json"
-      template_overwrite => true
-    }
-  }
-}
diff --git a/salt/logstash/conf/pipelines/search/templates/9700_output_strelka.conf b/salt/logstash/conf/pipelines/search/templates/9700_output_strelka.conf
deleted file mode 100644
index c562cedc7..000000000
--- a/salt/logstash/conf/pipelines/search/templates/9700_output_strelka.conf
+++ /dev/null
@@ -1,30 +0,0 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('node:mainip', '') -%}
-{%- endif %}
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-
-filter {
-  if [event_type] =~ "strelka" {
-    mutate {
-          ##add_tag => [ "conf_file_9000"]
-        }
-  }
-}
-output {
-  if [event_type] =~ "strelka" {
-    elasticsearch {
-      hosts => "{{ ES }}"
-      index => "logstash-strelka-%{+YYYY.MM.dd}"
-      template_name => "logstash-strelka"
-      template => "/logstash-strelka-template.json"
-      template_overwrite => true
-    }
-  }
-}
-
diff --git a/salt/logstash/conf/pipelines/helix/0010_input_hhbeats.conf b/salt/logstash/pipelines/config/0010_input_hhbeats.conf
similarity index 100%
rename from salt/logstash/conf/pipelines/helix/0010_input_hhbeats.conf
rename to salt/logstash/pipelines/config/0010_input_hhbeats.conf
diff --git a/salt/logstash/conf/pipelines/search/templates/0900_input_redis.conf b/salt/logstash/pipelines/config/0900_input_redis.conf.jinja
similarity index 100%
rename from salt/logstash/conf/pipelines/search/templates/0900_input_redis.conf
rename to salt/logstash/pipelines/config/0900_input_redis.conf.jinja
diff --git a/salt/logstash/conf/pipelines/helix/1100_preprocess_bro_conn.conf b/salt/logstash/pipelines/config/1100_preprocess_bro_conn.conf
similarity index 100%
rename from salt/logstash/conf/pipelines/helix/1100_preprocess_bro_conn.conf
rename to salt/logstash/pipelines/config/1100_preprocess_bro_conn.conf
diff --git a/salt/logstash/conf/pipelines/helix/1101_preprocess_bro_dhcp.conf b/salt/logstash/pipelines/config/1101_preprocess_bro_dhcp.conf
similarity index 100%
rename from salt/logstash/conf/pipelines/helix/1101_preprocess_bro_dhcp.conf
rename to salt/logstash/pipelines/config/1101_preprocess_bro_dhcp.conf
diff --git a/salt/logstash/conf/pipelines/helix/1102_preprocess_bro_dns.conf b/salt/logstash/pipelines/config/1102_preprocess_bro_dns.conf
similarity index 100%
rename from salt/logstash/conf/pipelines/helix/1102_preprocess_bro_dns.conf
rename to salt/logstash/pipelines/config/1102_preprocess_bro_dns.conf
diff --git a/salt/logstash/conf/pipelines/helix/1103_preprocess_bro_dpd.conf b/salt/logstash/pipelines/config/1103_preprocess_bro_dpd.conf
similarity index 100%
rename from salt/logstash/conf/pipelines/helix/1103_preprocess_bro_dpd.conf
rename to salt/logstash/pipelines/config/1103_preprocess_bro_dpd.conf
diff --git a/salt/logstash/conf/pipelines/helix/1104_preprocess_bro_files.conf b/salt/logstash/pipelines/config/1104_preprocess_bro_files.conf
similarity index 100%
rename from salt/logstash/conf/pipelines/helix/1104_preprocess_bro_files.conf
rename to salt/logstash/pipelines/config/1104_preprocess_bro_files.conf
diff --git a/salt/logstash/conf/pipelines/helix/1105_preprocess_bro_ftp.conf b/salt/logstash/pipelines/config/1105_preprocess_bro_ftp.conf
similarity index 100%
rename from salt/logstash/conf/pipelines/helix/1105_preprocess_bro_ftp.conf
rename to salt/logstash/pipelines/config/1105_preprocess_bro_ftp.conf
diff --git a/salt/logstash/conf/pipelines/helix/1106_preprocess_bro_http.conf b/salt/logstash/pipelines/config/1106_preprocess_bro_http.conf
similarity index 100%
