Merge pull request #12195 from Security-Onion-Solutions/2.4/dev

2.4.40
2025-12-06 09:12:45 +01:00 · 2024-01-17 14:04:27 -05:00
parent 30bc02178a 049d0b53c2
commit aa294a7f41
247 changed files with 523148 additions and 370707 deletions
--- a/.github/workflows/contrib.yml
+++ b/.github/workflows/contrib.yml
@@ -11,7 +11,7 @@ jobs:
    steps:
      - name: "Contributor Check"
        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
-        uses: cla-assistant/github-action@v2.1.3-beta
+        uses: cla-assistant/github-action@v2.3.1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PERSONAL_ACCESS_TOKEN : ${{ secrets.PERSONAL_ACCESS_TOKEN }}
--- a/DOWNLOAD_AND_VERIFY_ISO.md
+++ b/DOWNLOAD_AND_VERIFY_ISO.md
@@ -1,17 +1,17 @@
-### 2.4.30-20231228 ISO image released on 2024/01/02
+### 2.4.40-20240116 ISO image released on 2024/01/17
 ### Download and Verify
-2.4.30-20231228 ISO image:  
+2.4.40-20240116 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.4.30-20231228.iso
+https://download.securityonion.net/file/securityonion/securityonion-2.4.40-20240116.iso
-MD5: DBD47645CD6FA8358C51D8753046FB54  
+MD5: AC55D027B663F3CE0878FEBDAD9DD78B  
-SHA1: 2494091065434ACB028F71444A5D16E8F8A11EDF  
+SHA1: C2B51723B17F3DC843CC493EB80E93B123E3A3E1  
-SHA256: 3345AE1DC58AC7F29D82E60D9A36CDF8DE19B7DFF999D8C4F89C7BD36AEE7F1D  
+SHA256: C5F135FCF45A836BBFF58C231F95E1EA0CD894898322187AD5FBFCD24BC2F123  
 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.30-20231228.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.40-20240116.iso.sig
 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS  
@@ -25,22 +25,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.
 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.30-20231228.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.40-20240116.iso.sig
 ```
 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.4.30-20231228.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.4.40-20240116.iso
 ```
 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.4.30-20231228.iso.sig securityonion-2.4.30-20231228.iso
+gpg --verify securityonion-2.4.40-20240116.iso.sig securityonion-2.4.40-20240116.iso
 ```
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Thu 28 Dec 2023 10:08:31 AM EST using RSA key ID FE507013
+gpg: Signature made Tue 16 Jan 2024 07:34:40 PM EST using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.
--- a/1
+++ b/1
@@ -1 +0,0 @@
 20231204
--- a/2
+++ b/2
@@ -1 +1 @@
-2.4.30
+2.4.40
--- a/assets/images/screenshots/analyzers/echotrail.png
+++ b/assets/images/screenshots/analyzers/echotrail.png
--- a/assets/images/screenshots/analyzers/elasticsearch.png
+++ b/assets/images/screenshots/analyzers/elasticsearch.png
--- a/assets/images/screenshots/analyzers/sublime.png
+++ b/assets/images/screenshots/analyzers/sublime.png
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -61,8 +61,6 @@ base:
    - elastalert.adv_elastalert
    - backup.soc_backup
    - backup.adv_backup
    - curator.soc_curator
    - curator.adv_curator
    - soctopus.soc_soctopus
    - soctopus.adv_soctopus
    - minions.{{ grains.id }}
@@ -113,8 +111,6 @@ base:
    - kibana.adv_kibana
    - strelka.soc_strelka
    - strelka.adv_strelka
    - curator.soc_curator
    - curator.adv_curator
    - kratos.soc_kratos
    - kratos.adv_kratos
    - redis.soc_redis
@@ -172,8 +168,6 @@ base:
    - kibana.adv_kibana
    - strelka.soc_strelka
    - strelka.adv_strelka
    - curator.soc_curator
    - curator.adv_curator
    - backup.soc_backup
    - backup.adv_backup
    - zeek.soc_zeek
@@ -194,8 +188,6 @@ base:
    - logstash.adv_logstash
    - elasticsearch.soc_elasticsearch
    - elasticsearch.adv_elasticsearch
    - curator.soc_curator
    - curator.adv_curator
    - redis.soc_redis
    - redis.adv_redis
    - zeek.soc_zeek
@@ -268,8 +260,6 @@ base:
    - soctopus.adv_soctopus
    - kibana.soc_kibana
    - kibana.adv_kibana
    - curator.soc_curator
    - curator.adv_curator
    - backup.soc_backup
    - backup.adv_backup
    - kratos.soc_kratos
--- a/salt/allowed_states.map.jinja
+++ b/salt/allowed_states.map.jinja
@@ -219,10 +219,6 @@
    {% do allowed_states.append('kibana.secrets') %}
  {% endif %}
  {% if grains.role in ['so-eval', 'so-standalone', 'so-managersearch', 'so-heavynode', 'so-manager'] %}
    {% do allowed_states.append('curator') %}
  {% endif %}
  {% if grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %}
    {% do allowed_states.append('elastalert') %}
  {% endif %}
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -179,6 +179,14 @@ so-status_check_cron:
    - month: '*'
    - dayweek: '*'
 # This cronjob/script runs a check if the node needs restarted, but should be used for future status checks as well
 common_status_check_cron:
  cron.present:
    - name: '/usr/sbin/so-common-status-check > /dev/null 2>&1'
    - identifier: common_status_check
    - user: root
    - minute: '*/10'
 remove_post_setup_cron:
  cron.absent:
    - name: 'PATH=$PATH:/usr/sbin salt-call state.highstate'
--- a/salt/common/tools/sbin/so-common-status-check
+++ b/salt/common/tools/sbin/so-common-status-check
@@ -0,0 +1,52 @@
 #!/usr/bin/env python3
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 import sys
 import subprocess
 import os
 sys.path.append('/opt/saltstack/salt/lib/python3.10/site-packages/')
