From d94065fa00d95b244796f607c5d6b653befb0bf2 Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Thu, 30 Jan 2020 17:09:06 -0500
Subject: [PATCH] evalfix

---
 salt/filebeat/init.sls                        |  12 +-
 .../pipelines/eval/0010_input_hhbeats.conf    |  40 +++
 .../eval/1000_preprocess_log_elapsed.conf     |  13 +
 .../eval/1001_preprocess_syslogng.conf        |  33 ++
 .../pipelines/eval/1002_preprocess_json.conf  |  18 ++
 .../eval/1004_preprocess_syslog_types.conf    |  19 ++
 .../pipelines/eval/1026_preprocess_dhcp.conf  | 140 +++++++++
 .../pipelines/eval/1029_preprocess_esxi.conf  |  31 ++
 .../eval/1030_preprocess_greensql.conf        |  21 ++
 .../pipelines/eval/1031_preprocess_iis.conf   |  21 ++
 .../eval/1032_preprocess_mcafee.conf          |  26 ++
 .../pipelines/eval/1033_preprocess_snort.conf | 181 +++++++++++
 .../eval/1034_preprocess_syslog.conf          |  16 +
 .../pipelines/eval/2000_network_flow.conf     |  59 ++++
 .../conf/pipelines/eval/6002_syslog.conf      |  11 +
 .../pipelines/eval/6101_switch_brocade.conf   |  33 ++
 .../eval/6200_firewall_fortinet.conf          | 281 ++++++++++++++++++
 .../pipelines/eval/6201_firewall_pfsense.conf |  56 ++++
 .../conf/pipelines/eval/6300_windows.conf     | 161 ++++++++++
 .../conf/pipelines/eval/6301_dns_windows.conf |  49 +++
 .../conf/pipelines/eval/6400_suricata.conf    |  92 ++++++
 .../conf/pipelines/eval/6500_ossec.conf       | 160 ++++++++++
 .../pipelines/eval/6501_ossec_sysmon.conf     | 118 ++++++++
 .../pipelines/eval/6502_ossec_autoruns.conf   |  43 +++
 .../eval/6600_winlogbeat_sysmon.conf          |  23 ++
 .../conf/pipelines/eval/6700_winlogbeat.conf  |  17 ++
 .../conf/pipelines/eval/7100_osquery_wel.conf |  23 ++
 ...01_postprocess_common_ip_augmentation.conf |  58 ++++
 .../pipelines/eval/8007_postprocess_http.conf |  27 ++
 .../eval/8200_postprocess_tagging.conf        |  63 ++++
 .../eval/8998_postprocess_log_elapsed.conf    |  19 ++
 .../eval/8999_postprocess_rename_type.conf    |   8 +
 .../eval/templates/0800_input_eval.conf       | 203 +++++++++++++
 .../eval/templates/9000_output_bro.conf       |  31 ++
 .../eval/templates/9001_output_switch.conf    |  27 ++
 .../eval/templates/9002_output_import.conf    |  27 ++
 .../eval/templates/9004_output_flow.conf      |  27 ++
 .../eval/templates/9026_output_dhcp.conf      |  26 ++
 .../eval/templates/9029_output_esxi.conf      |  25 ++
 .../eval/templates/9030_output_greensql.conf  |  25 ++
 .../eval/templates/9031_output_iis.conf       |  26 ++
 .../eval/templates/9032_output_mcafee.conf    |  26 ++
 .../eval/templates/9033_output_snort.conf     |  29 ++
 .../eval/templates/9034_output_syslog.conf    |  28 ++
 .../eval/templates/9100_output_osquery.conf   |  19 ++
 .../eval/templates/9200_output_firewall.conf  |  29 ++
 .../eval/templates/9300_output_windows.conf   |  27 ++
 .../templates/9301_output_dns_windows.conf    |  27 ++
 .../eval/templates/9400_output_suricata.conf  |  27 ++
 .../eval/templates/9500_output_beats.conf     |  25 ++
 .../eval/templates/9600_output_ossec.conf     |  29 ++
 .../eval/templates/9999_output_redis.conf     |  26 ++
 salt/logstash/etc/logstash.yml                |   6 +-
 salt/logstash/init.sls                        |   4 +
 salt/top.sls                                  |   1 -
 55 files changed, 2582 insertions(+), 10 deletions(-)
 create mode 100644 salt/logstash/conf/pipelines/eval/0010_input_hhbeats.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/1000_preprocess_log_elapsed.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/1001_preprocess_syslogng.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/1002_preprocess_json.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/1004_preprocess_syslog_types.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/1026_preprocess_dhcp.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/1029_preprocess_esxi.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/1030_preprocess_greensql.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/1031_preprocess_iis.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/1032_preprocess_mcafee.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/1033_preprocess_snort.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/1034_preprocess_syslog.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/2000_network_flow.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/6002_syslog.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/6101_switch_brocade.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/6200_firewall_fortinet.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/6201_firewall_pfsense.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/6300_windows.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/6301_dns_windows.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/6400_suricata.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/6500_ossec.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/6501_ossec_sysmon.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/6502_ossec_autoruns.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/6600_winlogbeat_sysmon.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/6700_winlogbeat.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/7100_osquery_wel.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/8001_postprocess_common_ip_augmentation.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/8007_postprocess_http.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/8200_postprocess_tagging.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/8998_postprocess_log_elapsed.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/8999_postprocess_rename_type.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/templates/0800_input_eval.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/templates/9000_output_bro.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/templates/9001_output_switch.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/templates/9002_output_import.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/templates/9004_output_flow.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/templates/9026_output_dhcp.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/templates/9029_output_esxi.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/templates/9030_output_greensql.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/templates/9031_output_iis.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/templates/9032_output_mcafee.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/templates/9033_output_snort.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/templates/9034_output_syslog.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/templates/9100_output_osquery.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/templates/9200_output_firewall.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/templates/9300_output_windows.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/templates/9301_output_dns_windows.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/templates/9400_output_suricata.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/templates/9500_output_beats.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/templates/9600_output_ossec.conf
 create mode 100644 salt/logstash/conf/pipelines/eval/templates/9999_output_redis.conf

diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index 8528ecc38..7dd59ef01 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -1,4 +1,4 @@
-  # Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
+# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
 #    This program is free software: you can redistribute it and/or modify
 #    it under the terms of the GNU General Public License as published by
 #    the Free Software Foundation, either version 3 of the License, or
@@ -14,11 +14,11 @@
 {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 {%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
-{% set FEATURES = salt['pillar.get']('elastic:features', False) %}		
-{% if FEATURES %}		
-  {% set FEATURES = "-features" %}		
-{% else %}		
-  {% set FEATURES = '' %}		
+{% set FEATURES = salt['pillar.get']('elastic:features', False) %}
+{% if FEATURES %}
+  {% set FEATURES = "-features" %}
+{% else %}
+  {% set FEATURES = '' %}
 {% endif %}
 # Filebeat Setup
 filebeatetcdir:
diff --git a/salt/logstash/conf/pipelines/eval/0010_input_hhbeats.conf b/salt/logstash/conf/pipelines/eval/0010_input_hhbeats.conf
new file mode 100644
index 000000000..6b7667f5c
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/0010_input_hhbeats.conf
@@ -0,0 +1,40 @@
+input {
+  beats {
+    port => "5644"
+    ssl => true
+    ssl_certificate_authorities => ["/usr/share/filebeat/ca.crt"]
+    ssl_certificate => "/usr/share/logstash/filebeat.crt"
+    ssl_key => "/usr/share/logstash/filebeat.key"
+    tags => [ "beat" ]
+  }
+}
+filter {
+  if [type] == "ids" or [type] =~ "bro" {
+    mutate {
+      rename => { "host" => "beat_host" }
+      remove_tag => ["beat"]
+      add_field => { "sensor_name" => "%{[beat][name]}" }
+      add_field => { "syslog-host_from" => "%{[beat][name]}" }
+      remove_field => [ "beat", "prospector", "input", "offset" ]
+    }
+  }
+  if [type] =~ "ossec" {
+    mutate {
+      rename => { "host" => "beat_host" }
+      remove_tag => ["beat"]
+      add_field => { "syslog-host_from" => "%{[beat][name]}" }
+      remove_field => [ "beat", "prospector", "input", "offset" ]
+    }
+   }
+    if [type] == "osquery" {
+    mutate {
+      rename => { "host" => "beat_host" }
+      remove_tag => ["beat"]
+      add_tag => ["osquery"]
+        	}
+   json {
+    source => "message"
+    target => "osquery"
+        }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/1000_preprocess_log_elapsed.conf b/salt/logstash/conf/pipelines/eval/1000_preprocess_log_elapsed.conf
new file mode 100644
index 000000000..d098eb11a
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/1000_preprocess_log_elapsed.conf
@@ -0,0 +1,13 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  ruby {
+    code => "event.set('task_start', Time.now.to_f)"
+  }
+  mutate {
+    #add_tag => [ "conf_file_1000"]
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/1001_preprocess_syslogng.conf b/salt/logstash/conf/pipelines/eval/1001_preprocess_syslogng.conf
new file mode 100644
index 000000000..84bce8802
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/1001_preprocess_syslogng.conf
@@ -0,0 +1,33 @@
+# Updated by: Doug Burks and Wes Lambert
+# Last Update: 10/30/2018
+
+filter {
+  if "syslogng" in [tags] {
+	mutate {
+		rename => { "MESSAGE" => "message" }
+		rename => { "PROGRAM" => "type" }
+		rename => { "FACILITY" => "syslog-facility" }
+		rename => { "FILE_NAME" => "syslog-file_name" }
+		rename => { "HOST" => "syslog-host" }
+		rename => { "HOST_FROM" => "syslog-host_from" }
+		rename => { "LEGACY_MSGHDR" => "syslog-legacy_msghdr" }
+		rename => { "PID" => "syslog-pid" }
+		rename => { "PRIORITY" => "syslog-priority" }
+		rename => { "SOURCEIP" => "syslog-sourceip" }
+		rename => { "TAGS" => "syslog-tags" }
+		lowercase => [ "syslog-host_from" ]
+		remove_field => [ "ISODATE" ]
+		remove_field => [ "SEQNUM" ]
+          	#add_tag => [ "conf_file_1001"]
+	}
+	if "bro_" in [type] {
+		mutate {
+			add_tag => [ "bro" ]
+		}
+	} else if [type] !~ /ossec.*|snort/ and "firewall" not in [tags] {
+		mutate {
+			add_tag => [ "syslog" ]
+		}
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/1002_preprocess_json.conf b/salt/logstash/conf/pipelines/eval/1002_preprocess_json.conf
new file mode 100644
index 000000000..ea7c677da
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/1002_preprocess_json.conf
@@ -0,0 +1,18 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if "json" in [tags]{
+    json {
+      source => "message"
+    }
+    mutate {
+      remove_tag => [ "json" ]
+    }
+	mutate {
+		#add_tag => [ "conf_file_1002"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/1004_preprocess_syslog_types.conf b/salt/logstash/conf/pipelines/eval/1004_preprocess_syslog_types.conf
new file mode 100644
index 000000000..243abcc15
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/1004_preprocess_syslog_types.conf
@@ -0,0 +1,19 @@
+filter {
+  if "syslog" in [tags] {
+    if [host] == "172.16.1.1" {
+      mutate {
+        add_field => { "type" => "fortinet" }
+        add_tag => [ "firewall" ]
+      }
+    }
+    if [host] == "10.0.0.101" {
+      mutate {
+        add_field => { "type" => "brocade" }
+        add_tag => [ "switch" ]
+      }
+    }
+	mutate {
+		#add_tag => [ "conf_file_1004"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/1026_preprocess_dhcp.conf b/salt/logstash/conf/pipelines/eval/1026_preprocess_dhcp.conf
new file mode 100644
index 000000000..2f893cf7a
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/1026_preprocess_dhcp.conf
@@ -0,0 +1,140 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolutions.com
+# Last Update: 12/9/2016
+# This conf file is based on accepting logs for DHCP.  It is currently based on Windows DHCP only.
+filter {
+  if [type] == "dhcp" {
+    mutate {
+      add_field => { "Hostname" => "%{host}" }
+    }
+    mutate {
+      strip => "message"
+    }
+	  # This is the initial parsing of the log
+      grok {
+        # Server 2008+
+        match => { "message" => "%{DATA:id},%{DATE_US:date},(?<time>%{HOUR}:%{MINUTE}:%{SECOND}),%{DATA:description},%{IPV4:ip},%{DATA:Hostname},%{DATA:mac},%{DATA:Username},%{INT:TransactionID},%{INT:QResult},%{DATA:ProbationTime},%{DATA:CorrelationID}"}
+        # Server 2003
+        match => { "message" => "%{DATA:id},%{DATE_US:date},(?<time>%{HOUR}:%{MINUTE}:%{SECOND}),%{DATA:description},%{IPV4:ip},%{DATA:Hostname},%{DATA:mac},"}
+        match => { "message" => "%{DATA:id},%{DATA:date},(?<time>%{HOUR}:%{MINUTE}:%{SECOND}),%{DATA:description},%{DATA:ip},%{DATA:Hostname},%{DATA:mac},"}
+      }
+	  # This section below translates the message ID into something humans can understand.
