Merge pull request #8930 from Security-Onion-Solutions/statesglobals

Statesglobals

pillar/top.sls

@@ -43,6 +43,8 @@ base:
     - manager.adv_manager
     - soc.soc_soc
     - soc.adv_soc
+    - backup.soc_backup
+    - backup.adv_backup
     - minions.{{ grains.id }}
     - minions.adv_{{ grains.id }}
 
@@ -67,6 +69,8 @@ base:
     - elasticsearch.soc_elasticsearch
     - manager.soc_manager
     - soc.soc_soc
+    - backup.soc_backup
+    - backup.adv_backup
     - minions.{{ grains.id }}
     - minions.adv_{{ grains.id }}
 
@@ -89,6 +93,8 @@ base:
     - elasticsearch.soc_elasticsearch
     - manager.soc_manager
     - soc.soc_soc
+    - backup.soc_backup
+    - backup.adv_backup
     - minions.{{ grains.id }}
     - minions.adv_{{ grains.id }}
 
@@ -140,6 +146,8 @@ base:
     - soc_global
     - adv_global
     - manager.soc_manager
+    - backup.soc_backup
+    - backup.adv_backup
     - minions.{{ grains.id }}
     - minions.adv_{{ grains.id }}
 

salt/allowed_states.map.jinja

@@ -235,7 +235,7 @@
     {% do allowed_states.append('kibana.secrets') %}
   {% endif %}
 
-  {% if grains.role in ['so-eval', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-manager'] %}
+  {% if grains.role in ['so-eval', 'so-standalone', 'so-managersearch', 'so-heavynode', 'so-manager'] %}
     {% do allowed_states.append('curator') %}
   {% endif %}
 

salt/backup/config_backup.sls

@@ -0,0 +1,32 @@
+{% from 'backup/map.jinja' import BACKUP_MERGED %}
+
+# Lock permissions on the backup directory
+backupdir:
+  file.directory:
+    - name: /nsm/backup
+    - user: 0
+    - group: 0
+    - makedirs: True
+    - mode: 700
+
+config_backup_script:
+  file.managed:
+    - name: /usr/sbin/so-config-backup
+    - user: root
+    - group: root
+    - mode: 755
+    - template: jinja
+    - source: salt://backup/tools/sbin/so-config-backup.jinja
+    - defaults:
+        BACKUPLOCATIONS: {{ BACKUP_MERGED.locations }}
+  
+# Add config backup
+so_config_backup:
+  cron.present:
+    - name: /usr/sbin/so-config-backup > /dev/null 2>&1
+    - user: root
+    - minute: '1'
+    - hour: '0'
+    - daymonth: '*'
+    - month: '*'
+    - dayweek: '*'

salt/backup/defaults.yaml

@@ -0,0 +1,6 @@
+backup:
+  locations:
+    - /opt/so/saltstack/local
+    - /etc/pki
+    - /etc/salt
+    - /opt/so/conf/kratos

salt/backup/map.jinja

@@ -0,0 +1,2 @@
+{% import_yaml 'backup/defaults.yaml' as BACKUP_DEFAULTS %}
+{% set BACKUP_MERGED = salt['pillar.get']('backup', BACKUP_DEFAULTS.backup, merge=true, merge_nested_lists=true) %}

salt/backup/tools/sbin/so-config-backup.jinja

@@ -6,7 +6,6 @@
 # Elastic License 2.0.
 
 . /usr/sbin/so-common
-{% set BACKUPLOCATIONS = salt['pillar.get']('backup:locations', {}) %}
 
 TODAY=$(date '+%Y_%m_%d')
 BACKUPFILE="/nsm/backup/so-config-backup-$TODAY.tar"
@@ -25,9 +24,6 @@ if [ ! -f $BACKUPFILE ]; then
   {%- for LOCATION in BACKUPLOCATIONS %}
   tar -rf $BACKUPFILE {{ LOCATION }}
   {%- endfor %}
-  tar -rf $BACKUPFILE /etc/pki
-  tar -rf $BACKUPFILE /etc/salt
-  tar -rf $BACKUPFILE /opt/so/conf/kratos
 
 fi
 

salt/common/init.sls

@@ -1,12 +1,12 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states %}
 
-{% set role = grains.id.split('_') | last %}
+{% from 'vars/globals.map.jinja' import GLOBALS %}
 
 include:
   - common.soup_scripts
   - common.packages
-{% if grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-import'] %}
+{% if GLOBALS.role in GLOBALS.manager_roles %}
   - manager.elasticsearch # needed for elastic_curl_config state
 {% endif %}
 