 import salt.config
 import salt.loader
 __opts__ = salt.config.minion_config('/etc/salt/minion')
 __grains__ = salt.loader.grains(__opts__)
 def check_needs_restarted():
  osfam = __grains__['os_family']
  val = '0'
  outfile = "/opt/so/log/sostatus/needs_restarted"
  if osfam == 'Debian':
    if os.path.exists('/var/run/reboot-required'):
      val = '1'
  elif osfam == 'RedHat':
    cmd = 'needs-restarting -r > /dev/null 2>&1'
    try:
      needs_restarting = subprocess.check_call(cmd, shell=True)
    except subprocess.CalledProcessError:
      val = '1'
  else:
    fail("Unsupported OS")
  with open(outfile, 'w') as f:
    f.write(val)
 def fail(msg):
  print(msg, file=sys.stderr)
  sys.exit(1)
 def main():
  proc = subprocess.run(['id', '-u'], stdout=subprocess.PIPE, encoding="utf-8")
  if proc.stdout.strip() != "0":
    fail("This program must be run as root")
  check_needs_restarted()
 if __name__ == "__main__":
  main()
--- a/salt/common/tools/sbin/so-image-common
+++ b/salt/common/tools/sbin/so-image-common
@@ -42,7 +42,6 @@ container_list() {
    )
  elif [ $MANAGERCHECK != 'so-helix' ]; then
    TRUSTED_CONTAINERS=(
      "so-curator"
      "so-elastalert"
      "so-elastic-agent"
      "so-elastic-agent-builder"
--- a/salt/common/tools/sbin/so-log-check
+++ b/salt/common/tools/sbin/so-log-check
@@ -109,6 +109,8 @@ if [[ $EXCLUDE_STARTUP_ERRORS == 'Y' ]]; then
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|timeout exceeded"             # server not yet ready (telegraf waiting on elasticsearch)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|influxsize kbytes"            # server not yet ready (telegraf waiting on influx)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|expected field at"            # server not yet ready (telegraf waiting on health data)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|connection timed out"         # server not yet ready (telegraf plugin unable to connect)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|command timed out"            # server not yet ready (telegraf plugin waiting for script to finish)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|cached the public key"        # server not yet ready (salt minion waiting on key acceptance)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|no ingest nodes"              # server not yet ready (logstash waiting on elastic)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|failed to poll"               # server not yet ready (sensoroni waiting on soc)
@@ -119,6 +121,7 @@ if [[ $EXCLUDE_STARTUP_ERRORS == 'Y' ]]; then
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|timeout retrieving container" # Telegraf unable to reach Docker engine, rare
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|error while communicating"    # Elasticsearch MS -> HN "sensor" temporarily unavailable
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|tls handshake error"          # Docker registry container when new node comes onlines
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Unable to get license information" # Logstash trying to contact ES before it's ready
 fi
 if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then
@@ -167,6 +170,9 @@ if [[ $EXCLUDE_KNOWN_ERRORS == 'Y' ]]; then
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|error parsing signature"      # Malformed Suricata rule, from upstream provider
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|sticky buffer has no matches" # Non-critical Suricata error
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Unable to determine destination index stats"  # Elastic transform temporary error
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|cannot join on an empty table" # InfluxDB flux query, import nodes
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|exhausting result iterator"   # InfluxDB flux query mismatched table results (temporary data issue)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|failed to finish run"         # InfluxDB rare error, self-recoverable
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|iteration"
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|communication packets"
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|use of closed"
@@ -223,6 +229,9 @@ exclude_log "spool"        # disregard zeek analyze logs as this is data specifi
 exclude_log "import"       # disregard imported test data the contains error strings
 exclude_log "update.log"   # ignore playbook updates due to several known issues
 exclude_log "playbook.log" # ignore due to several playbook known issues
 exclude_log "cron-cluster-delete.log" # ignore since Curator has been removed
 exclude_log "cron-close.log" # ignore since Curator has been removed
 exclude_log "curator.log" # ignore since Curator has been removed
 for log_file in $(cat /tmp/log_check_files); do
    status "Checking log file $log_file"
--- a/salt/common/tools/sbin/so-nsm-clear
+++ b/salt/common/tools/sbin/so-nsm-clear
@@ -41,8 +41,13 @@ done
 if [ $SKIP -ne 1 ]; then
        # Inform user we are about to delete all data
        echo
-        echo "This script will delete all NIDS data (PCAP, Suricata, Zeek)" 
+        echo "This script will delete all NSM data from /nsm."
-        echo "If you would like to proceed, please type "AGREE" and hit ENTER."