+      if [id] == "00" {
+        mutate {
+          add_field => [ "event", "The log was started"]
+        }
+      }
+      if [id] == "01" {
+        mutate {
+          add_field => [ "event", "The log was stopped"]
+        }
+      }
+      if [id] == "02" {
+        mutate {
+          add_field => [ "event", "The log was temporarily paused due to low disk space"]
+        }
+      }
+      if [id] == "10" {
+        mutate {
+          add_field => [ "event", "A new IP address was leased to a client"]
+        }
+      }
+      if [id] == "11" {
+        mutate {
+          add_field => [ "event", "A lease was renewed by a client"]
+        }
+      }
+      if [id] == "12" {
+        mutate {
+          add_field => [ "event", "A lease was released by a client"]
+        }
+      }
+      if [id] == "13" {
+        mutate {
+          add_field => [ "event", "An IP address was found to be in use on the network"]
+        }
+      }
+      if [id] == "14" {
+        mutate {
+          add_field => [ "event", "A lease request could not be satisfied because the scope's address pool was exhausted"]
+        }
+      }
+      if [id] == "15" {
+        mutate {
+          add_field => [ "event", "A lease was denied"]
+        }
+      }
+      if [id] == "16" {
+        mutate {
+          add_field => [ "event", "A lease was deleted"]
+        }
+      }
+      if [id] == "17" {
+        mutate {
+          add_field => [ "event", "A lease was expired and DNS records for an expired leases have not been deleted"]
+        }
+      }
+      if [id] == "18" {
+        mutate {
+          add_field => [ "event", "A lease was expired and DNS records were deleted"]
+        }
+      }
+      if [id] == "20" {
+        mutate {
+          add_field => [ "event", "A BOOTP address was leased to a client"]
+        }
+      }
+      if [id] == "21" {
+        mutate {
+          add_field => [ "event", "A dynamic BOOTP address was leased to a client"]
+        }
+      }
+      if [id] == "22" {
+        mutate {
+          add_field => [ "event", "A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted"]
+        }
+      }
+      if [id] == "23" {
+        mutate {
+          add_field => [ "event", "A BOOTP IP address was deleted after checking to see it was not in use"]
+        }
+      }
+      if [id] == "24" {
+        mutate {
+          add_field => [ "event", "IP address cleanup operation has began"]
+        }
+      }
+      if [id] == "25" {
+        mutate {
+          add_field => [ "event", "IP address cleanup statistics"]
+        }
+      }
+      if [id] == "30" {
+        mutate {
+          add_field => [ "event", "DNS update request to the named DNS server"]
+        }
+      }
+      if [id] == "31" {
+        mutate {
+          add_field => [ "event", "DNS update failed"]
+        }
+      }
+      if [id] == "32" {
+        mutate {
+          add_field => [ "event", "DNS update successful"]
+        }
+      }
+      if [id] == "33" {
+        mutate {
+          add_field => [ "event", "Packet dropped due to NAP policy"]
+        }
+      }
+	  # If the message failed to parse correctly keep the message for debugging.  Otherwise, drop it.
+      #if "_grokparsefailure" not in [tags] { 
+      #  mutate {
+      #    remove_field => [ "message"]
+      #  }
+      #}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/1029_preprocess_esxi.conf b/salt/logstash/conf/pipelines/eval/1029_preprocess_esxi.conf
new file mode 100644
index 000000000..18120d00d
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/1029_preprocess_esxi.conf
@@ -0,0 +1,31 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+#
+# This configuration file takes ESXi syslog messages and filters them.  There is no input as the logs would have came in via syslog
+filter {
+  # This is an example of using an IP address range to classify a syslog message to a specific type of log
+  # This is helpful as so many devices only send logs via syslog
+  if [host] =~ "10\.[0-1]\.9\." {
+    mutate {
+      replace => ["type", "esxi"]
+    }
+  }
+  if [host] =~ "\.234$" {
+    mutate {
+      replace => ["type", "esxi"]
+    }
+  }
+  if [type] == "esxi" {
+     grok {
+          match => { "message" => "(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGHOST:logsource}) (?:%{SYSLOGPROG}): (?<messagebody>(?:\[(?<esxi_thread_id>[0-9A-Z]{8,8}) %{DATA:esxi_loglevel} \'%{DATA:esxi_service}\'\] %{GREEDYDATA:esxi_message}|%{GREEDYDATA}))"}
+
+#      pattern => ['(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGHOST:logsource}) (?:%{SYSLOGPROG}): (?<messagebody>(?:\[(?<esxi_thread_id>[0-9A-Z]{8,8}) %{DATA:esxi_loglevel} \'%{DATA:esxi_service}\'\] %{GREEDYDATA:esxi_message}|%{GREEDYDATA}))']
+    }
+	mutate {
+		#add_tag => [ "conf_file_1029"]
+	}
+  }
+}
+
diff --git a/salt/logstash/conf/pipelines/eval/1030_preprocess_greensql.conf b/salt/logstash/conf/pipelines/eval/1030_preprocess_greensql.conf
new file mode 100644
index 000000000..adea86053
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/1030_preprocess_greensql.conf
@@ -0,0 +1,21 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [type] == "greensql" {
+    # This section is parsing out the fields for GreenSQL syslog data
+    grok {
+      match => { "message" => "<%{INT:Code}>%{DATA:Category}\[%{INT:Transcation}\]:\s*Database=%{DATA:Database}\sUser=%{DATA:UserName}\sApplication Name=%{DATA:Application}\sSource IP=%{IPV4:SrcIp}\sSource Port=%{INT:SrcPort}\sTarget IP=?%{IPV4:DstIp}\sTarget Port=%{DATA:DstPort}\sQuery=%{GREEDYDATA:Query}"}
+      match => { "message" => "<%{INT:Code}>%{DATA:Category}\[%{INT:Transcation}\]:\sAdmin_Name=%{DATA:UserName}\sIP_Address=%{IPV4:SrcIp}\sUser_Agent=%{DATA:UserAgent}\sMessage=%{DATA:StatusMessage}\sDescription=%{DATA:Description}\sSeverity=%{GREEDYDATA:Severity}"}
+    }
+	# Remove the message field as it is unnecessary
+    #mutate {
+    #  remove_field => [ "message"]
+    #}
+	mutate {
+		#add_tag => [ "conf_file_1030"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/1031_preprocess_iis.conf b/salt/logstash/conf/pipelines/eval/1031_preprocess_iis.conf
new file mode 100644
index 000000000..9bcd33a3e
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/1031_preprocess_iis.conf
@@ -0,0 +1,21 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [type] == "iis" {
+    # The log is expected to have come from NXLog and in JSON format.  This allows for automatic parsing of fields
+    json {
+      source => "message"
+    }
+    # This removes the message field as it is unneccesary and tags the packet as web
+    mutate {
+    #  remove_field => [ "message"]
+      add_tag => [ "web" ]
+    }
+	mutate {
+		#add_tag => [ "conf_file_1031"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/1032_preprocess_mcafee.conf b/salt/logstash/conf/pipelines/eval/1032_preprocess_mcafee.conf
new file mode 100644
index 000000000..de5466288
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/1032_preprocess_mcafee.conf
@@ -0,0 +1,26 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+#
+# This file looks for McAfee EPO logs
+filter {
+  if [type] == "mcafee" {
+    # NXLog should be sending the logs in JSON format so they auto parse
+    json {
+      source => "message"
+    }
+	# This section converts the UTC fields to the proper time format
+    date {
+      match => [ "ReceivedUTC", "YYYY-MM-dd HH:mm:ss" ]
+      target => [ "ReceivedUTC" ]
+    }
+    date {
+      match => [ "DetectedUTC", "YYYY-MM-dd HH:mm:ss" ]
+      target => [ "DetectedUTC" ]
+    }
+	mutate {
+		#add_tag => [ "conf_file_1032"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/1033_preprocess_snort.conf b/salt/logstash/conf/pipelines/eval/1033_preprocess_snort.conf
new file mode 100644
index 000000000..897a8ae4b
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/1033_preprocess_snort.conf
@@ -0,0 +1,181 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 3/15/2018
+
+filter {
+  if [type] == "ids" {
+    # This is the initial parsing of the log
+    if [engine] == "suricata" {
+        json {
+            source => "message"
+        }
+        mutate {
+	    rename => { "alert" => "orig_alert" } 
+            rename => { "[orig_alert][gid]" => "gid" }
+            rename => { "[orig_alert][signature_id]" => "sid" }
+            rename => { "[orig_alert][rev]" => "rev" }
+            rename => { "[orig_alert][signature]" => "alert" }
+            rename => { "[orig_alert][category]" => "classification" }
+            rename => { "[orig_alert][severity]" => "priority" }
+	    rename => { "[orig_alert][rule]" => "rule_signature" }
+            rename => { "app_proto" => "application_protocol" }
+            rename => { "dest_ip" => "destination_ip" }
+            rename => { "dest_port" => "destination_port" }
+            rename => { "in_iface" => "interface" }
+            rename => { "proto" => "protocol" }
+            rename => { "src_ip" => "source_ip" }
+            rename => { "src_port" => "source_port" }
+	    #rename => { "[fileinfo][filename]" => "filename" }
+            #rename => { "[fileinfo][gaps]" => "gaps" }
+            #rename => { "[fileinfo][size]" => "size" }
+            #rename => { "[fileinfo][state]" => "state" }
+            #rename => { "[fileinfo][stored]" => "stored" }
+            #rename => { "[fileinfo][tx_id]" => "tx_id" }
+            #rename => { "[flow][age]" => "duration" }
+            #rename => { "[flow][alerted]" => "flow_alerted" }
+            #rename => { "[flow][bytes_toclient]" => "bytes_to_client" }
+            #rename => { "[flow][bytes_toserver]" => "bytes_to_server" }
+            #rename => { "[flow][end]" => "flow_end" }
+            #rename => { "[flow][pkts_toclient]" => "packets_to_client" }
+            #rename => { "[flow][pkts_toserver]" => "packets_to_server" }
+            #rename => { "[flow][reason]" => "reason" }
+            #rename => { "[flow][start]" => "flow_start" }
+            #rename => { "[flow][state]" => "state" }
+            #rename => { "[netflow][age]" => "duration" }
+            #rename => { "[netflow][bytes]" => "bytes" }
+            #rename => { "[netflow][end]" => "netflow_end" }
+            #rename => { "[netflow][start]" => "netflow_start" }
+            #rename => { "[netflow][pkts]" => "packets" }
+            rename => { "[alert][action]" => "action" }
+            rename => { "[alert][category]" => "category" }
+            rename => { "[alert][gid]" => "gid" }
+            rename => { "[alert][rev]" => "rev" }
+            rename => { "[alert][severity]" => "severity" }
+            rename => { "[alert][signature]" => "signature" }
+            rename => { "[alert][signature_id]" => "sid" }
+	    #rename => { "[dns][aa]" => "aa" }
+            #rename => { "[dns][flags]" => "flags" }
+	    #rename => { "[dns][id]" => "id" }
+	    #rename => { "[dns][qr]" => "qr" }
+            #rename => { "[dns][rcode]" => "rcode_name" }
+	    #rename => { "[dns][rrname]" => "rrname" }
+	    #rename => { "[dns][rrtype]" => "rrtype" }
+            #rename => { "[dns][tx_id]" => "tx_id" }
+	    #rename => { "[dns][type]" => "record_type" }
+	    #rename => { "[dns][version]" => "version" }
+            rename => { "[http][hostname]" => "virtual_host" }
+            rename => { "[http][http_content_type]" => "content_type" }
+            rename => { "[http][http_port]" => "http_port" }
+            rename => { "[http][http_method]" => "method" }
+	    rename => { "[http][http_user_agent]" => "useragent" }
+            #rename => { "[http][length]" => "payload_length" }
+            #rename => { "[http][protocol]" => "http_version" }
+            rename => { "[http][status]" => "status_message" }
+            rename => { "[http][url]" => "url" }
+            #rename => { "[metadata][flowbits]" => "flowbits" }
+            rename => { "[tls][fingerprint]" => "certificate_serial_number" }
+            rename => { "[tls][issuerdn]" => "issuer_distinguished_name" }
+            rename => { "[tls][notafter]" => "certificate_not_valid_after" }
+            rename => { "[tls][notbefore]" => "certificate_not_valid_before" }
+            rename => { "[tls][subject]" => "certificate_common_name" }
+            rename => { "[tls][version]" => "tls_version" }
+	    rename => { "event_type" => "ids_event_type" }
+	    remove_field => [ "offset", "orig_alert", "beat", "input", "prospector" ]
+	    remove_tag => [ "beats_input_codec_plain_applied" ]
+	    add_tag => [ "eve" ]
+             
+	}
+    } else {
+        grok {
+          match => ["message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+<%{DATA:interface}>\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip}):%{INT:destination_port}",
+		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+<%{DATA:interface}>\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip})", 
+		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+%{IPV4:destination_ip}:%{INT:destination_port}", 
+		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip})",
+		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip}):%{INT:destination_port}",
+               "message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip})",
+		"message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}",
+		"message", "\A%{TIME} pid\(%{INT}\)  Alert Received: %{INT} %{INT:priority} %{DATA:classification} %{DATA:interface} \{%{DATA:timestamp}} %{INT} %{INT} \{%{DATA:alert}} %{IP:source_ip} %{IP:destination_ip} %{INT:protocol} %{INT:source_port} %{INT:destination_port} %{INT:gid} %{INT:sid} %{INT:rev} %{INT} %{INT}\Z",
+                "message", "%{GREEDYDATA:alert}"]
+        }
+    }
+    if [timestamp] {
+        mutate {
+                add_field => { "logstash_timestamp" => "%{@timestamp}" }
+        }
+        mutate {
+                convert => { "logstash_timestamp" => "string" }
+        }
+        date {
+                match => [ "timestamp", "ISO8601" ]
+        }
+        mutate {
+                rename => { "logstash_timestamp" => "timestamp" }
+        }
+    }
+	
+	# If the alert is a Snort GPL alert break it apart for easier reading and categorization
+    if [alert] =~ "GPL " {
+	  # This will parse out the category type from the alert
+      grok {
+        match => { "alert" => "GPL\s+%{DATA:category}\s" }
+      }
+	  # This will store the category
+      mutate {
+        add_field => { "rule_type" => "Snort GPL" }
+        lowercase => [ "category"]
+        }
+    }
+	# If the alert is an Emerging Threat alert break it apart for easier reading and categorization
+    if [alert] =~ "ET " {
+	  # This will parse out the category type from the alert
+      grok {
+        match => { "alert" => "ET\s+%{DATA:category}\s" }
+      }
+	  # This will store the category
+      mutate {
+        add_field => { "rule_type" => "Emerging Threats" }
+        lowercase => [ "category"]
+      }
+    }
+	# I recommend changing the field types below to integer so searches can do greater than or less than
+	# and also so math functions can be ran against them
+    mutate {
+      convert => [ "source_port", "integer" ]
+      convert => [ "destination_port", "integer" ]
+      convert => [ "gid", "integer" ]
+      convert => [ "sid", "integer" ]
+    #  remove_field => [ "message"]
+    }
+	# This will translate the priority field into a severity field of either High, Medium, or Low
+	if [priority] == 1 {
+      mutate {
+        add_field => { "severity" => "High" }
+      }
+    }
+    if [priority] == 2 {
+      mutate {
+        add_field => { "severity" => "Medium" }
+      }
+    }
+    if [priority] == 3 {
+      mutate {
+        add_field => { "severity" => "Low" }
+      }
+    }
+    # This section adds URLs to lookup information about a rule online
+    if [sid] and [sid] > 0 and [sid] < 1000000 {
+      mutate {
+        add_field => [ "signature_info", "https://www.snort.org/search?query=%{gid}-%{sid}" ]
+      }
+    }
+    if [sid] and [sid] > 1999999 and [sid] < 2999999 {
+      mutate {
+        add_field => [ "signature_info", "http://doc.emergingthreats.net/%{sid}" ]
+      }
+    }
+#	mutate {
+		#add_tag => [ "conf_file_1033"]
+#	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/1034_preprocess_syslog.conf b/salt/logstash/conf/pipelines/eval/1034_preprocess_syslog.conf
new file mode 100644
index 000000000..998109685
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/1034_preprocess_syslog.conf
@@ -0,0 +1,16 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/22/2017
+
+filter {
+  if [type] == "syslog" { 
+    # This drops syslog messages regarding license messages.  You may want to comment it out.
