diff --git a/salt/common/tools/sbin/so-elastic-clear b/salt/common/tools/sbin/so-elastic-clear
deleted file mode 100755
index f491fb62f..000000000
--- a/salt/common/tools/sbin/so-elastic-clear
+++ /dev/null
@@ -1,154 +0,0 @@
-#!/bin/bash
-#
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
-. /usr/sbin/so-common
-
-SKIP=0
-#########################################
-# Options
-#########################################
-usage()
-{
-cat < /dev/null 2>&1
- done
-fi
-
-# Delete Elastalert data
-if [ ! -z "$DELETE_ELASTALERT_DATA" ]; then
- # Delete Elastalert data
- echo "Deleting Elastalert data..."
- INDXS=$(/usr/sbin/so-elasticsearch-query _cat/indices?h=index | grep "elastalert")
- for INDX in ${INDXS}
- do
- echo "Deleting $INDX"
- /usr/sbin/so-elasticsearch-query ${INDX} -XDELETE > /dev/null 2>&1
- done
-fi
-
-# Delete log data
-if [ ! -z "$DELETE_LOG_DATA" ]; then
- echo "Deleting log data ..."
- DATASTREAMS=$(/usr/sbin/so-elasticsearch-query _data_stream | jq -r '.[] |.[].name')
- for DATASTREAM in ${DATASTREAMS}
- do
- # Delete the data stream
- echo "Deleting $DATASTREAM..."
- /usr/sbin/so-elasticsearch-query _data_stream/${DATASTREAM} -XDELETE > /dev/null 2>&1
- done
-fi
-
-if [ -z "$DONT_STOP_SERVICES" ]; then
- #Start Logstash
- if [ ! -z "$LS_ENABLED" ]; then
- /usr/sbin/so-logstash-start
-
- fi
-
- #Start Elastic Fleet
- #if [ ! -z "$EF_ENABLED" ]; then
- # /usr/sbin/so-elastic-fleet-start
- #fi
-
- #Start Elastalert
- if [ ! -z "$EA_ENABLED" ]; then
- /usr/sbin/so-elastalert-start
- fi
-
- # Start Elastic Agent
- /usr/bin/elastic-agent restart
-fi
diff --git a/salt/common/tools/sbin/so-elastic-diagnose b/salt/common/tools/sbin/so-elastic-diagnose
deleted file mode 100755
index a94384fe8..000000000
--- a/salt/common/tools/sbin/so-elastic-diagnose
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-
-# Source common settings
-. /usr/sbin/so-common
-
-# Check for log files
-for FILE in /opt/so/log/elasticsearch/*.log /opt/so/log/logstash/*.log /opt/so/log/kibana/*.log /opt/so/log/elastalert/*.log /opt/so/log/curator/*.log /opt/so/log/freqserver/*.log /opt/so/log/nginx/*.log; do
-
-# If file exists, then look for errors or warnings
-if [ -f $FILE ]; then
- MESSAGE=`grep -i 'ERROR\|FAIL\|WARN' $FILE`
- if [ ! -z "$MESSAGE" ]; then
- header $FILE
- echo $MESSAGE | sed 's/WARN/\nWARN/g' | sed 's/WARNING/\nWARNING/g' | sed 's/ERROR/\nERROR/g' | sort | uniq -c | sort -nr
- echo
- fi
-fi
-done
diff --git a/salt/common/tools/sbin/so-elastic-restart b/salt/common/tools/sbin/so-elastic-restart
deleted file mode 100755
index 67988193f..000000000
--- a/salt/common/tools/sbin/so-elastic-restart
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-
-. /usr/sbin/so-common
-
-
-{%- if grains['role'] in ['so-eval','so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode', 'so-import']%}
-/usr/sbin/so-restart elasticsearch $1
-{%- endif %}
-
-{%- if grains['role'] in ['so-eval', 'so-manager', 'so-managersearch', 'so-standalone', 'so-import']%}
-/usr/sbin/so-restart kibana $1
-{%- endif %}
-
-{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode']%}
-/usr/sbin/so-restart logstash $1
-{%- endif %}
-
-{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode']%}
-/usr/sbin/so-restart curator $1
-{%- endif %}
-
-{%- if grains['role'] in ['so-eval','so-manager', 'so-managersearch', 'so-standalone']%}
-/usr/sbin/so-restart elastalert $1
-{%- endif %}
diff --git a/salt/common/tools/sbin/so-elastic-start b/salt/common/tools/sbin/so-elastic-start
deleted file mode 100755
index fd78d1859..000000000
--- a/salt/common/tools/sbin/so-elastic-start
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-
-. /usr/sbin/so-common
-
-
-{%- if grains['role'] in ['so-eval','so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode', 'so-import']%}
-/usr/sbin/so-start elasticsearch $1
-{%- endif %}
-
-{%- if grains['role'] in ['so-eval', 'so-manager', 'so-managersearch', 'so-standalone', 'so-import']%}
-/usr/sbin/so-start kibana $1
-{%- endif %}
-
-{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode']%}
-/usr/sbin/so-start logstash $1
-{%- endif %}
-
-{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode']%}
-/usr/sbin/so-start curator $1
-{%- endif %}
-
-{%- if grains['role'] in ['so-eval','so-manager', 'so-managersearch', 'so-standalone']%}
-/usr/sbin/so-start elastalert $1
-{%- endif %}
diff --git a/salt/common/tools/sbin/so-elastic-stop b/salt/common/tools/sbin/so-elastic-stop
deleted file mode 100755
index 88350a8fe..000000000
--- a/salt/common/tools/sbin/so-elastic-stop
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-
-. /usr/sbin/so-common
-
-
-{%- if grains['role'] in ['so-eval','so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode', 'so-import']%}
-/usr/sbin/so-stop elasticsearch $1
-{%- endif %}
-
-{%- if grains['role'] in ['so-eval', 'so-manager', 'so-managersearch', 'so-standalone', 'so-import']%}
-/usr/sbin/so-stop kibana $1
-{%- endif %}
-
-{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode']%}
-/usr/sbin/so-stop logstash $1
-{%- endif %}
-
-{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode']%}
-/usr/sbin/so-stop curator $1
-{%- endif %}
-
-{%- if grains['role'] in ['so-eval','so-manager', 'so-managersearch', 'so-standalone']%}
-/usr/sbin/so-stop elastalert $1
-{%- endif %}
diff --git a/salt/common/tools/sbin/so-elastic-agent-gen-installers b/salt/elasticfleet/tools/sbin/so-elastic-agent-gen-installers.jinja
similarity index 100%
rename from salt/common/tools/sbin/so-elastic-agent-gen-installers
rename to salt/elasticfleet/tools/sbin/so-elastic-agent-gen-installers.jinja
diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-setup b/salt/elasticfleet/tools/sbin/so-elastic-fleet-setup.jinja
similarity index 100%
rename from salt/elasticfleet/tools/sbin/so-elastic-fleet-setup
rename to salt/elasticfleet/tools/sbin/so-elastic-fleet-setup.jinja
diff --git a/salt/common/tools/sbin/so-index-list b/salt/elasticsearch/tools/sbin/so-index-list
similarity index 100%
rename from salt/common/tools/sbin/so-index-list
rename to salt/elasticsearch/tools/sbin/so-index-list
diff --git a/salt/common/tools/sbin/so-rule b/salt/idstools/tools/sbin/so-rule
similarity index 100%
rename from salt/common/tools/sbin/so-rule
rename to salt/idstools/tools/sbin/so-rule
diff --git a/salt/common/tools/sbin/so-rule-update b/salt/idstools/tools/sbin/so-rule-update
similarity index 100%
rename from salt/common/tools/sbin/so-rule-update
rename to salt/idstools/tools/sbin/so-rule-update
diff --git a/salt/kibana/tools/sbin/so-kibana-config-export b/salt/kibana/tools/sbin/so-kibana-config-export.jinja
similarity index 100%
rename from salt/kibana/tools/sbin/so-kibana-config-export
rename to salt/kibana/tools/sbin/so-kibana-config-export.jinja
diff --git a/salt/kibana/tools/sbin/so-kibana-config-load b/salt/kibana/tools/sbin/so-kibana-config-load.jinja
similarity index 100%
rename from salt/kibana/tools/sbin/so-kibana-config-load
rename to salt/kibana/tools/sbin/so-kibana-config-load.jinja
diff --git a/salt/kibana/tools/sbin/so-kibana-space-defaults b/salt/kibana/tools/sbin/so-kibana-space-defaults.jinja
similarity index 100%
rename from salt/kibana/tools/sbin/so-kibana-space-defaults
rename to salt/kibana/tools/sbin/so-kibana-space-defaults.jinja
diff --git a/salt/manager/sbin/so-saltstack-update b/salt/manager/sbin/so-saltstack-update
deleted file mode 100755
index 73c9c7791..000000000
--- a/salt/manager/sbin/so-saltstack-update
+++ /dev/null
@@ -1,53 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-default_salt_dir=/opt/so/saltstack/default
-clone_to_tmp() {
-
- # Make a temp location for the files
- mkdir /tmp/sogh
- cd /tmp/sogh
- git clone https://github.com/Security-Onion-Solutions/securityonion.git
- cd /tmp
-
-}
-
-copy_new_files() {
-
- # Copy new files over to the salt dir
- cd /tmp/sogh/securityonion
- git checkout $BRANCH
- VERSION=$(cat VERSION)
- # We need to overwrite if there is a repo file
- if [ -d /opt/so/repo ]; then
- tar -czf /opt/so/repo/"$VERSION".tar.gz -C "$(pwd)/.." .
- fi
- rsync -a salt $default_salt_dir/
- rsync -a pillar $default_salt_dir/
- chown -R socore:socore $default_salt_dir/salt
- chown -R socore:socore $default_salt_dir/pillar
- chmod 755 $default_salt_dir/pillar/firewall/addfirewall.sh
-
- rm -rf /tmp/sogh
-}
-
-got_root(){
- if [ "$(id -u)" -ne 0 ]; then
- echo "This script must be run using sudo!"
- exit 1
- fi
-}
-
-got_root
-if [ $# -ne 1 ] ; then
- BRANCH=2.4/main
-else
- BRANCH=$1
-fi
-clone_to_tmp
-copy_new_files
diff --git a/salt/common/tools/sbin/so-allow b/salt/manager/tools/sbin/so-allow
similarity index 100%
rename from salt/common/tools/sbin/so-allow
rename to salt/manager/tools/sbin/so-allow
diff --git a/salt/common/tools/sbin/so-allow-view b/salt/manager/tools/sbin/so-allow-view
similarity index 100%
rename from salt/common/tools/sbin/so-allow-view
rename to salt/manager/tools/sbin/so-allow-view
diff --git a/salt/common/tools/sbin/so-deny b/salt/manager/tools/sbin/so-deny
similarity index 100%
rename from salt/common/tools/sbin/so-deny
rename to salt/manager/tools/sbin/so-deny
diff --git a/salt/common/tools/sbin/so-docker-refresh b/salt/manager/tools/sbin/so-docker-refresh
similarity index 100%
rename from salt/common/tools/sbin/so-docker-refresh
rename to salt/manager/tools/sbin/so-docker-refresh
diff --git a/salt/common/tools/sbin/so-elastic-auth-password-reset b/salt/manager/tools/sbin/so-elastic-auth-password-reset
similarity index 100%
rename from salt/common/tools/sbin/so-elastic-auth-password-reset
rename to salt/manager/tools/sbin/so-elastic-auth-password-reset
diff --git a/salt/common/tools/sbin/so-firewall b/salt/manager/tools/sbin/so-firewall
similarity index 100%
rename from salt/common/tools/sbin/so-firewall
rename to salt/manager/tools/sbin/so-firewall
diff --git a/salt/common/tools/sbin/so-firewall-minion b/salt/manager/tools/sbin/so-firewall-minion
similarity index 100%
rename from salt/common/tools/sbin/so-firewall-minion
rename to salt/manager/tools/sbin/so-firewall-minion
diff --git a/salt/common/tools/sbin/so-minion b/salt/manager/tools/sbin/so-minion
similarity index 100%
rename from salt/common/tools/sbin/so-minion
rename to salt/manager/tools/sbin/so-minion
diff --git a/salt/manager/sbin/so-repo-sync b/salt/manager/tools/sbin/so-repo-sync
similarity index 100%
rename from salt/manager/sbin/so-repo-sync
rename to salt/manager/tools/sbin/so-repo-sync
diff --git a/salt/common/tools/sbin/so-saltstack-update b/salt/manager/tools/sbin/so-saltstack-update
similarity index 100%
rename from salt/common/tools/sbin/so-saltstack-update
rename to salt/manager/tools/sbin/so-saltstack-update
diff --git a/salt/common/tools/sbin/so-user b/salt/manager/tools/sbin/so-user
similarity index 100%
rename from salt/common/tools/sbin/so-user
rename to salt/manager/tools/sbin/so-user
diff --git a/salt/common/tools/sbin/so-user-add b/salt/manager/tools/sbin/so-user-add
similarity index 100%
rename from salt/common/tools/sbin/so-user-add
rename to salt/manager/tools/sbin/so-user-add
diff --git a/salt/common/tools/sbin/so-user-disable b/salt/manager/tools/sbin/so-user-disable
similarity index 100%
rename from salt/common/tools/sbin/so-user-disable
rename to salt/manager/tools/sbin/so-user-disable
diff --git a/salt/common/tools/sbin/so-user-enable b/salt/manager/tools/sbin/so-user-enable
similarity index 100%
rename from salt/common/tools/sbin/so-user-enable
rename to salt/manager/tools/sbin/so-user-enable
diff --git a/salt/common/tools/sbin/so-user-list b/salt/manager/tools/sbin/so-user-list
similarity index 100%
rename from salt/common/tools/sbin/so-user-list
rename to salt/manager/tools/sbin/so-user-list
diff --git a/salt/common/tools/sbin/soup b/salt/manager/tools/sbin/soup
similarity index 100%
rename from salt/common/tools/sbin/soup
rename to salt/manager/tools/sbin/soup
diff --git a/salt/common/tools/sbin/so-nginx-restart b/salt/nginx/toos/sbin/so-nginx-restart
similarity index 100%
rename from salt/common/tools/sbin/so-nginx-restart
rename to salt/nginx/toos/sbin/so-nginx-restart
diff --git a/salt/common/tools/sbin/so-nginx-start b/salt/nginx/toos/sbin/so-nginx-start
similarity index 100%
rename from salt/common/tools/sbin/so-nginx-start
rename to salt/nginx/toos/sbin/so-nginx-start
diff --git a/salt/common/tools/sbin/so-nginx-stop b/salt/nginx/toos/sbin/so-nginx-stop
similarity index 100%
rename from salt/common/tools/sbin/so-nginx-stop
rename to salt/nginx/toos/sbin/so-nginx-stop
diff --git a/salt/common/tools/sbin/so-pcap-export b/salt/pcap/tools/sbin/so-pcap-export
similarity index 100%
rename from salt/common/tools/sbin/so-pcap-export
rename to salt/pcap/tools/sbin/so-pcap-export
diff --git a/salt/common/tools/sbin/so-pcap-restart b/salt/pcap/tools/sbin/so-pcap-restart
similarity index 100%
rename from salt/common/tools/sbin/so-pcap-restart
rename to salt/pcap/tools/sbin/so-pcap-restart
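Review bot: The three so-nginx-* renames land in `salt/nginx/toos/sbin/`, which looks like a typo for `tools` — every other service in this commit moves its scripts to `salt/<role>/tools/sbin/`. If the states that install these helpers look for a `tools/sbin` directory, as the other destinations suggest, the nginx start/stop/restart scripts would quietly stop being deployed on the manager. The rename targets should be `salt/nginx/tools/sbin/so-nginx-restart`, `salt/nginx/tools/sbin/so-nginx-start` and `salt/nginx/tools/sbin/so-nginx-stop`.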
diff --git a/salt/common/tools/sbin/so-pcap-start b/salt/pcap/tools/sbin/so-pcap-start
similarity index 100%
rename from salt/common/tools/sbin/so-pcap-start
rename to salt/pcap/tools/sbin/so-pcap-start
diff --git a/salt/common/tools/sbin/so-pcap-stop b/salt/pcap/tools/sbin/so-pcap-stop
similarity index 100%
rename from salt/common/tools/sbin/so-pcap-stop
rename to salt/pcap/tools/sbin/so-pcap-stop
diff --git a/salt/common/tools/sbin/so-sensoroni-restart b/salt/sensoroni/tools/sbin/so-sensoroni-restart
similarity index 100%
rename from salt/common/tools/sbin/so-sensoroni-restart
rename to salt/sensoroni/tools/sbin/so-sensoroni-restart
diff --git a/salt/common/tools/sbin/so-sensoroni-start b/salt/sensoroni/tools/sbin/so-sensoroni-start
similarity index 100%
rename from salt/common/tools/sbin/so-sensoroni-start
rename to salt/sensoroni/tools/sbin/so-sensoroni-start
diff --git a/salt/common/tools/sbin/so-sensoroni-stop b/salt/sensoroni/tools/sbin/so-sensoroni-stop
similarity index 100%
rename from salt/common/tools/sbin/so-sensoroni-stop
rename to salt/sensoroni/tools/sbin/so-sensoroni-stop
diff --git a/salt/common/tools/sbin/so-soctopus-restart b/salt/soctopus/tools/sbin/so-soctopus-restart
similarity index 100%
rename from salt/common/tools/sbin/so-soctopus-restart
rename to salt/soctopus/tools/sbin/so-soctopus-restart
diff --git a/salt/common/tools/sbin/so-soctopus-start b/salt/soctopus/tools/sbin/so-soctopus-start
similarity index 100%
rename from salt/common/tools/sbin/so-soctopus-start
rename to salt/soctopus/tools/sbin/so-soctopus-start
diff --git a/salt/common/tools/sbin/so-soctopus-stop b/salt/soctopus/tools/sbin/so-soctopus-stop
similarity index 100%
rename from salt/common/tools/sbin/so-soctopus-stop
rename to salt/soctopus/tools/sbin/so-soctopus-stop
diff --git a/salt/common/tools/sbin/so-suricata-restart b/salt/suricata/tools/sbin/so-suricata-restart
similarity index 100%
rename from salt/common/tools/sbin/so-suricata-restart
rename to salt/suricata/tools/sbin/so-suricata-restart
diff --git a/salt/common/tools/sbin/so-suricata-start b/salt/suricata/tools/sbin/so-suricata-start
similarity index 100%
rename from salt/common/tools/sbin/so-suricata-start
rename to salt/suricata/tools/sbin/so-suricata-start
diff --git a/salt/common/tools/sbin/so-suricata-stop b/salt/suricata/tools/sbin/so-suricata-stop
similarity index 100%
rename from salt/common/tools/sbin/so-suricata-stop
rename to salt/suricata/tools/sbin/so-suricata-stop
diff --git a/salt/common/tools/sbin/so-suricata-testrule b/salt/suricata/tools/sbin/so-suricata-testrule
similarity index 100%
rename from salt/common/tools/sbin/so-suricata-testrule
rename to salt/suricata/tools/sbin/so-suricata-testrule