+        echo
        echo "This includes Suricata data, Zeek data, and full packet capture (PCAP)."
        echo
        echo "This will NOT delete any Suricata or Zeek logs that have already been ingested into Elasticsearch."
        echo
        echo "If you would like to proceed, then type AGREE and press ENTER."
        echo
        # Read user input
        read INPUT
@@ -54,8 +59,8 @@ delete_pcap() {
  [ -d $PCAP_DATA ] && so-pcap-stop && rm -rf $PCAP_DATA/* && so-pcap-start
 }
 delete_suricata() {
-  SURI_LOG="/opt/so/log/suricata/eve.json"
+  SURI_LOG="/nsm/suricata/"
-  [ -f $SURI_LOG ] && so-suricata-stop && rm -f $SURI_LOG && so-suricata-start
+  [ -d $SURI_LOG ] && so-suricata-stop && rm -rf $SURI_LOG/* && so-suricata-start
 }
 delete_zeek() {
  ZEEK_LOG="/nsm/zeek/logs/"
--- a/salt/common/tools/sbin_jinja/so-raid-status
+++ b/salt/common/tools/sbin_jinja/so-raid-status
@@ -49,11 +49,18 @@ check_nsm_raid() {
 check_boss_raid() {
  MVCLI=$(/usr/local/bin/mvcli info -o vd |grep status |grep functional)
  MVTEST=$(/usr/local/bin/mvcli info -o vd | grep "No adapter")
-  if [[ -n $MVCLI ]]; then
+  # Check to see if this is a SM based system
-    BOSSRAID=0
+  if [[ -z $MVTEST ]]; then
    if [[ -n $MVCLI ]]; then
      BOSSRAID=0
    else
      BOSSRAID=1
    fi
  else
-    BOSSRAID=1
+    # This doesn't have boss raid so lets make it 0
    BOSSRAID=0
  fi
 }
--- a/salt/curator/config.sls
+++ b/salt/curator/config.sls
@@ -1,81 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from "curator/map.jinja" import CURATORMERGED %}
 # Create the group
 curatorgroup:
  group.present:
    - name: curator
    - gid: 934
 # Add user
 curator:
  user.present:
    - uid: 934
    - gid: 934
    - home: /opt/so/conf/curator
    - createhome: False
 # Create the log directory
 curlogdir:
  file.directory:
    - name: /opt/so/log/curator
    - user: 934
    - group: 939
 curactiondir:
  file.directory:
    - name: /opt/so/conf/curator/action
    - user: 934
    - group: 939
    - makedirs: True
 actionconfs:
  file.recurse:
    - name: /opt/so/conf/curator/action
    - source: salt://curator/files/action
    - user: 934
    - group: 939
    - template: jinja
    - defaults:
        CURATORMERGED: {{ CURATORMERGED.elasticsearch.index_settings }}
 curconf:
  file.managed:
    - name: /opt/so/conf/curator/curator.yml
    - source: salt://curator/files/curator.yml
    - user: 934
    - group: 939
    - mode: 660
    - template: jinja
    - show_changes: False
 curator_sbin:
  file.recurse:
    - name: /usr/sbin
    - source: salt://curator/tools/sbin
    - user: 934
    - group: 939
    - file_mode: 755
 curator_sbin_jinja:
  file.recurse:
    - name: /usr/sbin
    - source: salt://curator/tools/sbin_jinja
    - user: 934
    - group: 939 
    - file_mode: 755
    - template: jinja
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/curator/defaults.yaml
+++ b/salt/curator/defaults.yaml
@@ -1,100 +0,0 @@
 curator:
  enabled: False
  elasticsearch:
    index_settings:
      logs-import-so:
        close: 73000
        delete: 73001
      logs-strelka-so:
        close: 30
        delete: 365
      logs-suricata-so:
        close: 30
        delete: 365
      logs-syslog-so:
        close: 30
        delete: 365
      logs-zeek-so:
        close: 30
        delete: 365
      logs-elastic_agent-metricbeat-default:
        close: 30
        delete: 365
      logs-elastic_agent-osquerybeat-default:
        close: 30
        delete: 365
      logs-elastic_agent-fleet_server-default:
        close: 30
        delete: 365
      logs-elastic_agent-filebeat-default:
        close: 30
        delete: 365
      logs-elastic_agent-default:
        close: 30
        delete: 365
      logs-system-auth-default:
        close: 30
        delete: 365
      logs-system-application-default:
        close: 30
        delete: 365
      logs-system-security-default:
        close: 30
        delete: 365
      logs-system-system-default:
        close: 30
        delete: 365
      logs-system-syslog-default:
        close: 30
        delete: 365
      logs-windows-powershell-default:
        close: 30
        delete: 365
      logs-windows-sysmon_operational-default:
        close: 30
        delete: 365
      so-beats:
        close: 30
        delete: 365
      so-elasticsearch:
        close: 30
        delete: 365
      so-firewall:
        close: 30
        delete: 365
      so-ids:
        close: 30
        delete: 365
      so-import:
        close: 73000
        delete: 73001
      so-kratos:
        close: 30
        delete: 365
      so-kibana:
        close: 30
        delete: 365
      so-logstash:
        close: 30
        delete: 365
      so-netflow:
        close: 30
        delete: 365
      so-osquery:
        close: 30
        delete: 365
      so-ossec:
        close: 30
        delete: 365
      so-redis:
        close: 30
        delete: 365
      so-strelka:
        close: 30
        delete: 365
      so-syslog:
        close: 30
        delete: 365
      so-zeek:
        close: 30
        delete: 365
--- a/salt/curator/disabled.sls
+++ b/salt/curator/disabled.sls
@@ -3,20 +3,15 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 include:
  - curator.sostatus
 so-curator:
  docker_container.absent:
    - force: True
 so-curator_so-status.disabled:
-  file.comment:
+  file.line:
    - name: /opt/so/conf/so-status/so-status.conf
-    - regex: ^so-curator$
+    - match: ^so-curator$
    - mode: delete
 so-curator-cluster-close:
  cron.absent:
@@ -26,10 +21,14 @@ so-curator-cluster-delete:
  cron.absent:
    - identifier: so-curator-cluster-delete
-{% else %}
+delete_curator_configuration:
-
+  file.absent:
-{{sls}}_state_not_allowed:
+    - name: /opt/so/conf/curator
-  test.fail_without_changes:
+    - recurse: True
    - name: {{sls}}_state_not_allowed
 {% set files = salt.file.find(path='/usr/sbin', name='so-curator*') %}
 {% if files|length > 0 %}
 delete_curator_scripts:
  file.absent:
    - names: {{files|yaml}}
 {% endif %}
--- a/salt/curator/enabled.sls
+++ b/salt/curator/enabled.sls
@@ -1,88 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 {%   from 'docker/docker.map.jinja' import DOCKER %}
 include:
  - curator.config
  - curator.sostatus
 so-curator:
  docker_container.running:
    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-curator:{{ GLOBALS.so_version }}
    - start: True
    - hostname: curator
    - name: so-curator
    - user: curator
    - networks:
      - sobridge:
        - ipv4_address: {{ DOCKER.containers['so-curator'].ip }}
    - interactive: True
    - tty: True
    - binds:
      - /opt/so/conf/curator/curator.yml:/etc/curator/config/curator.yml:ro
      - /opt/so/conf/curator/action/:/etc/curator/action:ro
      - /opt/so/log/curator:/var/log/curator:rw
      {% if DOCKER.containers['so-curator'].custom_bind_mounts %}
        {% for BIND in DOCKER.containers['so-curator'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
      {% if DOCKER.containers['so-curator'].extra_hosts %}
    - extra_hosts:
        {% for XTRAHOST in DOCKER.containers['so-curator'].extra_hosts %}
      - {{ XTRAHOST }}
        {% endfor %}
      {% endif %}
      {% if DOCKER.containers['so-curator'].extra_env %}
    - environment:
        {% for XTRAENV in DOCKER.containers['so-curator'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
    - require:
      - file: actionconfs
      - file: curconf
      - file: curlogdir
    - watch:
      - file: curconf
 delete_so-curator_so-status.disabled:
  file.uncomment:
    - name: /opt/so/conf/so-status/so-status.conf
    - regex: ^so-curator$
 so-curator-cluster-close:
  cron.present:
    - name: /usr/sbin/so-curator-cluster-close > /opt/so/log/curator/cron-close.log 2>&1
    - identifier: so-curator-cluster-close
    - user: root
    - minute: '2'
    - hour: '*/1'
    - daymonth: '*'
    - month: '*'
    - dayweek: '*'
 so-curator-cluster-delete:
  cron.present:
    - name: /usr/sbin/so-curator-cluster-delete > /opt/so/log/curator/cron-cluster-delete.log 2>&1
    - identifier: so-curator-cluster-delete
    - user: root
    - minute: '*/5'
    - hour: '*'
    - daymonth: '*'
    - month: '*'
    - dayweek: '*'
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/curator/files/action/delete.yml
+++ b/salt/curator/files/action/delete.yml
@@ -1,31 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% import_yaml 'elasticsearch/defaults.yaml' as ELASTICDEFAULTS %}
 {% set ELASTICMERGED = salt['pillar.get']('elasticsearch:retention', ELASTICDEFAULTS.elasticsearch.retention, merge=true) %}
