Pull in upstream changes

2025-12-19 07:23:06 +01:00 · 2023-01-27 07:53:53 -05:00
parent 29aa6dceed 83aad48e3a
commit a71cbcfc9b
174 changed files with 549 additions and 615 deletions
--- a/.github/workflows/pythontest.yml
+++ b/.github/workflows/pythontest.yml
@@ -1,6 +1,12 @@
 name: python-test
-on: [push, pull_request]
+on:
  push:
    paths: 
      - "salt/sensoroni/files/analyzers/**"
  pull_request:
    paths:
      - "salt/sensoroni/files/analyzers/**"
 jobs:
  build:
--- a/pillar/logstash/manager.sls
+++ b/pillar/logstash/manager.sls
@@ -2,9 +2,7 @@ logstash:
  pipelines:
    manager:
      config:
        - so/0009_input_beats.conf      
        - so/0010_input_hhbeats.conf
        - so/0011_input_endgame.conf
        - so/0012_input_elastic_agent.conf     
        - so/9999_output_redis.conf.jinja
-        
+        
--- a/pillar/logstash/receiver.sls
+++ b/pillar/logstash/receiver.sls
@@ -2,8 +2,7 @@ logstash:
  pipelines:
    receiver:
      config:
        - so/0009_input_beats.conf      
        - so/0010_input_hhbeats.conf
        - so/0011_input_endgame.conf
        - so/0012_input_elastic_agent.conf
        - so/9999_output_redis.conf.jinja
-        
+        
--- a/pillar/logstash/search.sls
+++ b/pillar/logstash/search.sls
@@ -3,16 +3,5 @@ logstash:
    search:
      config:
        - so/0900_input_redis.conf.jinja
        - so/9000_output_zeek.conf.jinja
        - so/9002_output_import.conf.jinja
        - so/9034_output_syslog.conf.jinja
        - so/9050_output_filebeatmodules.conf.jinja
        - so/9100_output_osquery.conf.jinja  
        - so/9400_output_suricata.conf.jinja
        - so/9500_output_beats.conf.jinja
        - so/9600_output_ossec.conf.jinja
        - so/9700_output_strelka.conf.jinja
        - so/9800_output_logscan.conf.jinja
        - so/9801_output_rita.conf.jinja
        - so/9805_output_elastic_agent.conf.jinja
        - so/9900_output_endgame.conf.jinja
--- a/pillar/node_data/ips.sls
+++ b/pillar/node_data/ips.sls
@@ -1,7 +1,5 @@
 {% set node_types = {} %}
 {% set manage_alived = salt.saltutil.runner('manage.alived', show_ip=True) %}
 {% set manager = grains.master %}
 {% set manager_type = manager.split('_')|last %}
 {% for minionid, ip in salt.saltutil.runner('mine.get', tgt='*', fun='network.ip_addrs', tgt_type='glob') | dictsort() %}
 {%   set hostname = minionid.split('_')[0] %}
 {%   set node_type = minionid.split('_')[1] %}
@@ -24,10 +22,10 @@
 node_data:
 {% for node_type, host_values in node_types.items() %}
  {{node_type}}:
 {%   for hostname, details in host_values.items() %}
-    {{hostname}}:
+  {{hostname}}:
-      ip: {{details.ip}}
+    ip: {{details.ip}}
-      alive: {{ details.alive }}
+    alive: {{ details.alive }}
    role: {{node_type}}
 {%   endfor %}
 {% endfor %}
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -10,6 +10,7 @@ base:
    - sensoroni.adv_sensoroni
    - telegraf.soc_telegraf
    - telegraf.adv_telegraf
    - node_data.ips
  '* and not *_eval and not *_import':
    - logstash.nodes
@@ -23,11 +24,15 @@ base:
    - logstash
    - logstash.manager
    - logstash.search
    - logstash.soc_logstash
    - logstash.adv_logstash
    - elasticsearch.index_templates
  '*_manager':
    - logstash
    - logstash.manager
    - logstash.soc_logstash
    - logstash.adv_logstash
    - elasticsearch.index_templates
  '*_manager or *_managersearch':
@@ -51,6 +56,8 @@ base:
    - redis.adv_redis
    - influxdb.soc_influxdb
    - influxdb.adv_influxdb
    - elasticsearch.soc_elasticsearch
    - elasticsearch.adv_elasticsearch
    - backup.soc_backup
    - backup.adv_backup
    - minions.{{ grains.id }}
@@ -76,6 +83,7 @@ base:
    - soc_global
    - kratos.soc_kratos
    - elasticsearch.soc_elasticsearch
    - elasticsearch.adv_elasticsearch
    - manager.soc_manager
    - soc.soc_soc
    - kratos.soc_kratos
@@ -94,6 +102,7 @@ base:
    - logstash.manager
    - logstash.search
    - logstash.soc_logstash
    - logstash.adv_logstash
    - elasticsearch.index_templates
    {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
    - elasticsearch.auth
@@ -111,6 +120,7 @@ base:
    - influxdb.soc_influxdb
    - influxdb.adv_influxdb
    - elasticsearch.soc_elasticsearch
    - elasticsearch.adv_elasticsearch
    - manager.soc_manager
    - soc.soc_soc
    - backup.soc_backup
@@ -134,6 +144,8 @@ base:
  '*_searchnode':
    - logstash
    - logstash.search
    - logstash.soc_logstash
    - logstash.adv_logstash
    - elasticsearch.index_templates
    {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
    - elasticsearch.auth
@@ -148,6 +160,8 @@ base:
  '*_receiver':
    - logstash
    - logstash.receiver
    - logstash.soc_logstash
    - logstash.adv_logstash
    {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
    - elasticsearch.auth
    {% endif %}
@@ -169,6 +183,7 @@ base:
    {% endif %}
    - kratos.soc_kratos
    - elasticsearch.soc_elasticsearch
    - elasticsearch.adv_elasticsearch
    - manager.soc_manager
    - soc.soc_soc
    - soc_global
--- a/salt/allowed_states.map.jinja
+++ b/salt/allowed_states.map.jinja
@@ -107,7 +107,8 @@
          'zeek',
          'schedule',
          'tcpreplay',
-          'docker_clean'
+          'docker_clean',
          'elastic-fleet'
          ],
      'so-manager': [
          'salt.master',
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -218,6 +218,11 @@ sostatus_check_cron:
    - month: '*'
    - dayweek: '*'
 remove_post_setup_cron:
  cron.absent:
    - name: 'salt-call state.highstate'
    - identifier: post_setup_cron
 {% if GLOBALS.role not in ['eval', 'manager', 'managersearch', 'standalone'] %}
 soversionfile:
--- a/salt/common/packages.sls
+++ b/salt/common/packages.sls
@@ -1,6 +1,33 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
-{% if GLOBALS.os != 'CentOS' %}     
+{% if GLOBALS.os == 'Ubuntu' %}
 commonpkgs:
  pkg.installed:
    - skip_suggestions: True
    - pkgs:
      - chrony
      - apache2-utils
      - wget
      - ntpdate
      - jq
      - python3-docker
      - curl
      - ca-certificates
      - software-properties-common
      - apt-transport-https
      - openssl
      - netcat
      - python3-mysqldb
      - sqlite3
      - libssl-dev
      - python3-dateutil
      - python3-m2crypto
      - python3-mysqldb
      - python3-packaging
      - python3-lxml
      - git
      - vim
 {% elif GLOBALS.os == 'Rocky' %}     
 commonpkgs:
  pkg.installed:
    - skip_suggestions: True
--- a/salt/common/tools/sbin/so-elastic-fleet-agent-policy-delete
+++ b/salt/common/tools/sbin/so-elastic-fleet-agent-policy-delete
@@ -1,4 +1,9 @@
 #/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 . /usr/sbin/so-common
 POLICY_ID=$1
--- a/salt/common/tools/sbin/so-elastic-fleet-agent-policy-list
+++ b/salt/common/tools/sbin/so-elastic-fleet-agent-policy-list
@@ -1,4 +1,9 @@
 #/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 . /usr/sbin/so-common
 # Let's snag a cookie from Kibana
--- a/salt/common/tools/sbin/so-elastic-fleet-agent-policy-view
+++ b/salt/common/tools/sbin/so-elastic-fleet-agent-policy-view
@@ -1,4 +1,9 @@
 #/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 . /usr/sbin/so-common
 POLICY_ID=$1
--- a/salt/common/tools/sbin/so-elastic-fleet-data-streams-list
+++ b/salt/common/tools/sbin/so-elastic-fleet-data-streams-list
@@ -1,4 +1,9 @@
 #/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 . /usr/sbin/so-common
 # Let's snag a cookie from Kibana
--- a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-bulk-delete
+++ b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-bulk-delete
@@ -0,0 +1,23 @@
 #/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 . /usr/sbin/so-common
 POLICY_ID=$1
 # Let's snag a cookie from Kibana
 SESSIONCOOKIE=$(curl -q -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}')
 # Get integration policies relative to agent policy
 INTEGRATION_POLICY_IDS=$(curl -q -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/agent_policies/$POLICY_ID" | jq -r '.item.package_policies[].id')
 for i in $INTEGRATION_POLICY_IDS; do
  # Delete integration policies
  echo "Deleting integration policy: $i..."
  curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies/delete" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d"{\"packagePolicyIds\": [\"$i\"], \"force\":true}";
  echo
  echo
 done
--- a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-delete
+++ b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-delete
@@ -1,4 +1,9 @@
 #/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 . /usr/sbin/so-common
 POLICY_ID=$1
--- a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-list
+++ b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-list
@@ -1,4 +1,9 @@
 #/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 . /usr/sbin/so-common
 # Let's snag a cookie from Kibana
--- a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load
+++ b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load
@@ -1,4 +1,8 @@
 #/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 . /usr/sbin/so-common
@@ -17,68 +21,76 @@ echo
 echo "Setting up default Security Onion package policies for Elastic Agent..."
 # Set up Suricata logs
 echo
 echo "Setting up Suricata package policy..."
-curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "suricata-logs", "name": "suricata-logs", "description": "Suricata integration", "namespace": "suricata_so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/nsm/suricata/eve*.json" ], "data_stream.dataset": "alert", "tags": [],"processors": "- add_fields:\n    target: event\n    fields:\n      category: network\n      module: suricata", "custom": "pipeline: suricata.common" }}}}}}'
+curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "suricata-logs", "name": "suricata-logs", "description": "Suricata integration", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/nsm/suricata/eve*.json" ], "data_stream.dataset": "suricata", "tags": [],"processors": "- add_fields:\n    target: event\n    fields:\n      category: network\n      module: suricata", "custom": "pipeline: suricata.common" }}}}}}'
 # Import - Suricata
 echo "Settings up Suricata import package policy..."
 curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "import-suricata-logs", "name": "import-suricata-logs", "description": "Import Suricata logs", "namespace": "import_so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": ["/nsm/import/*/suricata/eve*.json"], "data_stream.dataset": "alert", "tags": ["import"], "processors": "- add_fields:\n    target: event\n    fields:\n      category: file\n      module: suricata\n      imported: true\n- dissect:\n      tokenizer: \"/nsm/import/%{import.id}/suricata/%{import.file}\"\n      field: \"log.file.path\"\n      target_prefix: \"\"", "custom": "pipeline: suricata.common" } } } } } }'
 # Zeek logs
 {%- if grains['role'] in ['so-eval', 'so-standalone', 'so-sensor',  'so-helix', 'so-heavynode', 'so-import'] %}
  {%- if ZEEKVER != 'SURICATA' %}
    {% import_yaml 'filebeat/defaults.yaml' as FBD with context %}
    {% set FBCONFIG = salt['pillar.get']('filebeat:zeek_logs_enabled', default=FBD.filebeat, merge=True) %}
    {%- for LOGNAME in FBCONFIG.zeek_logs_enabled %}
 # Set up Zeek {{ LOGNAME }} logs
 echo "Setting up Zeek {{ LOGNAME }} package policy..."
 curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "name": "zeek-{{ LOGNAME }}", "description": "Zeek {{ LOGNAME }} logs", "namespace": "zeek_so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/nsm/zeek/logs/current/{{ LOGNAME }}.log" ], "data_stream.dataset": "{{ LOGNAME }}", "tags": [], "processors": "- add_fields:\n    target: event\n    fields:\n      category: network\n      module: zeek", "custom": "pipeline: zeek.{{ LOGNAME }}" }}}}}}'
 echo
-echo "Setting up Zeek import {{ LOGNAME }} package policy..."
+# Set up Zeek logs
-curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "import-zeek-{{ LOGNAME }}-logs", "name": "import-zeek-{{ LOGNAME }}-logs", "description": "Import Zeek {{ LOGNAME }} logs", "namespace": "import_so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": ["/nsm/import/*/zeek/logs/{{ LOGNAME }}.log"], "data_stream.dataset": "{{ LOGNAME }}", "tags": ["import"], "processors": "- add_fields:\n    target: event\n    fields:\n      category: file\n      module: suricata\n      imported: true", "custom": "pipeline: zeek.{{ LOGNAME }}" } } } } } }'
+echo
 echo "Setting up Zeek package policy..."
 curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "name": "zeek-logs", "description": "Zeek logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": ["/nsm/zeek/logs/current/*.log"], "data_stream.dataset": "zeek", "tags": [], "processors": "- dissect:\n    tokenizer: \"/nsm/zeek/logs/current/%{pipeline}.log\"\n    field: \"log.file.path\"\n    trim_chars: \".log\"\n    target_prefix: \"\"\n- script:\n      lang: javascript\n      source: >\n        function process(event) {\n          var pl = event.Get(\"pipeline\");\n          event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n        }\n- add_fields:\n    target: event\n    fields:\n      category: network\n      module: zeek\n- add_tags:\n    tags: \"ics\"\n    when:\n      regexp:\n        pipeline: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"", "custom": "prospector.scanner.exclude_files: [\"(broker | capture_loss | loaded_scripts | packet_filter | stats | stderr | stdout).log$\"]\n" } } } } } }'
 echo
-    {%- endfor %}
+# Import - Suricata
-  {%- endif %}
+echo
-{%- endif %}
+echo "Settings up Suricata import package policy..."
 curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "import-suricata-logs", "name": "import-suricata-logs", "description": "Import Suricata logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": ["/nsm/import/*/suricata/eve*.json"], "data_stream.dataset": "import", "tags": [], "processors": "- add_fields:\n    target: event\n    fields:\n      category: file\n      module: suricata\n      imported: true\n- dissect:\n      tokenizer: \"/nsm/import/%{import.id}/suricata/%{import.file}\"\n      field: \"log.file.path\"\n      target_prefix: \"\"", "custom": "pipeline: suricata.common" } } } } } }'
 echo
 # Set Import - Zeek logs
 echo
 echo "Setting up Zeek Import package policy..."
 curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "name": "import-zeek-logs", "description": "Zeek Import logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": ["/nsm/import/*/zeek/logs/*.log"], "data_stream.dataset": "import", "tags": [], "processors": "- dissect:\n    tokenizer: \"/nsm/import/%{import.id}/zeek/logs/%{import.file}\"\n    field: \"log.file.path\"\n    target_prefix: \"\"\n- script:\n      lang: javascript\n      source: >\n        function process(event) {\n          var pl = event.Get(\"import.file\").slice(0,-4);\n          event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n        }\n- add_fields:\n    target: event\n    fields:\n      category: network\n      module: zeek\n      imported: true\n- add_tags:\n    tags: \"ics\"\n    when:\n      regexp:\n        pipeline: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"" } } } } } }'
 # Strelka logs
 echo "Setting up Strelka package policy"
-curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "strelka-logs", "name": "strelka-logs", "description": "Strelka logs", "namespace": "strelka_so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/nsm/strelka/log/strelka.log" ], "data_stream.dataset": "file", "tags": [],"processors": "- add_fields:\n    target: event\n    fields:\n      category: file\n      module: strelka", "custom": "pipeline: strelka.file" }}}}}}'
+curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "strelka-logs", "name": "strelka-logs", "description": "Strelka logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/nsm/strelka/log/strelka.log" ], "data_stream.dataset": "file", "tags": [],"processors": "- add_fields:\n    target: event\n    fields:\n      category: file\n      module: strelka", "custom": "pipeline: strelka.file" }}}}}}'
 echo
 # Syslog TCP Port 514
 echo
 echo "Setting up Syslog TCP package policy..."
-curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{ "policy_id": "so-grid-nodes", "package": { "name": "tcp", "version": "1.5.0" }, "id": "syslog-tcp-514", "name": "syslog-tcp-514", "description": "Syslog Over TCP Port 514", "namespace": "syslog_so", "inputs": { "tcp-tcp": { "enabled": true, "streams": { "tcp.generic": { "enabled": true, "vars": { "listen_address": "0.0.0.0", "listen_port": "514", "data_stream.dataset": "syslog", "pipeline": "syslog", "processors": "- add_fields:\n    target: event\n    fields:\n      module: syslog", "tags": [ "syslog" ], "syslog_options": "field: message\n#format: auto\n#timezone: Local" } } } } } }'
+curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{ "policy_id": "so-grid-nodes", "package": { "name": "tcp", "version": "1.5.0" }, "id": "syslog-tcp-514", "name": "syslog-tcp-514", "description": "Syslog Over TCP Port 514", "namespace": "so", "inputs": { "tcp-tcp": { "enabled": true, "streams": { "tcp.generic": { "enabled": true, "vars": { "listen_address": "0.0.0.0", "listen_port": "514", "data_stream.dataset": "syslog", "pipeline": "syslog", "processors": "- add_fields:\n    target: event\n    fields:\n      module: syslog", "tags": [ "syslog" ], "syslog_options": "field: message\n#format: auto\n#timezone: Local" } } } } } }'
 echo
 # Syslog UDP Port 514
 echo
 echo "Setting up Syslog UDP package policy..."
-curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{ "policy_id": "so-grid-nodes", "package": { "name": "udp", "version": "1.5.0" }, "id": "syslog-udp-514", "name": "syslog-udp-514", "description": "Syslog over UDP Port 514", "namespace": "syslog_so", "inputs": { "udp-udp": { "enabled": true, "streams": { "udp.generic": { "enabled": true, "vars": { "listen_address": "0.0.0.0", "listen_port": "514", "data_stream.dataset": "syslog", "pipeline": "syslog", "max_message_size": "10KiB", "keep_null": false, "processors": "- add_fields:\n    target: event\n    fields: \n      module: syslog\n", "tags": [ "syslog" ], "syslog_options": "field: message\n#format: auto\n#timezone: Local" } } } } } }'
+curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{ "policy_id": "so-grid-nodes", "package": { "name": "udp", "version": "1.5.0" }, "id": "syslog-udp-514", "name": "syslog-udp-514", "description": "Syslog over UDP Port 514", "namespace": "so", "inputs": { "udp-udp": { "enabled": true, "streams": { "udp.generic": { "enabled": true, "vars": { "listen_address": "0.0.0.0", "listen_port": "514", "data_stream.dataset": "syslog", "pipeline": "syslog", "max_message_size": "10KiB", "keep_null": false, "processors": "- add_fields:\n    target: event\n    fields: \n      module: syslog\n", "tags": [ "syslog" ], "syslog_options": "field: message\n#format: auto\n#timezone: Local" } } } } } }'
 echo
 # Kratos logs
 echo
 echo "Setting up Kratos package policy..."
-curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "kratos-logs", "name": "kratos-logs", "description": "Kratos logs", "namespace": "kratos_so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/opt/so/log/kratos/kratos.log" ], "data_stream.dataset": "access", "tags": [],"processors": "- decode_json_fields:\n    fields: [\"message\"]\n    target: \"\"\n    add_error_key: true\n- rename:\n    fields:\n      - from: \"audience\"\n        to: \"event.dataset\"\n    ignore_missing: true\n- add_fields:\n    when:\n      not: \n        has_fields: ['event.dataset']\n    target: ''\n    fields:\n      event.dataset: access", "custom": "pipeline: kratos" }}}}}}'
+curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "kratos-logs", "name": "kratos-logs", "description": "Kratos logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/opt/so/log/kratos/kratos.log" ], "data_stream.dataset": "kratos", "tags": [],"processors": "- decode_json_fields:\n    fields: [\"message\"]\n    target: \"\"\n    add_error_key: true\n- rename:\n    fields:\n      - from: \"audience\"\n        to: \"event.dataset\"\n    ignore_missing: true\n- add_fields:\n    when:\n      not: \n        has_fields: ['event.dataset']\n    target: ''\n    fields:\n      event.dataset: access", "custom": "pipeline: kratos" }}}}}}'
 echo
-# RITA Beacon logs
+# RITA Logs
-echo "Setting up RITA Beacon package policy..."
+#echo
-curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "rita-beacon-logs", "name": "rita-beacon-logs", "description": "RITA Beacon logs", "namespace": "rita_so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/nsm/rita/beacons.csv" ], "data_stream.dataset": "beacon", "tags": [],"processors": "- add_fields:\n    target: event\n    fields:\n      category: network\n      module: rita", "custom": "pipeline: rita.beacon" }}}}}}'
+#echo "Setting up RITA package policy..."
-
+#curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "rita-logs", "name": "rita-logs", "description": "RITA Beacon logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/nsm/rita/beacons.csv", "/nsm/rita/long-connections.csv", "/nsm/rita/short-connections.csv", "/nsm/rita/exploded-dns.csv" ], "data_stream.dataset": "rita", "tags": [], "processors": "- add_fields:\n    target: event\n    fields:\n      category: network\n      module: rita\n- if:\n    log.file.path: beacons.csv\n  then: \n    - add_fields:\n        target: \"@metadata\"\n        fields:\n          pipeline: rita.beacon\n- if:\n    regexp:\n      log.file.path: \"*connections.csv\"\n  then: \n    - add_fields:\n        target: \"@metadata\"\n        fields:\n          pipeline: rita.connection\n- if:\n    log.file.path: \"exploded-dns.csv\"\n  then: \n    - add_fields:\n        target: \"@metadata\"\n        fields:\n          pipeline: rita.dns" }}}}}}'
-# RITA Connection Logs
+#echo
 echo "Setting up RITA connection  package policy..."
 curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "rita-connection-logs", "name": "rita-connection-logs", "description": "RITA Connection logs", "namespace": "rita_so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/nsm/rita/long-connections.csv" ], "data_stream.dataset": "connections", "tags": [],"processors": "- add_fields:\n    target: event\n    fields:\n      category: network\n      module: rita", "custom": "pipeline: rita.connections" }}}}}}'
 # RITA DNS Logs
 echo "Setting up RITA DNS package policy..."
 curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "rita-exploded-dns-logs", "name": "rita-exploded-dns-logs", "description": "RITA Exploded DNS logs", "namespace": "rita_so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/nsm/rita/exploded-dns.csv" ], "data_stream.dataset": "exploded_dns", "tags": [],"processors": "- add_fields:\n    target: event\n    fields:\n      category: network\n      module: rita", "custom": "pipeline: rita.dns" }}}}}}'
 # Elasticsearch logs
 echo
 echo "Seting up Elasticsearch package policy..."
 curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "elasticsearch", "version": "1.0.0" }, "id": "elasticsearch-logs", "name": "elasticsearch-logs", "description": "Elasticsearch Logs", "namespace": "default", "inputs": { "elasticsearch-logfile": { "enabled": true, "streams": { "elasticsearch.audit": { "enabled": false, "vars": { "paths": [ "/var/log/elasticsearch/*_audit.json" ] } }, "elasticsearch.deprecation": { "enabled": false, "vars": { "paths": [ "/var/log/elasticsearch/*_deprecation.json" ] } }, "elasticsearch.gc": { "enabled": false, "vars": { "paths": [ "/var/log/elasticsearch/gc.log.[0-9]*", "/var/log/elasticsearch/gc.log" ] } }, "elasticsearch.server": { "enabled": true, "vars": { "paths": [ "/opt/so/log/elasticsearch/*.log" ] } }, "elasticsearch.slowlog": { "enabled": false, "vars": { "paths": [ "/var/log/elasticsearch/*_index_search_slowlog.json", "/var/log/elasticsearch/*_index_indexing_slowlog.json" ] } } } }, "elasticsearch-elasticsearch/metrics": { "enabled": false, "vars": { "hosts": [ "http://localhost:9200" ], "scope": "node" }, "streams": { "elasticsearch.stack_monitoring.ccr": { "enabled": false }, "elasticsearch.stack_monitoring.cluster_stats": { "enabled": false }, "elasticsearch.stack_monitoring.enrich": { "enabled": false }, "elasticsearch.stack_monitoring.index": { "enabled": false }, "elasticsearch.stack_monitoring.index_recovery": { "enabled": false, "vars": { "active.only": true } }, "elasticsearch.stack_monitoring.index_summary": { "enabled": false }, "elasticsearch.stack_monitoring.ml_job": { "enabled": false }, "elasticsearch.stack_monitoring.node": { "enabled": false }, "elasticsearch.stack_monitoring.node_stats": { "enabled": false }, "elasticsearch.stack_monitoring.pending_tasks": { "enabled": false }, "elasticsearch.stack_monitoring.shard": { "enabled": false } } } } }'
 echo
 # Logstash logs
 echo
 echo "Setting up Logstash package policy..."
 curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "logstash", "version": "2.0.0" }, "id": "logstash-logs", "name": "logstash-logs", "description": "Logstash logs", "namespace": "default", "inputs": { "logstash-logfile": { "enabled": true, "streams": { "logstash.log": { "enabled": true, "vars": { "paths": [ "/opt/so/logs/logstash/logstash.log" ] } }, "logstash.slowlog": { "enabled": false, "vars": { "paths": [ "/var/log/logstash/logstash-slowlog-plain*.log", "/var/log/logstash/logstash-slowlog-json*.log" ] } } } }, "logstash-logstash/metrics": { "enabled": false, "vars": { "hosts": [ "http://localhost:9600" ], "period": "10s" }, "streams": { "logstash.stack_monitoring.node": { "enabled": false }, "logstash.stack_monitoring.node_stats": { "enabled": false } } } } }'
 echo
 # Kibana logs
 echo
 echo "Setting up Kibana package policy..."
 curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "kibana", "version": "2.0.0" }, "id": "kibana-logs", "name": "kibana-logs", "description": "Kibana logs", "namespace": "default", "inputs": { "kibana-logfile": { "enabled": true, "streams": { "kibana.audit": { "enabled": false, "vars": { "paths": [ "/opt/so/log/kibana/kibana.log" ] } }, "kibana.log": { "enabled": true, "vars": { "paths": [ "/opt/so/log/kibana/kibana.log" ] } } } }, "kibana-kibana/metrics": { "enabled": false, "vars": { "hosts": [ "http://localhost:5601" ] }, "streams": { "kibana.stack_monitoring.cluster_actions": { "enabled": false }, "kibana.stack_monitoring.cluster_rules": { "enabled": false }, "kibana.stack_monitoring.node_actions": { "enabled": false }, "kibana.stack_monitoring.node_rules": { "enabled": false }, "kibana.stack_monitoring.stats": { "enabled": false }, "kibana.stack_monitoring.status": { "enabled": false } } } } }'
 echo
 # Redis logs
 echo
 echo "Setting up Redis package policy..."
 curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "redis", "version": "1.4.0" }, "id": "redis-logs", "name": "redis-logs", "description": "Redis logs", "namespace": "default", "inputs": { "redis-logfile": { "enabled": true, "streams": { "redis.log": { "enabled": true, "vars": { "paths": [ "/opt/so/log/redis/redis.log" ], "tags": [ "redis-log" ], "preserve_original_event": false } } } }, "redis-redis": { "enabled": false, "streams": { "redis.slowlog": { "enabled": false, "vars": { "hosts": [ "127.0.0.1:6379" ], "password": "" } } } }, "redis-redis/metrics": { "enabled": false, "vars": { "hosts": [ "127.0.0.1:6379" ], "idle_timeout": "20s", "maxconn": 10, "network": "tcp", "password": "" }, "streams": { "redis.info": { "enabled": false, "vars": { "period": "10s" } }, "redis.key": { "enabled": false, "vars": { "key.patterns": "- limit: 20\n  pattern: '*'\n", "period": "10s" } }, "redis.keyspace": { "enabled": false, "vars": { "period": "10s" } } } } } }'
 echo
--- a/salt/common/tools/sbin/so-elastic-fleet-setup
+++ b/salt/common/tools/sbin/so-elastic-fleet-setup
@@ -19,10 +19,22 @@ printf "\n"
 curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/settings" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d  '{"fleet_server_hosts":["https://{{ GLOBALS.manager_ip }}:8220"]}'
 printf "\n\n"
-# Create Logstash Output payload
+# Configure certificates
 mkdir -p /opt/so/conf/elastic-fleet/certs
 cp /etc/ssl/certs/intca.crt /opt/so/conf/elastic-fleet/certs
 cp /etc/pki/elasticfleet* /opt/so/conf/elastic-fleet/certs
 {% if grains.role == 'so-import' %}
 # Add SO-Manager Elasticsearch Ouput
 ESCACRT=$(openssl x509 -in  /opt/so/conf/elastic-fleet/certs/intca.crt)
 JSON_STRING=$( jq -n \
                  --arg ESCACRT "$ESCACRT" \
                  '{"name":"so-manager_elasticsearch2","id":"so-manager_elasticsearch2","type":"elasticsearch","hosts":["https://{{ GLOBALS.manager_ip }}:9200"],"is_default":true,"is_default_monitoring":true,"config_yaml":"","ssl":{"certificate_authorities": [$ESCACRT]}}' )
 curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/outputs" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
 printf "\n\n"
 {% else %}
 # Create Logstash Output payload
 LOGSTASHCRT=$(openssl x509 -in /opt/so/conf/elastic-fleet/certs/elasticfleet.crt)
 LOGSTASHKEY=$(openssl rsa -in  /opt/so/conf/elastic-fleet/certs/elasticfleet.key)
 LOGSTASHCA=$(openssl x509 -in  /opt/so/conf/elastic-fleet/certs/intca.crt)
@@ -30,12 +42,13 @@ JSON_STRING=$( jq -n \
                  --arg LOGSTASHCRT "$LOGSTASHCRT" \
                  --arg LOGSTASHKEY "$LOGSTASHKEY" \
                  --arg LOGSTASHCA "$LOGSTASHCA" \
-                  '{"name":"so-manager_logstash","id":"so-manager_logstash","type":"logstash","hosts":["{{ GLOBALS.manager_ip }}:5055"],"is_default":true,"is_default_monitoring":true,"config_yaml":"","ssl":{"certificate": $LOGSTASHCRT,"key": $LOGSTASHKEY,"certificate_authorities":[ $LOGSTASHCA ]}}'                
+                  '{"name":"so-manager_logstash","id":"so-manager_logstash","type":"logstash","hosts":["{{ GLOBALS.manager_ip }}:5055"],"is_default":true,"is_default_monitoring":true,"config_yaml":"","ssl":{"certificate": $LOGSTASHCRT,"key": $LOGSTASHKEY,"certificate_authorities":[ $LOGSTASHCA ]}}'
                  )
 # Add SO-Manager Logstash Ouput
 curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/outputs" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
 printf "\n\n"
 {%- endif %}
 # Add Elastic Fleet Integrations
--- a/salt/common/tools/sbin/so-image-common
+++ b/salt/common/tools/sbin/so-image-common
@@ -36,7 +36,9 @@ container_list() {
      "so-steno"
      "so-suricata"
      "so-telegraf"
-      "so-zeek" 
+      "so-zeek"
      "so-elastic-agent"
      "so-elastic-agent-builder"
    )
  elif [ $MANAGERCHECK != 'so-helix' ]; then
    TRUSTED_CONTAINERS=(
--- a/salt/common/tools/sbin/so-minion
+++ b/salt/common/tools/sbin/so-minion
@@ -131,13 +131,24 @@ function add_fleet_to_minion() {
    # Write out settings to minion file
    printf '%s\n'\
 		"logstash_settings:"\
 		"  lsheap: '500m'"\
 		"fleet-server:"\
 		"  ES-Token: '$ESTOKEN'"\
 		"  " >> $PILLARFILE
 }
 function add_logstash_to_minion() {
 	# Create the logstash advanced pillar
 	printf '%s\n'\
 		"logstash_settings:"\
 		"  ls_host: '$LSHOSTNAME'"\
 		"  ls_pipeline_batch_size: 125"\
 		"  ls_input_threads: 1"\
 		"  lsheap: $LSHEAP"\
 		"  ls_pipeline_workers: $CPUCORES"\
 		"  " >> $PILLARFILE
 }
 # Analyst Workstation
 function add_analyst_to_minion() {
    printf '%s\n'\
@@ -186,11 +197,13 @@ function add_sensor_to_minion() {
 function createEVAL() {
 	add_elastic_to_minion
 	add_logstash_to_minion
 	add_sensor_to_minion
 }
 function createFLEET() {
 	add_fleet_to_minion
 	add_logstash_to_minion
 }
 function createIDHNODE() {
@@ -199,20 +212,24 @@ function createIDHNODE() {
 function createIMPORT() {
 	add_elastic_to_minion
 	add_logstash_to_minion
 	add_sensor_to_minion
 }
 function createHEAVYNODE() {
 	add_elastic_to_minion
 	add_logstash_to_minion
 	add_sensor_to_minion
 }
-function createMASTER() {
+function createMANAGER() {
 	add_elastic_to_minion
 	add_logstash_to_minion
 }
-function createMASTERSEARCH() {
+function createMANAGERSEARCH() {
 	add_elastic_to_minion
 	add_logstash_to_minion
 }
 function createSENSOR() {
@@ -221,10 +238,12 @@ function createSENSOR() {
 function createSEARCHNODE() {
 	add_elastic_to_minion
 	add_logstash_to_minion
 }
 function createSTANDALONE() {
 	add_elastic_to_minion
 	add_logstash_to_minion
 	add_sensor_to_minion
 }
--- a/salt/docker/init.sls
+++ b/salt/docker/init.sls
@@ -4,12 +4,25 @@
 # Elastic License 2.0.
 {% from 'docker/docker.map.jinja' import DOCKER %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 dockergroup:
  group.present:
    - name: docker
    - gid: 920
 {% if GLOBALS.os == 'Ubuntu' %}
 dockerheldpackages:
  pkg.installed:
    - pkgs:
      - containerd.io: 1.4.9-1
      - docker-ce: 5:20.10.8~3-0~ubuntu-focal
      - docker-ce-cli: 5:20.10.5~3-0~ubuntu-focal
      - docker-ce-rootless-extras: 5:20.10.5~3-0~ubuntu-focal
    - hold: True
    - update_holds: True
 {% else %}
 dockerheldpackages:
  pkg.installed:
    - pkgs:
@@ -19,6 +32,7 @@ dockerheldpackages:
      - docker-ce-rootless-extras: 20.10.5-3.el7
    - hold: True
    - update_holds: True