+    #if [message] =~ "license" {
+    #  drop { }
+    #}
+	mutate {
+		#convert => [ "status_code", "integer" ]
+	}
+  }  
+}
diff --git a/salt/logstash/conf/pipelines/eval/2000_network_flow.conf b/salt/logstash/conf/pipelines/eval/2000_network_flow.conf
new file mode 100644
index 000000000..40a060955
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/2000_network_flow.conf
@@ -0,0 +1,59 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [type] == "sflow" {
+    if [message] =~ /CNTR/ {
+      drop { }
+    }
+
+    grok {
+      match => { "message" => "%{WORD:sample_type},%{IP:sflow_source_ip},%{WORD:in_port:int},%{WORD:out_port:int},%{WORD:source_mac},%{WORD:destination_mac},%{WORD:ether_type},%{NUMBER:in_vlan:int},%{NUMBER:out_vlan:int},%{IP:source_ip},%{IP:destination_ip},%{NUMBER:protocol:int},%{WORD:type_of_service},%{WORD:ttl:int},%{NUMBER:source_port:int},%{NUMBER:destination_port:int},%{DATA:tcp_flags},%{NUMBER:packet_size:int},%{NUMBER:ip_size:int},%{NUMBER:sample_rate:int}" }
+    }
+
+    if "_grokparsefailure" in [tags] {
+      drop { }
+    }
+
+    mutate {
+      add_field => {
+        "[source_hostname]" => "%{source_ip}"
+        "[destination_hostname]" => "%{destination_ip}"
+        "[sflow_source_hostname]" => "%{sflow_source_ip}"
+      }
+    }
+
+    translate {
+      field => "[source_port]"
+      destination => "[source_service]"
+      dictionary_path => "/lib/dictionaries/iana_services.yaml"
+    }
+
+    translate {
+      field => "[destination_port]"
+      destination => "[destination_service]"
+      dictionary_path => "/lib/dictionaries/iana_services.yaml"
+    }
+
+    translate {
+      field => "[protocol]"
+      destination => "[protocol_name]"
+      dictionary_path => "/lib/dictionaries/iana_protocols.yaml"
+    }
+
+    translate {
+      field => "[tcp_flags]"
+      destination => "[tcp_flag]"
+      dictionary_path => "/lib/dictionaries/tcp_flags.yaml"
+    }
+
+    mutate {
+      add_field => { "ips" => [ "%{sflow_source_ip}" ] }
+    }
+	mutate {
+		#add_tag => [ "conf_file_2000"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/6002_syslog.conf b/salt/logstash/conf/pipelines/eval/6002_syslog.conf
new file mode 100644
index 000000000..f82f81a25
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6002_syslog.conf
@@ -0,0 +1,11 @@
+# Updated by: Doug Burks
+# Last Update: 5/16/2017
+#
+filter {
+  if "syslog" in [tags] {
+	mutate {
+		#convert => [ "status_code", "integer" ]
+	  #add_tag => [ "conf_file_6002"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/6101_switch_brocade.conf b/salt/logstash/conf/pipelines/eval/6101_switch_brocade.conf
new file mode 100644
index 000000000..dd2f3126c
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6101_switch_brocade.conf
@@ -0,0 +1,33 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [type] == "brocade" {
+    grok {
+      match => ["message", "<%{DATA}>%{GREEDYDATA:sys_message}"]
+    }
+    grok {
+      match => { "sys_message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid:int}\])?: %{GREEDYDATA:syslog_message}" }
+      add_field => [ "received_at", "%{@timestamp}" ]
+    }
+    if [syslog_message] =~ "Interface ethernet" or [syslog_program] == "PORT" {
+      grok {
+        match => { "syslog_message" => "%{DATA}%{INT:unit}\/%{INT:interface_type}\/%{INT:interface:int}" }
+      }
+      mutate {
+        add_field => { "interface_port" => "%{unit}/%{interface_type}/%{interface}" }
+      }
+    }
+    date {
+      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
+      timezone => "America/Chicago"
+      remove_field => "syslog_timestamp"
+      remove_field => "received_at"
+    }
+	mutate {
+		#add_tag => [ "conf_file_6101"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/6200_firewall_fortinet.conf b/salt/logstash/conf/pipelines/eval/6200_firewall_fortinet.conf
new file mode 100644
index 000000000..b33c89bb8
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6200_firewall_fortinet.conf
@@ -0,0 +1,281 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [type] == "fortinet" {
+    mutate {
+      gsub => [ "message", "= ", "=NA " ]
+    }
+
+    grok {
+       match => ["message", "type=%{DATA:event_type}\s+"]
+       tag_on_failure => []
+    }
+    grok {
+       match => ["message", "<%{DATA}>%{GREEDYDATA:kv}"]
+       tag_on_failure => []
+    }
+    kv {
+      source => "kv"
+      exclude_keys => [ "type" ]
+    }
+    mutate {
+      gsub => [ "log", "= ", "=NA " ]
+    }
+    kv {
+      source => "log"
+      target => "SubLog"
+    }
+    grok {
+       match => ["message", "custom: DOM-ALL, dns_query=%{DATA:dns_query};"]
+       tag_on_failure => [ "" ]
+    }
+    mutate {
+      rename => {  "action" => "action" }
+      rename => {  "addr" => "addr_ip" }
+      rename => {  "age" => "age" }
+      rename => {  "assigned" => "assigned_ip" }
+      rename => {  "assignip" => "assign_ip" }
+      rename => {  "ap" => "access_point" }
+      rename => {  "app" => "application" }
+      rename => {  "appcat" => "application_category" }
+      rename => {  "applist" => "application_list" }
+      rename => {  "apprisk" => "application_risk" }
+      rename => {  "approfile" => "accessPoint_profile" }
+      rename => {  "apscan" => "access_point_scan" }
+      rename => {  "apstatus" => "acces_point_status" }
+      rename => {  "aptype" => "access_point_type" }
+      rename => {  "authproto" => "authentication_protocol" }
+      rename => {  "bandwidth" => "bandwidth" }
+      rename => {  "banned_src" => "banned_source" }
+      rename => {  "cat" => "category" }
+      rename => {  "catdesc" => "category_description" }
+      rename => {  "cfgattr" => "configuration_attribute" }
+      rename => {  "cfgobj" => "configuration_object" }
+      rename => {  "cfgpath" => "configuration_path" }
+      rename => {  "cfgtid" => "configuration_transaction_id" }
+      rename => {  "channel" => "channel" }
+      rename => {  "community" => "community" }
+      rename => {  "cookies" => "cookies" }
+      rename => {  "craction" => "cr_action" }
+      rename => {  "crlevel" => "cr_level" }
+      rename => {  "crscore" => "cr_score" }
+      rename => {  "datarange" => "data_range" }
+      rename => {  "desc" => "description" }
+      rename => {  "detectionmethod" => "detection_method" }
+      rename => {  "devid" => "device_id" }
+      rename => {  "devname" => "device_name" }
+      rename => {  "devtype" => "device_type" }
+      rename => {  "dhcp_msg" => "dhcp_message" }
+      rename => {  "disklograte" => "disk_lograte" }
+      rename => {  "dstcountry" => "destination_country" }
+      rename => {  "dstintf" => "destination_interface" }
+      rename => {  "dstip" => "destination_ip" }
+      rename => {  "dstport" => "destination_port" }
+      rename => {  "duration" => "elapsed_time" }
+      rename => {  "error_num" => "error_number" }
+      rename => {  "espauth" => "esp_authentication" }
+      rename => {  "esptransform" => "esp_transform" }
+      rename => {  "eventid" => "event_id" }
+      rename => {  "eventtype" => "event_type" }
+      rename => {  "fazlograte" => "faz_lograte" }
+      rename => {  "filename" => "file_name" }
+      rename => {  "filesize" => "file_size" }
+      rename => {  "filetype" => "file_type" }
+      rename => {  "hostname" => "hostname" }
+      rename => {  "ip" => "source_ip" }
+      rename => {  "localip" => "source_ip" }
+      rename => {  "locip" => "local_ip" }
+      rename => {  "locport" => "source_port" }
+      rename => {  "logid" => "log_id" }
+      rename => {  "logver" => "log_version" }
+      rename => {  "manuf" => "manufacturer" }
+      rename => {  "mem" => "memory" }
+      rename => {  "meshmode" => "mesh_mode" }
+      rename => {  "msg" => "message" }
+      rename => {  "nextstat" => "next_stat" }
+      rename => {  "onwire" => "on_wire" }
+      rename => {  "osname" => "os_name" }
+      rename => {  "osversion" => "unauthenticated_user" }
+      rename => {  "outintf" => "outbound_interface" }
+      rename => {  "peer_notif" => "peer_notification" }
+      rename => {  "phase2_name" => "phase2_name" }
+      rename => {  "policyid" => "policy_id" }
+      rename => {  "policytype" => "policy_type" }
+      rename => {  "port" => "port" }
+      rename => {  "probeproto" => "probe_protocol" }
+      rename => {  "proto" => "protocol_number" }
+      rename => {  "radioband" => "radio_band" }
+      rename => {  "radioidclosest" => "radio_id_closest" }
+      rename => {  "radioiddetected" => "radio_id_detected" }
+      rename => {  "rcvd" => "bytes_received" }
+      rename => {  "rcvdbyte" => "bytes_received" }
+      rename => {  "rcvdpkt" => "packets_received" }
+      rename => {  "remip" => "destination_ip" }
+      rename => {  "remport" => "remote_port" }
+      rename => {  "reqtype" => "request_type" }
+      rename => {  "scantime" => "scan_time" }
+      rename => {  "securitymode" => "security_mode" }
+      rename => {  "sent" => "bytes_sent" }
+      rename => {  "sentbyte" => "bytes_sent" }
+      rename => {  "sentpkt" => "packets_sent" }
+      rename => {  "session_id" => "session_id" }
+      rename => {  "setuprate" => "setup_rate" }
+      rename => {  "sn" => "serial" }
+      rename => {  "snclosest" => "serial_closest_access_point" }
+      rename => {  "sndetected" => "serial_access_point_that_detected_rogue_ap" }
+      rename => {  "snmeshparent" => "serial_mesh_parent" }
+      rename => {  "srccountry" => "source_country" }
+      rename => {  "srcip" => "source_ip" }
+      rename => {  "srcmac" => "source_mac" }
+      rename => {  "srcname" => "source_name" }
+      rename => {  "srcintf" => "source_interface" }
+      rename => {  "srcport" => "source_port" }
+      rename => {  "stacount" => "station_count" }
+      rename => {  "stamac" => "static_mac" }
+      rename => {  "srccountry" => "source_country" }
+      rename => {  "srcip" => "source_ip" }
+      rename => {  "srcmac" => "source_mac" }
+      rename => {  "srcname" => "source_name" }
+      rename => {  "sn" => "serial" }
+      rename => {  "srcintf" => "source_interface" }
+      rename => {  "srcport" => "source_port" }
+      rename => {  "total" => "total_bytes" }
+      rename => {  "totalsession" => "total_sessions" }
+      rename => {  "trandisp" => "nat_translation_type" }
+      rename => {  "tranip" => "nat_destination_ip" }
+      rename => {  "tranport" => "nat_destination_port" }
+      rename => {  "transip" => "nat_source_ip" }
+      rename => {  "transport" => "nat_source_port" }
+      rename => {  "tunnelid" => "tunnel_id" }
+      rename => {  "tunnelip" => "tunnel_ip" }
+      rename => {  "tunneltype" => "tunnel_type" }
+      rename => {  "unauthuser" => "unauthenticated_user_source" }
+      rename => {  "unauthusersource" => "os_version" }
+      rename => {  "vendorurl" => "vendor_url" }
+      rename => {  "vpntunnel" => "vpn_tunnel" }
+      rename => {  "vulncat" => "vulnerability_category" }
+      rename => {  "vulncmt" => "vulnerability_count" }
+      rename => {  "vulnid" => "vulnerability_id" }
+      rename => {  "vulnname" => "vulnerability_name" }
+      rename => {  "vulnref" => "vulnerability_reference" }
+      rename => {  "vulnscore" => "vulnerability_score" }
+      rename => {  "xauthgroup" => "x_authentication_group" }
+      rename => {  "xauthuser" => "x_authentication_user" }
+      rename => {  "[SubLog][appid]" => "sub_application_id" }
+      rename => {  "[SubLog][devid]" => "sub_device_id" }
+      rename => {  "[SubLog][dstip]" => "sub_destination_ip" }
+      rename => {  "[SubLog][srcip]" => "sub_source_ip" }