 {{ ELASTICMERGED.retention_pct }}
 {%- set log_size_limit = salt['pillar.get']('elasticsearch:log_size_limit') %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete indices when {{log_size_limit}}(GB) is exceeded.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-.*|so-.*|.ds-logs-.*-so.*)$'
    - filtertype: pattern
      kind: regex
      value: '^(so-case.*)$'
      exclude: True
    - filtertype: space
      source: creation_date
      use_age: True
      disk_space: {{log_size_limit}}
--- a/salt/curator/files/action/logs-elastic_agent-default-close.yaml
+++ b/salt/curator/files/action/logs-elastic_agent-default-close.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-elastic_agent-default'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Elastic Agent default indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-elastic_agent-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-elastic_agent-default-delete.yaml
+++ b/salt/curator/files/action/logs-elastic_agent-default-delete.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-default'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Elastic Agent default indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-elastic_agent-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-elastic_agent-filebeat-default-close.yaml
+++ b/salt/curator/files/action/logs-elastic_agent-filebeat-default-close.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-elastic_agent-filebeat-default'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Elastic Agent Filebeat indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-elastic_agent.filebeat-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-elastic_agent-filebeat-default-delete.yaml
+++ b/salt/curator/files/action/logs-elastic_agent-filebeat-default-delete.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-filebeat-default'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Elastic Agent Filebeat indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-elastic_agent.filebeat-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-elastic_agent-fleet_server-default-close.yaml
+++ b/salt/curator/files/action/logs-elastic_agent-fleet_server-default-close.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-elastic_agent-fleet_server-default'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Elastic Agent Fleet Server indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-elastic_agent.fleet_server-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-elastic_agent-fleet_server-default-delete.yaml
+++ b/salt/curator/files/action/logs-elastic_agent-fleet_server-default-delete.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-fleet_server-default'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete import indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-elastic_agent.fleet_server-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-elastic_agent-metricbeat-default-close.yaml
+++ b/salt/curator/files/action/logs-elastic_agent-metricbeat-default-close.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-elastic_agent-metricbeat-default'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Elastic Agent Metricbeat indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-elastic_agent.metricbeat-default-.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-elastic_agent-metricbeat-default-delete.yaml
+++ b/salt/curator/files/action/logs-elastic_agent-metricbeat-default-delete.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-metricbeat-default'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Elastic Agent Metricbeat indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-elastic_agent.metricbeat-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-elastic_agent-osquerybeat-default-close.yaml
+++ b/salt/curator/files/action/logs-elastic_agent-osquerybeat-default-close.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-elastic_agent-osquerybeat-default'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Elastic Agent Osquerybeat indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-elastic_agent.osquerybeat-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-elastic_agent-osquerybeat-default-delete.yaml
+++ b/salt/curator/files/action/logs-elastic_agent-osquerybeat-default-delete.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-osquerybeat-default'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Elastic Agent Osquerybeat indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-elastic_agent.osquerybeat-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-elastic_agent-osquerybeat-delete.yaml
+++ b/salt/curator/files/action/logs-elastic_agent-osquerybeat-delete.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-import-so'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete import indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-import-so.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-import-so-close.yml
+++ b/salt/curator/files/action/logs-import-so-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-import-so'].close %}
 actions:
  1:
    action: close
    description: >-
      Close import indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-import-so.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-import-so-delete.yml
+++ b/salt/curator/files/action/logs-import-so-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-import-so'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete import indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-import-so.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-strelka-so-close.yml
+++ b/salt/curator/files/action/logs-strelka-so-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-strelka-so'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Strelka indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-strelka-so.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-strelka-so-delete.yml
+++ b/salt/curator/files/action/logs-strelka-so-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-strelka-so'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Strelka indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-strelka-so.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-suricata-so-close.yml
+++ b/salt/curator/files/action/logs-suricata-so-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-suricata-so'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Suricata indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-suricata-so.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-suricata-so-delete.yml
+++ b/salt/curator/files/action/logs-suricata-so-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-suricata-so'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Suricata indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-suricata-so.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-syslog-so-close.yml
+++ b/salt/curator/files/action/logs-syslog-so-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-syslog-so'].close %}
 actions:
  1:
    action: close
    description: >-
      Close syslog indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-syslog-so.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-syslog-so-delete.yml
+++ b/salt/curator/files/action/logs-syslog-so-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-syslog-so'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete syslog indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-syslog-so.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-system-application-default-close.yaml
+++ b/salt/curator/files/action/logs-system-application-default-close.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-system-application-default'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Elastic Agent system application indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-system.application-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-system-application-default-delete.yaml
+++ b/salt/curator/files/action/logs-system-application-default-delete.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-system-application-default'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Elastic Agent system application indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-system.application-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-system-auth-default-close.yaml
