From d72219c5869e4aea39ccb285eca09ccf55c599ee Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Fri, 22 May 2026 09:59:17 -0500 Subject: [PATCH 01/10] use multiple or combined input --- salt/manager/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 3bec13716..46785be3c 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -1139,7 +1139,7 @@ verify_es_version_compatibility() { while IFS= read -r heavynode_minion; do [[ -z "$heavynode_minion" ]] && continue - if ! echo "$HEAVYNODE_ES_VERSIONS" | jq -e --arg minion "$heavynode_minion" 'has($minion)' > /dev/null; then + if ! echo "$HEAVYNODE_ES_VERSIONS" | jq -se --arg minion "$heavynode_minion" 'add | has($minion)' > /dev/null; then echo "Heavynode $heavynode_minion did not report an Elasticsearch version. It may be offline or still upgrading." all_heavynodes_compatible=false fi From c0272ddb81a196648d93f9cbc7c1ee7a687e2562 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 26 May 2026 09:24:10 -0400 Subject: [PATCH 02/10] Add version number to HOTFIX file --- HOTFIX | 1 + 1 file changed, 1 insertion(+) diff --git a/HOTFIX b/HOTFIX index e69de29bb..cb8d8ec41 100644 --- a/HOTFIX +++ b/HOTFIX @@ -0,0 +1 @@ +20260526 From 473f93f0ee20e2c307455b9c5e639a044d448927 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Wed, 27 May 2026 09:33:15 -0500 Subject: [PATCH 03/10] check for stale logstash pipeline name in pillars --- salt/manager/tools/sbin/soup | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 46785be3c..58cbbac43 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup 
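Review bot: In the `verify_es_version_compatibility` loop (PATCH 01/10), the new filter `add | has($minion)` should raise a jq error when `$HEAVYNODE_ES_VERSIONS` is empty or contains no objects, because `add` over an empty slurped array yields `null`. The check still fails closed, reporting the heavynode as missing its Elasticsearch version, but the jq error reaches the terminal because only stdout is redirected. Handling that case explicitly keeps the output clean: `jq -se --arg minion "$heavynode_minion" '(add // {}) | has($minion)'`. The function starts and ends outside the hunk.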
@@ -1506,7 +1506,23 @@ EOF # Keeping this block in case we need to do a hotfix that requires salt update apply_hotfix() { - echo "No actions required. ($INSTALLEDVERSION/$HOTFIXVERSION)" + if [[ "$INSTALLEDVERSION" == "3.1.0" ]] ; then + echo "Checking for conflicting logstash defined_pipelines pillar value." + local LOGSTASH_FILE=/opt/so/saltstack/local/pillar/logstash/soc_logstash.sls + local MINIONDIR=/opt/so/saltstack/local/pillar/minions + + for pillar_file in "$LOGSTASH_FILE" "$MINIONDIR"/*.sls; do + [[ -f "$pillar_file" ]] || continue + if grep -q 'so/0013_input_lumberjack_fleet.conf$' "$pillar_file"; then + echo "Found conflicting defined_pipeline pillar value in $pillar_file. Updating to use the new logstash pipeline name." + sed -i 's#so/0013_input_lumberjack_fleet\.conf$#so/0013_input_lumberjack_fleet.conf.jinja#g' "$pillar_file" + chown socore:socore "$pillar_file" + fi + + done + else + echo "No actions required. ($INSTALLEDVERSION/$HOTFIXVERSION)" + fi } failed_soup_restore_items() { From 0834998cca219394c49ea8116284285bef20b228 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Wed, 27 May 2026 09:52:29 -0500 Subject: [PATCH 04/10] usuable for next soup --- salt/manager/tools/sbin/soup | 31 ++++++++++++++++++------------- 1 file changed, 18 insertions(+), 13 deletions(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 58cbbac43..6f4b936dd 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup 
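Review bot: In `apply_hotfix` (PATCH 03/10), the `grep -q` pattern leaves the `.` before `conf` unescaped while the `sed` expression two lines later escapes it, so the two can disagree and the "Found conflicting" message can print for a line that `sed` then leaves alone; use `grep -q 'so/0013_input_lumberjack_fleet\.conf$' "$pillar_file"`. The loop variable is not declared, so `pillar_file` leaks into soup's global scope; add `local pillar_file` beside the other `local` lines. Neither `sed -i` nor `chown` is checked, so a failed rewrite of a root-owned pillar file is not reported by the hotfix itself; `sed -i ... "$pillar_file" || echo "Failed to update $pillar_file" >&2` would surface it. The missing `local` carries over into `update_logstash_pipeline_name` in PATCH 04/10.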
@@ -533,6 +533,23 @@ elasticfleet_set_agent_logging_level_warn() { done <<< "$policies_to_update" } +update_logstash_pipeline_name() { + local original_pipeline_name="$1" + local new_pipeline_name="$2" + + echo "Checking for conflicting logstash defined_pipelines pillar value." + local LOGSTASH_FILE=/opt/so/saltstack/local/pillar/logstash/soc_logstash.sls + local MINIONDIR=/opt/so/saltstack/local/pillar/minions + for pillar_file in "$LOGSTASH_FILE" "$MINIONDIR"/*.sls; do + [[ -f "$pillar_file" ]] || continue + if grep -q "$original_pipeline_name$" "$pillar_file"; then + echo "Found conflicting defined_pipeline pillar value in $pillar_file. Updating to use the new logstash pipeline name." + sed -i "s#$original_pipeline_name\$#$new_pipeline_name#g" "$pillar_file" + chown socore:socore "$pillar_file" + fi + done +} + check_transform_health_and_reauthorize() { . /usr/sbin/so-elastic-fleet-common @@ -1507,19 +1524,7 @@ EOF # Keeping this block in case we need to do a hotfix that requires salt update apply_hotfix() { if [[ "$INSTALLEDVERSION" == "3.1.0" ]] ; then - echo "Checking for conflicting logstash defined_pipelines pillar value." - local LOGSTASH_FILE=/opt/so/saltstack/local/pillar/logstash/soc_logstash.sls - local MINIONDIR=/opt/so/saltstack/local/pillar/minions - - for pillar_file in "$LOGSTASH_FILE" "$MINIONDIR"/*.sls; do - [[ -f "$pillar_file" ]] || continue - if grep -q 'so/0013_input_lumberjack_fleet.conf$' "$pillar_file"; then - echo "Found conflicting defined_pipeline pillar value in $pillar_file. Updating to use the new logstash pipeline name." - sed -i 's#so/0013_input_lumberjack_fleet\.conf$#so/0013_input_lumberjack_fleet.conf.jinja#g' "$pillar_file" - chown socore:socore "$pillar_file" - fi - - done + update_logstash_pipeline_name "so/0013_input_lumberjack_fleet.conf" "so/0013_input_lumberjack_fleet.conf.jinja" else echo "No actions required. ($INSTALLEDVERSION/$HOTFIXVERSION)" fi From 0b4a4de609e8f55c63d79e91f68b6bfc4e1d1a60 Mon Sep 17 00:00:00 2001 
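Review bot: `update_logstash_pipeline_name` (PATCH 04/10, first hunk) interpolates `$original_pipeline_name` unescaped into the `grep` and `sed` patterns, so the `.` in the name passed from `apply_hotfix` now matches any character, where the inline `sed` expression this replaces had it escaped. For a helper meant to be reused, escape the name once with `local original_re; original_re=$(printf '%s' "$original_pipeline_name" | sed 's/[][\.*^$]/\\&/g')` and use `"${original_re}\$"` in both commands. A `#`, `&` or `\` in either argument would still clash with the `s#...#...#` delimiter and replacement syntax, which is worth stating in a comment above the function. The end-of-line anchor also means a value written with quotes or trailing whitespace would presumably be left unchanged without any message.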
From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Wed, 27 May 2026 12:21:22 -0500 Subject: [PATCH 05/10] always run logstash pipeline rename --- salt/manager/tools/sbin/soup | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 6f4b936dd..473ef79c5 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -701,6 +701,7 @@ up_to_3.1.0() { # Clear existing component template state file. rm -f /opt/so/state/esfleet_component_templates.json rename_strelka_scan_lnk + update_logstash_pipeline_name "so/0013_input_lumberjack_fleet.conf" "so/0013_input_lumberjack_fleet.conf.jinja" INSTALLEDVERSION=3.1.0 } From bf609a112eed5001ec73745d6ea00fdda8de4267 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Wed, 27 May 2026 12:21:44 -0500 Subject: [PATCH 06/10] LF --- HOTFIX | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/HOTFIX b/HOTFIX index cb8d8ec41..8d594f290 100644 --- a/HOTFIX +++ b/HOTFIX @@ -1 +1 @@ -20260526 +20260526 From 613eca52fcd800570e444d271202429531c731cd Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Wed, 27 May 2026 13:24:10 -0500 Subject: [PATCH 07/10] update hotfix date --- HOTFIX | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/HOTFIX b/HOTFIX index 8d594f290..70406bf9d 100644 --- a/HOTFIX +++ b/HOTFIX @@ -1 +1 @@ -20260526 +20260528 From b2a82fec29b25a5718c7a903f38402af905e2a4a Mon Sep 17 00:00:00 2001 
From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Wed, 27 May 2026 13:24:23 -0500 Subject: [PATCH 08/10] fix_logstash_0013_lumberjack_pipeline_name Before removing from apply_hotfix function first verify that older installs < 3.1.0 are still upgradable when referencing 'so/0013_input_lumberjack_fleet.conf' via pillar. Failure to do so will prevent logstash from starting --- salt/manager/tools/sbin/soup | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 473ef79c5..ba76d2a3e 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -693,6 +693,10 @@ rename_strelka_scan_lnk() { rm -f "$TMP_VALUE_FILE" } +fix_logstash_0013_lumberjack_pipeline_name() { + update_logstash_pipeline_name "so/0013_input_lumberjack_fleet.conf" "so/0013_input_lumberjack_fleet.conf.jinja" +} + up_to_3.1.0() { ensure_postgres_local_pillar ensure_postgres_secret @@ -701,7 +705,7 @@ up_to_3.1.0() { # Clear existing component template state file. rm -f /opt/so/state/esfleet_component_templates.json rename_strelka_scan_lnk - update_logstash_pipeline_name "so/0013_input_lumberjack_fleet.conf" "so/0013_input_lumberjack_fleet.conf.jinja" + fix_logstash_0013_lumberjack_pipeline_name INSTALLEDVERSION=3.1.0 } @@ -1525,7 +1529,9 @@ EOF # Keeping this block in case we need to do a hotfix that requires salt update apply_hotfix() { if [[ "$INSTALLEDVERSION" == "3.1.0" ]] ; then - update_logstash_pipeline_name "so/0013_input_lumberjack_fleet.conf" "so/0013_input_lumberjack_fleet.conf.jinja" + # Do not remove this fix_logstash_0013_lumberjack_pipeline_name in future hotfixes without first validating older + # installs referencing "so/0013_input_lumberjack_fleet.conf" via pillar are upgradable + fix_logstash_0013_lumberjack_pipeline_name else echo "No actions required. ($INSTALLEDVERSION/$HOTFIXVERSION)" fi From 5abd6de4b55b2c3c8965620bdbcc371a944da3cb Mon Sep 17 00:00:00 2001 
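Review bot: `fix_logstash_0013_lumberjack_pipeline_name` (PATCH 08/10, first hunk) has no comment, and the reason it exists is recorded only in the commit message. A short header would keep that with the code, for example `# Rename the stale so/0013_input_lumberjack_fleet.conf pillar entry to the .conf.jinja name; logstash will not start while the old name is referenced.` followed by `# Called from both up_to_3.1.0 and apply_hotfix.` The statement about logstash is taken from the commit description, not from the visible code.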
From: Mike Reeves Date: Thu, 28 May 2026 09:34:17 -0400 Subject: [PATCH 09/10] 3.1.0 hotfix --- DOWNLOAD_AND_VERIFY_ISO.md | 22 +++++++++++----------- sigs/securityonion-3.1.0-20260528.iso.sig | Bin 0 -> 566 bytes 2 files changed, 11 insertions(+), 11 deletions(-) create mode 100644 sigs/securityonion-3.1.0-20260528.iso.sig diff --git a/DOWNLOAD_AND_VERIFY_ISO.md b/DOWNLOAD_AND_VERIFY_ISO.md index a0ea874fa..bae49c4ac 100644 --- a/DOWNLOAD_AND_VERIFY_ISO.md +++ b/DOWNLOAD_AND_VERIFY_ISO.md @@ -1,17 +1,17 @@ -### 3.1.0-20260521 ISO image released on 2026/05/21 +### 3.1.0-20260528 ISO image released on 2026/05/28 ### Download and Verify -3.1.0-20260521 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-3.1.0-20260521.iso +3.1.0-20260528 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-3.1.0-20260528.iso -MD5: A853BC118639ABCE1795D6E313BFFBDE -SHA1: FCA615AD6E31710B33AE5870FEF447861FDB3B8F -SHA256: CE2A5947274D9ED2C5068A1FD46B64C4FEF70445EA9B61A98DD3621781329F2C +MD5: 9D6FF58DEEE24089D722C73169765B3E +SHA1: 2B8B816B6CEC3B7F96B3C5E040EBF502DD2C412F +SHA256: 62FAB57E247C843D6A04F0796D8162C732B65D82FC3E4A59D087135B9FD32912 Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/3/main/sigs/securityonion-3.1.0-20260521.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/3/main/sigs/securityonion-3.1.0-20260528.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/3/main/KEYS 
@@ -25,22 +25,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/3/ Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/3/main/sigs/securityonion-3.1.0-20260521.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/3/main/sigs/securityonion-3.1.0-20260528.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-3.1.0-20260521.iso +wget https://download.securityonion.net/file/securityonion/securityonion-3.1.0-20260528.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-3.1.0-20260521.iso.sig securityonion-3.1.0-20260521.iso +gpg --verify securityonion-3.1.0-20260528.iso.sig securityonion-3.1.0-20260528.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Thu 21 May 2026 11:10:01 AM EDT using RSA key ID FE507013 +gpg: Signature made Wed 27 May 2026 03:03:59 PM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. 
diff --git a/sigs/securityonion-3.1.0-20260528.iso.sig b/sigs/securityonion-3.1.0-20260528.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..e4bead44df3b87b3f8f037867841feada61581a2 GIT binary patch literal 566 zcmV-60?GY}0y6{v0SEvc79j-41gSkXz6^6dp_W8^5Ma0dP;e6k0%{jP9{>so5PT3| zxBgIY6Ei^%|6UnlNTps}bX?WU@Vh_C?-M|n}<~50wVGXXGoD8W3KDy z=ZYPL6fKH1GNVpuJ^)}-r--D30lb_cgD%wZnXQ45n7fB0fT`F(k_%Xy#}A(Ws^Obh|St0AeMB6z&!7o&T7 zp=tatlM-=K)1EHl3Cb$hB&|O52e!UHZNL=;?pHa#16K$n|AWd z)vl}W%vr`V#&5!~(`lP#V(2C>vGbH>2=4ggFFj*5pMZ|+vES?u+77OpxzU$otkQX@ zLtD9EAjr>rTD3OA7lYK3XqlWNjt#DJMaCg{V$BvxKCYi|fd5UPD=|I-2Sv&aPF-v8 zHAWRBPEKp**n0iwqd8Dv@x0>_Yw1N&%nj4r+waMCN&|`*2dOB!(-wW;NvXPPB(Dov zm Date: Thu, 28 May 2026 10:24:47 -0400 Subject: [PATCH 10/10] Remove outdated HOTFIX version number --- HOTFIX | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/HOTFIX b/HOTFIX index 70406bf9d..8b1378917 100644 --- a/HOTFIX +++ b/HOTFIX @@ -1 +1 @@ -20260528 +