+      rename => {  "[SubLog][dstport]" => "sub_destination_port" }
+      rename => {  "[SubLog][eventtype]" => "sub_event_type" }
+      rename => {  "[SubLog][proto]" => "sub_protocol_number" }
+      rename => {  "[SubLog][date]" => "sub_date" }
+      rename => {  "[SubLog][time]" => "sub_time" }
+      rename => {  "[SubLog][srcport]" => "sub_source_port" }
+      rename => {  "[SubLog][subtype]" => "sub_subtype" }
+      rename => {  "[SubLog][devname]" => "sub_device_name" }
+      rename => {  "[SubLog][itime]" => "sub_itime" }
+      rename => {  "[SubLog][level]" => "sub_level" }
+      rename => {  "[SubLog][logid]" => "sub_log_id" }
+      rename => {  "[SubLog][logver]" => "sub_log_version" }
+      rename => {  "[SubLog][type]" => "sub_event_type" }
+      rename => {  "[SubLog][vd]" => "sub_vd" }
+      rename => {  "[SubLog][action]" => "sub_action" }
+      rename => {  "[SubLog][logdesc]" => "sub_destination_ip" }
+      rename => {  "[SubLog][policyid]" => "sub_olicy_id" }
+      rename => {  "[SubLog][reason]" => "sub_reason" }
+      rename => {  "[SubLog][service]" => "sub_service" }
+      rename => {  "[SubLog][sessionid]" => "sub_session_id" }
+      rename => {  "[SubLog][src]" => "sub_source_ip" }
+      rename => {  "[SubLog][status]" => "sub_status" }
+      rename => {  "[SubLog][ui]" => "sub_ui" }
+      rename => {  "[SubLog][urlfilteridx]" => "sub_url_filter_idx" }
+      strip => [ "bytes_sent", "bytes_received" ]
+      convert => [ "bytes_sent", "integer" ]
+      convert => [ "bytes_received", "integer" ]
+      convert => [ "cr_score", "integer" ]
+      convert => [ "cr_action", "integer" ]
+      convert => [ "elapsed_time", "integer" ]
+      convert => [ "destination_port", "integer" ]
+      convert => [ "source_port", "integer" ]
+      convert => [ "local_port", "integer" ]
+      convert => [ "remote_port", "integer" ]
+      convert => [ "packets_sent", "integer" ]
+      convert => [ "packets_received", "integer" ]
+      convert => [ "port", "integer" ]
+      convert => [ "ProtocolNumber", "integer" ]
+      convert => [ "XAuthUser", "string" ]
+      remove_field => [ "kv", "log" ]
+    }
+    if [tunnel_ip] == "N/A" {
+      mutate {
+        remove_field => [ "tunnel_ip" ]
+      }
+    }
+    if [nat_destination_ip] {
+      mutate {
+        add_field => { "ips" => [ "%{nat_destination_ip}" ] }
+        add_field => { "destination_ips" => [ "%{nat_destination_ip}" ] }
+      }
+    }
+    if [sub_destination_ip] {
+      mutate {
+        add_field => { "ips" => [ "%{sub_destination_ip}" ] }
+        add_field => { "destination_ips" => [ "%{sub_destination_ip}" ] }
+      }
+    }
+    if [nat_source_ip] {
+      mutate {
+        add_field => { "ips" => [ "%{nat_source_ip}" ] }
+        add_field => { "source_ips" => [ "%{nat_source_ip}" ] }
+      }
+    }
+    if [sub_source_ip] {
+      mutate {
+        add_field => { "ips" => [ "%{sub_source_ip}" ] }
+        add_field => { "source_ips" => [ "%{sub_source_ip}" ] }
+      }
+    }
+    if [addr_ip] {
+      mutate {
+        add_field => { "ips" => [ "%{addr_ip}" ] }
+      }
+    }
+    if [assign_ip] {
+      mutate {
+        add_field => { "ips" => [ "%{assign_ip}" ] }
+      }
+    }
+    if [assigned_ip] {
+      mutate {
+        add_field => { "ips" => [ "%{assigned_ip}" ] }
+      }
+    }
+    grok {
+       match => ["message", "type=%{DATA:event_type}\s+"]
+    }
+    if [date] and [time] {
+      mutate {
+        add_field => { "receive_time" => "%{date} %{time}" }
+        remove_field => [ "date", "time" ]
+      }
+      date {
+        timezone => "America/Chicago"
+        match => [ "receive_time", "YYYY-MM-dd HH:mm:ss" ]
+        target => "receive_time"
+      }
+      mutate {
+        rename => { "receive_time" => "@timestamp" }
+      }
+    } else {
+      mutate {
+        add_tag => [ "missing_date" ]
+      }
+    }
+	mutate {
+		#add_tag => [ "conf_file_6200"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/6201_firewall_pfsense.conf b/salt/logstash/conf/pipelines/eval/6201_firewall_pfsense.conf
new file mode 100644
index 000000000..acd08eba0
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6201_firewall_pfsense.conf
@@ -0,0 +1,56 @@
+# Author: Wes Lambert
+# Updated by: Doug Burks
+
+filter {
+  if [type] == "filterlog" {
+    dissect {
+      mapping => {
+        "message" => "%{rule_number},%{sub_rule_number},%{anchor},%{tracker_id},%{interface},%{reason},%{action},%{direction},%{ip_version},%{sub_msg}"
+      }
+    }
+    if [ip_version] == "4" {
+      dissect {
+      	mapping => {
+        	"sub_msg" => "%{ipv4_tos},%{ipv4_ecn},%{ipv4_ttl},%{ipv4_id},%{ipv4_offset},%{ipv4_flags},%{protocol_id},%{protocol},%{protocol_length},%{source_ip},%{destination_ip},%{ip_sub_msg}"
+      	}
+      }
+    }
+    if [ip_version] == "6" {
+      dissect {
+      	mapping => {
+        	"sub_msg" => "%{class},%{flow_label},%{hop_limit},%{protocol},%{protocol_id},%{length},%{source_ip},%{destination_ip},%{ip_sub_msg}"
+      	}
+      }
+    }
+    if [protocol] == "tcp" {
+      dissect {
+      	mapping => {
+        	"ip_sub_msg" => "%{source_port},%{destination_port},%{data_length},%{tcp_flags},"
+      	}
+      }
+    }
+    if [protocol] == "udp" {
+      dissect {
+      	mapping => {
+        	"ip_sub_msg" => "%{source_port},%{destination_port},%{data_length}"
+      	}
+      }
+    }
+    if [protocol] == "Options" {
+      mutate {
+	  copy => { "ip_sub_msg" => "options" }
+        }
+      mutate {
+          split => { "options" => "," }
+        }
+    }
+    mutate {
+      convert 		=> [ "destination_port", "integer" ]
+      convert 		=> [ "source_port", "integer" ]    
+      convert 		=> [ "ip_version", "integer" ]
+      replace 		=> { "type" => "firewall" }
+      add_tag		=> [ "pfsense","firewall" ]
+      remove_field 	=> [ "sub_msg", "ip_sub_msg" ]
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/6300_windows.conf b/salt/logstash/conf/pipelines/eval/6300_windows.conf
new file mode 100644
index 000000000..34450af2b
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6300_windows.conf
@@ -0,0 +1,161 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [type] == "windows" {
+#    json {
+#      source => "message"
+#    }
+    date {
+      match => ["EventTime", "YYYY-MM-dd HH:mm:ss"]
+      remove_field => [ "EventTime" ]
+    }
+    if [EventID] == 4634 {
+      mutate {
+        add_tag => [ "logoff" ]
+      }
+    }
+    if [EventID] == 4624 or [EventID] == 528 or [EventID] == 540 or [EventID] == 552 or [EventID] == 682 or [EventID] == 4648 or [EventID] == 4778 {
+      mutate {
+        add_tag => [ "logon" ]
+        add_tag => [ "alert_data" ]
+      }
+    }
+    if [EventID] == 529 or [EventID] == 4625 or [EventID] == 530 or [EventID] == 531 or [EventID] == 532 or [EventID] == 533 or [EventID] == 534 or [EventID] == 535 or [EventID] == 536 or [EventID] == 536 or [EventID] == 537 or [EventID] == 538 or [EventID] == 539 or [EventID] == 4625 or [EventID] == 4771 {
+      mutate {
+        add_tag => [ "logon_failure" ]
+        add_tag => [ "alert_data" ]
+      }
+    }
+    # Critical event IDs to monitor
+    if [EventID] == 7030 or [EventID] == 4720 or [EventID] == 4722 or [EventID] == 4724 or [EventID] == 4738 or [EventID] == 4732 or [EventID] == 1102 or [EventID] == 1056 or [EventID] == 2003 or [EventID] == 2005 or [EventID] == 8003 or [EventID] == 8004 or [EventID] == 8006 or [EventID] == 8007 {
+      mutate {
+        add_tag => [ "alert_data" ]
+      }
+    }
+    # Critical event IDs to monitor
+    if [EventID] == 5152 { drop {} }
+    if [EventID] == 4688 { drop {} }
+    if [EventID] == 4689 { drop {} } # Process Termination:Not needed due to Sysmon
+    if [Channel] == "Microsoft-Windows-Known Folders API Service" { drop {} }
+    if [EventID] == 3 and [SourceIp] =~ "255$" { drop {} }
+    if [EventID] == 3 and [DestinationIp] =~ "255$" { drop {} }
+    # Whitelist/Blacklist check
+    if [EventID] == 7045 {
+      translate {
+        field => "ServiceName"
+        destination => "ServiceCheck"
+        dictionary_path => "/lib/dictionaries/services.yaml"
+      }
+    }
+    if [EventID] == 7045 and !([ServiceCheck]) {
+      mutate {
+        add_tag => [ "alert_data","new_service" ] 
+      }
+    }
+    if [ServiceCheck] == 'whitelist' {
+      mutate {
+        remove_field => [ "ServiceCheck" ]
+        add_tag => [ "whitelist" ]
+      }
+    }
+    if [ServiceCheck] == 'blacklist' {
+      mutate {
+        remove_field => [ "ServiceCheck" ]
+        add_tag => [ "blacklist" ]
+      }
+    }
+    if [EventID] == 5158 {
+      if [Application] == "System" { drop {} }
+      if [Application] =~ "\\windows\\system32\\spoolsv\.exe" { drop {} }
+      if [Application] =~ "\\windows\\system32\\wbem\\wmiprvse\.exe" { drop {} }
+      if [Application] =~ "mcafee" { drop {} }
+      if [Application] =~ "carestream" { drop {} }
+      if [Application] =~ "Softdent" { drop {} }
+    }
+    if [ProcessName] == "C:\\Windows\\System32\\wbem\\WmiPrvSE\.exe" and [SubjectUserName] == "SolarwindsHO" { drop {} }
+    if [EventID] == 4690 { drop {} }
+    if [EventID] == 861 and [AccountName] == "ntp" { drop {} }
+    if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\lsass\.exe$" { drop {} }
+    if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\svchost\.exe$" { drop {} }
+    if [EventID] == 5158 and [Application] =~ "\\windows\\system32\\dfsrs\.exe$" { drop {} }
+    if [EventID] == 5447 { drop {} }
+
+    mutate {
+      rename => [ "AccountName", "user" ]
+      rename => [ "AccountType", "account_type" ]
+      rename => [ "ActivityID", "activity_id" ]
+      rename => [ "Category", "category" ]
+      rename => [ "ClientAddress", "client_ip" ]
+      rename => [ "Channel", "channel" ]
+      rename => [ "DCIPAddress", "domain_controller_ip" ]
+      rename => [ "DCName", "domain_controller_name" ]
+      rename => [ "EventID", "event_id" ]
+      rename => [ "EventReceivedTime", "event_received_time" ]
+      rename => [ "EventType", "event_type" ]
+      rename => [ "GatewayIPAddress", "gateway_ip" ]
+      rename => [ "IPAddress", "client_ip" ]
+      rename => [ "Ipaddress", "client_ip" ]
+      rename => [ "IpAddress", "client_ip" ]
+      rename => [ "IPPort", "source_port" ]
+      rename => [ "OpcodeValue", "opcode_value" ]
+      rename => [ "PreAuthType", "preauthentication_type" ]
+      rename => [ "PrincipleSAMName", "user" ]
+      rename => [ "ProcessID", "process_id" ]
+      rename => [ "ProviderGUID", "providerguid" ]
+      rename => [ "RecordNumber", "record_number" ]
+      rename => [ "RemoteAddress", "destination_ip" ]
+      rename => [ "ServiceName", "service_name" ]
+      rename => [ "ServiceID", "service_id" ]
+      rename => [ "SeverityValue", "severity_value" ]
+      rename => [ "SourceAddress", "client_ip" ]
+      rename => [ "SourceModuleName", "source_module_name" ]
+      rename => [ "SourceModuleType", "source_module_type" ]
+      rename => [ "SourceName", "source_name" ]
+      rename => [ "SubjectUserName", "user" ]
+      rename => [ "TaskName", "task_name" ]
+      rename => [ "TargetDomainName", "target_domain_name" ]
+      rename => [ "TargetUserName", "user" ]
+      rename => [ "ThreadID", "thread_id" ]
+      rename => [ "User_ID", "user" ]
+      rename => [ "UserID", "user" ]
+      rename => [ "username", "user" ]
+    }
+    # For any accounts that are service accounts or special accounts add the tag of service_account
+    # This example applies the tag to any username that starts with SVC_.  If you use a different
+    # standard change this.