+++ b/salt/curator/files/action/logs-system-auth-default-close.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-system-auth-default'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Elastic Agent system auth indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-system.auth-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-system-auth-default-delete.yaml
+++ b/salt/curator/files/action/logs-system-auth-default-delete.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-system-auth-default'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Elastic Agent system auth indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-system.auth-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-system-security-default-close.yaml
+++ b/salt/curator/files/action/logs-system-security-default-close.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-system-security-default'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Elastic Agent system security indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-system.security-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-system-security-default-delete.yaml
+++ b/salt/curator/files/action/logs-system-security-default-delete.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-system-security-default'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Elastic Agent system security indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-system.security-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-system-syslog-default-close.yaml
+++ b/salt/curator/files/action/logs-system-syslog-default-close.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-system-syslog-default'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Elastic Agent system syslog indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-system.syslog-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-system-syslog-default-delete.yaml
+++ b/salt/curator/files/action/logs-system-syslog-default-delete.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-system-syslog-default'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Elastic Agent system syslog indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-system.syslog-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-system-system-default-close.yaml
+++ b/salt/curator/files/action/logs-system-system-default-close.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-system-system-default'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Elastic Agent system system indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-system.system-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-system-system-default-delete.yaml
+++ b/salt/curator/files/action/logs-system-system-default-delete.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-system-system-default'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Elastic Agent system system indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-system.system-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-windows-powershell-default-close.yaml
+++ b/salt/curator/files/action/logs-windows-powershell-default-close.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-windows-powershell-default'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Elastic Agent Windows Powershell indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-windows.powershell-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-windows-powershell-default-delete.yaml
+++ b/salt/curator/files/action/logs-windows-powershell-default-delete.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-windows-powershell-default'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Elastic Agent Windows Powershell indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-windows.powershell-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-windows-sysmon_operational-default-close.yaml
+++ b/salt/curator/files/action/logs-windows-sysmon_operational-default-close.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-windows-sysmon_operational-default'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Elastic Agent Windows Sysmon operational indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-windows.sysmon_operational-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-windows-sysmon_operational-default-delete.yaml
+++ b/salt/curator/files/action/logs-windows-sysmon_operational-default-delete.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-windows-sysmon_operational-default'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Elastic Agent Windows Sysmon operational indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-windows.sysmon_operational-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-zeek-so-close.yml
+++ b/salt/curator/files/action/logs-zeek-so-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-zeek-so'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Zeek indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-zeek-so.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-zeek-so-delete.yml
+++ b/salt/curator/files/action/logs-zeek-so-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-zeek-so'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Zeek indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-zeek-so.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/so-beats-close.yml
+++ b/salt/curator/files/action/so-beats-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['so-beats'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Beats indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(logstash-beats.*|so-beats.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/so-beats-delete.yml
+++ b/salt/curator/files/action/so-beats-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['so-beats'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete beats indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-beats.*|so-beats.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/so-elasticsearch-close.yml
+++ b/salt/curator/files/action/so-elasticsearch-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['so-elasticsearch'].close %}
 actions:
  1:
    action: close
    description: >-
      Close elasticsearch indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(logstash-elasticsearch.*|so-elasticsearch.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/so-elasticsearch-delete.yml
+++ b/salt/curator/files/action/so-elasticsearch-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['so-elasticsearch'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete elasticsearch indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-elasticsearch.*|so-elasticsearch.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/so-firewall-close.yml
+++ b/salt/curator/files/action/so-firewall-close.yml
@@ -1,28 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['so-firewall'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Firewall indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(logstash-firewall.*|so-firewall.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/so-firewall-delete.yml
+++ b/salt/curator/files/action/so-firewall-delete.yml
@@ -1,28 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['so-firewall'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete firewall indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-firewall.*|so-firewall.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/so-ids-close.yml
+++ b/salt/curator/files/action/so-ids-close.yml
@@ -1,28 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['so-ids'].close %}
 actions:
  1:
    action: close
    description: >-
      Close IDS indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(logstash-ids.*|so-ids.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/so-ids-delete.yml
+++ b/salt/curator/files/action/so-ids-delete.yml
@@ -1,28 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['so-ids'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete IDS indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-ids.*|so-ids.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/so-import-close.yml
+++ b/salt/curator/files/action/so-import-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['so-import'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Import indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(logstash-import.*|so-import.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/so-import-delete.yml
+++ b/salt/curator/files/action/so-import-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['so-import'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete import indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-import.*|so-import.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/so-kibana-close.yml