 {% endif %}
 #disable docker from managing iptables
 iptables_disabled:
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -1165,7 +1165,7 @@ elasticsearch:
      index_template:
        data_stream: {}
        index_patterns:
-          - logs-*_so
+          - logs-*-so*
        template:
          mappings:
            dynamic_templates:
@@ -1418,7 +1418,7 @@ elasticsearch:
      index_sorting: False
      index_template:
        index_patterns:
-          - so-elasticsearch*
+          - logs-elasticsearch-default*
        template:
          mappings:
            dynamic_templates:
@@ -2171,7 +2171,7 @@ elasticsearch:
      index_template:
        data_stream: {}
        index_patterns:
-          - logs-*-suricata_so
+          - logs-suricata-so*
        template:
          mappings:
            dynamic_templates:
@@ -2339,7 +2339,7 @@ elasticsearch:
      index_template:
        data_stream: {}
        index_patterns:
-          - logs-*-import_so
+          - logs-import-so*
        template:
          mappings:
            dynamic_templates:
@@ -2677,8 +2677,11 @@ elasticsearch:
      delete: 365
      index_sorting: False
      index_template:
        data_stream:
          hidden: false
          allow_custom_routing: false
        index_patterns:
-          - logs-*-kratos_so
+          - logs-kratos-so*
        template:
          mappings:
            dynamic_templates:
@@ -2755,7 +2758,7 @@ elasticsearch:
      index_sorting: False
      index_template:
        index_patterns:
-          - so-logstash*
+          - logs-logstash-default*
        template:
          mappings:
            dynamic_templates:
@@ -3676,7 +3679,7 @@ elasticsearch:
      index_sorting: False
      index_template:
        index_patterns:
-          - so-redis*
+          - logs-redis-default*
        template:
          mappings:
            dynamic_templates:
@@ -4178,7 +4181,7 @@ elasticsearch:
      index_template:
        data_stream: {}
        index_patterns:
-          - logs-*-strelka_so
+          - logs-strelka-so*
        template:
          mappings:
            dynamic_templates:
@@ -4263,7 +4266,7 @@ elasticsearch:
      index_sorting: False
      index_template:
        index_patterns:
-          - so-syslog*
+          - logs-syslog-so*
        template:
          mappings:
            dynamic_templates:
@@ -4432,7 +4435,7 @@ elasticsearch:
      index_template:
        data_stream: {}
        index_patterns:
-          - logs-*-zeek_so
+          - logs-zeek-so*
        template:
          mappings:
            dynamic_templates:
--- a/salt/elasticsearch/files/ingest/kratos
+++ b/salt/elasticsearch/files/ingest/kratos
@@ -1,6 +1,7 @@
 {
  "description" : "kratos",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "access" } },
    { "pipeline":    { "name": "common" } }
  ]
 }
--- a/salt/elasticsearch/files/ingest/rita.beacon
+++ b/salt/elasticsearch/files/ingest/rita.beacon
@@ -3,8 +3,8 @@
  "processors": [
    {
      "set": {
-        "field": "_index",
+        "field": "event.dataset",
-        "value": "so-rita",
+        "value": "beacon",
        "override": true
      }
    },
--- a/salt/elasticsearch/files/ingest/rita.connection
+++ b/salt/elasticsearch/files/ingest/rita.connection
@@ -3,8 +3,8 @@
  "processors": [
    {
      "set": {
-        "field": "_index",
+        "field": "event.dataset",
-        "value": "so-rita",
+        "value": "connection",
        "override": true
      }
    },
--- a/salt/elasticsearch/files/ingest/rita.dns
+++ b/salt/elasticsearch/files/ingest/rita.dns
@@ -3,8 +3,8 @@
  "processors": [
    {
      "set": {
-        "field": "_index",
+        "field": "event.dataset",
-        "value": "so-rita",
+        "value": "dns",
        "override": true
      }
    },
--- a/salt/elasticsearch/files/ingest/suricata.common
+++ b/salt/elasticsearch/files/ingest/suricata.common
@@ -9,12 +9,11 @@
    { "rename":{ "field": "message2.dest_ip",       "target_field": "destination.ip",  "ignore_failure": true  } },
    { "rename":{ "field": "message2.dest_port",       "target_field": "destination.port",  "ignore_failure": true  } },
    { "rename":         { "field": "message2.community_id",        "target_field": "network.community_id",     "ignore_missing": true  } },
-    { "remove":{ "field": "dataset", 						"ignore_failure": true	} },
+    { "set":         { "field": "event.dataset",        "value": "{{ message2.event_type }}"  } },
    { "rename":{ "field": "message2.event_type",		"target_field": "dataset",		"ignore_failure": true 	} },
    { "set":         { "field": "observer.name",        "value": "{{agent.name}}"  } },
    { "set":         { "field": "event.ingested",        "value": "{{@timestamp}}"  } },
    { "date": { "field": "message2.timestamp", "target_field": "@timestamp", "formats": ["ISO8601", "UNIX"], "timezone": "UTC", "ignore_failure": true } },
    { "remove":{ "field": "agent", 						"ignore_failure": true	} },
-    { "pipeline": { "if": "ctx?.dataset != null", "name": "suricata.{{dataset}}" } }
+    { "pipeline": { "if": "ctx?.event?.dataset != null", "name": "suricata.{{event.dataset}}" } }
  ]
-}
+}
--- a/salt/elasticsearch/files/ingest/zeek.bacnet
+++ b/salt/elasticsearch/files/ingest/zeek.bacnet
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.bacnet",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "bacnet" } },
    { "remove":         { "field": ["host"],								"ignore_failure": true	} },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.is_orig",		"target_field": "bacnet.is_orig",	"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.bacnet_discovery
+++ b/salt/elasticsearch/files/ingest/zeek.bacnet_discovery
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.bacnet_discovery",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "bacnet_discovery" } },
    { "remove":         { "field": ["host"],									"ignore_failure": true	} },
    { "json":		{ "field": "message",			"target_field": "message2",			"ignore_failure": true	} },
    { "rename":         { "field": "message2.is_orig",		"target_field": "bacnet.is_orig",		"ignore_missing": true  } },
--- a/salt/elasticsearch/files/ingest/zeek.bacnet_property
+++ b/salt/elasticsearch/files/ingest/zeek.bacnet_property
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.bacnet_property",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "bacnet_property" } },
    { "remove":         { "field": ["host"],									"ignore_failure": true	} },
    { "json":           { "field": "message",			"target_field": "message2",			"ignore_failure": true  } },
    { "rename":         { "field": "message2.is_orig",          "target_field": "bacnet.is_orig",         "ignore_missing": true  } },
--- a/salt/elasticsearch/files/ingest/zeek.bsap_ip_header
+++ b/salt/elasticsearch/files/ingest/zeek.bsap_ip_header
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.bsap_ip_header",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "bsap_ip_header" } },
    { "remove":         { "field": ["host"],									"ignore_failure": true	} },
    { "json":		{ "field": "message",			"target_field": "message2",			"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.num_msg",		"target_field": "bsap.number.messages",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.bsap_ip_rdb
+++ b/salt/elasticsearch/files/ingest/zeek.bsap_ip_rdb
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.bsap_ip_rdb",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "bsap_ip_rdb" } },
    { "remove":         { "field": ["host"],										"ignore_failure": true	} },
    { "json":		{ "field": "message",			"target_field": "message2",				"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.header_size",	"target_field": "bsap.header.length",			"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.bsap_ip_unknown
+++ b/salt/elasticsearch/files/ingest/zeek.bsap_ip_unknown
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.bsap_ip_unknown",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "bsap_ip_unknown" } },
    { "remove":         { "field": ["host"],							"ignore_failure": true	} },
    { "json":		{ "field": "message",		"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.data",	"target_field": "bsap.ip.unknown.data",	"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.bsap_serial_header
+++ b/salt/elasticsearch/files/ingest/zeek.bsap_serial_header
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.bsap_serial_header",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "bsap_serial_header" } },
    { "remove":         { "field": ["host"],									"ignore_failure": true	} },
    { "json":		{ "field": "message",			"target_field": "message2",			"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.ser",		"target_field": "bsap.message.serial_number",	"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb
+++ b/salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.bsap_serial_rdb",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "bsap_serial_rdb" } },
    { "remove":         { "field": ["host"],									"ignore_failure": true  } },
    { "json":		{ "field": "message",			"target_field": "message2",			"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.func_code",	"target_field": "bsap.rdb.function",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb_ext
+++ b/salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb_ext
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.bsap_serial_rdb_ext",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "bsap_serial_rdb_ext" } },
    { "remove":         { "field": ["host"],								"ignore_failure": true  } },
    { "json":		{ "field": "message",		"target_field": "message2",			"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.dfun",	"target_field": "bsap.destination.function",	"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.bsap_serial_unknown
+++ b/salt/elasticsearch/files/ingest/zeek.bsap_serial_unknown
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.bsap_serial_unknown",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "bsap_serial_unknown" } },