+    if [user] =~ "^DWM-*" or [user] == "SYSTEM" or [user] == "NETWORK SERVICE" or [user] == "LOCAL SERVICE" or [user] =~ "^SVC_*" {
+      mutate {
+        add_tag => [ "service_account" ]
+      }
+    }
+    # This looks for events that are typically noisy but may be of use for deep dive investigations
+    # A tag of noise is added to quickly filter out noise
+    if [event_id] == 7036 or [source_name] == "Desktop Window Manager" or [category] == "Engine Lifecycle" or [category] == "Provider Lifecycle" {
+      mutate {
+        add_tag => [ "noise" ]
+      }
+    }
+    #Identify machine accounts
+    if [user] =~ /\$/ {
+      mutate {
+        add_tag => [ "machine", "noise" ]
+      }
+    }
+    # Lower case all field names
+    ruby {
+      code => "
+        event_hash = event.to_hash
+        new_event = {}
+        event_hash.keys.each do |key|
+        new_event[key.downcase] = event[key]
+        end
+        event.instance_variable_set(:@data, new_event)"
+    }
+	mutate {
+		#add_tag => [ "conf_file_6300"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/6301_dns_windows.conf b/salt/logstash/conf/pipelines/eval/6301_dns_windows.conf
new file mode 100644
index 000000000..1ef5077a6
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6301_dns_windows.conf
@@ -0,0 +1,49 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [type] == "dns" and "bro" not in [tags] {
+    json {
+      source => "message"
+    }
+    # strip whitespace from message field
+    mutate {
+      strip => "message"
+    }
+    # If the message is blank, drop the log
+    if [Message] =~ /^$/ {
+      drop {  }
+    } else {
+      if [type] == "dns" {
+  	  # This section is lookup for a match against the log and parsing out the fields
+        grok {
+          match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{DATE_US} %{TIME} (?:AM|PM))\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          # Server 2003 DNS logs do not include slashes or AM/PM in timestamp
+          match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:recursion}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{DATA:response}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          match => { "Message" => "(?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME})\s+%{DATA:thread_id}\s+%{WORD:dns_type}\s+ %{BASE16NUM:packet_id}\s+%{WORD:dns_protocol}\s+%{WORD:dns_direction}\s+%{IP:dns_ip}\s+ %{BASE16NUM:xid}\s+%{WORD:dns_query_type}\s+\[%{BASE16NUM:hex_flags}\s+%{WORD:flags}\s+ %{WORD:rcode_name}\]\s+%{WORD:query_type_name}\s+%{GREEDYDATA:dns_domain}"}
+          remove_field => [ "Message" ]
+        }
+  	  # This section attempts to convert the dns_domain into the traditional domain.com format
+        mutate {
+          gsub => [ "dns_domain", "(\(\d+\))", "." ]
+        }
+        grok {
+          match => { "dns_domain" => "\.%{DATA:query}\.$" }
+          remove_field => [ "dns_domain" ]
+        }
+      }
+    }
+	mutate {
+		#add_tag => [ "conf_file_6301"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/6400_suricata.conf b/salt/logstash/conf/pipelines/eval/6400_suricata.conf
new file mode 100644
index 000000000..11f185ddf
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6400_suricata.conf
@@ -0,0 +1,92 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+#
+# This conf file is based on accepting logs for suricata json events
+filter {
+  if [type] == "suricata" {
+    if "test_data" not in [tags] {
+      date {
+        match => [ "timestamp", "ISO8601" ]
+      }
+    } else {
+      mutate {
+        remove_field => [ "netflow.start","netflow.end","timestamp" ]
+      }
+    }
+    if [event_type] == "fileinfo" {
+      ruby {
+        code => "if event['event_type'] == 'fileinfo'; event['fileinfo']['type']=event['fileinfo']['magic'].to_s.split(',')[0]; end;" 
+      }
+    }
+	# I recommend renaming the fields below to be consistent with other log sources.  This makes it easy to "pivot" between logs
+    mutate {
+      rename => [ "src_ip", "source_ip" ]
+      rename => [ "dest_ip", "destination_ip" ]
+      rename => [ "src_port", "source_port" ]
+      rename => [ "dest_port", "destination_port" ]
+    }
+	# This will translate the alert.severity field into a severity field of either High, Medium, or Low
+    if [event_type] == "alert" {
+      if [alert][severity] == 1 {
+        mutate {
+          add_field => { "severity" => "High" }
+        }
+      }
+      if [alert][severity] == 2 {
+        mutate {
+          add_field => { "severity" => "Medium" }
+        }
+      }
+      if [alert][severity] == 3 {
+        mutate {
+          add_field => { "severity" => "Low" }
+        }
+      }
+	  # If the alert is a Snort GPL alert break it apart for easier reading and categorization
+      if [alert][signature] =~ "GPL " {
+	    # This will parse out the category type from the alert
+        grok {
+          match => { "[alert][signature]" => "GPL\s+%{DATA:category}\s" }
+        }
+		# This will store the category
+        mutate {
+          add_field => { "rule_type" => "Snort GPL" }
+          lowercase => [ "category" ]
+        }
+      }
+	  # If the alert is an Emerging Threat alert break it apart for easier reading and categorization
+      if [alert][signature] =~ "ET " {
+	    # This will parse out the category type from the alert
+        grok {
+          match => { "[alert][signature]" => "ET\s+%{DATA:category}\s" }
+        }
+		# This will store the category
+        mutate {
+          add_field => { "rule_type" => "Emerging Threats" }
+          lowercase => [ "category" ]
+        }
+      }
+	  # This section adds URLs to lookup information about a rule online
+      if [rule_type] == "Snort GPL" {
+        mutate {
+          add_field => [ "signature_info", "https://www.snort.org/search?query=%{[alert][gid]}-%{[alert][signature_id]}" ]
+        }
+      }
+      if [rule_type] == "Emerging Threats" {
+        mutate {
+          add_field => [ "signature_info", "http://doc.emergingthreats.net/%{[alert][signature_id]}" ]
+        }
+      }
+    }
+    if "_grokparsefailure" not in [tags] and "_csvparsefailure" not in [tags] and "_jsonparsefailure" not in [tags] {
+    #  mutate {
+    #    remove_field => [ "message" ]
+    #  }
+    }
+	mutate {
+		#add_tag => [ "conf_file_6400"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/6500_ossec.conf b/salt/logstash/conf/pipelines/eval/6500_ossec.conf
new file mode 100644
index 000000000..292fea49b
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6500_ossec.conf
@@ -0,0 +1,160 @@
+# Author: Wes Lambert
+#
+# Last Update: 09/19/2018
+#
+# This conf file is based on accepting logs from OSSEC
+
+filter {
+  # OSSEC Alerts
+  if [type] == "ossec" {
+        
+	# Sysmon/Autoruns logs transported by OSSEC
+        if [message] =~ "Microsoft-Windows-Sysmon" {
+            mutate {
+                replace => { "type" => "sysmon" }
+                add_tag => [ "ossec" ]
+            }
+        }
+        if [message] =~ "AR-LOG" {
+            mutate {
+                replace => { "type" => "autoruns" }
+                add_tag => [ "ossec" ]
+            }
+        }
+		
+	# If message looks like json, try to parse it as such. Otherwise, grok.
+        if [message] =~ /^{.*}$/ {
+                json {
+                        source => "message"
+                }
+		mutate {
+			rename => { "rule" => "wazuh-rule" }
+			rename => { "[wazuh-rule][level]" => "alert_level" }
+			rename => { "[wazuh-rule][description]" => "description" }
+			rename => { "[data][srcuser]" => "username" }
+			rename => { "[data][dstuser]" => "escalated_user" }
+			rename => { "[data][command]" => "command" }
+			rename => { "[predecoder][program_name]" => "process" }
+			
+                }
+                # Wazuh 3.8.2
+                if [data][EventChannel] {
+        		mutate {
+				rename => { "[data][EventChannel][EventData][User]" => "username" }
+        			rename => { "[data][EventChannel][System][EventID]" => "event_id" }
+        			rename => { "[data][EventChannel][EventData][DestinationPort]" => "destination_port" }
+        			rename => { "[data][EventChannel][EventData][DestinationIp]" => "destination_ip" }
+        			rename => { "[data][EventChannel][EventData][SourcePort]" => "source_port" }
+        			rename => { "[data][EventChannel][EventData][SourceIp]" => "source_ip" }
+        			rename => { "[data][EventChannel][EventData][SourceHostname]" => "source_hostname" }
+        			rename => { "[data][EventChannel][EventData][DestinationHostname]" => "destination_hostname" }
+			}
+		}
+                # Wazuh 3.9.2
+		if [data][win] {
+                        mutate {
+				rename => { "[data][win][eventdata][user]" => "username" }
+                        	rename => { "[data][win][system][eventID]" => "event_id" }
+                        	rename => { "[data][win][eventdata][destinationPort]" => "destination_port" }
+                        	rename => { "[data][win][eventdata][destinationIp]" => "destination_ip" }
+                        	rename => { "[data][win][eventdata][sourcePort]" => "source_port" }
+                        	rename => { "[data][win][eventdata][sourceIp]" => "source_ip" }
+                        	rename => { "[data][win][eventdata][sourceHostname]" => "source_hostname" }
+                        	rename => { "[data][win][eventdata][destinationHostname]" => "destination_hostname" } 
+                        }
+		}
+	} else {
+		grok {
+			match => ["message", "Alert Level: %{NONNEGINT;alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; user: +%{DATA:username}; %{SYSLOGTIMESTAMP} %{DATA:host} %{DATA:process}\[%{INT:pid}]: %{GREEDYDATA:details}", 
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}",
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}", 
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: +%{DATA:username} : TTY=%{DATA:tty} ; PWD=%{DATA:dir} ; USER=%{DATA:escalated_user} ; COMMAND=%{GREEDYDATA:command}", 
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: %{GREEDYDATA:details}", 
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{SYSLOGTIMESTAMP:timestamp} %{DATA:host} %{DATA:program}: +%{DATA:username} : %{GREEDYDATA:details}",  
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; srcip: %{IP:source_ip};%{GREEDYDATA:details}", 
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA:username}: %{DATA}: \'%{DATA}': %{DATA:interface}: %{INT:num_packets}",
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA:username}: %{GREEDYDATA:details}.",
+				"message", "Alert Level: %{NONNEGINT:alert_Level}; Rule: %{NONNEGINT:Rule} - %{DATA:Description}; Location: %{DATA:location}; user: +%{DATA:username};",
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{DATA}: %{DATA}: \'%{DATA}': %{DATA:interface}: %{NONNEGINT:num_packets}",
+				"message", "Alert Level: %{NONNEGINT:alert_level}; Rule: %{NONNEGINT:rule} - %{DATA:description}; Location: %{DATA:location}; %{GREEDYDATA:details}"]
+		}
+	}
+	
+	# Add tag for OSSEC alerts
+	if [alert_level] {
+            mutate {
+		add_tag => [ "alert" ]
+	    }
+        }
+
+	translate {
+		field => "alert_level"
+
+		destination => "classification"
+
+		dictionary => [
+               	    "1", "None",
+		    "2", "System low priority notification",
+		    "3", "Successful/authorized event",
+		    "4", "System low priority error",
+		    "5", "User generated error",
+		    "6", "Low relevance attack",
+		    "7", '"Bad word" matching',
+		    "8", "First time seen",
+		    "9", "Error from invalid source",
+		    "10", "Multiple user generated errors",
+		    "11", "Integrity checking warning",
+		    "12", "High importance event",
+		    "13", "Unusal error (high importance)",
+		    "14", "High importance security event",
+		    "15", "Severe attack"
+               	]
+	}
+  }
+
+  # OSSEC Archive Logs
+  if [type] == "ossec_archive" {
+        
+	# Sysmon/Autoruns logs transported by OSSEC
+	if [message] =~ "Microsoft-Windows-Sysmon" {
+            mutate { 
+                replace => { "type" => "sysmon" } 
+                add_tag => [ "ossec" ] 
+	    }
+        }
+	if [message] =~ "AR-LOG" {
+            mutate { 
+                replace => { "type" => "autoruns" } 
+                add_tag => [ "ossec" ]
+            }
+        }
+
+	# If message looks like json, try to parse it as such. Otherwise, grok.