+++ b/salt/curator/files/action/so-kibana-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['so-kibana'].close %}
 actions:
  1:
    action: close
    description: >-
      Close kibana indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(logstash-kibana.*|so-kibana.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/so-kibana-delete.yml
+++ b/salt/curator/files/action/so-kibana-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['so-kibana'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete kibana indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-kibana.*|so-kibana.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/so-kratos-close.yml
+++ b/salt/curator/files/action/so-kratos-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['so-kratos'].close %}
 actions:
  1:
    action: close
    description: >-
      Close kratos indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-kratos.*|so-kratos.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/so-kratos-delete.yml
+++ b/salt/curator/files/action/so-kratos-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['so-kratos'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete kratos indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-kratos.*|so-kratos.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/so-logstash-close.yml
+++ b/salt/curator/files/action/so-logstash-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['so-logstash'].close %}
 actions:
  1:
    action: close
    description: >-
      Close logstash indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(logstash-logstash.*|so-logstash.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/so-logstash-delete.yml
+++ b/salt/curator/files/action/so-logstash-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['so-logstash'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete logstash indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-logstash.*|so-logstash.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/so-netflow-close.yml
+++ b/salt/curator/files/action/so-netflow-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['so-netflow'].close %}
 actions:
  1:
    action: close
    description: >-
      Close netflow indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(logstash-netflow.*|so-netflow.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/so-netflow-delete.yml
+++ b/salt/curator/files/action/so-netflow-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['so-netflow'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete netflow indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-netflow.*|so-netflow.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/so-osquery-close.yml
+++ b/salt/curator/files/action/so-osquery-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['so-osquery'].close %}
 actions:
  1:
    action: close
    description: >-
      Close osquery indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(logstash-osquery.*|so-osquery.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/so-osquery-delete.yml
+++ b/salt/curator/files/action/so-osquery-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['so-osquery'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete import indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-osquery.*|so-osquery.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/so-ossec-close.yml
+++ b/salt/curator/files/action/so-ossec-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['so-ossec'].close %}
 actions:
  1:
    action: close
    description: >-
      Close ossec indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(logstash-ossec.*|so-ossec.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/so-ossec-delete.yml
+++ b/salt/curator/files/action/so-ossec-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['so-ossec'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete ossec indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-ossec.*|so-ossec.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/so-redis-close.yml
+++ b/salt/curator/files/action/so-redis-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['so-redis'].close %}
 actions:
  1:
    action: close
    description: >-
      Close redis indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(logstash-redis.*|so-redis.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/so-redis-delete.yml
+++ b/salt/curator/files/action/so-redis-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['so-redis'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete redis indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-redis.*|so-redis.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/so-strelka-close.yml
+++ b/salt/curator/files/action/so-strelka-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['so-strelka'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Strelka indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(logstash-strelka.*|so-strelka.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/so-strelka-delete.yml
+++ b/salt/curator/files/action/so-strelka-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['so-strelka'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Strelka indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-strelka.*|so-strelka.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/so-syslog-close.yml
+++ b/salt/curator/files/action/so-syslog-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['so-syslog'].close %}
 actions:
  1:
    action: close
    description: >-
      Close syslog indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(logstash-syslog.*|so-syslog.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/so-syslog-delete.yml
+++ b/salt/curator/files/action/so-syslog-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['so-syslog'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete syslog indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-syslog.*|so-syslog.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/so-zeek-close.yml
+++ b/salt/curator/files/action/so-zeek-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['so-zeek'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Zeek indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(logstash-zeek.*|so-zeek.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/so-zeek-delete.yml
+++ b/salt/curator/files/action/so-zeek-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['so-zeek'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Zeek indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-zeek.*|so-zeek.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/curator.yml
+++ b/salt/curator/files/curator.yml
@@ -1,40 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% if GLOBALS.role in ['so-searchnode', 'so-heavynode'] %}
  {%- set elasticsearch = GLOBALS.node_ip -%}
 {% elif GLOBALS.role in ['so-eval', 'so-managersearch', 'so-standalone', 'so-manager'] %}
  {%- set elasticsearch = GLOBALS.manager_ip -%}
 {%- endif %}
 {%-   set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%-   set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 ---
 # Remember, leave a key empty if there is no value.  None will be a string,
 # not a Python "NoneType"
 elasticsearch:
  client:
    hosts:
      - https://{{elasticsearch}}:9200
    cloud_id:
    ca_certs:
    client_cert:
    client_key:
    verify_certs: False
    request_timeout: 30
  other_settings:
    api_key:
      id:
      api_key:
    master_only: False
    username: "{{ ES_USER }}"
    password: "{{ ES_PASS }}"
 logging:
  loglevel: INFO
  logfile: '/var/log/curator/curator.log'
  logformat: default
  blacklist: ['elasticsearch', 'urllib3']
--- a/salt/curator/init.sls
+++ b/salt/curator/init.sls
@@ -1,13 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'curator/map.jinja' import CURATORMERGED %}
 include:
 {% if CURATORMERGED.enabled %}
  - curator.enabled
 {% else %}
  - curator.disabled
 {% endif %}
--- a/salt/curator/map.jinja
+++ b/salt/curator/map.jinja
@@ -1,7 +0,0 @@
 {# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
   https://securityonion.net/license; you may not use this file except in compliance with the
   Elastic License 2.0. #}
 {% import_yaml 'curator/defaults.yaml' as CURATORDEFAULTS %}
 {% set CURATORMERGED = salt['pillar.get']('curator', CURATORDEFAULTS.curator, merge=true) %}
--- a/salt/curator/soc_curator.yaml
+++ b/salt/curator/soc_curator.yaml
@@ -1,108 +0,0 @@
 curator:
  enabled:
    description: You can enable or disable Curator.