rename from salt/logstash/conf/pipelines/helix/1106_preprocess_bro_http.conf
rename to salt/logstash/pipelines/config/1106_preprocess_bro_http.conf
diff --git a/salt/logstash/conf/pipelines/helix/1107_preprocess_bro_irc.conf b/salt/logstash/pipelines/config/1107_preprocess_bro_irc.conf
similarity index 100%
rename from salt/logstash/conf/pipelines/helix/1107_preprocess_bro_irc.conf
rename to salt/logstash/pipelines/config/1107_preprocess_bro_irc.conf
diff --git a/salt/logstash/conf/pipelines/helix/1108_preprocess_bro_kerberos.conf b/salt/logstash/pipelines/config/1108_preprocess_bro_kerberos.conf
similarity index 100%
rename from salt/logstash/conf/pipelines/helix/1108_preprocess_bro_kerberos.conf
rename to salt/logstash/pipelines/config/1108_preprocess_bro_kerberos.conf
diff --git a/salt/logstash/conf/pipelines/helix/1109_preprocess_bro_notice.conf b/salt/logstash/pipelines/config/1109_preprocess_bro_notice.conf
similarity index 100%
rename from salt/logstash/conf/pipelines/helix/1109_preprocess_bro_notice.conf
rename to salt/logstash/pipelines/config/1109_preprocess_bro_notice.conf
diff --git a/salt/logstash/conf/pipelines/helix/1110_preprocess_bro_rdp.conf b/salt/logstash/pipelines/config/1110_preprocess_bro_rdp.conf
similarity index 100%
rename from salt/logstash/conf/pipelines/helix/1110_preprocess_bro_rdp.conf
rename to salt/logstash/pipelines/config/1110_preprocess_bro_rdp.conf
diff --git a/salt/logstash/conf/pipelines/helix/1111_preprocess_bro_signatures.conf b/salt/logstash/pipelines/config/1111_preprocess_bro_signatures.conf
similarity index 100%
rename from salt/logstash/conf/pipelines/helix/1111_preprocess_bro_signatures.conf
rename to salt/logstash/pipelines/config/1111_preprocess_bro_signatures.conf
diff --git a/salt/logstash/conf/pipelines/helix/1112_preprocess_bro_smtp.conf b/salt/logstash/pipelines/config/1112_preprocess_bro_smtp.conf
similarity index 100%
rename from salt/logstash/conf/pipelines/helix/1112_preprocess_bro_smtp.conf
rename to salt/logstash/pipelines/config/1112_preprocess_bro_smtp.conf
diff --git a/salt/logstash/conf/pipelines/helix/1113_preprocess_bro_snmp.conf b/salt/logstash/pipelines/config/1113_preprocess_bro_snmp.conf
similarity index 100%
rename from salt/logstash/conf/pipelines/helix/1113_preprocess_bro_snmp.conf
rename to salt/logstash/pipelines/config/1113_preprocess_bro_snmp.conf
diff --git a/salt/logstash/conf/pipelines/helix/1114_preprocess_bro_software.conf b/salt/logstash/pipelines/config/1114_preprocess_bro_software.conf
similarity index 100%
rename from salt/logstash/conf/pipelines/helix/1114_preprocess_bro_software.conf
rename to salt/logstash/pipelines/config/1114_preprocess_bro_software.conf
diff --git a/salt/logstash/conf/pipelines/helix/1115_preprocess_bro_ssh.conf b/salt/logstash/pipelines/config/1115_preprocess_bro_ssh.conf
similarity index 100%
rename from salt/logstash/conf/pipelines/helix/1115_preprocess_bro_ssh.conf
rename to salt/logstash/pipelines/config/1115_preprocess_bro_ssh.conf
diff --git a/salt/logstash/conf/pipelines/helix/1116_preprocess_bro_ssl.conf b/salt/logstash/pipelines/config/1116_preprocess_bro_ssl.conf
similarity index 100%
rename from salt/logstash/conf/pipelines/helix/1116_preprocess_bro_ssl.conf
rename to salt/logstash/pipelines/config/1116_preprocess_bro_ssl.conf
diff --git a/salt/logstash/conf/pipelines/helix/1117_preprocess_bro_syslog.conf b/salt/logstash/pipelines/config/1117_preprocess_bro_syslog.conf
similarity index 100%
rename from salt/logstash/conf/pipelines/helix/1117_preprocess_bro_syslog.conf
