diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5956759..0bb95c3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,56 @@
 cookbook-logstash CHANGELOG
 ===============
+## 2.6.0
+
+ - Miguel Negrón
+ - [1eb9214] Merge pull request #60 from redBorder/feature/18535_send_alarm_to_vault
+ - [641aa2e] Merge pull request #62 from redBorder/bugfix/#18728_incidents_priority_filter
+ - [bdaefe0] Merge pull request #54 from redBorder/development
+ - [0dbb598] Merge pull request #53 from redBorder/development
+ - [c3ca31a] Merge pull request #52 from redBorder/development
+ - [3efc332] Merge pull request #51 from redBorder/development
+ - Miguel Negron
+ - [f37905c] Fix lint
+ - [45335ef] Update vault alarms
+ - [861f9ab] clean 06
+ - [570bcc2] Add app_name check
+ - [d0f4ab4] Merge branch 'development' into feature/18535_send_alarm_to_vault
+ - [e8b306d] Bump version
+ - [3778a2a] Release 2.3.3
+ - [eed18f3] Fix bug consul port as string
+ - [564144d] Add Application to sflow
+ - [c4aacf7] Bump version
+ - [1830258] Add missing default values on sflow normalization step
+ - vimesa
+ - [d936099] Add default value for incidents_priority_filter
+ - nilsver
+ - [8b9a14b] enrich data
+ - Rafa Gómez
+ - [dbccece] Merge pull request #59 from redBorder/development
+ - [034df07] Update CHANGELOG.md
+ - [f39a72b] Merge pull request #58 from redBorder/improvement/#18488_modify_logstash-filter-incident-enrichment_to_use_cookbooks
+ - Rafael Gomez
+ - [dc5ec28] Release 2.4.1
+ - Pablo Pérez
+ - [39bfe8b] lint
+ - [36ebff5] fix syntax
+ - [3ef6f83] Added the incident priority filter
+ - [b4df9a6] Release 2.3.4
+ - [e5d879a] Merge pull request #56 from redBorder/bugfix/#18398_fix_radius_output
+ - [ada6b97] Fix
+ - Juan Soto
+ - [cf6df39] Merge pull request #57 from redBorder/development
+ - Luis Blanco
+ - [c9b2ba4] Update CHANGELOG.md
+ - [be75f19] auto bump
+ - [b24f519] Merge pull request #55 from redBorder/feature/#18174_resolve_differences_between_legacy_and_ng
+ - [ceb7e0b] auto lint
+ - JuanSheba
+ - [48467fe] Remove sflow_rename.conf template and corresponding resource from config.rb.
+ - [a233ae8] Refactor Logstash filter to simplify direction-based field renaming, set default values, handle observation_id, and optimize data processing
+ - [a622562] Refactor filter to set default 'direction' as 'upstream' and determine 'direction' dynamically based on IP match within homenets
+
 ## 2.5.1
 - Miguel Negrón
diff --git a/resources/metadata.rb b/resources/metadata.rb
index e81da52..dc4cba5 100644
--- a/resources/metadata.rb
+++ b/resources/metadata.rb
@@ -3,4 +3,4 @@
 maintainer_email 'git@redborder.com'
 license 'AGPL-3.0'
 description 'Installs/Configures cookbook-logstash'
-version '2.5.1'
+version '2.6.0'
diff --git a/resources/providers/config.rb b/resources/providers/config.rb
index 6c49773..b81bb3f 100644
--- a/resources/providers/config.rb
+++ b/resources/providers/config.rb
@@ -180,7 +180,22 @@
 notifies :restart, 'service[logstash]', :delayed
 end
- template "#{pipelines_dir}/vault/06_addfields.conf" do
+ template "#{pipelines_dir}/vault/06_alarms.conf" do
+ source 'vault_alarms.conf.erb'
+ owner user
+ group user
+ mode '0644'
+ ignore_failure true
+ cookbook 'logstash'
+ notifies :restart, 'service[logstash]', :delayed
+ end
+
+ # Renamed to 07, this cleans curren installations
+ file "#{pipelines_dir}/vault/06_addfields.conf" do
+ action :delete
+ end
+
+ template "#{pipelines_dir}/vault/07_addfields.conf" do
 source 'vault_addfields.conf.erb'
 owner user
 group user
diff --git a/resources/templates/default/vault_alarms.conf.erb b/resources/templates/default/vault_alarms.conf.erb
new file mode 100644
index 0000000..3b7ac02
--- /dev/null
+++ b/resources/templates/default/vault_alarms.conf.erb
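Review bot: `ignore_failure true` on the new `06_alarms.conf` template resource lets a render error in `vault_alarms.conf.erb` be logged and skipped, so a node can finish its Chef run with the alarms stage silently absent while the `06_addfields.conf` delete and the `07_addfields.conf` template below it still apply; unless the sibling template resources in this file (outside the hunk) deliberately use the same flag, drop it so the run fails loudly, or add a comment stating why a missing alarms pipeline is tolerable. The `file "#{pipelines_dir}/vault/06_addfields.conf"` delete resource carries no `notifies :restart, 'service[logstash]', :delayed`, so it relies on the neighbouring template changing in the same run to get the old stage unloaded — adding the notify makes the cleanup self-contained. The comment above it also has a typo; suggest `# Renamed to 07; removes the old file from current installations`. The enclosing resource collection (presumably the provider's `action` block) starts before and ends after this hunk.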
@@ -0,0 +1,30 @@
+filter {
+ if "alarmsjob" in [app_name] {
+ ruby {
+ code => '
+ message = event.get("message")
+
+ if message
+ regex = /(\w+)="([^"]*)"/
+ message.scan(regex).each do |field, value|
+ event.set(field, value)
+ end
+ end
+
+ alert_msg = event.get("alert_msg")
+ if alert_msg
+ event.set("message", alert_msg)
+ event.remove("alert_msg")
+ end
+
+ # We "simulate" the alert comes from the sensor_ip
+ # To correlate later with the incidents
+ # TODO: find a nicer way of doing this
+ sensor_ip = event.get("sensor_ip")
+ if sensor_ip
+ event.set("fromhost_ip", sensor_ip)
+ end
+ '
+ }
+ }
+}
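Review bot: The `message.scan(regex).each do |field, value| event.set(field, value)` loop promotes every `key="value"` pair found in the alarm text to a top-level event field, so any `\w+` name the sender puts in the line — `tags`, `type`, `host`, `app_name`, `sensor_ip` — is created or overwritten from the message body, and because `fromhost_ip` is then copied from `sensor_ip`, a crafted line can re-attribute the alarm to a different sensor or turn `tags` into a string that breaks later `in [tags]` checks. Limit promotion to the keys this filter actually consumes and refuse to clobber fields already on the event, e.g. `allowed = %w[alert_msg sensor_ip]` followed by `event.set(field, value) if allowed.include?(field) && !event.include?(field)`; the `code => '…'` string cannot hold single quotes, so stick to `%w[]` and double quotes as the existing code does. The exact key set, and whether `sensor_ip` is meant to come only from the message (in which case drop the `include?` guard for that key), should be confirmed against what alarmsjob emits. Separately, `[^"]*` stops at the first `"`, so a value containing an escaped quote is truncated and its tail is re-scanned as further pairs — worth stating in the comment above `regex` if that is accepted.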