@@ -104,7 +104,7 @@ elastic_curl_config:
     - mode: 600
     - show_changes: False
     - makedirs: True
-  {% if grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-import'] %}
+  {% if GLOBALS.role in GLOBALS.manager_roles %}
     - require:
       - file: elastic_curl_config_distributed
   {% endif %}
@@ -131,7 +131,7 @@ so-status_script:
     - source: salt://common/tools/sbin/so-status
     - mode: 755
 
-{% if role in ['eval', 'standalone', 'sensor', 'heavynode'] %}
+{% if GLOBALS.role in GLOBALS.sensor_roles %}
 # Add sensor cleanup
 /usr/sbin/so-sensor-clean:
   cron.present:
@@ -208,8 +208,9 @@ common_pip_dependencies:
     - target: /usr/lib64/python3.6/site-packages
 
 # Install sostatus check cron
-'/usr/sbin/so-status -j > /opt/so/log/sostatus/status.log 2>&1':
+sostatus_check_cron:
   cron.present:
+    - name: '/usr/sbin/so-status -j > /opt/so/log/sostatus/status.log 2>&1'
     - user: root
     - minute: '*/1'
     - hour: '*'
@@ -217,36 +218,8 @@ common_pip_dependencies:
     - month: '*'
     - dayweek: '*'
 
-{% if role in ['eval', 'manager', 'managersearch', 'standalone'] %}
+{% if GLOBALS.role not in ['eval', 'manager', 'managersearch', 'standalone'] %}
-# Install cron job to determine size of influxdb for telegraf
+
-'du -s -k /nsm/influxdb | cut -f1 > /opt/so/log/telegraf/influxdb_size.log 2>&1':
-  cron.present:
-    - user: root
-    - minute: '*/1'
-    - hour: '*'
-    - daymonth: '*'
-    - month: '*'
-    - dayweek: '*'
-    
-# Lock permissions on the backup directory
-backupdir:
-  file.directory:
-    - name: /nsm/backup
-    - user: 0
-    - group: 0
-    - makedirs: True
-    - mode: 700
-  
-# Add config backup
-/usr/sbin/so-config-backup > /dev/null 2>&1:
-  cron.present:
-    - user: root
-    - minute: '1'
-    - hour: '0'
-    - daymonth: '*'
-    - month: '*'
-    - dayweek: '*'
-{% else %}
 soversionfile:
   file.managed:
     - name: /etc/soversion
@@ -256,8 +229,8 @@ soversionfile:
     
 {% endif %}
 
-{% if salt['grains.get']('sosmodel', '') %}
+{% if GLOBALS.so_model %}
-  {% if grains['os'] == 'CentOS' %}     
+  {% if GLOBALS.os == 'CentOS' %}     
 # Install Raid tools
 raidpkgs:
   pkg.installed:
@@ -268,8 +241,9 @@ raidpkgs:
   {% endif %}
 
 # Install raid check cron
-/usr/sbin/so-raid-status > /dev/null 2>&1:
+so_raid_status:
   cron.present:
+    - name: '/usr/sbin/so-raid-status > /dev/null 2>&1'
     - user: root
     - minute: '*/15'
     - hour: '*'

salt/common/packages.sls

@@ -1,4 +1,6 @@
-{% if grains['os'] != 'CentOS' %}     
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+
+{% if GLOBALS.os != 'CentOS' %}     
 commonpkgs:
   pkg.installed:
     - skip_suggestions: True
@@ -23,8 +25,6 @@ commonpkgs:
       - git
       - vim-enhanced
       - python3-docker
-
-
 {% else %}
 commonpkgs:
   pkg.installed:
@@ -57,5 +57,4 @@ commonpkgs:
       - git
       - vim-enhanced
       - yum-plugin-versionlock
-
+{% endif %}
-{% endif %}