rename to salt/logstash/pipelines/config/1117_preprocess_bro_syslog.conf
diff --git a/salt/logstash/conf/pipelines/helix/1118_preprocess_bro_tunnel.conf b/salt/logstash/pipelines/config/1118_preprocess_bro_tunnel.conf
similarity index 100%
rename from salt/logstash/conf/pipelines/helix/1118_preprocess_bro_tunnel.conf
rename to salt/logstash/pipelines/config/1118_preprocess_bro_tunnel.conf
diff --git a/salt/logstash/conf/pipelines/helix/1119_preprocess_bro_weird.conf b/salt/logstash/pipelines/config/1119_preprocess_bro_weird.conf
similarity index 100%
rename from salt/logstash/conf/pipelines/helix/1119_preprocess_bro_weird.conf
rename to salt/logstash/pipelines/config/1119_preprocess_bro_weird.conf
diff --git a/salt/logstash/conf/pipelines/helix/1121_preprocess_bro_mysql.conf b/salt/logstash/pipelines/config/1121_preprocess_bro_mysql.conf
similarity index 100%
rename from salt/logstash/conf/pipelines/helix/1121_preprocess_bro_mysql.conf
rename to salt/logstash/pipelines/config/1121_preprocess_bro_mysql.conf
diff --git a/salt/logstash/conf/pipelines/helix/1122_preprocess_bro_socks.conf b/salt/logstash/pipelines/config/1122_preprocess_bro_socks.conf
similarity index 100%
rename from salt/logstash/conf/pipelines/helix/1122_preprocess_bro_socks.conf
rename to salt/logstash/pipelines/config/1122_preprocess_bro_socks.conf
diff --git a/salt/logstash/conf/pipelines/helix/1123_preprocess_bro_x509.conf b/salt/logstash/pipelines/config/1123_preprocess_bro_x509.conf
similarity index 100%
rename from salt/logstash/conf/pipelines/helix/1123_preprocess_bro_x509.conf
rename to salt/logstash/pipelines/config/1123_preprocess_bro_x509.conf
diff --git a/salt/logstash/conf/pipelines/helix/1124_preprocess_bro_intel.conf b/salt/logstash/pipelines/config/1124_preprocess_bro_intel.conf
similarity index 100%
rename from salt/logstash/conf/pipelines/helix/1124_preprocess_bro_intel.conf
rename to salt/logstash/pipelines/config/1124_preprocess_bro_intel.conf
diff --git a/salt/logstash/conf/pipelines/helix/1125_preprocess_bro_modbus.conf b/salt/logstash/pipelines/config/1125_preprocess_bro_modbus.conf
similarity index 100%
rename from salt/logstash/conf/pipelines/helix/1125_preprocess_bro_modbus.conf
rename to salt/logstash/pipelines/config/1125_preprocess_bro_modbus.conf
diff --git a/salt/logstash/conf/pipelines/helix/1126_preprocess_bro_sip.conf b/salt/logstash/pipelines/config/1126_preprocess_bro_sip.conf
similarity index 100%
rename from salt/logstash/conf/pipelines/helix/1126_preprocess_bro_sip.conf
rename to salt/logstash/pipelines/config/1126_preprocess_bro_sip.conf
diff --git a/salt/logstash/conf/pipelines/helix/1127_preprocess_bro_radius.conf b/salt/logstash/pipelines/config/1127_preprocess_bro_radius.conf
similarity index 100%
rename from salt/logstash/conf/pipelines/helix/1127_preprocess_bro_radius.conf
rename to salt/logstash/pipelines/config/1127_preprocess_bro_radius.conf
diff --git a/salt/logstash/conf/pipelines/helix/1128_preprocess_bro_pe.conf b/salt/logstash/pipelines/config/1128_preprocess_bro_pe.conf
similarity index 100%
rename from salt/logstash/conf/pipelines/helix/1128_preprocess_bro_pe.conf
rename to salt/logstash/pipelines/config/1128_preprocess_bro_pe.conf
diff --git a/salt/logstash/conf/pipelines/helix/1129_preprocess_bro_rfb.conf b/salt/logstash/pipelines/config/1129_preprocess_bro_rfb.conf
similarity index 100%
rename from salt/logstash/conf/pipelines/helix/1129_preprocess_bro_rfb.conf
rename to salt/logstash/pipelines/config/1129_preprocess_bro_rfb.conf
