Merge pull request #15630 from Security-Onion-Solutions/reyesj2-449

use elasticsearch recommended vm.max_map_count

salt/elasticsearch/config.sls

@@ -10,7 +10,7 @@
 
 vm.max_map_count:
   sysctl.present:
-    - value: 262144
+    - value: {{ ELASTICSEARCHMERGED.vm.max_map_count }}
 
 # Add ES Group
 elasticsearchgroup:

salt/elasticsearch/defaults.yaml

@@ -2,6 +2,8 @@ elasticsearch:
   enabled: false
   version: 9.0.8
   index_clean: true
+  vm:
+    max_map_count: 1048576
   config:
     action:
       destructive_requires_name: true

salt/elasticsearch/soc_elasticsearch.yaml

@@ -15,6 +15,11 @@ elasticsearch:
     description: Determines if indices should be considered for deletion by available disk space in the cluster. Otherwise, indices will only be deleted by the age defined in the ILM settings. This setting only applies to EVAL, STANDALONE, and HEAVY NODE installations. Other installations can only use ILM settings.
     forcedType: bool
     helpLink: elasticsearch.html
+  vm:
+    max_map_count:
+      description: The maximum number of memory map areas a process may use. Elasticsearch uses a mmapfs directory by default to store its indices. The default operating system limits on mmap counts could be too low, which may result in out of memory exceptions.
+      forcedType: int
+      helpLink: elasticsearch.html
   retention: 
     retention_pct:
       decription: Total percentage of space used by Elasticsearch for multi node clusters