salt/cron/dead.sls

@@ -1,4 +1,4 @@
-{% from "cron/map.jinja" import cronmap with context %}
+{% from "cron/map.jinja" import cronmap %}
 
 crond_service:
   service.dead:

salt/cron/running.sls

@@ -1,4 +1,4 @@
-{% from "cron/map.jinja" import cronmap with context %}
+{% from "cron/map.jinja" import cronmap %}
 
 crond_service:
   service.running:

salt/curator/files/action/delete.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set log_size_limit = salt['pillar.get']('elasticsearch:log_size_limit', '') -%}
+{%- set log_size_limit = salt['pillar.get']('elasticsearch:log_size_limit') -%}
 actions:
   1:
     action: delete_indices

salt/curator/files/action/so-aws-close.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-aws:close', 30) -%}
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-aws:close') -%}
 actions:
   1:
     action: close

salt/curator/files/action/so-aws-delete.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-aws:delete', 365) -%}
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-aws:delete') -%}
 actions:
   1:
     action: delete_indices

salt/curator/files/action/so-aws-warm.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-aws:warm', 7) -%}
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-aws:warm') -%}
 actions:
   1:
     action: allocation

salt/curator/files/action/so-azure-close.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-azure:close', 30) -%}
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-azure:close') -%}
 actions:
   1:
     action: close

salt/curator/files/action/so-azure-delete.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-azure:delete', 365) -%}
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-azure:delete') -%}
 actions:
   1:
     action: delete_indices

salt/curator/files/action/so-azure-warm.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-azure:warm', 7) -%}
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-azure:warm') -%}
 actions:
   1:
     action: allocation

salt/curator/files/action/so-barracuda-close.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:close', 30) -%}
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:close') -%}
 actions:
   1:
     action: close

salt/curator/files/action/so-barracuda-delete.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:delete', 365) -%}
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:delete') -%}
 actions:
   1:
     action: delete_indices

salt/curator/files/action/so-barracuda-warm.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:warm', 7) -%}
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:warm') -%}
 actions:
   1:
     action: allocation

salt/curator/files/action/so-beats-close.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-beats:close', 30) -%}
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-beats:close') -%}
 actions:
   1:
     action: close

salt/curator/files/action/so-beats-delete.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-beats:delete', 365) -%}
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-beats:delete') -%}
 actions:
   1:
     action: delete_indices

salt/curator/files/action/so-beats-warm.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-beats:warm', 7) -%}
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-beats:warm') -%}
 actions:
   1:
     action: allocation

salt/curator/files/action/so-bluecoat-close.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:close', 30) -%}
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:close') -%}
 actions:
   1:
     action: close

salt/curator/files/action/so-bluecoat-delete.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:delete', 365) -%}
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:delete') -%}
 actions:
   1:
     action: delete_indices

salt/curator/files/action/so-bluecoat-warm.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:warm', 7) -%}
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:warm') -%}
 actions:
   1:
     action: allocation

salt/curator/files/action/so-cef-close.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-cef:close', 30) -%}
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-cef:close') -%}
 actions:
   1:
     action: close

salt/curator/files/action/so-cef-delete.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cef:delete', 365) -%}
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cef:delete') -%}
 actions:
   1:
     action: delete_indices

salt/curator/files/action/so-cef-warm.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cef:warm', 7) -%}
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cef:warm') -%}
 actions:
   1:
     action: allocation

salt/curator/files/action/so-checkpoint-close.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:close', 30) -%}
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:close') -%}
 actions:
   1:
     action: close

salt/curator/files/action/so-checkpoint-delete.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:delete', 365) -%}
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:delete') -%}
 actions:
   1:
     action: delete_indices

salt/curator/files/action/so-checkpoint-warm.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:warm', 7) -%}
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:warm') -%}
 actions:
   1:
     action: allocation

salt/curator/files/action/so-cisco-close.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-cisco:close', 30) -%}
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-cisco:close') -%}
 actions:
   1:
     action: close

