From b058bc8c05bc6c110c923c228c88986577623e02 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Tue, 9 Jan 2024 10:22:43 -0500
Subject: [PATCH] Move to non-destructive
---
 .../tools/sbin_jinja/so-elastic-fleet-reset | 14 ++------------
 1 file changed, 2 insertions(+), 12 deletions(-)
diff --git a/salt/manager/tools/sbin_jinja/so-elastic-fleet-reset b/salt/manager/tools/sbin_jinja/so-elastic-fleet-reset
index f1112c723..a7df34793 100644
--- a/salt/manager/tools/sbin_jinja/so-elastic-fleet-reset
+++ b/salt/manager/tools/sbin_jinja/so-elastic-fleet-reset
@@ -14,7 +14,6 @@ require_manager
 # Inform user we are about to remove Elastic Fleet data
 echo
 echo "This script will remove the current Elastic Fleet install and all of its data and then rerun Elastic Fleet setup."
-echo "This includes data previously ingested with Fleet such as Zeek and Suricata logs."
 echo "Deployed Elastic Agents will no longer be enrolled and will need to be reinstalled."
 echo "This script should only be used as a last resort to reinstall Elastic Fleet."
 echo
@@ -33,8 +32,8 @@ so-elastic-fleet-stop --force
 status "Deleting Fleet Data from Pillars..."
 so-yaml.py remove /opt/so/saltstack/local/pillar/minions/{{ GLOBALS.minion_id }}.sls elasticfleet
-sed -i "/fleet_grid_enrollment_token_general.*/d" /opt/so/saltstack/local/pillar/global/soc_global.sls
-sed -i "/fleet_grid_enrollment_token_heavy.*/d" /opt/so/saltstack/local/pillar/global/soc_global.sls
+so-yaml.py remove /opt/so/saltstack/local/pillar/global/soc_global.sls global.fleet_grid_enrollment_token_general
+so-yaml.py remove /opt/so/saltstack/local/pillar/global/soc_global.sls global.fleet_grid_enrollment_token_heavy
 status "Deleting Elastic Fleet data..."
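Review bot: The two added `so-yaml.py remove` calls on soc_global.sls are not checked for failure, so a removal that does not happen would leave the old `fleet_grid_enrollment_token_general` / `_heavy` values in the global pillar while the reset carries on to "Deleting Elastic Fleet data...". The `sed -i "/…/d"` lines they replace matched the key wherever it appeared and did nothing when it was absent, whereas the dotted path assumes the key sits directly under `global`, and how so-yaml.py reports a missing key is not visible in this hunk. I would make the outcome explicit, for example `so-yaml.py remove /opt/so/saltstack/local/pillar/global/soc_global.sls global.fleet_grid_enrollment_token_general || status "fleet_grid_enrollment_token_general was not removed from soc_global.sls"`, and likewise for the `_heavy` key. A short comment above the pair saying why the tokens are dropped (presumably so the Fleet setup rerun writes fresh ones) would help the next reader. The script begins and ends outside the hunk, so any `set -e` or error trap already in place cannot be seen from here.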
@@ -62,15 +61,6 @@ do
 done
 done
-status "Deleting Fleet-related Data Streams..."
-DATASTREAMS="logs-suricata-so","logs-kratos-so","logs-soc-so","logs-zeek-so"
-JSON_STRING=$( jq -n \
- --arg DATASTREAMLIST "$DATASTREAMS" \
- '{"dataStreams":[$DATASTREAMLIST]}'
- )
-curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/index_management/delete_data_streams" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
-
-
 status "Restarting Kibana..."
 so-kibana-restart --force