    helpLink: curator.html
  elasticsearch:
    index_settings:
      logs-import-so:
        close: &close
          description: Age, in days, when Curator closes the index.
          helpLink: curator.html
          forcedType: int
        delete: &delete
          description: Age, in days, when Curator deletes the index.
          helpLink: curator.html
          forcedType: int
      logs-strelka-so:
        close: *close
        delete: *delete
      logs-suricata-so:
        close: *close
        delete: *delete
      logs-syslog-so:
        close: *close
        delete: *delete
      logs-zeek-so:
        close: *close
        delete: *delete
      logs-elastic_agent-metricbeat-default:
        close: *close
        delete: *delete
      logs-elastic_agent-osquerybeat-default:
        close: *close
        delete: *delete
      logs-elastic_agent-fleet_server-default:
        close: *close
        delete: *delete
      logs-elastic_agent-filebeat-default:
        close: *close
        delete: *delete
      logs-elastic_agent-default:
        close: *close
        delete: *delete
      logs-system-auth-default:
        close: *close
        delete: *delete
      logs-system-application-default:
        close: *close
        delete: *delete
      logs-system-security-default:
        close: *close
        delete: *delete
      logs-system-system-default:
        close: *close
        delete: *delete
      logs-system-syslog-default:
        close: *close
        delete: *delete
      logs-windows-powershell-default:
        close: *close
        delete: *delete
      logs-windows-sysmon_operational-default:
        close: *close
        delete: *delete
      so-beats:
        close: *close
        delete: *delete
      so-elasticsearch:
        close: *close
        delete: *delete
      so-firewall:
        close: *close
        delete: *delete
      so-ids:
        close: *close
        delete: *delete
      so-import:
        close: *close
        delete: *delete
      so-kratos:
        close: *close
        delete: *delete
      so-kibana:
        close: *close
        delete: *delete
      so-logstash:
        close: *close
        delete: *delete
      so-netflow:
        close: *close
        delete: *delete
      so-osquery:
        close: *close
        delete: *delete
      so-ossec:
        close: *close
        delete: *delete
      so-redis:
        close: *close
        delete: *delete
      so-strelka:
        close: *close
        delete: *delete
      so-syslog:
        close: *close
        delete: *delete
      so-zeek:
        close: *close
        delete: *delete
--- a/salt/curator/sostatus.sls
+++ b/salt/curator/sostatus.sls
@@ -1,21 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 append_so-curator_so-status.conf:
  file.append:
    - name: /opt/so/conf/so-status/so-status.conf
    - text: so-curator
    - unless: grep -q so-curator /opt/so/conf/so-status/so-status.conf
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/curator/tools/sbin/so-curator-close
+++ b/salt/curator/tools/sbin/so-curator-close
@@ -1,32 +0,0 @@
 #!/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 APP=close
 lf=/tmp/$APP-pidLockFile
 # create empty lock file if none exists
 cat /dev/null >> $lf
 read lastPID < $lf
 # if lastPID is not null and a process with that pid exists , exit
 [ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
 echo $$ > $lf
 /usr/sbin/so-curator-closed-delete > /dev/null 2>&1; 
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-zeek-close.yml > /dev/null 2>&1; 
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-beats-close.yml > /dev/null 2>&1; 
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-firewall-close.yml > /dev/null 2>&1; 
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ids-close.yml > /dev/null 2>&1; 
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-import-close.yml > /dev/null 2>&1;
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-kibana-close.yml > /dev/null 2>&1;
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-kratos-close.yml > /dev/null 2>&1;
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-osquery-close.yml > /dev/null 2>&1; 
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ossec-close.yml > /dev/null 2>&1; 
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-close.yml > /dev/null 2>&1; 
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-syslog-close.yml > /dev/null 2>&1;
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-import-so-close.yml > /dev/null 2>&1;
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-strelka-close.yml > /dev/null 2>&1;
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-suricata-close.yml > /dev/null 2>&1;
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-syslog-close.yml > /dev/null 2>&1;
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-zeek-close.yml > /dev/null 2>&1;
--- a/salt/curator/tools/sbin/so-curator-cluster-close
+++ b/salt/curator/tools/sbin/so-curator-cluster-close
@@ -1,30 +0,0 @@
 #!/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 APP=close
 lf=/tmp/$APP-pidLockFile
 # create empty lock file if none exists
 cat /dev/null >> $lf
 read lastPID < $lf
 # if lastPID is not null and a process with that pid exists , exit
 [ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
 echo $$ > $lf
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-zeek-close.yml > /dev/null 2>&1; 
