Alrighty! So now to actually start feeding Elasticsearch some data. Journalbeat looks like a reasonable way to gather system logs and ship them to Elasticsearch. First up, a little more Salt YAML:

/srv/elastic/journalbeat:
  archive.extracted:
    - source: https://artifacts.elastic.co/downloads/beats/journalbeat/journalbeat-7.1.1-linux-x86_64.tar.gz
    - source_hash: https://artifacts.elastic.co/downloads/beats/journalbeat/journalbeat-7.1.1-linux-x86_64.tar.gz.sha512
    - options: "-v --strip-components=1 -C /srv/elastic/journalbeat"
    - enforce_toplevel: False
  file.directory:
    - user: root
    - group: root
    - recurse:
      - user
      - group

/etc/journalbeat.yml:
  file.managed:
    - source: salt://journalbeat.yml
    - user: root
    - group: root
    - mode: '0444'

/etc/systemd/system/journalbeat.service:
  file.managed:
    - source: salt://journalbeat.service
    - user: root
    - group: root
    - mode: '0444'
  service.running:
    - name: journalbeat
    - enable: True
    - reload: True
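
The check that `source_hash` performs for the archive in the state above, written out as a manual step (an added example, not part of the original post or of Salt). It assumes the `.sha512` file holds `<hex digest>  <filename>` as `sha512sum` writes it; the function names `verify_sha512` and `extract_verified` are made up for illustration.

```bash
#!/usr/bin/env bash
# Added example: manual equivalent of the source_hash check in the state.

# verify_sha512 ARCHIVE HASHFILE
#   returns 0 on match, 1 on mismatch, 2 on unreadable or malformed input
verify_sha512() {
    local archive hashfile expected actual
    archive=$1
    hashfile=$2
    [ -r "$archive" ] && [ -r "$hashfile" ] || return 2
    # Assumed format: first field of the first line is the hex digest.
    expected=$(awk 'NR==1 {print tolower($1)}' "$hashfile")
    # A SHA-512 digest is exactly 128 hex characters; reject anything else
    # (an HTML error page saved as the hash file, an empty file, ...).
    case $expected in
        *[!0-9a-f]*|'') return 2 ;;
    esac
    [ "${#expected}" -eq 128 ] || return 2
    actual=$(sha512sum "$archive" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# extract_verified ARCHIVE HASHFILE DEST
#   unpacks into DEST only after the digest check passes
extract_verified() {
    local archive hashfile dest
    archive=$1
    hashfile=$2
    dest=$3
    verify_sha512 "$archive" "$hashfile" || {
        echo "refusing to extract $archive: hash check failed" >&2
        return 1
    }
    mkdir -p "$dest"
    # Same layout as the state: drop the top-level directory of the tarball.
    tar -xzf "$archive" --strip-components=1 -C "$dest"
}
```

Because the hash file is fetched from the same server as the archive, a match shows the download arrived intact, not that the server's copy is the one Elastic published.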

Well, that was super easy. The service file I am currently using is:

[Unit]
Description=journalbeat
Wants=elasticsearch.service
After=elasticsearch.service

[Service]
User=root
Group=root
Type=simple

ExecStart=/srv/elastic/journalbeat/journalbeat -c /etc/journalbeat.yml

# Set Sandboxing
PrivateTmp=true
PrivateUsers=true
Restart=on-failure
RestartSec=2