diff --git a/salt/logstash/conf/pipelines/helix/1130_preprocess_bro_dnp3.conf b/salt/logstash/pipelines/config/1130_preprocess_bro_dnp3.conf
similarity index 100%
rename from salt/logstash/conf/pipelines/helix/1130_preprocess_bro_dnp3.conf
rename to salt/logstash/pipelines/config/1130_preprocess_bro_dnp3.conf
diff --git a/salt/logstash/conf/pipelines/helix/1131_preprocess_bro_smb_files.conf b/salt/logstash/pipelines/config/1131_preprocess_bro_smb_files.conf
similarity index 100%
rename from salt/logstash/conf/pipelines/helix/1131_preprocess_bro_smb_files.conf
rename to salt/logstash/pipelines/config/1131_preprocess_bro_smb_files.conf
diff --git a/salt/logstash/conf/pipelines/helix/1132_preprocess_bro_smb_mapping.conf b/salt/logstash/pipelines/config/1132_preprocess_bro_smb_mapping.conf
similarity index 100%
rename from salt/logstash/conf/pipelines/helix/1132_preprocess_bro_smb_mapping.conf
rename to salt/logstash/pipelines/config/1132_preprocess_bro_smb_mapping.conf
diff --git a/salt/logstash/conf/pipelines/helix/1133_preprocess_bro_ntlm.conf b/salt/logstash/pipelines/config/1133_preprocess_bro_ntlm.conf
similarity index 100%
rename from salt/logstash/conf/pipelines/helix/1133_preprocess_bro_ntlm.conf
rename to salt/logstash/pipelines/config/1133_preprocess_bro_ntlm.conf
diff --git a/salt/logstash/conf/pipelines/helix/1134_preprocess_bro_dce_rpc.conf b/salt/logstash/pipelines/config/1134_preprocess_bro_dce_rpc.conf
similarity index 100%
rename from salt/logstash/conf/pipelines/helix/1134_preprocess_bro_dce_rpc.conf
rename to salt/logstash/pipelines/config/1134_preprocess_bro_dce_rpc.conf
diff --git a/salt/logstash/conf/pipelines/6000_bro.conf b/salt/logstash/pipelines/config/6000_bro.conf
similarity index 100%
rename from salt/logstash/conf/pipelines/6000_bro.conf
rename to salt/logstash/pipelines/config/6000_bro.conf
diff --git a/salt/logstash/conf/pipelines/6001_bro_import.conf b/salt/logstash/pipelines/config/6001_bro_import.conf
similarity index 100%
rename from salt/logstash/conf/pipelines/6001_bro_import.conf
rename to salt/logstash/pipelines/config/6001_bro_import.conf
diff --git a/salt/logstash/conf/pipelines/8000_postprocess_bro_cleanup.conf b/salt/logstash/pipelines/config/8000_postprocess_bro_cleanup.conf
similarity index 100%
rename from salt/logstash/conf/pipelines/8000_postprocess_bro_cleanup.conf
rename to salt/logstash/pipelines/config/8000_postprocess_bro_cleanup.conf
diff --git a/salt/logstash/conf/pipelines/8006_postprocess_dns.conf b/salt/logstash/pipelines/config/8006_postprocess_dns.conf
similarity index 100%
rename from salt/logstash/conf/pipelines/8006_postprocess_dns.conf
rename to salt/logstash/pipelines/config/8006_postprocess_dns.conf
diff --git a/salt/logstash/pipelines/config/9000_output_bro.conf.jinja b/salt/logstash/pipelines/config/9000_output_bro.conf.jinja
index 2beafc8be..553500281 100644
--- a/salt/logstash/pipelines/config/9000_output_bro.conf.jinja
+++ b/salt/logstash/pipelines/config/9000_output_bro.conf.jinja
@@ -1,6 +1,5 @@
 {%- if grains['role'] == 'so-eval' -%}
 {%- set ES = salt['pillar.get']('master:mainip', '') -%}
-{%- set NAME = grains.host -%}
 {%- else %}
 {%- set ES = salt['pillar.get']('node:mainip', '') -%}
 {%- endif %}
@@ -13,7 +12,7 @@
 filter {
   if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
     mutate {
-	  add_field => { "sensor_name" => "{{ NAME }}" }
+	  ##add_tag => [ "conf_file_9000"]
 	}
   }
 }
diff --git a/salt/logstash/pipelines/config/9100_output_osquery.conf.jinja b/salt/logstash/pipelines/config/9100_output_osquery.conf.jinja
