diff --git a/salt/elasticsearch/files/ingest/suricata.alert b/salt/elasticsearch/files/ingest/suricata.alert
index 365c4c2cb..82486adc6 100644
--- a/salt/elasticsearch/files/ingest/suricata.alert
+++ b/salt/elasticsearch/files/ingest/suricata.alert
@@ -1,13 +1,12 @@
 {
 "description" : "suricata.alert",
 "processors" : [
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename":{ "field": "message2.comunity_id", "target_field": "network.comunity_id", "ignore_failure": true } },
 { "rename":{ "field": "message2.alert", "target_field": "rule", "ignore_failure": true } },
 { "rename":{ "field": "rule.signature", "target_field": "rule.name", "ignore_failure": true } },
 { "rename":{ "field": "rule.ref", "target_field": "rule.version", "ignore_failure": true } },
 { "rename":{ "field": "rule.signature_id", "target_field": "rule.uuid", "ignore_failure": true } },
 { "rename":{ "field": "rule.signature_id", "target_field": "rule.signature", "ignore_failure": true } },
- { "pipeline": { "name": "suricata.common" } }
+ { "rename":{ "field": "message2.payload_printable", "target_field": "network.data.decoded", "ignore_failure": true } },
+ { "pipeline": { "name": "common" } }
 ]
 }
diff --git a/salt/elasticsearch/files/ingest/suricata.common b/salt/elasticsearch/files/ingest/suricata.common
index 4a1f293b2..dd08b08a0 100644
--- a/salt/elasticsearch/files/ingest/suricata.common
+++ b/salt/elasticsearch/files/ingest/suricata.common
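Review bot: The new `payload_printable` rename uses `ignore_failure` while every sibling pipeline added in this commit uses `ignore_missing`; `ignore_failure` also hides a rename that fails because `network.data.decoded` already exists, so a pre-populated target silently wins and the payload is left behind in `message2`. Prefer `{ "rename":{ "field": "message2.payload_printable", "target_field": "network.data.decoded", "ignore_missing": true } }` so only the absent-field case is tolerated. Note also that this pipeline no longer parses `message` itself; it only works when entered through `suricata.common`, which now does the json step and dispatches on `event_type`, so anything that still targets `suricata.alert` directly will find no `message2` and every rename here becomes a no-op.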
@@ -1,15 +1,18 @@
 {
 "description" : "suricata.common",
 "processors" : [
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename":{ "field": "message2.proto", "target_field": "network.transport", "ignore_failure": true } },
- { "rename":{ "field": "message2.flow_id", "target_field": "event.id", "ignore_failure": true } },
+ { "rename":{ "field": "message2.flow_id", "target_field": "log.id.uid", "ignore_failure": true } },
 { "rename":{ "field": "message2.src_ip", "target_field": "source.ip", "ignore_failure": true } },
 { "rename":{ "field": "message2.src_port", "target_field": "source.port", "ignore_failure": true } },
 { "rename":{ "field": "message2.dest_ip", "target_field": "destination.ip", "ignore_failure": true } },
 { "rename":{ "field": "message2.dest_port", "target_field": "destination.port", "ignore_failure": true } },
 { "rename": { "field": "message2.community_id", "target_field": "network.community_id", "ignore_missing": true } },
+ { "remove":{ "field": "dataset", "ignore_failure": true } },
+ { "rename":{ "field": "message2.event_type", "target_field": "dataset", "ignore_failure": true } },
 { "set": { "field": "observer.name", "value": "{{agent.name}}" } },
- { "remove": { "field": ["agent"], "ignore_failure": true } },
- { "pipeline": { "name": "common" } }
+ { "remove":{ "field": "agent", "ignore_failure": true } },
+ { "pipeline": { "name": "suricata.{{dataset}}" } }
 ]
 }
diff --git a/salt/elasticsearch/files/ingest/suricata.dhcp b/salt/elasticsearch/files/ingest/suricata.dhcp
new file mode 100644
index 000000000..66ab1140e
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/suricata.dhcp
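Review bot: The final `{ "pipeline": { "name": "suricata.{{dataset}}" } }` has no failure handling, so any event whose `event_type` has no pipeline of that name (Suricata emits types beyond the ones added in this commit, `stats` for one) makes the processor error and the document is rejected instead of indexed. The same happens when `dataset` is empty, which is the state left behind whenever the json step or the `event_type` rename fails silently under `ignore_failure` after the preceding `remove` has cleared the field. Because every sub-pipeline is what calls `common`, such events also never reach `common` and lose its normalisation entirely. Consider an `on_failure` that still forwards the document, e.g. `{ "pipeline": { "name": "suricata.{{dataset}}", "on_failure": [ { "pipeline": { "name": "common" } } ] } }`, or a guarded default for `dataset` before the dispatch.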
@@ -0,0 +1,14 @@
+{
+ "description" : "suricata.dhcp",
+ "processors" : [
+ { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
+ { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
+ { "rename": { "field": "message2.dhcp.assigned_ip", "target_field": "dhcp.assigned_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.dhcp.client_mac", "target_field": "host.mac", "ignore_missing": true } },
+ { "rename": { "field": "message2.dhcp.dhcp_type", "target_field": "dhcp.message_types", "ignore_missing": true } },
+ { "rename": { "field": "message2.dhcp.assigned_ip", "target_field": "dhcp.assigned_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.dhcp.type", "target_field": "dhcp.type", "ignore_missing": true } },
+ { "rename": { "field": "message2.dhcp.id", "target_field": "dhcp.id", "ignore_missing": true } },
+ { "pipeline": { "name": "common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/suricata.dnp3 b/salt/elasticsearch/files/ingest/suricata.dnp3
new file mode 100644
index 000000000..f63702337
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/suricata.dnp3
@@ -0,0 +1,8 @@
+{
+ "description" : "suricata.dnp3",
+ "processors" : [
+ { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
+ { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
+ { "pipeline": { "name": "common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/suricata.dns b/salt/elasticsearch/files/ingest/suricata.dns
new file mode 100644
index 000000000..0a2e1b2ae
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/suricata.dns
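Review bot: The `message2.dhcp.assigned_ip` rename appears twice in this pipeline; the first occurrence moves the field, so the second is always a no-op under `ignore_missing` and should be dropped. The `message2.proto` → `network.transport` rename at the top of the file is likewise dead, because `suricata.common` already performs that rename before dispatching here, and the same redundant processor is repeated in the dnp3, dns, fileinfo, flow, ftp, http, ikev2, krb5, nfs, rdp, sip, smb, smtp, snmp, ssh, tftp and tls pipelines added in this commit — only the `app_proto` rename does work in those stubs. Mapping `dhcp.client_mac` to `host.mac` is questionable, since `host.*` conventionally describes the observing host rather than the DHCP client; `client.mac` looks like the better target, to be confirmed against the index mapping in use.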
@@ -0,0 +1,14 @@
+{
+ "description" : "suricata.dns",
+ "processors" : [
+ { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
+ { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
+ { "rename": { "field": "message2.dns.type", "target_field": "dns.type", "ignore_missing": true } },
+ { "rename": { "field": "message2.dns.tx_id", "target_field": "dns.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.dns.version", "target_field": "dns.version", "ignore_missing": true } },
+ { "rename": { "field": "message2.dns.rrname", "target_field": "dns.query.name", "ignore_missing": true } },
+ { "rename": { "field": "message2.grouped.A", "target_field": "dns.answers", "ignore_missing": true } },
+
+ { "pipeline": { "name": "common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/suricata.fileinfo b/salt/elasticsearch/files/ingest/suricata.fileinfo
new file mode 100644
index 000000000..c319b4a3c
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/suricata.fileinfo
@@ -0,0 +1,8 @@
+{
+ "description" : "suricata.fileinfo",
+ "processors" : [
+ { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
+ { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
+ { "pipeline": { "name": "common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/suricata.flow b/salt/elasticsearch/files/ingest/suricata.flow
new file mode 100644
index 000000000..c51961c05
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/suricata.flow
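Review bot: Only `message2.grouped.A` is mapped into `dns.answers`, so AAAA, CNAME, TXT and every other answer type stay under `message2.grouped.*` and never show up in `dns.answers`, which is where detection content will look for them. As far as I recall, `grouped` is only emitted when the eve dns logger's formats include it, which this commit does not configure, so the processor may be a no-op in practice — please confirm against the dns section of the deployed suricata.yaml. The stray empty line before the `pipeline` processor should also go.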
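Review bot: The `suricata.fileinfo` pipeline maps nothing from `message2.fileinfo`, so the attributes that incident response and detection work from — file name, magic, size and, when hashing is enabled, the md5/sha256 values — remain buried under `message2` and unsearchable by a common field name. If that is intentional for now, a short comment in the description (`"description" : "suricata.fileinfo (file attributes not yet mapped)"`) would save the next reader from assuming the mapping is complete; otherwise the renames belong here, with targets confirmed against the index mapping in use.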
@@ -0,0 +1,9 @@
+{
+ "description" : "suricata.flow",
+ "processors" : [
+ { "set": { "field": "dataset", "value": "conn" } },
+ { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
+ { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
+ { "pipeline": { "name": "common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/suricata.ftp b/salt/elasticsearch/files/ingest/suricata.ftp
new file mode 100644
index 000000000..7d29fa708
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/suricata.ftp
@@ -0,0 +1,14 @@
+{
+ "description" : "suricata.ftp",
+ "processors" : [
+ { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
+ { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
+ { "rename": { "field": "message2.ftp.reply", "target_field": "server.reply_message", "ignore_missing": true } },
+ { "rename": { "field": "message2.ftp.completion_code", "target_field": "server.reply_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.ftp.reply_received", "target_field": "server.reply_received", "ignore_missing": true } },
+ { "rename": { "field": "message2.ftp.command", "target_field": "ftp.command", "ignore_missing": true } },
+ { "rename": { "field": "message2.ftp.command_data", "target_field": "ftp.command_data", "ignore_missing": true } },
+ { "rename": { "field": "message2.ftp.dynamic_port", "target_field": "ftp.data_channel_destination.port", "ignore_missing": true } },
+ { "pipeline": { "name": "common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/suricata.http b/salt/elasticsearch/files/ingest/suricata.http
new file mode 100644
index 000000000..2d12a435d
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/suricata.http
@@ -0,0 +1,17 @@
+{
+ "description" : "suricata.http",
+ "processors" : [
+ { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
+ { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
+ { "rename": { "field": "message2.http.hostname", "target_field": "http.virtual_host", "ignore_missing": true } },
+ { "rename": { "field": "message2.http.http_user_agent", "target_field": "http.useragent", "ignore_missing": true } },
+ { "rename": { "field": "message2.http.url", "target_field": "http.uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.http.http_content_type", "target_field": "file.resp_mime_types", "ignore_missing": true } },
+ { "rename": { "field": "message2.http.http_refer", "target_field": "http.referrer", "ignore_missing": true } },
+ { "rename": { "field": "message2.http.http_method", "target_field": "http.method", "ignore_missing": true } },
+ { "rename": { "field": "message2.http.protocol", "target_field": "http.version", "ignore_missing": true } },
+ { "rename": { "field": "message2.http.status", "target_field": "http.status_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.http.length", "target_field": "http.request.body.length", "ignore_missing": true } },
+ { "pipeline": { "name": "common" } }
+ ]
+}
\ No newline at end of file
diff --git a/salt/elasticsearch/files/ingest/suricata.ikev2 b/salt/elasticsearch/files/ingest/suricata.ikev2
new file mode 100644
index 000000000..1916f6369
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/suricata.ikev2
@@ -0,0 +1,8 @@
+{
+ "description" : "suricata.ikev2",
+ "processors" : [
+ { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
+ { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
+ { "pipeline": { "name": "common" } }
+ ]
+}
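Review bot: `message2.http.length` is mapped to `http.request.body.length`, but Suricata's `length` in the http EVE record is, as far as I can tell, the length of the response body, so the value would be filed under the wrong direction; `http.response.body.length` (or ECS `http.response.body.bytes`) looks like the correct target — please verify against the Suricata EVE http documentation before dashboards start relying on it. The file also ends without a trailing newline (`\ No newline at end of file`), unlike every other pipeline in this commit.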
diff --git a/salt/elasticsearch/files/ingest/suricata.krb5 b/salt/elasticsearch/files/ingest/suricata.krb5
new file mode 100644
index 000000000..83e950128
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/suricata.krb5
@@ -0,0 +1,8 @@
+{
+ "description" : "suricata.krb5",
+ "processors" : [
+ { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
+ { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
+ { "pipeline": { "name": "common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/suricata.nfs b/salt/elasticsearch/files/ingest/suricata.nfs
new file mode 100644
index 000000000..39ffee455
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/suricata.nfs
@@ -0,0 +1,8 @@
+{
+ "description" : "suricata.nfs",
+ "processors" : [
+ { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
+ { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
+ { "pipeline": { "name": "common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/suricata.rdp b/salt/elasticsearch/files/ingest/suricata.rdp
new file mode 100644
index 000000000..229c5bd86
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/suricata.rdp
@@ -0,0 +1,8 @@
+{
+ "description" : "suricata.rdp",
+ "processors" : [
+ { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
+ { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
+ { "pipeline": { "name": "common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/suricata.sip b/salt/elasticsearch/files/ingest/suricata.sip
new file mode 100644
index 000000000..0b0ee1e8c
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/suricata.sip
@@ -0,0 +1,8 @@
+{
+ "description" : "suricata.sip",
+ "processors" : [
+ { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
+ { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
+ { "pipeline": { "name": "common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/suricata.smb b/salt/elasticsearch/files/ingest/suricata.smb
new file mode 100644
index 000000000..c84dc8136
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/suricata.smb
@@ -0,0 +1,8 @@
+{
+ "description" : "suricata.smb",
+ "processors" : [
+ { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
+ { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
+ { "pipeline": { "name": "common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/suricata.smtp b/salt/elasticsearch/files/ingest/suricata.smtp
new file mode 100644
index 000000000..ba2144ad5
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/suricata.smtp
@@ -0,0 +1,13 @@
+{
+ "description" : "suricata.smtp",
+ "processors" : [
+ { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
+ { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
+ { "rename": { "field": "message2.smtp.helo", "target_field": "smtp.helo", "ignore_missing": true } },
+ { "rename": { "field": "message2.email.from", "target_field": "smtp.from", "ignore_missing": true } },
+ { "rename": { "field": "message2.email.to", "target_field": "smtp.to", "ignore_missing": true } },
+ { "rename": { "field": "message2.email.cc", "target_field": "smtp.cc", "ignore_missing": true } },
+ { "rename": { "field": "message2.email.attachment", "target_field": "smtp.attachment", "ignore_missing": true } },
+ { "pipeline": { "name": "common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/suricata.snmp b/salt/elasticsearch/files/ingest/suricata.snmp
new file mode 100644
index 000000000..bda17f6eb
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/suricata.snmp
@@ -0,0 +1,10 @@
+{
+ "description" : "suricata.snmp",
+ "processors" : [
+ { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
+ { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
+ { "rename": { "field": "message2.snmp.version", "target_field": "snmp.version", "ignore_missing": true } },
+ { "rename": { "field": "message2.snmp.community", "target_field": "snmp.community", "ignore_missing": true } },
+ { "pipeline": { "name": "common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/suricata.ssh b/salt/elasticsearch/files/ingest/suricata.ssh
new file mode 100644
index 000000000..b142d94a2
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/suricata.ssh
@@ -0,0 +1,11 @@
+{
+ "description" : "suricata.ssh",
+ "processors" : [
+ { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
+ { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
+ { "rename": { "field": "message2.ssh.client.proto_version", "target_field": "ssh.version", "ignore_missing": true } },
+ { "rename": { "field": "message2.ssh.client.software_version", "target_field": "ssh.client", "ignore_missing": true } },
+ { "rename": { "field": "message2.ssh.server.proto_version", "target_field": "ssh.server", "ignore_missing": true } },
+ { "pipeline": { "name": "common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/suricata.tftp b/salt/elasticsearch/files/ingest/suricata.tftp
new file mode 100644
index 000000000..cb148e9d7
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/suricata.tftp
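Review bot: `snmp.community` will carry the SNMP community string in cleartext; for SNMPv1/v2c that string is the access credential of the managed device, so promoting it to a first-class searchable field hands credential material to anyone with read access to these indices. If the value is needed for detection (default-community or community-scanning rules), consider restricting the field with field-level security or replacing the rename with a processor that hashes or redacts it; if it is not needed, drop it from the document with `{ "remove": { "field": "message2.snmp.community", "ignore_missing": true } }` instead of mapping it.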
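Review bot: The ssh mappings are asymmetric: `client.software_version` becomes `ssh.client`, but the server's `software_version` is never mapped, while `server.proto_version` lands in `ssh.server`, which next to `ssh.client` reads as a software banner rather than a protocol version. Suggest `{ "rename": { "field": "message2.ssh.server.software_version", "target_field": "ssh.server", "ignore_missing": true } }` for the banner and either dropping the server `proto_version` (the client-side value already goes to `ssh.version`) or giving it a distinct target; confirm the names against the index mapping before changing them.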
@@ -0,0 +1,8 @@ +{ + "description" : "suricata.tftp", + "processors" : [ + { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } }, + { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } }, + { "pipeline": { "name": "common" } } + ] +} diff --git a/salt/elasticsearch/files/ingest/suricata.tls b/salt/elasticsearch/files/ingest/suricata.tls new file mode 100644 index 000000000..e6b6081d3 --- /dev/null +++ b/salt/elasticsearch/files/ingest/suricata.tls @@ -0,0 +1,8 @@ +{ + "description" : "suricata.tls", + "processors" : [ + { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } }, + { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } }, + { "pipeline": { "name": "common" } } + ] +} diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index 76c26b51d..da116cf2c 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml @@ -123,10 +123,10 @@ filebeat.inputs: - type: log paths: - - /suricata/eve.json + - /suricata/eve*.json fields: module: suricata - dataset: alert + dataset: common category: network processors: diff --git a/salt/suricata/files/suricata.yaml b/salt/suricata/files/suricata.yaml index c87c75447..28e5b4bcf 100644 --- a/salt/suricata/files/suricata.yaml +++ b/salt/suricata/files/suricata.yaml @@ -95,8 +95,8 @@ outputs: - eve-log: enabled: yes filetype: regular #regular|syslog|unix_dgram|unix_stream|redis - filename: /nsm/eve.json - rotate-interval: day + filename: /nsm/eve-%Y-%m-%d-%H:%M.json + rotate-interval: hour #prefix: "@cee: " # prefix to prepend to each log entry # the following are valid when type: syslog above diff --git a/salt/suricata/files/suricataMETA.yaml b/salt/suricata/files/suricataMETA.yaml index 964d3fab7..61e3be6ec 100644 --- a/salt/suricata/files/suricataMETA.yaml 
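Review bot: `/suricata/eve*.json` now matches every hourly file Suricata writes, and nothing in this commit removes old files or bounds the harvester set, so open file handles and disk usage under the log directory grow without limit unless rotation cleanup and filebeat's `clean_inactive`/`ignore_older` are configured elsewhere (not visible here). Switching the input's `dataset` to `common` also couples this input to the `suricata.common` dispatch pipeline; a one-line comment next to it, `# dataset is re-derived from event_type by the suricata.common ingest pipeline`, would explain why the value no longer names a real Suricata event type. The enclosing input definition starts and ends outside the hunk.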
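Review bot: The new filename pattern `/nsm/eve-%Y-%m-%d-%H:%M.json` embeds a colon, which is legal on Linux but makes the files awkward to copy to or read from Windows hosts and SMB shares and confuses tools that parse `host:path`; `%H%M` or `%H-%M` avoids that with no loss of information, and the same pattern is used in the suricataMETA.yaml hunk that follows. With `rotate-interval: hour` the `%M` component is presumably constant, so it may be worth dropping altogether. The eve-log block continues outside the hunk.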
+++ b/salt/suricata/files/suricataMETA.yaml @@ -95,7 +95,7 @@ outputs: - eve-log: enabled: yes filetype: regular #regular|syslog|unix_dgram|unix_stream|redis - filename: /nsm/eve.json + filename: /nsm/eve-%Y-%m-%d-%H:%M.json rotate-interval: hour #prefix: "@cee: " # prefix to prepend to each log entry diff --git a/salt/top.sls b/salt/top.sls index 5a823d452..3629fbe0b 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -86,7 +86,9 @@ base: - kibana - pcap - suricata + {%- if BROVER != 'SURICATA' %} - zeek + {%- endif %} {%- if STRELKA %} - strelka {%- endif %} @@ -194,7 +196,9 @@ base: - kibana - pcap - suricata + {%- if BROVER != 'SURICATA' %} - zeek + {%- endif %} {%- if STRELKA %} - strelka {%- endif %}