Move telegraf_output from global pillar to telegraf pillar

The Telegraf backend selector lived at global.telegraf_output but it is
a Telegraf-scoped setting, not a cross-cutting grid global. Move both
the value and the UI annotation under the telegraf pillar so it shows
up alongside the other Telegraf tuning knobs in the Configuration UI.

- salt/telegraf/defaults.yaml:    add telegraf.output: BOTH
- salt/telegraf/soc_telegraf.yaml: add telegraf.output annotation
- salt/global/defaults.yaml:      remove global.telegraf_output
- salt/global/soc_global.yaml:    remove global.telegraf_output annotation
- salt/vars/globals.map.jinja:    drop telegraf_output from GLOBALS
- salt/firewall/map.jinja:        read via pillar.get('telegraf:output')
- salt/postgres/telegraf_users.sls: read via pillar.get('telegraf:output')
- salt/telegraf/etc/telegraf.conf: read via TELEGRAFMERGED.output
- salt/postgres/tools/sbin/so-stats-show: update user-facing docs

No behavioral change — default stays BOTH.

salt/firewall/map.jinja

@@ -56,7 +56,7 @@
 {% endif %}
 
 {# Open Postgres (5432) to minion hostgroups when Telegraf is configured to write to Postgres #}
-{% set TG_OUT = (GLOBALS.telegraf_output | default('INFLUXDB')) | upper %}
+{% set TG_OUT = salt['pillar.get']('telegraf:output', 'BOTH') | upper %}
 {% if TG_OUT in ['POSTGRES', 'BOTH'] %}
 {%   if role.startswith('manager') or role == 'standalone' or role == 'eval' %}
 {%     for r in ['sensor', 'searchnode', 'heavynode', 'receiver', 'fleet', 'idh', 'desktop', 'import'] %}

salt/global/defaults.yaml

@@ -1,4 +1,3 @@
 global:
   pcapengine: SURICATA
-  pipeline: REDIS
-  telegraf_output: BOTH
+  pipeline: REDIS

salt/global/soc_global.yaml

@@ -59,13 +59,5 @@ global:
     description: Allows use of Endgame with Security Onion. This feature requires a license from Endgame.
     global: True
     advanced: True
-  telegraf_output:
-    description: Selects the backend(s) Telegraf writes metrics to. INFLUXDB keeps the current behavior; POSTGRES writes to the grid's Postgres instance; BOTH dual-writes for migration validation.
-    options:
-      - INFLUXDB
-      - POSTGRES
-      - BOTH
-    global: True
-    advanced: True
     helpLink: influxdb
 

salt/postgres/telegraf_users.sls

@@ -7,7 +7,7 @@
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 
-{% set TG_OUT = (GLOBALS.telegraf_output | default('INFLUXDB')) | upper %}
+{% set TG_OUT = salt['pillar.get']('telegraf:output', 'BOTH') | upper %}
 {% if TG_OUT in ['POSTGRES', 'BOTH'] %}
 
 # docker_container.running returns as soon as the container starts, but on

salt/postgres/tools/sbin/so-stats-show

@@ -24,7 +24,7 @@ Shows the most recent CPU, memory, disk, and load metrics for each host
 from the so_telegraf Postgres database. Without an argument, reports on
 every host that has data. With a host, limits output to that one.
 
-Requires: sudo, so-postgres running, global.telegraf_output set to
+Requires: sudo, so-postgres running, telegraf.output set to
 POSTGRES or BOTH.
 EOF
   exit 1
@@ -56,7 +56,7 @@ so_psql() {
 }
 
 if ! docker exec so-postgres psql -U postgres -lqt 2>/dev/null | cut -d\| -f1 | grep -qw so_telegraf; then
-  echo "Database so_telegraf not found. Is global.telegraf_output set to POSTGRES or BOTH?"
+  echo "Database so_telegraf not found. Is telegraf.output set to POSTGRES or BOTH?"
   exit 2
 fi
 

salt/telegraf/defaults.yaml

@@ -1,5 +1,6 @@
 telegraf:
   enabled: False
+  output: BOTH
   config:
     interval: '30s'
     metric_batch_size: 1000

salt/telegraf/etc/telegraf.conf

@@ -8,7 +8,7 @@
 {%- set ZEEK_ENABLED = salt['pillar.get']('zeek:enabled', True) %}
 {%- set MDENGINE = GLOBALS.md_engine %}
 {%- set LOGSTASH_ENABLED = LOGSTASH_MERGED.enabled %}
-{%- set TG_OUT = GLOBALS.telegraf_output | upper %}
+{%- set TG_OUT = TELEGRAFMERGED.output | upper %}
 {%- set PG_HOST = GLOBALS.manager_ip %}
 {%- set PG_SAFE = GLOBALS.minion_id | replace('.','_') | replace('-','_') | lower %}
 {%- set PG_USER = 'so_telegraf_' ~ PG_SAFE %}

salt/telegraf/soc_telegraf.yaml

@@ -4,6 +4,15 @@ telegraf:
     forcedType: bool
     advanced: True
     helpLink: influxdb
+  output:
+    description: Selects the backend(s) Telegraf writes metrics to. INFLUXDB keeps the current behavior; POSTGRES writes to the grid's Postgres instance; BOTH dual-writes for migration validation.
+    options:
+      - INFLUXDB
+      - POSTGRES
+      - BOTH
+    global: True
+    advanced: True
+    helpLink: influxdb
   config:
     interval:
       description: Data collection interval.

salt/vars/globals.map.jinja

@@ -24,7 +24,6 @@
     'md_engine': INIT.PILLAR.global.mdengine,
     'pcap_engine': GLOBALMERGED.pcapengine,
     'pipeline': GLOBALMERGED.pipeline,
-    'telegraf_output': GLOBALMERGED.telegraf_output,
     'so_version': INIT.PILLAR.global.soversion,
     'so_docker_gateway': DOCKERMERGED.gateway,
     'so_docker_range': DOCKERMERGED.range,