diff --git a/salt/logstash/pipelines/config/so/8000_postprocess_bro_cleanup.conf b/salt/logstash/pipelines/config/so/8000_postprocess_bro_cleanup.conf
deleted file mode 100644
index 3998df8a4..000000000
--- a/salt/logstash/pipelines/config/so/8000_postprocess_bro_cleanup.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# Author: Justin Henderson
-# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
- if "bro" in [tags] {
- if "_grokparsefailure" not in [tags] and "_csvparsefailure" not in [tags] and "_jsonparsefailure" not in [tags] {
- #mutate {
- # remove_field => [ "message" ]
- #}
- }
- mutate {
- #add_tag => [ "conf_file_8000"]
- }
- }
-}
diff --git a/salt/logstash/pipelines/config/so/8001_postprocess_common_ip_augmentation.conf b/salt/logstash/pipelines/config/so/8001_postprocess_common_ip_augmentation.conf
deleted file mode 100644
index d28449da6..000000000
--- a/salt/logstash/pipelines/config/so/8001_postprocess_common_ip_augmentation.conf
+++ /dev/null
@@ -1,58 +0,0 @@
-# Author: Justin Henderson
-# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Updated by: Doug Burks
-# Last Update: 5/20/2017
-
-filter {
- if [source_ip] {
- if [source_ip] == "-" {
- mutate {
- replace => { "source_ip" => "0.0.0.0" }
- }
- }
- if [source_ip] =~ "10\." or [source_ip] =~ "192\.168\." or [source_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." or [source_ip] =~ "fe80::20c:29ff:fe19:f7d" or [source_ip] =~ "::1" {
- mutate {
- }
- } else {
- geoip {
- source => "[source_ip]"
- target => "source_geo"
- }
- }
- if [source_ip] {
- mutate {
- add_field => { "ips" => "%{source_ip}" }
- add_field => { "source_ips" => [ "%{source_ip}" ] }
- }
- }
- }
- if [destination_ip] {
- if [destination_ip] == "-" {
- mutate {
- replace => { "destination_ip" => "0.0.0.0" }
- }
- }
- if [destination_ip] =~ "10\." or [destination_ip] =~ "192\.168\." or [destination_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." or [destination_ip] =~ "239.255.255.250" or [destination_ip] =~ "224\.0\.0\." or [destination_ip] =~ "255.255.255.255" or [destination_ip] =~ "ff02::fb" or [destination_ip] =~ "fe80::20c:29ff:fe19:f7d" or [destination_ip] =~ "224\.0\.1\." {
- mutate {
- }
- }
- else {
- geoip {
- source => "[destination_ip]"
- target => "destination_geo"
- }
- }
- }
- if [destination_ip] {
- mutate {
- add_field => { "ips" => "%{destination_ip}" }
- add_field => { "destination_ips" => [ "%{destination_ip}" ] }
- }
- }
-}
- #if [source_ip] or [destination_ip] {
- # mutate {
- #add_tag => [ "conf_file_8001"]
- # }
- #}
-
diff --git a/salt/logstash/pipelines/config/so/8006_postprocess_dns.conf b/salt/logstash/pipelines/config/so/8006_postprocess_dns.conf
deleted file mode 100644
index a1520e6dc..000000000
--- a/salt/logstash/pipelines/config/so/8006_postprocess_dns.conf
+++ /dev/null
@@ -1,47 +0,0 @@
-# Original Author: Justin Henderson
-# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Updated by: Doug Burks
-# Last Update: 5/13/2017
-
-filter {
- if [type] == "bro_dns" or "dns" in [tags] {
- # Used for whois lookups - can create log loop
- if [query] =~ "^whois\." {
- drop { }
- }
- # REPLACE test.int with your internal domain
- if [query] and [query] !~ "\.test\.int$" {
- mutate {
- lowercase => [ "query" ]
- }
- if [query_type_name] != "NB" and [query_type_name] != "TKEY" and [query_type_name] != "NBSTAT" and [query_type_name] != "PTR" {
- tld {
- source => "query"
- }
- ruby {
- code => "event.set('query_length', event.get('query').length)"
- }
- mutate {
- rename => { "[SubLog][sessionid]" => "sub_session_id" }
- rename => { "[tld][domain]" => "highest_registered_domain" }
- rename => { "[tld][trd]" => "subdomain" }
- rename => { "[tld][tld]" => "top_level_domain" }
- rename => { "[tld][sld]" => "parent_domain" }
- }
- if [parent_domain] {
- ruby {
- code => "event.set('parent_domain_length', event.get('parent_domain').length)"
- }
- }
- if [subdomain] {
- ruby {
- code => "event.set('subdomain_length', event.get('subdomain').length)"
- }
- }
- }
- }
- mutate {
- #add_tag => [ "conf_file_8006"]
- }
- }
-}
diff --git a/salt/logstash/pipelines/config/so/8007_postprocess_http.conf b/salt/logstash/pipelines/config/so/8007_postprocess_http.conf
deleted file mode 100644
index b9c9d224b..000000000
--- a/salt/logstash/pipelines/config/so/8007_postprocess_http.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-# Original Author: Justin Henderson
-# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Updated by: Doug Burks
-# Last Update: 5/13/2017
-
-filter {
- if [type] == "bro_http" {
- if [uri] {
- ruby {
- code => "event.set('uri_length', event.get('uri').length)"
- }
- }
- if [virtual_host] {
- ruby {
- code => "event.set('virtual_host_length', event.get('virtual_host').length)"
- }
- }
- if [useragent] {
- ruby {
- code => "event.set('useragent_length', event.get('useragent').length)"
- }
- }
- mutate {
- ##add_tag => [ "conf_file_8007"]
- }
- }
-}
diff --git a/salt/logstash/pipelines/config/so/8200_postprocess_tagging.conf b/salt/logstash/pipelines/config/so/8200_postprocess_tagging.conf
deleted file mode 100644
index e698b3ce3..000000000
--- a/salt/logstash/pipelines/config/so/8200_postprocess_tagging.conf
+++ /dev/null
@@ -1,63 +0,0 @@
-# Author: Justin Henderson
-# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
- if [destination_ip] {
- if [destination_ip] =~ "10\." or [destination_ip] =~ "192\.168\." or [destination_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." {
- mutate {
- add_tag => [ "internal_destination" ]
- }
- } else {
- mutate {
- add_tag => [ "external_destination" ]
- }
- }
- if "internal_destination" not in [tags] {
- if [destination_ip] == "198.41.0.4" or [destination_ip] == "192.228.79.201" or [destination_ip] == "192.33.4.12" or [destination_ip] == "199.7.91.13" or [destination_ip] == "192.203.230.10" or [destination_ip] == "192.5.5.241" or [destination_ip] == "192.112.36.4" or [destination_ip] == "198.97.190.53" or [destination_ip] == "192.36.148.17" or [destination_ip] == "192.58.128.30" or [destination_ip] == "193.0.14.129" or [destination_ip] == "199.7.83.42" or [destination_ip] == "202.12.27.33" {
- mutate {
- add_tag => [ "root_dns_server" ]
- }
- }
- }
- # Customize this section to your environment
- if [destination_ip] == "74.40.74.40" or [destination_ip] == "74.40.74.41" {
- mutate {
- add_tag => [ "authorized_dns_server" ]
- }
- }
- }
- if [source_ip] {
- if [source_ip] =~ "10\." or [source_ip] =~ "192\.168\." or [source_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." {
- mutate {
- add_tag => [ "internal_source" ]
- }
- } else {
- mutate {
- add_tag => [ "external_source" ]
- }
- }
- if "internal_source" not in [tags] {
- if [source_ip] == "198.41.0.4" or [source_ip] == "192.228.79.201" or [source_ip] == "192.33.4.12" or [source_ip] == "199.7.91.13" or [source_ip] == "192.203.230.10" or [source_ip] == "192.5.5.241" or [source_ip] == "192.112.36.4" or [source_ip] == "198.97.190.53" or [source_ip] == "192.36.148.17" or [source_ip] == "192.58.128.30" or [source_ip] == "193.0.14.129" or [source_ip] == "199.7.83.42" or [source_ip] == "202.12.27.33" {
- mutate {
- add_tag => [ "root_dns_server" ]
- }
- }
- }
- # Customize this section to your environment
- if [destination_ip] == "74.40.74.40" and "authorized_dns_server" not in [tags] or [destination_ip] == "74.40.74.41" and "authorized_dns_server" not in [tags] {
- mutate {
- add_tag => [ "authorized_dns_server" ]
- }
- }
- mutate {
- ##add_tag => [ "conf_file_8200"]
- }
- }
- if [type] =~ /ossec|snort|firewall/ or "firewall" in [tags] {
- mutate {
- remove_tag => [ "syslog" ]
- }
- }
-}
diff --git a/salt/logstash/pipelines/config/so/8998_postprocess_log_elapsed.conf b/salt/logstash/pipelines/config/so/8998_postprocess_log_elapsed.conf
deleted file mode 100644
index 478c6b0e0..000000000
--- a/salt/logstash/pipelines/config/so/8998_postprocess_log_elapsed.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# Author: Justin Henderson
-# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
- ruby {
- code => "event.set('task_end', Time.now.to_f)"
- }
- ruby {
- code => "event.set('logstash_time', event.get('task_end') - event.get('task_start'))"
- }
- mutate {
- remove_field => [ 'task_start', 'task_end' ]
- }
- mutate {
- #add_tag => [ "conf_file_8998"]
- }
-}
diff --git a/salt/logstash/pipelines/config/so/8999_postprocess_rename_type.conf b/salt/logstash/pipelines/config/so/8999_postprocess_rename_type.conf
deleted file mode 100644
index c7a37e15c..000000000
--- a/salt/logstash/pipelines/config/so/8999_postprocess_rename_type.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# Author: Doug Burks
-# Last Update: 12/10/2017
-
-filter {
- mutate {
- rename => [ "type", "event_type" ]
- remove_field => [ "host" ]
- }
-}