salt/curator/files/action/so-cisco-delete.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cisco:delete', 365) -%}
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cisco:delete') -%}
 actions:
   1:
     action: delete_indices

salt/curator/files/action/so-cisco-warm.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cisco:warm', 7) -%}
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cisco:warm') -%}
 actions:
   1:
     action: allocation

salt/curator/files/action/so-cyberark-close.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:close', 30) -%}
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:close') -%}
 actions:
   1:
     action: close

salt/curator/files/action/so-cyberark-delete.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:delete', 365) -%}
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:delete') -%}
 actions:
   1:
     action: delete_indices

salt/curator/files/action/so-cyberark-warm.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:warm', 7) -%}
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:warm') -%}
 actions:
   1:
     action: allocation

salt/curator/files/action/so-cylance-close.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-cylance:close', 30) -%}
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-cylance:close') -%}
 actions:
   1:
     action: close

salt/curator/files/action/so-cylance-delete.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cylance:delete', 365) -%}
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cylance:delete') -%}
 actions:
   1:
     action: delete_indices

salt/curator/files/action/so-cylance-warm.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cylance:warm', 7) -%}
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cylance:warm') -%}
 actions:
   1:
     action: allocation

salt/curator/files/action/so-elasticsearch-close.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:close', 30) -%}
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:close') -%}
 actions:
   1:
     action: close

salt/curator/files/action/so-elasticsearch-delete.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:delete', 365) -%}
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:delete') -%}
 actions:
   1:
     action: delete_indices

salt/curator/files/action/so-elasticsearch-warm.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:warm', 7) -%}
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:warm') -%}
 actions:
   1:
     action: allocation

salt/curator/files/action/so-endgame-close.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-endgame:close', 30) -%}
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-endgame:close') -%}
 actions:
   1:
     action: close

salt/curator/files/action/so-endgame-delete.yml

@@ -4,7 +4,7 @@
 # Elastic License 2.0.
 
 
-{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-endgame:delete', 365) -%}
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-endgame:delete') -%}
 actions:
   1:
     action: delete_indices

salt/curator/files/action/so-endgame-warm.yml

@@ -4,7 +4,7 @@
 # Elastic License 2.0.
 
 
-{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-endgame:warm', 7) -%}
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-endgame:warm') -%}
 actions:
   1:
     action: allocation

salt/curator/files/action/so-f5-close.yml

@@ -4,7 +4,7 @@
 # Elastic License 2.0.
 
 
-{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-f5:close', 30) -%}
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-f5:close') -%}
 actions:
   1:
     action: close

salt/curator/files/action/so-f5-delete.yml

@@ -4,7 +4,7 @@
 # Elastic License 2.0.
 
 
-{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-f5:delete', 365) -%}
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-f5:delete') -%}
 actions:
   1:
     action: delete_indices

salt/curator/files/action/so-f5-warm.yml

@@ -4,7 +4,7 @@
 # Elastic License 2.0.
 
 
-{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-f5:warm', 7) -%}
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-f5:warm') -%}
 actions:
   1:
     action: allocation

salt/curator/files/action/so-firewall-close.yml

@@ -4,7 +4,7 @@
 # Elastic License 2.0.
 
 
-{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-firewall:close', 30) -%}
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-firewall:close') -%}
 actions:
   1:
     action: close

salt/curator/files/action/so-firewall-delete.yml

@@ -4,7 +4,7 @@
 # Elastic License 2.0.
 
 
-{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-firewall:delete', 365) -%}
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-firewall:delete') -%}
 actions:
   1:
     action: delete_indices

salt/curator/files/action/so-firewall-warm.yml

@@ -4,7 +4,7 @@
 # Elastic License 2.0.
 
 
-{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-firewall:warm', 7) -%}
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-firewall:warm') -%}
 actions:
   1:
     action: allocation

salt/curator/files/action/so-fortinet-close.yml

@@ -4,7 +4,7 @@
 # Elastic License 2.0.
 