+        if [message] =~ /^{.*}$/ {
+                json {
+                        source => "message"
+                }
+		mutate {
+                        rename => [ "rule", "wazuh-rule" ]
+                        rename => [ "[wazuh-rule][level]", "alert_level" ]
+                        rename => [ "[wazuh-rule][description]", "description" ]
+                        rename => [ "[data][srcuser]", "username" ]
+                        rename => [ "[data][dstuser]", "escalated_user" ]
+                        rename => [ "[data][command]", "command" ]
+                        rename => [ "[predecoder][program_name]", "process" ]
+                }
+	} else {
+		grok {
+			match => ["message",'%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{IP:source_ip} - %{DATA:username} \[%{DATA:request_timestamp}] "%{DATA:method} %{DATA:requested_resource} %{DATA:protocol}\/%{DATA:protocol_version}" %{NONNEGINT:status_code} %{NONNEGINT:object_size} "%{DATA:referrer}" "%{DATA:user_agent}"',
+				"message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{SYSLOGTIMESTAMP:ossec_timestamp} %{DATA:host} %{DATA:process}\[%{NONNEGINT:pid}]: \(%{DATA:username}\) CMD \(%{DATA:command}\)",
+				"message", "%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{GREEDYDATA:details}","message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{SYSLOGTIMESTAMP:ossec_timestamp} %{DATA:ossec_host} %{DATA:process}\[%{NONNEGINT:pid}]: %{GREEDYDATA:details}",
+				"message","%{DATA:age} %{DATA:program} %{DATA} '%{DATA:checksum}'",
+				"message", "%{DATA:username} : TTY=%{DATA:tty} ; PWD=%{DATA:dir} ; USER=%{DATA:escalated_user} ; COMMAND=%{GREEDYDATA:command}"]
+			remove_field => [ "ossec_timestamp" ]
+		}
+		mutate {
+			convert => [ "status_code", "integer" ]
+		}
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/6501_ossec_sysmon.conf b/salt/logstash/conf/pipelines/eval/6501_ossec_sysmon.conf
new file mode 100644
index 000000000..6ebf10487
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6501_ossec_sysmon.conf
@@ -0,0 +1,118 @@
+# Author: Wes Lambert
+# wlambertts@gmail.com
+#
+# This conf file is based on accepting Sysmon logs from OSSEC
+#
+# Parse using grok
+filter {
+  # OSSEC Logs and Alerts
+  if [type] == "sysmon" or "sysmon" in [tags] {
+    if [message] !~ /^{.*}$/ {
+      #mutate { replace => { "type" => "sysmon" } }
+      grok {
+      # match => ["message","%{YEAR:year} %{SYSLOGTIMESTAMP:timestamp} %{DATA:location} %{IP:source_ip}->WinEvtLog %{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION\(%{INT:sysmon_event_id}\):"]
+        match => ["message", "%{YEAR:year}%{SPACE}%{SYSLOGTIMESTAMP:timestamp}%{SPACE}%{DATA:location}%{SPACE}(any|%{IP:source_ip})->WinEvtLog%{SPACE}%{YEAR:year}%{SPACE}%{SYSLOGTIMESTAMP:ossec_timestamp}%{SPACE}WinEvtLog:%{SPACE}Microsoft-Windows-Sysmon/Operational:%{SPACE}INFORMATION\(%{INT:event_id}\):%{SPACE}%{GREEDYDATA:rest_of_msg}"]
+      }
+      mutate {
+        convert => ["event_id", "integer"]
+        remove_field => ["timestamp"]
+        remove_field => ["year"]
+      }
+      if [event_id] == 1 {
+        grok {
+          match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}%{DATA:process_name} %{DATA:process_arguments}%{SPACE}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}LogonGuid:%{SPACE}\{%{DATA:logon_guid}\}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{SPACE}%{DATA:integrity_level}%{SPACE}Hashes:%{SPACE}MD5=%{DATA:md5},SHA256=%{DATA:sha256}%{SPACE}ParentProcessGuid:%{SPACE}\{%{DATA:parent_process_guid}\}%{SPACE}ParentProcessId:%{SPACE}%{NONNEGINT:parent_process_id}%{SPACE}ParentImage:%{SPACE}%{DATA:parent_image_path}%{SPACE}ParentCommandLine:%{SPACE}%{GREEDYDATA:parent_process_name}",
+		"rest_of_msg", 'Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}"%{DATA:process_name}"%{SPACE}%{DATA:process_arguments}%{SPACE}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}LogonGuid:%{SPACE}\{%{DATA:logon_guid}\}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{DATA:integrity_level}',
+		"rest_of_msg", "Microsoft-Windows-Sysmon/Operational:%{SPACE}INFORMATION(%{INT:event_id}):%{SPACE}Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}{%{DATA:process_guid}}%{SPACE}ProcessId:%{SPACE}%{INT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}CommandLine:%{SPACE}%{DATA:process_name}%{SPACE}%{DATA:process_arguments}CurrentDirectory:%{SPACE}%{DATA:current_directory}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}LogonGuid:%{SPACE}{%{DATA:logon_guid}}%{SPACE}LogonId:%{SPACE}%{DATA:logon_id}%{SPACE}TerminalSessionId:%{SPACE}%{INT:terminal_id}%{SPACE}IntegrityLevel:%{SPACE}%{DATA:integrity_level}%{SPACE}Hashes:%{SPACE}MD5=%{DATA:md5},SHA256=%{DATA:sha256}%{SPACE}ParentProcessGuid:%{SPACE}{%{DATA:parent_process_guid}}%{SPACE}ParentProcessId:%{SPACE}%{NONNEGINT:parent_process_id}%{SPACE}ParentImage:%{SPACE}%{DATA:parent_image_path}%{SPACE}ParentCommandLine:%{SPACE}%{GREEDYDATA:parent_process_name}"]
+        }
+        mutate {
+          convert => ["process_guid", "integer"]
+          convert => ["process_id", "integer"]
+          add_tag => ["process_creation"]
+        }
+      }
+      if [event_id] == 3 {
+        mutate {
+          remove_field => ["source_ip"]
+        }
+        grok {
+        match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}User:%{SPACE}%{DATA:username}%{SPACE}Protocol:%{SPACE}%{DATA:protocol}%{SPACE}Initiated:%{SPACE}%{DATA:initiated}%{SPACE}SourceIsIpv6:%{SPACE}%{DATA:is_source_ipv6}%{SPACE}SourceIp:%{SPACE}%{IP:source_ip}%{SPACE}SourceHostname:%{SPACE}%{DATA:source_hostname}%{SPACE}SourcePort:%{SPACE}%{NONNEGINT:source_port}%{SPACE}SourcePortName:%{SPACE}%{DATA:source_port_name}%{SPACE}DestinationIsIpv6:%{SPACE}%{DATA:dest_is_ipv6}%{SPACE}DestinationIp:%{SPACE}%{IP:destination_ip}%{SPACE}DestinationHostname:%{SPACE}%{DATA:destination_hostname}%{SPACE}DestinationPort:%{SPACE}%{NONNEGINT:destination_port}%{SPACE}DestinationPortName:%{SPACE}%{GREEDYDATA:destination_port_name}"]
+        }
+        mutate {
+          convert => ["process_guid", "integer"]
+          convert => ["process_id", "integer"]
+          convert => ["source_port", "integer"]
+          convert => ["destination_port", "integer"]
+          add_tag => ["network_connection"]
+        }
+      }
+      if [event_id] == 5 {
+        grok {
+          match => ["rest_of_msg", "Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{GREEDYDATA:image_path}"]
+        }
+        mutate {
+          convert => ["process_guid", "integer"]
+          convert => ["process_id", "integer"]
+          add_tag => ["process_termination"]
+        }
+      }
+      if [event_id] == 11 {
+        grok {
+          match => ["rest_of_msg","Microsoft-Windows-Sysmon:%{SPACE}SYSTEM:%{SPACE}NT%{SPACE}AUTHORITY:%{SPACE}%{DATA:hostname}:%{SPACE}%{DATA:event_type}:%{SPACE}UtcTime:%{SPACE}%{DATA:sysmon_timestamp}%{SPACE}ProcessGuid:%{SPACE}\{%{DATA:process_guid}\}%{SPACE}ProcessId:%{SPACE}%{NONNEGINT:process_id}%{SPACE}Image:%{SPACE}%{DATA:image_path}%{SPACE}TargetFilename:%{SPACE}%{DATA:target_filename}%{SPACE}CreationUtcTime:%{SPACE}%{DATA:creation_time}%{SPACE}"]
+        }
+        mutate {
+          convert => ["process_guid", "integer"]
+          convert => ["process_id", "integer"]
+          add_tag => ["file_created"]
+        }
+      }
+      mutate {
+        remove_field => ["rest_of_msg"]
+      }
+    } else {
+      mutate {
+	rename => { "[data][srcuser]" => "username" }
+        rename => { "[data][id]" => "event_id" }
+        rename => { "[data][dstport]" => "destination_port" }
+        rename => { "[data][dstip]" => "destination_ip" }
+        rename => { "[data][srcip]" => "source_ip" }
+        rename => { "[data][sysmon][image]" => "image_path" }
+        rename => { "[data][sysmon][parentImage]" => "parent_image_path" }
+        rename => { "[data][sysmon][targetfilename]" => "target_filename" }
+        rename => { "[data][sysmon][sourceHostname]" => "source_hostname" }
+        rename => { "[data][sysmon][destinationHostname]" => "destination_hostname" }
+      }
+      # Wazuh 3.8.2  
+      if [data][EventChannel] {
+        mutate {
+           rename => { "[data][EventChannel][EventData][User]" => "username" }
+           rename => { "[data][EventChannel][System][EventID]" => "event_id" }
+           rename => { "[data][EventChannel][EventData][DestinationPort]" => "destination_port" }
+           rename => { "[data][EventChannel][EventData][DestinationIp]" => "destination_ip" }
+           rename => { "[data][EventChannel][EventData][SourcePort]" => "source_port" }
+           rename => { "[data][EventChannel][EventData][SourceIp]" => "source_ip" }
+           rename => { "[data][EventChannel][EventData][Image]" => "image_path" }
+           rename => { "[data][EventChannel][EventData][ParentImage]" => "parent_image_path" }
+           rename => { "[data][EventChannel][EventData][TargetFilename]" => "target_filename" }
+           rename => { "[data][EventChannel][EventData][SourceHostname]" => "source_hostname" }
+           rename => { "[data][EventChannel][EventData][DestinationHostname]" => "destination_hostname" }
+	}
+      }
+      # Wazuh 3.9.2
+      if [data][win] {
+        mutate {
+          rename => { "[data][win][eventdata][user]" => "username" }
+          rename => { "[data][win][system][eventID]" => "event_id" }
+          rename => { "[data][win][eventdata][destinationPort]" => "destination_port" }
+          rename => { "[data][win][eventdata][destinationIp]" => "destination_ip" }
+          rename => { "[data][win][eventdata][sourcePort]" => "source_port" }
+          rename => { "[data][win][eventdata][sourceIp]" => "source_ip" }
+          rename => { "[data][win][eventdata][image]" => "image_path" }
+          rename => { "[data][win][eventdata][parentImage]" => "parent_image_path" }
+          rename => { "[data][win][eventdata][targetFilename]" => "target_filename" }
+          rename => { "[data][win][eventdata][sourceHostname]" => "source_hostname" }
+          rename => { "[data][win][eventdata][destinationHostname]" => "destination_hostname" }
+        }
+      }    
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/6502_ossec_autoruns.conf b/salt/logstash/conf/pipelines/eval/6502_ossec_autoruns.conf
new file mode 100644
index 000000000..5d7207891
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6502_ossec_autoruns.conf
@@ -0,0 +1,43 @@
+# Author: Wes Lambert
+# wlambertts@gmail.com
+#
+# Updated by: Dustin Lee
+# Last Update: 06/13/2019
+#
+# This conf file is based on accepting Autoruns logs from OSSEC
+#
+# Parse using grok
+filter {
+  if [type] == "autoruns" or "autoruns" in [tags] {
+    if [message] !~ /^{.*}$/ {
+      grok {
+        match => [
+            "message", "%{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} \(%{DATA:ossec_agent_name}\) %{IP:source_ip}->%{DATA:location} %{DATA:log_name}\|%{DATA:hostname}\|%{DATESTAMP:log_timestamp}\|%{DATA:event_timestamp}\|%{DATA:image_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}",
+            "message", "%{YEAR:year} %{SYSLOGTIMESTAMP:ossec_timestamp} \(%{DATA:ossec_agent_name}\) %{IP:source_ip}->%{DATA:location} %{DATA:log_name}\|%{DATA:hostname}\|%{DATESTAMP:log_timestamp}\|%{DATA:event_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}"
+        ]
+      }
+    #csv {
+#      columns => ["log_name","entry_location","entry","enabled","category","autoruns_description","signer","company","image_path","version","launch_string","md5","sha1","pesha1","pesha256","sha256","imphash"]
+#      separator => "|"
+#      }
+      mutate {
+        remove_field => [ "year" ]
+        remove_field => [ "timestamp" ]
+      }
+    } else {
+        grok {
+        match => [
+            "full_log", "AR-LOG\|%{DATA:hostname}\|%{DATA:event_timestamp}\|%{DATA:image_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}",
+            "full_log", "AR-LOG\|%{DATA:hostname}\|%{DATA:event_timestamp}\|%{DATA:entry_location}\|%{DATA:entry}\|%{DATA:enabled}\|%{DATA:category}\|%{DATA:profile}\|%{DATA:description}\|%{DATA:signer}\|%{DATA:company}\|%{DATA:image_path}\|%{DATA:version}\|%{DATA:launch_string}\|%{DATA:md5}\|%{DATA:sha1}\|%{DATA:pesha1}\|%{DATA:pesha256}\|%{DATA:sha256}\|%{DATA:imphash}"
+        ]
+      }
+      mutate {
+        # Rename fields
+      }
+    }
+    date {
+      match => [ "image_timestamp", "yyyyMMdd-HHmmss" ]
+      target => "image_timestamp"
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/6600_winlogbeat_sysmon.conf b/salt/logstash/conf/pipelines/eval/6600_winlogbeat_sysmon.conf
new file mode 100644
index 000000000..200b58497
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6600_winlogbeat_sysmon.conf
@@ -0,0 +1,23 @@
+# Author: Wes Lambert
+#
+# Last Update: 09/24/2018
+#
+# This conf file is based on accepting Sysmon logs from winlogbeat
+
+filter {
+  if "beat" in [tags] and [source_name] =~ "Microsoft-Windows-Sysmon" {
+      mutate {
+        replace => { "type" => "sysmon" }
+        rename => { "[event_data][User]" => "username" }
+        rename => { "[event_data][DestinationPort]" => "destination_port" }
+        rename => { "[event_data][DestinationIp]" => "destination_ip" }
+        rename => { "[event_data][SourceIp]" => "source_ip" }
+        rename => { "[event_data][Image]" => "image_path" }
+        rename => { "[event_data][ParentImage]" => "parent_image_path" }
+        rename => { "[data][sysmon][targetfilename]" => "target_filename" }
+        rename => { "[event_data][SourceHostname]" => "source_hostname" }
+        rename => { "[event_data][DestinationHostname]" => "destination_hostname" }
+	rename => { "[event_data][TargetFilename]" => "target_filename" }
+      }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/6700_winlogbeat.conf b/salt/logstash/conf/pipelines/eval/6700_winlogbeat.conf
new file mode 100644
index 000000000..222757956
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/6700_winlogbeat.conf
@@ -0,0 +1,17 @@
+# Author: Doug Burks
+#
+# Last Update: 09/24/2018
+#
+# This conf file is for beat data
+
+filter {
+  if "beat" in [tags] {
+      mutate {
+	# As of beats 6.3.0, host is now an object:
+	# https://www.elastic.co/guide/en/beats/libbeat/current/release-notes-6.3.0.html
+	# This creates a conflict with our existing host string.