index 132f0eb66..e95119562 100644
--- a/salt/logstash/pipelines/config/9100_output_osquery.conf.jinja
+++ b/salt/logstash/pipelines/config/9100_output_osquery.conf.jinja
@@ -3,24 +3,11 @@
 {%- else %}
 {%- set ES = salt['pillar.get']('node:mainip', '') -%}
 {%- endif %}
-# Author: Security Onion Solutions
-# Last Update: 2/3/2020
-# Output to ES for osquery tagged logs - EVAL install
+# Author: Josh Brower
+# Last Update: 12/29/2018
+# Output to ES for osquery tagged logs
 
 
-filter {
-    if "osquery" in [tags] {
-    mutate {
-      rename => { "host" => "beat_host" }
-      remove_tag => ["beat"]
-                }
-   json {
-    source => "message"
-    target => "osquery"
-        }
-  }
-}
-
 output {
   if "osquery" in [tags] {
     elasticsearch {
@@ -29,4 +16,4 @@ output {
       template => "/logstash-template.json"
     }
   }
-}
+}
\ No newline at end of file
diff --git a/salt/logstash/pipelines/config/9400_output_suricata.conf.jinja b/salt/logstash/pipelines/config/9400_output_suricata.conf.jinja
index 1de235444..4bffd7f0a 100644
--- a/salt/logstash/pipelines/config/9400_output_suricata.conf.jinja
+++ b/salt/logstash/pipelines/config/9400_output_suricata.conf.jinja
@@ -1,6 +1,5 @@
 {%- if grains['role'] == 'so-eval' -%}
 {%- set ES = salt['pillar.get']('master:mainip', '') -%}
-{%- set NAME = grains.host -%}
 {%- else %}
 {%- set ES = salt['pillar.get']('node:mainip', '') -%}
 {%- endif %}
@@ -12,7 +11,7 @@
 filter {
   if [event_type] == "suricata" and "test_data" not in [tags] {
     mutate {
-	  add_field => { "sensor_name" => "{{ NAME }}" }
+	  ##add_tag => [ "conf_file_9400"]
 	}
   }
 }
diff --git a/salt/logstash/pipelines/config/9700_ouptut_strelka.conf.jinja b/salt/logstash/pipelines/config/9700_ouptut_strelka.conf.jinja
deleted file mode 100644
index c562cedc7..000000000
--- a/salt/logstash/pipelines/config/9700_ouptut_strelka.conf.jinja
+++ /dev/null
@@ -1,30 +0,0 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('master:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('node:mainip', '') -%}
-{%- endif %}
-# Author: Justin Henderson
-#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-
-filter {
-  if [event_type] =~ "strelka" {
-    mutate {
-          ##add_tag => [ "conf_file_9000"]
-        }
-  }
-}
-output {
-  if [event_type] =~ "strelka" {
-    elasticsearch {
-      hosts => "{{ ES }}"
-      index => "logstash-strelka-%{+YYYY.MM.dd}"
-      template_name => "logstash-strelka"
-      template => "/logstash-strelka-template.json"
-      template_overwrite => true
-    }
-  }
-}
-
diff --git a/salt/logstash/conf/pipelines/eval/templates/9700_ouptut_strelka.conf b/salt/logstash/pipelines/config/9700_output_strelka.conf.jinja
similarity index 100%
rename from salt/logstash/conf/pipelines/eval/templates/9700_ouptut_strelka.conf
rename to salt/logstash/pipelines/config/9700_output_strelka.conf.jinja
diff --git a/salt/logstash/conf/pipelines/helix/templates/9997_output_helix.conf b/salt/logstash/pipelines/config/9997_output_helix.conf.jinja
similarity index 100%
rename from salt/logstash/conf/pipelines/helix/templates/9997_output_helix.conf
rename to salt/logstash/pipelines/config/9997_output_helix.conf.jinja
diff --git a/salt/logstash/conf/pipelines/master/templates/9999_output_redis.conf b/salt/logstash/pipelines/config/9999_output_redis.conf.jinja
similarity index 100%
rename from salt/logstash/conf/pipelines/master/templates/9999_output_redis.conf
rename to salt/logstash/pipelines/config/9999_output_redis.conf.jinja