 
-{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:close', 30) -%}
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:close') -%}
 actions:
   1:
     action: close

salt/curator/files/action/so-fortinet-delete.yml

@@ -4,7 +4,7 @@
 # Elastic License 2.0.
 
 
-{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:delete', 365) -%}
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:delete') -%}
 actions:
   1:
     action: delete_indices

salt/curator/files/action/so-fortinet-warm.yml

@@ -4,7 +4,7 @@
 # Elastic License 2.0.
 
 
-{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:warm', 7) -%}
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:warm') -%}
 actions:
   1:
     action: allocation

salt/curator/files/action/so-gcp-close.yml

@@ -4,7 +4,7 @@
 # Elastic License 2.0.
 
 
-{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-gcp:close', 30) -%}
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-gcp:close') -%}
 actions:
   1:
     action: close

salt/curator/files/action/so-gcp-delete.yml

@@ -4,7 +4,7 @@
 # Elastic License 2.0.
 
 
-{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-gcp:delete', 365) -%}
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-gcp:delete') -%}
 actions:
   1:
     action: delete_indices

salt/curator/files/action/so-gcp-warm.yml

@@ -4,7 +4,7 @@
 # Elastic License 2.0.
 
 
-{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-gcp:warm', 7) -%}
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-gcp:warm') -%}
 actions:
   1:
     action: allocation

salt/curator/files/action/so-google_workspace-close.yml

@@ -4,7 +4,7 @@
 # Elastic License 2.0.
 
 
-{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:close', 30) -%}
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:close') -%}
 actions:
   1:
     action: close

salt/curator/files/action/so-google_workspace-delete.yml

@@ -4,7 +4,7 @@
 # Elastic License 2.0.
 
 
-{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:delete', 365) -%}
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:delete') -%}
 actions:
   1:
     action: delete_indices

salt/curator/files/action/so-google_workspace-warm.yml

@@ -4,7 +4,7 @@
 # Elastic License 2.0.
 
 
-{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:warm', 7) -%}
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:warm') -%}
 actions:
   1:
     action: allocation

salt/curator/files/action/so-ids-close.yml

@@ -4,7 +4,7 @@
 # Elastic License 2.0.
 
 
-{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-ids:close', 30) -%}
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-ids:close') -%}
 actions:
   1:
     action: close

salt/curator/files/action/so-ids-delete.yml

@@ -4,7 +4,7 @@
 # Elastic License 2.0.
 
 
-{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-ids:delete', 365) -%}
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-ids:delete') -%}
 actions:
   1:
     action: delete_indices

salt/curator/files/action/so-ids-warm.yml

@@ -4,7 +4,7 @@
 # Elastic License 2.0.
 
 
-{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-ids:warm', 7) -%}
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-ids:warm') -%}
 actions:
   1:
     action: allocation

salt/curator/files/action/so-imperva-close.yml

@@ -4,7 +4,7 @@
 # Elastic License 2.0.
 
 
-{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-imperva:close', 30) -%}
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-imperva:close') -%}
 actions:
   1:
     action: close

salt/curator/files/action/so-imperva-delete.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-imperva:delete', 365) -%}
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-imperva:delete') -%}
 actions:
   1:
     action: delete_indices

salt/curator/files/action/so-imperva-warm.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-imperva:warm', 7) -%}
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-imperva:warm') -%}
 actions:
   1:
     action: allocation

salt/curator/files/action/so-import-close.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-import:close', 30) -%}
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-import:close') -%}
 actions:
   1:
     action: close

salt/curator/files/action/so-import-delete.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-import:delete', 365) -%}
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-import:delete') -%}
 actions:
   1:
     action: delete_indices

salt/curator/files/action/so-import-warm.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-import:warm', 7) -%}
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-import:warm') -%}
 actions:
   1:
     action: allocation

salt/curator/files/action/so-infoblox-close.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:close', 30) -%}
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:close') -%}
 actions:
   1:
     action: close

salt/curator/files/action/so-infoblox-delete.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:delete', 365) -%}
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:delete') -%}
 actions:
   1:
     action: delete_indices

salt/curator/files/action/so-infoblox-warm.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:warm', 7) -%}
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:warm') -%}
 actions:
   1:
     action: allocation