+	# So let's rename the host object to beat_host.
+        rename => { "host" => "beat_host" }
+      }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/7100_osquery_wel.conf b/salt/logstash/conf/pipelines/eval/7100_osquery_wel.conf
new file mode 100644
index 000000000..b4d77d83f
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/7100_osquery_wel.conf
@@ -0,0 +1,23 @@
+# Author: Josh Brower
+# Last Update: 12/28/2018
+# If log is tagged osquery and there is an eventid column - then cleanup and parse out the EventData column
+
+filter {
+  if "osquery" in [tags] and [osquery][columns][eventid] {
+
+        mutate {
+     gsub => ["[osquery][columns][data]", "\\x0A", ""]
+    }
+
+        json {
+      source => "[osquery][columns][data]"
+      target => "[osquery][columns][data]"
+     }
+
+        mutate {
+     merge => { "[osquery][columns]" => "[osquery][columns][data]" }
+     remove_field => ["[osquery][columns][data]"]
+        }
+
+  }
+}
\ No newline at end of file
diff --git a/salt/logstash/conf/pipelines/eval/8001_postprocess_common_ip_augmentation.conf b/salt/logstash/conf/pipelines/eval/8001_postprocess_common_ip_augmentation.conf
new file mode 100644
index 000000000..d28449da6
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/8001_postprocess_common_ip_augmentation.conf
@@ -0,0 +1,58 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/20/2017
+
+filter {
+  if [source_ip] {
+    if [source_ip] == "-" {
+      mutate {
+        replace => { "source_ip" => "0.0.0.0" }
+      }
+    }
+    if [source_ip] =~ "10\." or [source_ip] =~ "192\.168\." or [source_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." or [source_ip] =~ "fe80::20c:29ff:fe19:f7d" or [source_ip] =~ "::1" {
+	mutate {
+	}
+      } else {
+        geoip {
+          source => "[source_ip]"
+          target => "source_geo"
+        }
+      }
+    if [source_ip] {
+      mutate {
+        add_field => { "ips" => "%{source_ip}" }
+        add_field => { "source_ips" => [ "%{source_ip}" ] }
+      }
+    }
+  }
+  if [destination_ip] {
+    if [destination_ip] == "-" {
+      mutate {
+        replace => { "destination_ip" => "0.0.0.0" }
+      }
+    }
+    if [destination_ip] =~ "10\." or [destination_ip] =~ "192\.168\." or [destination_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." or [destination_ip] =~ "239.255.255.250" or [destination_ip] =~ "224\.0\.0\." or [destination_ip] =~ "255.255.255.255" or [destination_ip] =~ "ff02::fb" or [destination_ip] =~ "fe80::20c:29ff:fe19:f7d" or [destination_ip] =~ "224\.0\.1\." {
+      mutate {
+      }
+    }
+    else {
+      geoip {
+      source => "[destination_ip]"
+      target => "destination_geo"
+      }
+    }
+  }
+  if [destination_ip] {
+    mutate {
+      add_field => { "ips" => "%{destination_ip}" }
+      add_field => { "destination_ips" => [ "%{destination_ip}" ] }
+    }
+  }
+}
+  #if [source_ip] or [destination_ip] {
+  #  mutate {
+	  #add_tag => [ "conf_file_8001"]
+  #	}
+  #}
+
diff --git a/salt/logstash/conf/pipelines/eval/8007_postprocess_http.conf b/salt/logstash/conf/pipelines/eval/8007_postprocess_http.conf
new file mode 100644
index 000000000..b9c9d224b
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/8007_postprocess_http.conf
@@ -0,0 +1,27 @@
+# Original Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/13/2017
+
+filter {
+  if [type] == "bro_http" {
+    if [uri] {
+      ruby {
+        code => "event.set('uri_length', event.get('uri').length)"
+      }
+    }
+    if [virtual_host] {
+      ruby {
+        code => "event.set('virtual_host_length', event.get('virtual_host').length)"
+      }
+    }
+    if [useragent] {
+      ruby {
+        code => "event.set('useragent_length', event.get('useragent').length)"
+      }
+    }
+	mutate {
+	  ##add_tag => [ "conf_file_8007"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/8200_postprocess_tagging.conf b/salt/logstash/conf/pipelines/eval/8200_postprocess_tagging.conf
new file mode 100644
index 000000000..e698b3ce3
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/8200_postprocess_tagging.conf
@@ -0,0 +1,63 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [destination_ip] {
+    if [destination_ip] =~ "10\." or [destination_ip] =~ "192\.168\." or [destination_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." {
+      mutate {
+        add_tag => [ "internal_destination" ]
+      }
+    } else {
+      mutate {
+        add_tag => [ "external_destination" ]
+      }
+    }
+    if "internal_destination" not in [tags] {
+      if [destination_ip] == "198.41.0.4" or [destination_ip] == "192.228.79.201" or [destination_ip] == "192.33.4.12" or [destination_ip] == "199.7.91.13" or [destination_ip] == "192.203.230.10" or [destination_ip] == "192.5.5.241" or [destination_ip] == "192.112.36.4" or [destination_ip] == "198.97.190.53" or [destination_ip] == "192.36.148.17" or [destination_ip] == "192.58.128.30" or [destination_ip] == "193.0.14.129" or [destination_ip] == "199.7.83.42" or [destination_ip] == "202.12.27.33" {
+        mutate {
+          add_tag => [ "root_dns_server" ]
+        }
+      }
+    }
+    # Customize this section to your environment
+    if [destination_ip] == "74.40.74.40" or [destination_ip] == "74.40.74.41" {
+      mutate {
+        add_tag => [ "authorized_dns_server" ]
+      }
+    }
+  }
+  if [source_ip] {
+    if [source_ip] =~ "10\." or [source_ip] =~ "192\.168\." or [source_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." {
+      mutate {
+        add_tag => [ "internal_source" ]
+      }
+    } else {
+      mutate {
+        add_tag => [ "external_source" ]
+      }
+    }
+    if "internal_source" not in [tags] {
+      if [source_ip] == "198.41.0.4" or [source_ip] == "192.228.79.201" or [source_ip] == "192.33.4.12" or [source_ip] == "199.7.91.13" or [source_ip] == "192.203.230.10" or [source_ip] == "192.5.5.241" or [source_ip] == "192.112.36.4" or [source_ip] == "198.97.190.53" or [source_ip] == "192.36.148.17" or [source_ip] == "192.58.128.30" or [source_ip] == "193.0.14.129" or [source_ip] == "199.7.83.42" or [source_ip] == "202.12.27.33" {
+        mutate {
+          add_tag => [ "root_dns_server" ]
+        }
+      }
+    }
+    # Customize this section to your environment
+    if [destination_ip] == "74.40.74.40" and "authorized_dns_server" not in [tags] or [destination_ip] == "74.40.74.41" and "authorized_dns_server" not in [tags] {
+      mutate {
+        add_tag => [ "authorized_dns_server" ]
+      }
+    }
+	mutate {
+		##add_tag => [ "conf_file_8200"]
+	}
+  }
+  if [type] =~ /ossec|snort|firewall/ or "firewall" in [tags] {
+      mutate {
+          remove_tag => [ "syslog" ]
+      }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/8998_postprocess_log_elapsed.conf b/salt/logstash/conf/pipelines/eval/8998_postprocess_log_elapsed.conf
new file mode 100644
index 000000000..478c6b0e0
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/8998_postprocess_log_elapsed.conf
@@ -0,0 +1,19 @@
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  ruby {
+    code => "event.set('task_end', Time.now.to_f)"
+  }
+  ruby {
+    code => "event.set('logstash_time', event.get('task_end') - event.get('task_start'))"
+  }
+  mutate {
+    remove_field => [ 'task_start', 'task_end' ]
+  }
+  mutate {
+	#add_tag => [ "conf_file_8998"]
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/8999_postprocess_rename_type.conf b/salt/logstash/conf/pipelines/eval/8999_postprocess_rename_type.conf
new file mode 100644
index 000000000..383fd9827
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/8999_postprocess_rename_type.conf
@@ -0,0 +1,8 @@
+# Author: Doug Burks
+# Last Update: 12/10/2017
+
+filter {
+    mutate {
+	  rename => [ "type", "event_type" ]
+	}
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/0800_input_eval.conf b/salt/logstash/conf/pipelines/eval/templates/0800_input_eval.conf
new file mode 100644
index 000000000..08237884f
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/0800_input_eval.conf
@@ -0,0 +1,203 @@
+# Updated by: Mike Reeves
+# Last Update: 11/1/2018
+
+input {
+  file {
+	  path => "/suricata/eve.json"
+		type => "ids"
+                add_field => { "engine" => "suricata" }
+	}
+	file {
+		path => "/nsm/zeek/logs/current/conn*.log"
+		type => "zeek_conn"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/dce_rpc*.log"
+		type => "zeek_dce_rpc"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/dhcp*.log"
+		type => "zeek_dhcp"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/dnp3*.log"
+		type => "zeek_dnp3"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/dns*.log"
+		type => "zeek_dns"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/dpd*.log"
+		type => "zeek_dpd"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/files*.log"
+		type => "zeek_files"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/ftp*.log"
+		type => "zeek_ftp"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/http*.log"
+		type => "zeek_http"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/intel*.log"
+		type => "zeek_intel"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/irc*.log"
+		type => "zeek_irc"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/kerberos*.log"
+		type => "zeek_kerberos"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/modbus*.log"
+		type => "zeek_modbus"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/mysql*.log"
+		type => "zeek_mysql"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/notice*.log"
+		type => "zeek_notice"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/ntlm*.log"
+		type => "zeek_ntlm"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/pe*.log"
+		type => "zeek_pe"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/radius*.log"
+		type => "zeek_radius"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/rdp*.log"
+		type => "zeek_rdp"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/rfb*.log"
+		type => "zeek_rfb"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/signatures*.log"
+		type => "zeek_signatures"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/sip*.log"
+		type => "zeek_sip"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/smb_files*.log"
+		type => "zeek_smb_files"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/smb_mapping*.log"
+		type => "zeek_smb_mapping"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/smtp*.log"
+		type => "zeek_smtp"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/snmp*.log"
+		type => "zeek_snmp"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/socks*.log"
+		type => "zeek_socks"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/software*.log"
+		type => "zeek_software"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/ssh*.log"
+		type => "zeek_ssh"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/ssl*.log"
+		type => "zeek_ssl"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/syslog*.log"
+		type => "zeek_syslog"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/tunnel*.log"
+		type => "zeek_tunnels"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/weird*.log"
+		type => "zeek_weird"
+	    	tags => ["zeek"]
+	}
+	file {
+		path => "/nsm/zeek/logs/current/x509*.log"
+		type => "zeek_x509"
+	    	tags => ["zeek"]
+	}
+  file {
+    path => "/wazuh/alerts/alerts.json"
+    type => "ossec"
+  }
+  file {
+    path => "/wazuh/archives/archive.json"
+    type => "ossec_archive"
+  }
+  file {
+    path => "/osquery/logs/result.log"
+    type => "osquery"
+  }
+  file {
+    path => "/strelka/strelka.log"
+    type => "strelka"
+  }
+}
+filter {
+  if "import" in [tags] {
+	mutate {
+	  #add_tag => [ "conf_file_0007"]
+	}
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9000_output_bro.conf b/salt/logstash/conf/pipelines/eval/templates/9000_output_bro.conf
new file mode 100644
index 000000000..553500281
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9000_output_bro.conf
@@ -0,0 +1,31 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+
+filter {
+  if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9000"]
+	}
+  }
+}
+output {
+  if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
+#    stdout { codec => rubydebug }
+    elasticsearch {
+      pipeline => "%{event_type}"
+      hosts => "{{ ES }}"
+      index => "logstash-bro-%{+YYYY.MM.dd}"
+      template_name => "logstash"
+      template => "/logstash-template.json"
+      template_overwrite => true
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9001_output_switch.conf b/salt/logstash/conf/pipelines/eval/templates/9001_output_switch.conf
new file mode 100644
index 000000000..949a738ab
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9001_output_switch.conf
