From ae1ddf38173d2e46eea36233b7797bcadea3ddf0 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Mon, 15 Jun 2026 12:33:08 -0400 Subject: [PATCH 1/3] es|ql defaults --- salt/soc/defaults.yaml | 1 + salt/soc/soc_soc.yaml | 5 +++++ 2 files changed, 6 insertions(+) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index c9399eab4..7e8e76094 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1464,6 +1464,7 @@ soc: sigmaRulePackages: - core - emerging_threats_addon + useEsql: false elastic: hostUrl: remoteHostUrls: [] diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index b2ac6d175..19853196a 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -383,6 +383,11 @@ soc: global: True advanced: False helpLink: sigma + useEsql: + description: "(Pre-release) Use Elasticsearch Piped Query Language (ES|QL) instead of EQL (Elastic Query Language) for Elasticsearch queries. The Sigma converter will output ES|QL instead of EQL, allowing support for correlations." + global: True + advanced: True + forcedType: bool elastic: index: description: Comma-separated list of indices or index patterns (wildcard "*" supported) that SOC will search for records. From 6a18f35020173a2f68fb9a1c087382e219c27042 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Tue, 16 Jun 2026 17:47:46 -0500 Subject: [PATCH 2/3] add context to soup errors and optional soup debug log with xtrace output --- salt/manager/tools/sbin/soup | 58 +++++++++++++++++++++++++++++++++++- 1 file changed, 57 insertions(+), 1 deletion(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 96313aea4..a64524bff 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup 
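Review bot: The new `description` for `useEsql` in soc_soc.yaml expands EQL as "Elastic Query Language", but Elastic's EQL is the Event Query Language, and Elastic's own name for ES|QL is the "Elasticsearch Query Language" rather than "Elasticsearch Piped Query Language"; since this string is presumably what operators see next to the setting, the expansions should match the upstream names. I'd change it to `description: "(Pre-release) Use the Elasticsearch Query Language (ES|QL) instead of the Event Query Language (EQL) for Elasticsearch queries. The Sigma converter will output ES|QL instead of EQL, allowing support for correlations."`. The paired `useEsql: false` default in defaults.yaml is consistent with `forcedType: bool`.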
@@ -16,6 +16,7 @@ POSTVERSION=$INSTALLEDVERSION
 INSTALLEDSALTVERSION=$(salt --versions-report | grep Salt: | awk '{print $2}')
 BATCHSIZE=5
 SOUP_LOG=/root/soup.log
+SOUP_DEBUG_LOG=/root/soup-debug.log
 WHATWOULDYOUSAYYAHDOHERE=soup
 whiptail_title='Security Onion UPdater'
 NOTIFYCUSTOMELASTICCONFIG=false
@@ -34,6 +35,7 @@ if [[ -f /etc/salt/cloud.profiles.d/socloud.conf ]]; then
 fi
 # used to display messages to the user at the end of soup
 declare -a FINAL_MESSAGE_QUEUE=()
+SOUP_ERR_CONTEXT=
 check_err() {
@@ -114,11 +116,49 @@ check_err() {
 echo "$err_msg"
 fi
+ if [[ -n $SOUP_ERR_CONTEXT ]]; then
+ echo ""
+ printf '%s\n' "$SOUP_ERR_CONTEXT"
+ fi
+
+ echo "SOUP XTRACE debug log (if enabled) at $SOUP_DEBUG_LOG. Re-run soup with SOUP_DEBUG=1 to create $SOUP_DEBUG_LOG"
+
 exit $exit_code
 fi
 }
+# Collect bash error context before passing off to check_err()
+on_err() {
+ local exit_code=$?
+ # Use first error context, multiple errors can happen with command substitutions or nested functions. We just need context from the initial error.
+ [[ -n $SOUP_ERR_CONTEXT ]] && return $exit_code
+ # turn off xtrace to prevent added noise in debug log
+ [[ $- == *x* ]] && set +x
+
+ local cmd=$BASH_COMMAND
+ local line=${BASH_LINENO[0]}
+ local function=${FUNCNAME[1]:-main}
+ local source=${BASH_SOURCE[1]##*/}
+ local -a err_lines=(
+ "ERROR on: ${cmd}"
+ " source: ${source}:${line} in ${function}()"
+ )
+ local i caller_line caller_src caller_func
+
+ for ((i=2; i<${#FUNCNAME[@]}-1; i++)); do
+ caller_line=${BASH_LINENO[$((i-1))]}
+ [[ -n $caller_line && $caller_line -gt 0 ]] || continue
+ caller_src=${BASH_SOURCE[$i]##*/}
+ caller_func=${FUNCNAME[$i]:-main}
+ err_lines+=(" called by: ${caller_src}:${caller_line} in ${caller_func}()")
+ done
+
+ SOUP_ERR_CONTEXT=$(printf '%s\n' "${err_lines[@]}")
+
+ return $exit_code
+}
+
 airgap_mounted() {
 # Let's see if the ISO is already mounted.
 if [[ -f /tmp/soagupdate/SecurityOnion/VERSION ]]; then
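Review bot: on_err keeps only the first context it captures (`[[ -n $SOUP_ERR_CONTEXT ]] && return $exit_code`), but an ERR trap fires for every non-zero simple command that is not part of a condition or an `&&`/`||` list, so if anything in soup returns non-zero and is tolerated before the real failure, check_err will print that stale, unrelated command as the "ERROR on:" context; whether such tolerated failures exist depends on the rest of the script, which is not visible here. Since check_err appears to take the status as `$exit_code` and only exits when it is non-zero, I'd clear the context in its success path (that branch starts outside the hunk): `SOUP_ERR_CONTEXT=` when the status is zero, so the context always belongs to the failure actually being reported. The hint `Re-run soup with SOUP_DEBUG=1 to create $SOUP_DEBUG_LOG` is also printed when the run already had `SOUP_DEBUG=1`; guard it with `if [[ $SOUP_DEBUG == 1 ]]; then echo "SOUP XTRACE debug log at $SOUP_DEBUG_LOG"; else echo "Re-run soup with SOUP_DEBUG=1 to create $SOUP_DEBUG_LOG"; fi`.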
@@ -1982,4 +2022,20 @@ EOF
 read -r input
 fi
-main "$@" | tee -a $SOUP_LOG
+set -o errtrace
+trap on_err ERR
+
+if [[ $SOUP_DEBUG == 1 ]]; then
+ if [ -f $SOUP_DEBUG_LOG ]; then
+ current_time=$(date +%Y%m%d.%H%M%S)
+ mv $SOUP_DEBUG_LOG $SOUP_DEBUG_LOG.$INSTALLEDVERSION.$current_time
+ fi
+ exec {SOUP_XTRACE_FD}>>"$SOUP_DEBUG_LOG"
+ export SOUP_XTRACE_FD
+ BASH_XTRACEFD=$SOUP_XTRACE_FD
+ PS4='[${BASH_SOURCE##*/}:${LINENO} ${FUNCNAME[0]:-main}] | '
+ set -x
+ export SOUP_DEBUG
+fi
+
+main "$@" 2>&1 | tee -a $SOUP_LOG
From 16149df71fd25c797e318c057c02dac1ead0ee6c Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Tue, 16 Jun 2026 18:06:27 -0500
Subject: [PATCH 3/3] formatting
---
 salt/manager/tools/sbin/soup | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index a64524bff..fcde61d9e 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -131,10 +131,11 @@ check_err() {
 # Collect bash error context before passing off to check_err()
 on_err() {
 local exit_code=$?
+ # turn off xtrace to prevent added noise in debug log
+ set +x 2>/dev/null || true
+
 # Use first error context, multiple errors can happen with command substitutions or nested functions. We just need context from the initial error.
 [[ -n $SOUP_ERR_CONTEXT ]] && return $exit_code
- # turn off xtrace to prevent added noise in debug log
- [[ $- == *x* ]] && set +x
 local cmd=$BASH_COMMAND
 local line=${BASH_LINENO[0]}
@@ -2033,7 +2034,7 @@ if [[ $SOUP_DEBUG == 1 ]]; then
 exec {SOUP_XTRACE_FD}>>"$SOUP_DEBUG_LOG"
 export SOUP_XTRACE_FD
 BASH_XTRACEFD=$SOUP_XTRACE_FD
- PS4='[${BASH_SOURCE##*/}:${LINENO} ${FUNCNAME[0]:-main}] | '
+ PS4='+ [${BASH_SOURCE##*/}:${LINENO} ${FUNCNAME[0]:-main}()] | '
 set -x
 export SOUP_DEBUG
 fi
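Review bot: The xtrace log opened with `exec {SOUP_XTRACE_FD}>>"$SOUP_DEBUG_LOG"` records every expanded command line and assignment, so any credential that passes through a command during the upgrade (none are visible in this hunk, but an updater for the whole stack presumably handles some) is written to /root/soup-debug.log and to the rotated `.$INSTALLEDVERSION.<timestamp>` copies, which are never pruned. The file is created with whatever umask the root shell has; I'd create it with a restrictive mode before the redirect, `( umask 077; : >>"$SOUP_DEBUG_LOG" )`, and put a comment on the `set -x` line such as `# NOTE: xtrace output can contain secrets passed on command lines; scrub before sharing the log`. Minor style point: `[ -f $SOUP_DEBUG_LOG ]` is the only `[` test in the hunk while the surrounding code uses `[[`.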
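Review bot: Making `set +x 2>/dev/null || true` unconditional and moving it ahead of the first-context guard means the first ERR event switches tracing off for the rest of the run, because on_err executes in the calling shell and nothing turns xtrace back on; any tolerated non-zero command before the fatal one (not visible here, but plausible in a script of this size) therefore truncates the debug log exactly where it would become useful. I'd remember whether xtrace was on at entry and restore it before every return, so only the handler's own commands stay out of the log; the final `return $exit_code`, which lies past the end of the hunk, needs the same `(( had_xtrace )) && set -x` before it. The `|| true` is unnecessary since `set +x` cannot fail.
```shell
on_err() {
  local exit_code=$? had_xtrace=0
  # keep the handler's own commands out of the debug log; tracing is restored before each return
  [[ $- == *x* ]] && { had_xtrace=1; set +x; }
  # Use first error context, multiple errors can happen with command substitutions or nested functions.
  [[ -n $SOUP_ERR_CONTEXT ]] && { (( had_xtrace )) && set -x; return $exit_code; }
  # … unchanged: local cmd/line/function/source and the call-frame loop …
```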