diff --git a/salt/elasticsearch/files/ingest/ossec.alert b/salt/elasticsearch/files/ingest/ossec.alert
index 39362c4ed..23d374fdc 100644
--- a/salt/elasticsearch/files/ingest/ossec.alert
+++ b/salt/elasticsearch/files/ingest/ossec.alert
@@ -2,6 +2,7 @@
 "description" : "ossec",
 "processors" : [
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "remove": { "field": [ "agent" ], "ignore_missing": true, "ignore_failure": false } },
 { "rename": { "field": "message2.agent", "target_field": "agent", "ignore_missing": true } },
 { "rename": { "field": "message2.data", "target_field": "data", "ignore_missing": true } },
 { "rename": { "field": "message2.decoder", "target_field": "decoder", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/suricata.common b/salt/elasticsearch/files/ingest/suricata.common
index 79876d366..52d9372a2 100644
--- a/salt/elasticsearch/files/ingest/suricata.common
+++ b/salt/elasticsearch/files/ingest/suricata.common
@@ -8,7 +8,7 @@
 { "rename":{ "field": "message2.src_port", "target_field": "source.port", "ignore_failure": true } },
 { "rename":{ "field": "message2.dest_ip", "target_field": "destination.ip", "ignore_failure": true } },
 { "rename":{ "field": "message2.dest_port", "target_field": "destination.port", "ignore_failure": true } },
- { "remove": { "field": ["message2"], "ignore_failure": true } },
+ { "remove": { "field": ["message2", "agent"], "ignore_failure": true } },
 { "pipeline": { "name": "common" } }
 ]
 }
diff --git a/salt/elasticsearch/files/ingest/zeek.common b/salt/elasticsearch/files/ingest/zeek.common
index 85902ffa5..4c062c1c3 100644
--- a/salt/elasticsearch/files/ingest/zeek.common
+++ b/salt/elasticsearch/files/ingest/zeek.common
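Review bot: The new remove step in ossec.alert sets `"ignore_failure": false` explicitly, while the matching removes in suricata.common and zeek.common use `"ignore_failure": true`, so a failure here drops the whole document where the other two pipelines carry on; if that asymmetry is intended, a processor description would record it, and since `false` is the default the key can go. Presumably the removal exists so the following `rename` of `message2.agent` onto `agent` does not collide with the shipper's existing `agent` object — worth stating, because after this step `agent` holds the OSSEC agent rather than the collector that shipped the event, a different shape from the other pipelines. Suggested line, also matching the `["message2", "agent"]` array spacing used in the other files: `{ "remove": { "field": ["agent"], "ignore_missing": true, "description": "drop shipper agent.* so message2.agent can be renamed onto agent" } }`. The `processors` array continues outside the hunk.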
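Review bot: Adding `agent` to the remove list in suricata.common discards the shipper's `agent.*` metadata (collector id, hostname, version) immediately before the `common` pipeline is invoked, so the indexed event no longer records which collector produced it; unless `common` restores an equivalent host or observer identity, that weakens source attribution during triage and makes events arriving from an unexpected collector harder to spot — confirm against `common`, which is outside this diff. The same change is made in the zeek.common hunk. If the goal is only to keep `agent` from clashing with the OSSEC-style object introduced in ossec.alert, a description on the processor would make that intent reviewable: `{ "remove": { "field": ["message2", "agent"], "ignore_failure": true, "description": "drop shipper agent.* metadata (see ossec.alert)" } }`. The `processors` array begins outside the hunk.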
@@ -16,7 +16,7 @@
 { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
 { "set": { "field": "server.port", "value": "{{destination.port}}" } },
 { "date": { "field": "message2.ts", "target_field": "@timestamp", "formats": ["ISO8601", "UNIX"], "ignore_failure": true } },
- { "remove": { "field": ["message2.ts", "path"], "ignore_failure": true } },
+ { "remove": { "field": ["message2.ts", "path", "agent"], "ignore_failure": true } },
 { "pipeline": { "name": "common" } }
 ]
 }