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if "switch" in [tags] and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9001"]
+	}
+  }
+}
+output {
+  if "switch" in [tags] and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-switch-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9002_output_import.conf b/salt/logstash/conf/pipelines/eval/templates/9002_output_import.conf
new file mode 100644
index 000000000..88fbc7551
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9002_output_import.conf
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Updated by: Doug Burks
+# Last Update: 5/16/2017
+
+filter {
+  if "import" in [tags] and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9002"]
+	}
+  }
+}
+output {
+  if "import" in [tags] and "test_data" not in [tags] {
+#    stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-import-%{+YYYY.MM.dd}"
+      template_name => "logstash-*"
+      template => "/logstash-template.json"
+      template_overwrite => true
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9004_output_flow.conf b/salt/logstash/conf/pipelines/eval/templates/9004_output_flow.conf
new file mode 100644
index 000000000..3dbd34f16
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9004_output_flow.conf
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "sflow" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9004"]
+	}
+  }
+}
+output {
+  if [event_type] == "sflow" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-flow-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9026_output_dhcp.conf b/salt/logstash/conf/pipelines/eval/templates/9026_output_dhcp.conf
new file mode 100644
index 000000000..a63ac5f98
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9026_output_dhcp.conf
@@ -0,0 +1,26 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "dhcp" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9026"]
+	}
+  }
+}
+output {
+  if [event_type] == "dhcp" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9029_output_esxi.conf b/salt/logstash/conf/pipelines/eval/templates/9029_output_esxi.conf
new file mode 100644
index 000000000..229de6b9c
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9029_output_esxi.conf
@@ -0,0 +1,25 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "esxi" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9029"]
+	}
+  }
+}
+output {
+  if [event_type] == "esxi" and "test_data" not in [tags] {
+    elasticsearch {
+      hosts => "{{ ES }}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9030_output_greensql.conf b/salt/logstash/conf/pipelines/eval/templates/9030_output_greensql.conf
new file mode 100644
index 000000000..a6d16b95d
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9030_output_greensql.conf
@@ -0,0 +1,25 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "greensql" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9030"]
+	}
+  }
+}
+output {
+  if [event_type] == "greensql" and "test_data" not in [tags] {
+    elasticsearch {
+      hosts => "{{ ES }}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9031_output_iis.conf b/salt/logstash/conf/pipelines/eval/templates/9031_output_iis.conf
new file mode 100644
index 000000000..6650d8a7d
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9031_output_iis.conf
@@ -0,0 +1,26 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "iis" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9031"]
+	}
+  }
+}
+output {
+  if [event_type] == "iis" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9032_output_mcafee.conf b/salt/logstash/conf/pipelines/eval/templates/9032_output_mcafee.conf
new file mode 100644
index 000000000..ca982967d
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9032_output_mcafee.conf
@@ -0,0 +1,26 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "mcafee" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9032"]
+	}
+  }
+}
+output {
+  if [event_type] == "mcafee" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9033_output_snort.conf b/salt/logstash/conf/pipelines/eval/templates/9033_output_snort.conf
new file mode 100644
index 000000000..6c310b91e
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9033_output_snort.conf
@@ -0,0 +1,29 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "ids" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9033"]
+	}
+  }
+}
+output {
+    if [event_type] == "ids" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-ids-%{+YYYY.MM.dd}"
+      template_name => "logstash"
+      template => "/logstash-template.json"
+      template_overwrite => true
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9034_output_syslog.conf b/salt/logstash/conf/pipelines/eval/templates/9034_output_syslog.conf
new file mode 100644
index 000000000..56a6527b8
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9034_output_syslog.conf
@@ -0,0 +1,28 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 5/15/2017
+
+filter {
+  if "syslog" in [tags] and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9034"]
+	}
+  }
+}
+output {
+  if "syslog" in [tags] and "test_data" not in [tags] {
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-syslog-%{+YYYY.MM.dd}"
+      template_name => "logstash"
+      template => "/logstash-template.json"
+      template_overwrite => true
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9100_output_osquery.conf b/salt/logstash/conf/pipelines/eval/templates/9100_output_osquery.conf
new file mode 100644
index 000000000..e95119562
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9100_output_osquery.conf
@@ -0,0 +1,19 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Josh Brower
+# Last Update: 12/29/2018
+# Output to ES for osquery tagged logs
+
+
+output {
+  if "osquery" in [tags] {
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-osquery-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
\ No newline at end of file
diff --git a/salt/logstash/conf/pipelines/eval/templates/9200_output_firewall.conf b/salt/logstash/conf/pipelines/eval/templates/9200_output_firewall.conf
new file mode 100644
index 000000000..b2ad43963
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9200_output_firewall.conf
@@ -0,0 +1,29 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if "firewall" in [tags] and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9200"]
+	}
+  }
+}
+output {
+  if "firewall" in [tags] and "test_data" not in [tags] {
+#    stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-firewall-%{+YYYY.MM.dd}"
+      template_name => "logstash"
+      template => "/logstash-template.json"
+      template_overwrite => true
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9300_output_windows.conf b/salt/logstash/conf/pipelines/eval/templates/9300_output_windows.conf
new file mode 100644
index 000000000..d3f9d1919
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9300_output_windows.conf
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "windows" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9300"]
+	}
+  }
+}
+output {
+  if [event_type] == "windows" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-windows-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9301_output_dns_windows.conf b/salt/logstash/conf/pipelines/eval/templates/9301_output_dns_windows.conf
new file mode 100644
index 000000000..8a56b7044
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9301_output_dns_windows.conf
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "dns" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9301"]
+	}
+  }
+}
+output {
+  if [event_type] == "dns" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9400_output_suricata.conf b/salt/logstash/conf/pipelines/eval/templates/9400_output_suricata.conf
new file mode 100644
index 000000000..4bffd7f0a
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9400_output_suricata.conf
@@ -0,0 +1,27 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolution.com
+# Last Update: 12/9/2016
+
+filter {
+  if [event_type] == "suricata" and "test_data" not in [tags] {
+    mutate {
+	  ##add_tag => [ "conf_file_9400"]
+	}
+  }
+}
+output {
+  if [event_type] == "suricata" and "test_data" not in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-ids-%{+YYYY.MM.dd}"
+      template => "/logstash-template.json"
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9500_output_beats.conf b/salt/logstash/conf/pipelines/eval/templates/9500_output_beats.conf
new file mode 100644
index 000000000..30900cb93
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9500_output_beats.conf
@@ -0,0 +1,25 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Wes Lambert
+# Last Update: 09/14/2018
+filter {
+  if "beat" in [tags] {
+    mutate {
+          ##add_tag => [ "conf_file_9500"]
+        }
+  }
+}
+output {
+  if "beat" in [tags] {
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-beats-%{+YYYY.MM.dd}"
+      template_name => "logstash-beats"
+      template => "/beats-template.json"
+      template_overwrite => true
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9600_output_ossec.conf b/salt/logstash/conf/pipelines/eval/templates/9600_output_ossec.conf
new file mode 100644
index 000000000..71d0c28aa
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9600_output_ossec.conf
@@ -0,0 +1,29 @@
+{%- if grains['role'] == 'so-eval' -%}
+{%- set ES = salt['pillar.get']('master:mainip', '') -%}
+{%- else %}
+{%- set ES = salt['pillar.get']('node:mainip', '') -%}
+{%- endif %}
+# Author: Justin Henderson
+#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Updated by: Doug Burks
+# Last Update: 9/19/2018
+
+filter {
+  if [event_type] =~ "ossec" {
+    mutate {
+          ##add_tag => [ "conf_file_9600"]
+        }
+  }
+}
+
+output {
+  if [event_type] =~ "ossec" or "ossec" in [tags] {
+    elasticsearch {
+      hosts => "{{ ES }}"
+      index => "logstash-ossec-%{+YYYY.MM.dd}"
+      template_name => "logstash-ossec"
+      template => "/logstash-ossec-template.json"
+      template_overwrite => true
+    }
+  }
+}
diff --git a/salt/logstash/conf/pipelines/eval/templates/9999_output_redis.conf b/salt/logstash/conf/pipelines/eval/templates/9999_output_redis.conf
new file mode 100644
index 000000000..f176e0b94
--- /dev/null
+++ b/salt/logstash/conf/pipelines/eval/templates/9999_output_redis.conf
@@ -0,0 +1,26 @@
+{%- if salt['grains.get']('role') == 'so-master' %}
+{% set master = salt['pillar.get']('static:masterip', '') %}
+{%- set nodetype = 'master' %}
+{% elif grains.role == 'so-heavynode' %}
+{% set master = salt['pillar.get']('node:mainip', '') %}
+{%- set nodetype = salt['pillar.get']('node:node_type', 'search') %}
+{%- else %}
+{%- set nodetype = salt['pillar.get']('node:node_type', 'storage') %}
+{% set master = salt['pillar.get']('static:masterip', '') %}
+{%- endif %}
+
+
+output {
+	redis {
+		host => '{{ master }}'
+		data_type => 'list'
+		{%- if nodetype == 'parser' %}
+		key => 'logstash:parsed'
+		{%- else %}
+		key => 'logstash:unparsed'
+		{%- endif %}
+		congestion_interval => 1
+		congestion_threshold => 50000000
+		# batch_events => 500
+	}
+}
diff --git a/salt/logstash/etc/logstash.yml b/salt/logstash/etc/logstash.yml
index 88f3c527e..47b487ebe 100644
--- a/salt/logstash/etc/logstash.yml
+++ b/salt/logstash/etc/logstash.yml
@@ -63,11 +63,11 @@
 #
 # path.config:
 # /etc/logstash/conf.d is mapped to /usr/share/logstash/pipeline in the Docker image
-{% if grains.role != 'so-mastersearch' and grains.role != 'so-heavynode' and grains.role != 'so-master' %}
+{%- if grains.role != 'so-mastersearch' and grains.role != 'so-heavynode' and grains.role != 'so-master' and grains.role != 'so-eval' %}
 path.config: /usr/share/logstash/pipeline.enabled/*.conf
-{% else %} 
+{%- else %} 
 #path.config: /usr/share/logstash/pipeline.enabled/*.conf
-{% endif %}
+{%- endif %}
 
 # Special Docker path
 # path.config: /usr/share/logstash/pipeline
diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls
index f92f047fa..4598ae53c 100644
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
@@ -241,6 +241,10 @@ so-logstash:
       {%- if grains['role'] == 'so-eval' %}
       - /nsm/bro:/nsm/bro:ro
       - /opt/so/log/suricata:/suricata:ro
+      - /opt/so/wazuh/logs/alerts/:/wazuh/alerts:ro
+      - /opt/so/wazuh/logs/archives/:/wazuh/archives:ro
+      - /opt/so/log/fleet/:/osquery/logs:ro
+      - /opt/so/log/strelka:/strelka:ro
       {%- endif %}
     - watch:
       - file: /opt/so/conf/logstash/etc
diff --git a/salt/top.sls b/salt/top.sls
index 1608b93d6..b1ef40ae6 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -72,7 +72,6 @@ base:
     {%- if WAZUH != 0 %}
     - wazuh
     {%- endif %}
-    - filebeat
     - utility
     - schedule
     - soctopus