salt/curator/files/action/so-juniper-close.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-juniper:close', 30) -%}
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-juniper:close') -%}
 actions:
   1:
     action: close

salt/curator/files/action/so-juniper-delete.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-juniper:delete', 365) -%}
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-juniper:delete') -%}
 actions:
   1:
     action: delete_indices

salt/curator/files/action/so-juniper-warm.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-aws:warm', 7) -%}
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-aws:warm') -%}
 actions:
   1:
     action: allocation

salt/curator/files/action/so-kibana-close.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-kibana:close', 30) -%}
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-kibana:close') -%}
 actions:
   1:
     action: close

salt/curator/files/action/so-kibana-delete.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-kibana:delete', 365) -%}
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-kibana:delete') -%}
 actions:
   1:
     action: delete_indices

salt/curator/files/action/so-kibana-warm.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-kibana:warm', 7) -%}
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-kibana:warm') -%}
 actions:
   1:
     action: allocation

salt/curator/files/action/so-kratos-close.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-kratos:close', 30) -%}
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-kratos:close') -%}
 actions:
   1:
     action: close

salt/curator/files/action/so-kratos-delete.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-kratos:delete', 365) -%}
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-kratos:delete') -%}
 actions:
   1:
     action: delete_indices

salt/curator/files/action/so-kratos-warm.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-kratos:warm', 7) -%}
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-kratos:warm') -%}
 actions:
   1:
     action: allocation

salt/curator/files/action/so-logstash-close.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-logstash:close', 30) -%}
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-logstash:close') -%}
 actions:
   1:
     action: close

salt/curator/files/action/so-logstash-delete.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-logstash:delete', 365) -%}
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-logstash:delete') -%}
 actions:
   1:
     action: delete_indices

salt/curator/files/action/so-logstash-warm.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-logstash:warm', 7) -%}
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-logstash:warm') -%}
 actions:
   1:
     action: allocation

salt/curator/files/action/so-microsoft-close.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:close', 30) -%}
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:close') -%}
 actions:
   1:
     action: close

salt/curator/files/action/so-microsoft-delete.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:delete', 365) -%}
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:delete') -%}
 actions:
   1:
     action: delete_indices

salt/curator/files/action/so-microsoft-warm.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:warm', 7) -%}
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:warm') -%}
 actions:
   1:
     action: allocation

salt/curator/files/action/so-misp-close.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-misp:close', 30) -%}
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-misp:close') -%}
 actions:
   1:
     action: close

salt/curator/files/action/so-misp-delete.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-misp:delete', 365) -%}
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-misp:delete') -%}
 actions:
   1:
     action: delete_indices

salt/curator/files/action/so-misp-warm.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-misp:warm', 7) -%}
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-misp:warm') -%}
 actions:
   1:
     action: allocation

salt/curator/files/action/so-netflow-close.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-netflow:close', 30) -%}
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-netflow:close') -%}
 actions:
   1:
     action: close

salt/curator/files/action/so-netflow-delete.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-netflow:delete', 365) -%}
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-netflow:delete') -%}
 actions:
   1:
     action: delete_indices

salt/curator/files/action/so-netflow-warm.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-netflow:warm', 7) -%}
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-netflow:warm') -%}
 actions:
   1:
     action: allocation

salt/curator/files/action/so-netscout-close.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-netscout:close', 30) -%}
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-netscout:close') -%}
 actions:
   1:
     action: close

salt/curator/files/action/so-netscout-delete.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-netscout:delete', 365) -%}
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-netscout:delete') -%}
 actions:
   1:
     action: delete_indices

salt/curator/files/action/so-netscout-warm.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-netscout:warm', 7) -%}
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-netscout:warm') -%}
 actions:
   1:
     action: allocation

salt/curator/files/action/so-o365-close.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-o365:close', 30) -%}
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-o365:close') -%}
 actions:
   1:
     action: close

salt/curator/files/action/so-o365-delete.yml

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-o365:delete', 365) -%}
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-o365:delete') -%}
 actions:
   1:
     action: delete_indices