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-beats-close.yml > /dev/null 2>&1; 
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-firewall-close.yml > /dev/null 2>&1; 
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ids-close.yml > /dev/null 2>&1; 
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-import-close.yml > /dev/null 2>&1; 
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-kratos-close.yml > /dev/null 2>&1;
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-osquery-close.yml > /dev/null 2>&1; 
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ossec-close.yml > /dev/null 2>&1; 
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-close.yml > /dev/null 2>&1; 
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-syslog-close.yml > /dev/null 2>&1;
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-import-so-close.yml > /dev/null 2>&1;
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-strelka-close.yml > /dev/null 2>&1;
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-suricata-close.yml > /dev/null 2>&1;
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-syslog-close.yml > /dev/null 2>&1;
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-zeek-close.yml > /dev/null 2>&1;
--- a/salt/curator/tools/sbin/so-curator-delete
+++ b/salt/curator/tools/sbin/so-curator-delete
@@ -1,17 +0,0 @@
 #!/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 APP=delete
 lf=/tmp/$APP-pidLockFile
 # create empty lock file if none exists
 cat /dev/null >> $lf
 read lastPID < $lf
 # if lastPID is not null and a process with that pid exists , exit
 [ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
 echo $$ > $lf
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/delete.yml > /dev/null 2>&1
--- a/salt/curator/tools/sbin/so-curator-start
+++ b/salt/curator/tools/sbin/so-curator-start
@@ -1,12 +0,0 @@
 #!/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 . /usr/sbin/so-common
 /usr/sbin/so-start curator $1
--- a/salt/curator/tools/sbin/so-curator-stop
+++ b/salt/curator/tools/sbin/so-curator-stop
@@ -1,12 +0,0 @@
 #!/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 . /usr/sbin/so-common
 /usr/sbin/so-stop curator $1
--- a/salt/desktop/packages.sls
+++ b/salt/desktop/packages.sls
@@ -35,6 +35,7 @@ desktop_packages:
      - bluez-libs
      - bluez-obexd
      - bolt
      - brasero
      - bzip2
      - bzip2-libs
      - c-ares
--- a/salt/docker/defaults.yaml
+++ b/salt/docker/defaults.yaml
@@ -159,11 +159,6 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
    'so-curator':
      final_octet: 43
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
    'so-elastic-fleet-package-registry':
      final_octet: 44
      port_bindings:
--- a/salt/docker/soc_docker.yaml
+++ b/salt/docker/soc_docker.yaml
@@ -60,7 +60,6 @@ docker:
    so-strelka-gatekeeper: *dockerOptions
    so-strelka-coordinator: *dockerOptions
    so-elastalert: *dockerOptions
    so-curator: *dockerOptions
    so-elastic-fleet-package-registry: *dockerOptions
    so-idh: *dockerOptions
    so-elastic-agent: *dockerOptions
--- a/salt/elasticfleet/config.sls
+++ b/salt/elasticfleet/config.sls
@@ -6,6 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% if sls.split('.')[0] in allowed_states %}
 {% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
 {% set node_data = salt['pillar.get']('node_data') %}
 # Add EA Group
@@ -104,8 +105,8 @@ eaoptionalintegrationsdir:
 {% for minion in node_data %}
 {% set role = node_data[minion]["role"] %}
 {% if role in [ "eval","fleet","heavynode","import","manager","managersearch","standalone" ] %}
-{% set optional_integrations = salt['pillar.get']('elasticfleet:optional_integrations', {}) %}
+{% set optional_integrations = ELASTICFLEETMERGED.optional_integrations %}
-{% set integration_keys = salt['pillar.get']('elasticfleet:optional_integrations', {}).keys() %}
+{% set integration_keys = optional_integrations.keys() %}
 fleet_server_integrations_{{ minion }}:
  file.directory:
    - name: /opt/so/conf/elastic-fleet/integrations-optional/FleetServer_{{ minion }}
--- a/salt/elasticfleet/defaults.yaml
+++ b/salt/elasticfleet/defaults.yaml
@@ -1,5 +1,6 @@
 elasticfleet:
  enabled: False
  enable_manager_output: True
  config:
    server:
      custom_fqdn: []
@@ -10,6 +11,7 @@ elasticfleet:
  logging:
    zeek:
      excluded:
        - analyzer
        - broker
        - capture_loss
        - cluster
@@ -38,6 +40,9 @@ elasticfleet:
    - checkpoint
    - cisco_asa
    - cisco_duo
    - cisco_ftd
    - cisco_ios
    - cisco_ise
    - cisco_meraki
    - cisco_umbrella
    - cloudflare
@@ -57,6 +62,7 @@ elasticfleet:
    - google_workspace
    - http_endpoint
    - httpjson
    - iis
    - juniper
    - juniper_srx
    - kafka_log
@@ -65,16 +71,20 @@ elasticfleet:
    - m365_defender
    - microsoft_defender_endpoint
    - microsoft_dhcp
    - microsoft_sqlserver
    - mimecast
    - mysql
    - netflow
    - o365
    - okta
    - osquery_manager
    - panw
    - pfsense
    - proofpoint_tap
    - pulse_connect_secure
    - redis
    - sentinel_one
    - snort
    - snyk
    - sonicwall_firewall
    - sophos
@@ -84,9 +94,12 @@ elasticfleet:
    - tcp
    - tenable_sc
    - ti_abusech
    - ti_anomali
    - ti_cybersixgill
    - ti_misp
    - ti_otx
    - ti_recordedfuture
    - ti_threatq
    - udp
    - vsphere
    - windows
--- a/Show More
+++ b/Show More