    { "remove":         { "field": ["host"],								"ignore_failure": true  } },
    { "json":		{ "field": "message",		"target_field": "message2",			"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.data",	"target_field": "bsap.serial.unknown.data",	"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.cip
+++ b/salt/elasticsearch/files/ingest/zeek.cip
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.cip",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "cip" } },
    { "remove":         { "field": ["host"],											"ignore_failure": true	} },
    { "json":		{ "field": "message",				"target_field": "message2",				"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.is_orig",			"target_field": "cip.is_orig",			        "ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.cip_identity
+++ b/salt/elasticsearch/files/ingest/zeek.cip_identity
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.cip_identity",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "cip_identity" } },
    { "remove":         { "field": ["host"],										"ignore_failure": true	} },
    { "json":		{ "field": "message",				"target_field": "message2",			"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.encapsulation_version",	"target_field": "cip.encapsulation.version",	"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.cip_io
+++ b/salt/elasticsearch/files/ingest/zeek.cip_io
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.cip_io",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "cip_io" } },
    { "remove":         { "field": ["host"],								"ignore_failure": true	} },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.is_orig",		"target_field": "cip.is_orig",	"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.conn
+++ b/salt/elasticsearch/files/ingest/zeek.conn
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.conn",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "conn" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                              } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.cotp
+++ b/salt/elasticsearch/files/ingest/zeek.cotp
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.cotp",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "cotp" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.pdu_code", 		"target_field": "cotp.pdu.code",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.dce_rpc
+++ b/salt/elasticsearch/files/ingest/zeek.dce_rpc
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.dce_rpc",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "dce_rpc" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.rtt", 		"target_field": "event.duration",			"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.dhcp
+++ b/salt/elasticsearch/files/ingest/zeek.dhcp
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.dhcp",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "dhcp" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } }, 
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.uids", 	 	"target_field": "log.id.uids",			"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.dnp3
+++ b/salt/elasticsearch/files/ingest/zeek.dnp3
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.dnp3",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "dnp3" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.fc_request",	"target_field": "dnp3.fc_request",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.dnp3_control
+++ b/salt/elasticsearch/files/ingest/zeek.dnp3_control
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.dnp3_control",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "dnp3_control" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		        "ignore_failure": true	} },
    { "rename":         { "field": "message2.block_type",       "target_field": "dnp3.block_type",              "ignore_missing": true  } },
--- a/salt/elasticsearch/files/ingest/zeek.dnp3_objects
+++ b/salt/elasticsearch/files/ingest/zeek.dnp3_objects
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.dnp3_objects",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "dnp3_objects" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.function_code",	"target_field": "dnp3.function_code",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.dns
+++ b/salt/elasticsearch/files/ingest/zeek.dns
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.dns",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "dns" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "dot_expander": 	{ "field": "id.orig_h", 		"path": "message2", 			"ignore_failure": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.dpd
+++ b/salt/elasticsearch/files/ingest/zeek.dpd
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.dpd",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "dpd" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "dot_expander": 	{ "field": "id.orig_h", 		"path": "message2", 			"ignore_failure": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.ecat_aoe_info
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_aoe_info
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.ecat_aoe_info",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "ecat_aoe_info" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.targetid", 		"target_field": "destination.mac",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.ecat_arp_info
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_arp_info
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.ecat_arp_info",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "ecat_arp_info" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.arp_type", 		"target_field": "ecat.arp.type",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.ecat_coe_info
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_coe_info
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.ecat_coe_info",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "ecat_coe_info" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.number", 		"target_field": "ecat.message.number",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.ecat_dev_info
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_dev_info
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.ecat_dev_info",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "ecat_dev_info" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		          "ignore_failure": true	} },
    { "rename": 	{ "field": "message2.slave_id",         "target_field": "ecat.slave.address",		  "ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.ecat_foe_info
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_foe_info
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.ecat_foe_info",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "ecat_foe_info" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.opcode", 		"target_field": "ecat.operation.code",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.ecat_log_address
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_log_address
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.ecat_log_address",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "ecat_log_address" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.srcmac", 		"target_field": "source.mac",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.ecat_registers
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_registers
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.ecat_registers",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "ecat_registers" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.srcmac", 		"target_field": "source.mac",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.ecat_soe_info
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_soe_info
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.ecat_soe_info",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "ecat_soe_info" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.opcode", 		"target_field": "ecat.operation.code",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.enip
+++ b/salt/elasticsearch/files/ingest/zeek.enip
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.enip",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "enip" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.is_orig", 		"target_field": "enip.is_orig",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.files
+++ b/salt/elasticsearch/files/ingest/zeek.files
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.files",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "files" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.fuid", 	 	"target_field": "log.id.fuid",			"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.ftp
+++ b/salt/elasticsearch/files/ingest/zeek.ftp
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.ftp",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "ftp" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.user",		"target_field": "ftp.user",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.http
+++ b/salt/elasticsearch/files/ingest/zeek.http
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.http",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "http" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":           { "field": "message",                   "target_field": "message2",             "ignore_failure": true  } },
    { "rename": 	{ "field": "message2.trans_depth",	"target_field": "http.trans_depth",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.intel
+++ b/salt/elasticsearch/files/ingest/zeek.intel
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.intel",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "intel" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "dot_expander":   { "field": "seen.indicator",    "path": "message2",                     "ignore_failure": true  } },
--- a/salt/elasticsearch/files/ingest/zeek.irc
+++ b/salt/elasticsearch/files/ingest/zeek.irc
