From 8b503e2ffa722977841947590195b1aae1a90663 Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Tue, 30 Jan 2024 15:58:11 -0500
Subject: [PATCH] telegraf dont run stenoloss script if suricata is pcap engine

---
 salt/telegraf/map.jinja | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/salt/telegraf/map.jinja b/salt/telegraf/map.jinja
index e6d3460d6..b56c8a64d 100644
--- a/salt/telegraf/map.jinja
+++ b/salt/telegraf/map.jinja
@@ -14,4 +14,11 @@
 {%     do TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]].remove('zeekloss.sh') %}
 {%     do TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]].remove('zeekcaptureloss.sh') %}
 {%   endif %}
+
+{%   from 'pcap/config.map.jinja' import PCAPMERGED %}
+{#   PCAPMERGED.enabled is set false in soc ui or if suricata is the pcap engine #}
+{%   if not PCAPMERGED.enabled %}
+{%     do TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]].remove('stenoloss.sh') %}
+{%   endif %}
+
 {% endif %}