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.irc",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "irc" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.nick", 		"target_field": "irc.nickname",			"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.kerberos
+++ b/salt/elasticsearch/files/ingest/zeek.kerberos
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.kerberos",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "kerberos" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.request_type", 	"target_field": "kerberos.request_type",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.modbus
+++ b/salt/elasticsearch/files/ingest/zeek.modbus
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.modbus",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "modbus" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.func", 		"target_field": "modbus.function",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.modbus_detailed
+++ b/salt/elasticsearch/files/ingest/zeek.modbus_detailed
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.modbus_detailed",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "modbus_detailed" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.unit_id", 		"target_field": "modbus.unit_id",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.modbus_mask_write_register
+++ b/salt/elasticsearch/files/ingest/zeek.modbus_mask_write_register
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.modbus_mask_write_register",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "modbus_mask_write_register" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			 "target_field": "message2",		        "ignore_failure": true	} },
    { "rename": 	{ "field": "message2.unit_id", 		 "target_field": "modbus.unit_id",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.modbus_read_write_multiple_registers
+++ b/salt/elasticsearch/files/ingest/zeek.modbus_read_write_multiple_registers
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.read_write_multiple_registers",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "modbus_read_write_multiple_registers" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.unit_id", 		"target_field": "modbus.unit_id",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.mysql
+++ b/salt/elasticsearch/files/ingest/zeek.mysql
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.mysql",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "mysql" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.cmd", 		"target_field": "mysql.command",	"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.notice
+++ b/salt/elasticsearch/files/ingest/zeek.notice
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.notice",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "notice" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.fuid", 		"target_field": "log.id.fuid",			"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.ntlm
+++ b/salt/elasticsearch/files/ingest/zeek.ntlm
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.ntlm",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "ntlm" } },
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",				"target_field": "message2",			"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.hostname",			"target_field": "host.name",			"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "opcua_binary" } },
    { "remove":   { "field": ["host"],												"ignore_failure": true } },
    { "json":     { "field": "message",					"target_field": "message2",				"ignore_failure": true } },
    { "rename":   { "field": "message2.msg_type",			"target_field": "opcua.message_type",			"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_activate_session",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "opcua_binary_activate_session" } },
    { "remove":   { "field": ["host"],                                                                                  "ignore_failure": true } },
    { "json":     { "field": "message",			               "target_field": "message2",		        "ignore_failure": true} },
    { "rename":   { "field": "message2.opcua_link_id",                 "target_field": "opcua.link_id",                 "ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_client_software_cert
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_client_software_cert
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_activate_session_client_software_cert",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "opcua_binary_activate_session_client_software_cert" } },
    { "remove":   { "field": ["host"],												"ignore_failure": true } },
    { "json":     { "field": "message",					"target_field": "message2",				"ignore_failure": true } },
    { "rename":   { "field": "message2.client_software_cert_link_id",	"target_field": "opcua.client_software_cert_link_id",	"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_diagnostic_info
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_diagnostic_info
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_activate_session_diagnostic_info",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "opcua_binary_activate_session_diagnostic_info" } },
    { "remove":   { "field": ["host"],														"ignore_failure": true } },
    { "json":     { "field": "message",						"target_field": "message2",					"ignore_failure": true } },
    { "rename":   { "field": "message2.activate_session_diag_info_link_id",	"target_field": "opcua.activate_session_diag_info_link_id",	"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_locale_id
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_locale_id
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_activate_session_locale_id",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "opcua_binary_activate_session_locale_id" } },
    { "remove":   { "field": ["host"],									"ignore_failure": true } },
    { "json":     { "field": "message",				"target_field": "message2",		"ignore_failure": true } },
    { "rename":   { "field": "message2.opcua_locale_link_id",	"target_field": "opcua.locale_link_id",	"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_browse",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "opcua_binary_browse" } },
    { "remove":   { "field": ["host"],													"ignore_failure": true } },
    { "json":     { "field": "message",						"target_field": "message2",				"ignore_failure": true } },
    { "rename":   { "field": "message2.opcua_link_id",				"target_field": "opcua.link_id",			"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_description
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_description
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_browse_description",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "opcua_binary_browse_description" } },
    { "remove":   { "field": ["host"],														"ignore_failure": true } },
    { "json":     { "field": "message",						"target_field": "message2",					"ignore_failure": true } },
    { "rename":   { "field": "message2.browse_description_link_id",     	"target_field": "opcua.browse_description_link_id",		"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_diagnostic_info
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_diagnostic_info
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_browse_diagnostic_info",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "opcua_binary_browse_diagnostic_info" } },
    { "remove":   { "field": ["host"],													"ignore_failure": true } },
    { "json":     { "field": "message",					"target_field": "message2",					"ignore_failure": true } },
    { "rename":   { "field": "message2.browse_diag_info_link_id",	"target_field": "opcua.browse_session_diag_info_link_id",	"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_request_continuation_point
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_request_continuation_point
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_browse_request_continuation_point",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "opcua_binary_browse_request_continuation_point" } },
    { "remove":   { "field": ["host"],										"ignore_failure": true } },
    { "json":     { "field": "message",				"target_field": "message2",			"ignore_failure": true } },
    { "rename":   { "field": "message2.browse_next_link_id",	"target_field": "opcua.browse_next_link_id",	"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_response_references
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_response_references
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_browse_response_references",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "opcua_binary_browse_response_references" } },
    { "remove":   { "field": ["host"],													"ignore_failure": true } },
    { "json":     { "field": "message",			                        "target_field": "message2",				"ignore_failure": true } },
    { "rename":   { "field": "message2.browse_reference_link_id",               "target_field": "opcua.link_id",			"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_result
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_result
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_browse_result",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "opcua_binary_browse_result" } },
    { "remove":   { "field": ["host"],											"ignore_failure": true } },
    { "json":     { "field": "message",					"target_field": "message2",			"ignore_failure": true } },
    { "rename":   { "field": "message2.browse_response_link_id",	"target_field": "opcua.response_link_id",	"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_create_session",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "opcua_binary_create_session" } },
    { "remove":   { "field": ["host"],                                                                                      "ignore_failure": true } },
    { "json":     { "field": "message",			            "target_field": "message2",		                    "ignore_failure": true} },
    { "rename":   { "field": "message2.opcua_link_id",              "target_field": "opcua.link_id",                        "ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_discovery
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_discovery
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_create_session_discovery",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "opcua_binary_create_session_discovery" } },
    { "remove":   { "field": ["host"],												"ignore_failure": true } },
    { "json":     { "field": "message",					"target_field": "message2",				"ignore_failure": true } },
    { "rename":   { "field": "message2.discovery_profile_link_id",	"target_field": "opcua.discovery_profile_link_id",	"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_endpoints
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_endpoints
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_create_session_endpoints",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "opcua_binary_create_session_endpoints" } },
    { "remove":   { "field": ["host"],										"ignore_failure": true } },
    { "json":     { "field": "message",				"target_field": "message2",			"ignore_failure": true } },
    { "rename":   { "field": "message2.endpoint_link_id",	"target_field": "opcua.endpoint_link_id",	"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_user_token
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_user_token
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_create_session_user_token",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "opcua_binary_create_session_user_token" } },
    { "remove":   { "field": ["host"],										"ignore_failure": true } },
    { "json":     { "field": "message",				"target_field": "message2",			"ignore_failure": true } },
    { "rename":   { "field": "message2.user_token_link_id",	"target_field": "opcua.user_token_link_id",	"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_subscription
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_subscription
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_create_subscription",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "opcua_binary_create_subscription" } },
    { "remove":   { "field": ["host"],                                                                                              "ignore_failure": true } },
    { "json":     { "field": "message",			                 "target_field": "message2",		                    "ignore_failure": true } },
    { "rename":   { "field": "message2.opcua_link_id",                   "target_field": "opcua.link_id",                           "ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_diag_info_detail
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_diag_info_detail
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_diag_info_detail",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "opcua_binary_diag_info_detail" } },
    { "remove":   { "field": ["host"],										"ignore_failure": true } },
    { "json":     { "field": "message",				"target_field": "message2",			"ignore_failure": true } },
    { "rename":   { "field": "message2.diag_info_link_id",	"target_field": "opcua.diag_info_link_id",	"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_get_endpoints",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "opcua_binary_get_endpoints" } },
    { "remove":   { "field": ["host"],								"ignore_failure": true } },
    { "json":     { "field": "message",			"target_field": "message2",		"ignore_failure": true } },
    { "rename":   { "field": "message2.opcua_link_id",	"target_field": "opcua.link_id",	"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_description
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_description
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_get_endpoints_description",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "opcua_binary_get_endpoints_description" } },
    { "remove":   { "field": ["host"],												"ignore_failure": true } },
    { "json":     { "field": "message",					"target_field": "message2",				"ignore_failure": true } },
    { "rename":   { "field": "message2.endpoint_description_link_id",	"target_field": "opcua.endpoint_description_link_id",	"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_discovery
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_discovery
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_get_endpoints_discovery",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "opcua_binary_get_endpoints_discovery" } },
    { "remove":   { "field": ["host"],												"ignore_failure": true } },
    { "json":     { "field": "message",					"target_field": "message2",				"ignore_failure": true } },
    { "rename":   { "field": "message2.discovery_profile_link_id",	"target_field": "opcua.discovery_profile_link_id",	"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_locale_id
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_locale_id
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_get_endpoints_locale_id",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "opcua_binary_get_endpoints_locale_id" } },
    { "remove":   { "field": ["host"],									"ignore_failure": true } },
    { "json":     { "field": "message",				"target_field": "message2",		"ignore_failure": true } },
    { "rename":   { "field": "message2.opcua_locale_link_id",	"target_field": "opcua.locale_link_id",	"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_profile_uri
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_profile_uri
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_get_endpoints_profile_uri",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "opcua_binary_get_endpoints_profile_uri" } },
    { "remove":   { "field": ["host"],										"ignore_failure": true } },
    { "json":     { "field": "message",				"target_field": "message2",			"ignore_failure": true } },
    { "rename":   { "field": "message2.profile_uri_link_id",	"target_field": "opcua.profile_uri_link_id",	"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_user_token
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_user_token
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_get_endpoints_user_token",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "opcua_binary_get_endpoints_user_token" } },
    { "remove":   { "field": ["host"],                                                                                                         "ignore_failure": true } },
    { "json":     { "field": "message",			                 "target_field": "message2",		                               "ignore_failure": true } },
    { "rename":   { "field": "message2.user_token_link_id", 	         "target_field": "opcua.user_token_link_id",		               "ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_opensecure_channel
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_opensecure_channel
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_opensecure_channel",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "opcua_binary_opensecure_channel" } },
    { "remove":   { "field": ["host"],												"ignore_failure": true } },
    { "json":     { "field": "message",					"target_field": "message2",				"ignore_failure": true } },
    { "rename":   { "field": "message2.opcua_link_id",			"target_field": "opcua.link_id",			"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_read",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "opcua_binary_read" } },
    { "remove":   { "field": ["host"],										"ignore_failure": true } },
    { "json":     { "field": "message",				"target_field": "message2",			"ignore_failure": true } },
    { "rename":   { "field": "message2.opcua_link_id",		"target_field": "opcua.link_id",		"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_array_dims
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_array_dims
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_read_array_dims",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "opcua_binary_read_array_dims" } },
    { "remove":   { "field": ["host"],										"ignore_failure": true } },
    { "json":     { "field": "message",				"target_field": "message2",			"ignore_failure": true } },
    { "rename":   { "field": "message2.array_dim_link_id",	"target_field": "opcua.array_dim_link_id",	"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_array_dims_link
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_array_dims_link
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_read_array_dims_link",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "opcua_binary_read_array_dims_link" } },
    { "remove":   { "field": ["host"],												"ignore_failure": true } },
    { "json":     { "field": "message",					"target_field": "message2",				"ignore_failure": true } },
    { "rename":   { "field": "message2.variant_data_array_dim_link_id",	"target_field": "opcua.variant_data_array_dim_link_id",	"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_diagnostic_info
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_diagnostic_info
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_read_diagnostic_info",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "opcua_binary_read_diagnostic_info" } },
    { "remove":   { "field": ["host"],										"ignore_failure": true } },
    { "json":     { "field": "message",				"target_field": "message2",			"ignore_failure": true } },
    { "rename":   { "field": "message2.read_diag_info_link_id",	"target_field": "opcua.read_diag_info_link_id",	"ignore_missing": true } },
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_extension_object
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_extension_object
@@ -1,6 +1,7 @@
 {
  "description" : "zeek.opcua_binary_read_extension_object",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "opcua_binary_read_extension_object" } },
    { "remove":   { "field": ["host"],													"ignore_failure": true } },
    { "json":     { "field": "message",					"target_field": "message2",					"ignore_failure": true } },
    { "rename":   { "field": "message2.ext_obj_link_id",		"target_field": "opcua.ext_obj_link_id",			"ignore_missing": true } },
--- a/Show More
+++ b/Show More