diff --git a/salt/curator/files/action/so-aws-close.yml b/salt/curator/files/action/so-aws-close.yml
new file mode 100644
index 000000000..44f0bfa97
--- /dev/null
+++ b/salt/curator/files/action/so-aws-close.yml
@@ -0,0 +1,29 @@
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-aws:close', 30) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: close
+ description: >-
+ Close aws indices older than {{cur_close_days}} days.
+ options:
+ delete_aliases: False
+ timeout_override:
+ continue_if_exception: False
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-aws.*|so-aws.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{cur_close_days}}
+ exclude:
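Review bot: `timeout_override:` (L22) and `exclude:` (L35) are bare empty values, which a YAML loader reads as null rather than the integer and boolean Curator documents for those options; Curator's stock examples use the same form so this probably works, but yamllint's `empty-values` rule flags it and the intent is invisible to a reader. Write `exclude: false` on the age filter and delete the `timeout_override` line (or give it a number of seconds). The `False` spellings on `delete_aliases`, `continue_if_exception` and `disable_action` are YAML 1.1 booleans while the sibling `so-aws-warm.yml` in this commit uses lowercase `false`; pick `false` throughout so the whole set parses identically under a YAML 1.2 loader. The copied header (L12-L14) saying every example has `disable_action` set to True is stale for a live action file and invites someone to "fix" the flag; drop it.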
diff --git a/salt/curator/files/action/so-aws-delete.yml b/salt/curator/files/action/so-aws-delete.yml
new file mode 100644
index 000000000..a67ee88b8
--- /dev/null
+++ b/salt/curator/files/action/so-aws-delete.yml
@@ -0,0 +1,29 @@
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-aws:delete', 365) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: delete_indices
+ description: >-
+ Delete aws indices when older than {{ DELETE_DAYS }} days.
+ options:
+ ignore_empty_list: True
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-aws.*|so-aws.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ DELETE_DAYS }}
+ exclude:
+
+
\ No newline at end of file
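Review bot: `unit_count: {{ DELETE_DAYS }}` (L67) takes the pillar value with no range check, so a pillar entry of `0` or an empty value would make this `delete_indices` action select every dated `so-aws` index rather than refuse to run; for the step that destroys security log evidence, failing loud is the better default. Guard it at render time, e.g. `{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-aws:delete', 365) | int -%}` followed by `{%- if DELETE_DAYS < 1 %}{{ raise('so-aws delete retention must be at least 1 day') }}{%- endif %}`. `so-aws.*` also matches any index that merely begins with `so-aws`; if the naming convention is `so-aws-YYYY.MM.DD`, anchoring on the hyphen (`'^(logstash-aws-.*|so-aws-.*)$'`) narrows the blast radius. The file ends with two blank lines and no terminating newline (L69-L71); finish it with a single newline.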
diff --git a/salt/curator/files/action/so-aws-warm.yml b/salt/curator/files/action/so-aws-warm.yml
new file mode 100644
index 000000000..5369ed9a9
--- /dev/null
+++ b/salt/curator/files/action/so-aws-warm.yml
@@ -0,0 +1,24 @@
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-aws:warm', 7) -%}
+actions:
+ 1:
+ action: allocation
+ description: "Apply shard allocation filtering rules to the specified indices"
+ options:
+ key: box_type
+ value: warm
+ allocation_type: require
+ wait_for_completion: true
+ timeout_override:
+ continue_if_exception: false
+ disable_action: false
+ filters:
+ - filtertype: pattern
+ kind: prefix
+ value: so-aws
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ WARM_DAYS }}
+
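Review bot: The filter at L93-L94 is `kind: prefix` / `value: so-aws`, while the companion `so-aws-close.yml` and `so-aws-delete.yml` match `^(logstash-aws.*|so-aws.*)$`; if `logstash-aws-*` indices still exist they are closed and deleted on schedule but never re-allocated to warm nodes, so either switch this to `kind: regex` / `value: '^(logstash-aws.*|so-aws.*)$'` or remove the dead `logstash-` alternative from the other two files. `unit_count: {{ WARM_DAYS }}` (L100) is unquoted and untyped; `| int` on the `set` line at L78 makes a string pillar value render as the integer Curator expects. This file also omits the `---` document start its siblings carry and leaves `timeout_override:` (L88) as a bare null; drop the key or give it a number of seconds.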
diff --git a/salt/curator/files/action/so-azure-close.yml b/salt/curator/files/action/so-azure-close.yml
new file mode 100644
index 000000000..901b2c0ba
--- /dev/null
+++ b/salt/curator/files/action/so-azure-close.yml
@@ -0,0 +1,29 @@
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-azure:close', 30) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: close
+ description: >-
+ Close azure indices older than {{cur_close_days}} days.
+ options:
+ delete_aliases: False
+ timeout_override:
+ continue_if_exception: False
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-azure.*|so-azure.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{cur_close_days}}
+ exclude:
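Review bot: The header comment copied from Curator's examples (L113-L115) says every example has `disable_action` set to True, but this is a live action with `disable_action: False` (L125); the stale text invites someone to "fix" the flag, so replace it with a one-liner such as `# Rendered by Salt; retention comes from pillar elasticsearch:index_settings:so-azure:close (default 30 days).` and drop the rest. `unit_count: {{cur_close_days}}` (L135) is injected unquoted and unchecked; `| int` on the `set` line at L108 turns a string pillar value into the integer Curator expects and makes a non-numeric value fail at render time instead of at run time. `exclude:` at L136 and `timeout_override:` at L123 are bare nulls; `exclude: false` and removing `timeout_override` state the intent.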
diff --git a/salt/curator/files/action/so-azure-delete.yml b/salt/curator/files/action/so-azure-delete.yml
new file mode 100644
index 000000000..102a69d3d
--- /dev/null
+++ b/salt/curator/files/action/so-azure-delete.yml
@@ -0,0 +1,29 @@
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-azure:delete', 365) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: delete_indices
+ description: >-
+ Delete azure indices when older than {{ DELETE_DAYS }} days.
+ options:
+ ignore_empty_list: True
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-azure.*|so-azure.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ DELETE_DAYS }}
+ exclude:
+
+
\ No newline at end of file
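Review bot: `exclude:` (L169) is a bare null at the end of the age filter and `ignore_empty_list: True` / `disable_action: False` (L157-L158) are YAML 1.1 capitalised booleans, while the neighbouring `so-azure-warm.yml` writes `false`; use `exclude: false`, `ignore_empty_list: true`, `disable_action: false` so every file in the set parses identically under a YAML 1.2 loader. More importantly the retention value at L168 is rendered straight from pillar with no lower bound, and a misconfigured `delete: 0` would let this action remove all dated `so-azure` indices; coerce with `| int` on the `set` line at L143 and reject values below 1 with Salt's `raise()` so the render fails instead of the data. The copied header (L148-L150) claiming every example has `disable_action: True` is misleading here and can go, and the file should end with a single newline rather than two blank lines and none (L170-L172).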
diff --git a/salt/curator/files/action/so-azure-warm.yml b/salt/curator/files/action/so-azure-warm.yml
new file mode 100644
index 000000000..d6f606125
--- /dev/null
+++ b/salt/curator/files/action/so-azure-warm.yml
@@ -0,0 +1,24 @@
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-azure:warm', 7) -%}
+actions:
+ 1:
+ action: allocation
+ description: "Apply shard allocation filtering rules to the specified indices"
+ options:
+ key: box_type
+ value: warm
+ allocation_type: require
+ wait_for_completion: true
+ timeout_override:
+ continue_if_exception: false
+ disable_action: false
+ filters:
+ - filtertype: pattern
+ kind: prefix
+ value: so-azure
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ WARM_DAYS }}
+
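Review bot: The prefix filter `so-azure` (L194-L195) is narrower than the `^(logstash-azure.*|so-azure.*)$` regex used by `so-azure-close.yml` and `so-azure-delete.yml` in this commit, so any surviving `logstash-azure-*` indices go through close and delete but skip the warm allocation; make the three filters agree, either `kind: regex` / `value: '^(logstash-azure.*|so-azure.*)$'` here or dropping the `logstash-` alternative elsewhere. The defaults keep warm (7) below close (30) and delete (365), but nothing enforces that ordering once pillar overrides them; a comment on the `set` line noting that `warm` is expected to be the smallest of the three would help whoever edits pillar. `timeout_override:` (L189) is a bare null and the file has no `---` document start unlike its siblings.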
diff --git a/salt/curator/files/action/so-barracuda-close.yml b/salt/curator/files/action/so-barracuda-close.yml
new file mode 100644
index 000000000..496832db7
--- /dev/null
+++ b/salt/curator/files/action/so-barracuda-close.yml
@@ -0,0 +1,29 @@
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:close', 30) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: close
+ description: >-
+ Close barracuda indices older than {{cur_close_days}} days.
+ options:
+ delete_aliases: False
+ timeout_override:
+ continue_if_exception: False
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-barracuda.*|so-barracuda.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{cur_close_days}}
+ exclude:
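Review bot: `timeout_override:` (L224) and `exclude:` (L237) are left as bare empty values, which load as null rather than the integer and boolean Curator documents; Curator's own examples use this form so it likely works, but yamllint's `empty-values` rule flags it and the intent is hidden. Prefer `exclude: false` and remove the `timeout_override` line. The `False` spellings at L223, L225 and L226 are YAML 1.1 booleans while `so-barracuda-warm.yml` in the same commit uses lowercase `false`; standardise on `false`. The stale Curator header (L214-L216) about every example having `disable_action: True` contradicts L226 and should be dropped.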
diff --git a/salt/curator/files/action/so-barracuda-delete.yml b/salt/curator/files/action/so-barracuda-delete.yml
new file mode 100644
index 000000000..49d472618
--- /dev/null
+++ b/salt/curator/files/action/so-barracuda-delete.yml
@@ -0,0 +1,29 @@
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:delete', 365) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: delete_indices
+ description: >-
+ Delete barracuda indices when older than {{ DELETE_DAYS }} days.
+ options:
+ ignore_empty_list: True
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-barracuda.*|so-barracuda.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ DELETE_DAYS }}
+ exclude:
+
+
\ No newline at end of file
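Review bot: `unit_count: {{ DELETE_DAYS }}` (L269) is rendered from pillar with no lower bound, so a pillar value of `0` or an empty value would make this `delete_indices` action select every dated `so-barracuda` index instead of refusing; guard it with `{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:delete', 365) | int -%}` and `{%- if DELETE_DAYS < 1 %}{{ raise('so-barracuda delete retention must be at least 1 day') }}{%- endif %}` so the state render fails rather than the data. `so-barracuda.*` (L263) also matches any index whose name merely starts with `so-barracuda`; if indices are named `so-barracuda-YYYY.MM.DD`, `'^(logstash-barracuda-.*|so-barracuda-.*)$'` is tighter. End the file with a single newline instead of two blank lines and none (L271-L273).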
diff --git a/salt/curator/files/action/so-barracuda-warm.yml b/salt/curator/files/action/so-barracuda-warm.yml
new file mode 100644
index 000000000..334a4114a
--- /dev/null
+++ b/salt/curator/files/action/so-barracuda-warm.yml
@@ -0,0 +1,24 @@
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:warm', 7) -%}
+actions:
+ 1:
+ action: allocation
+ description: "Apply shard allocation filtering rules to the specified indices"
+ options:
+ key: box_type
+ value: warm
+ allocation_type: require
+ wait_for_completion: true
+ timeout_override:
+ continue_if_exception: false
+ disable_action: false
+ filters:
+ - filtertype: pattern
+ kind: prefix
+ value: so-barracuda
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ WARM_DAYS }}
+
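Review bot: `kind: prefix` / `value: so-barracuda` (L295-L296) does not cover the `logstash-barracuda.*` alternative that `so-barracuda-close.yml` and `so-barracuda-delete.yml` match, so those indices, if present, are closed and deleted but never moved to warm; align the filter to `kind: regex` / `value: '^(logstash-barracuda.*|so-barracuda.*)$'` or remove the legacy alternative from the other two. `unit_count: {{ WARM_DAYS }}` (L302) is unquoted and untyped; `| int` on the `set` line at L280 makes a string pillar value render as an integer. `timeout_override:` (L290) is a bare null and the file lacks the `---` document start its siblings have.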
diff --git a/salt/curator/files/action/so-beats-delete.yml b/salt/curator/files/action/so-beats-delete.yml
new file mode 100644
index 000000000..77931d661
--- /dev/null
+++ b/salt/curator/files/action/so-beats-delete.yml
@@ -0,0 +1,29 @@
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-beats:delete', 365) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: delete_indices
+ description: >-
+ Delete beats indices when older than {{ DELETE_DAYS }} days.
+ options:
+ ignore_empty_list: True
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-beats.*|so-beats.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ DELETE_DAYS }}
+ exclude:
+
+
\ No newline at end of file
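Review bot: Unlike the other sources in this commit, `so-beats` gets a delete and a warm action but no close action in this diff; if that is intentional (beats indices stay open until deletion) a one-line comment under the `set` line saying so would save the next reader a search. The retention value at L335 is rendered straight from pillar with no lower bound, and a misconfigured `delete: 0` would let this `delete_indices` action remove every dated `so-beats` index; coerce with `| int` on the `set` line at L310 and reject values below 1 with Salt's `raise()`. `exclude:` (L336) is a bare null and `ignore_empty_list: True` / `disable_action: False` (L324-L325) use YAML 1.1 capitalised booleans while `so-beats-warm.yml` uses `false`; write `exclude: false`, `ignore_empty_list: true`, `disable_action: false`. The file should end with a single newline (L337-L339).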
diff --git a/salt/curator/files/action/so-beats-warm.yml b/salt/curator/files/action/so-beats-warm.yml
new file mode 100644
index 000000000..da9f76656
--- /dev/null
+++ b/salt/curator/files/action/so-beats-warm.yml
@@ -0,0 +1,24 @@
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-beats:warm', 7) -%}
+actions:
+ 1:
+ action: allocation
+ description: "Apply shard allocation filtering rules to the specified indices"
+ options:
+ key: box_type
+ value: warm
+ allocation_type: require
+ wait_for_completion: true
+ timeout_override:
+ continue_if_exception: false
+ disable_action: false
+ filters:
+ - filtertype: pattern
+ kind: prefix
+ value: so-beats
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ WARM_DAYS }}
+
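Review bot: The prefix filter `so-beats` (L361-L362) is narrower than the `^(logstash-beats.*|so-beats.*)$` regex in `so-beats-delete.yml`, so any `logstash-beats-*` indices would be deleted on schedule without ever being allocated to warm nodes; use `kind: regex` / `value: '^(logstash-beats.*|so-beats.*)$'` here or drop the legacy alternative there. `unit_count: {{ WARM_DAYS }}` (L368) is injected unquoted and unchecked; `| int` on the `set` line at L346 gives Curator the integer it expects regardless of how pillar spells the value. `timeout_override:` (L356) is a bare null, and the file omits the `---` document start the delete file carries.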
diff --git a/salt/curator/files/action/so-bluecoat-close.yml b/salt/curator/files/action/so-bluecoat-close.yml
new file mode 100644
index 000000000..86d9277eb
--- /dev/null
+++ b/salt/curator/files/action/so-bluecoat-close.yml
@@ -0,0 +1,29 @@
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:close', 30) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: close
+ description: >-
+ Close bluecoat indices older than {{cur_close_days}} days.
+ options:
+ delete_aliases: False
+ timeout_override:
+ continue_if_exception: False
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-bluecoat.*|so-bluecoat.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{cur_close_days}}
+ exclude:
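Review bot: The copied Curator header (L381-L383) says every example has `disable_action` set to True, which is false for this live action (`disable_action: False`, L393); replace it with something accurate such as `# Rendered by Salt; retention comes from pillar elasticsearch:index_settings:so-bluecoat:close (default 30 days).`. `unit_count: {{cur_close_days}}` (L403) is unquoted and unchecked; `| int` on the `set` line at L376 makes a string pillar value render as the integer Curator expects. `exclude:` (L404) and `timeout_override:` (L391) are bare nulls; `exclude: false` and dropping `timeout_override` make the intent explicit, and lowercase `false` at L390, L392 and L393 keeps the file consistent with `so-bluecoat-warm.yml`.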
diff --git a/salt/curator/files/action/so-bluecoat-delete.yml b/salt/curator/files/action/so-bluecoat-delete.yml
new file mode 100644
index 000000000..318624416
--- /dev/null
+++ b/salt/curator/files/action/so-bluecoat-delete.yml
@@ -0,0 +1,29 @@
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:delete', 365) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: delete_indices
+ description: >-
+ Delete bluecoat indices when older than {{ DELETE_DAYS }} days.
+ options:
+ ignore_empty_list: True
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-bluecoat.*|so-bluecoat.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ DELETE_DAYS }}
+ exclude:
+
+
\ No newline at end of file
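Review bot: `unit_count: {{ DELETE_DAYS }}` (L436) has no lower bound, so a pillar value of `0` or an empty value would make this `delete_indices` action select every dated `so-bluecoat` index instead of failing safe; guard it at render time with `{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:delete', 365) | int -%}` and `{%- if DELETE_DAYS < 1 %}{{ raise('so-bluecoat delete retention must be at least 1 day') }}{%- endif %}`. `exclude:` (L437) is a bare null and `ignore_empty_list: True` / `disable_action: False` (L425-L426) are YAML 1.1 booleans; `exclude: false`, `ignore_empty_list: true`, `disable_action: false` match the warm file's style. The stale header at L416-L418 contradicts L426 and can go, and the file should end with one newline rather than two blank lines and none (L438-L440).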
diff --git a/salt/curator/files/action/so-bluecoat-warm.yml b/salt/curator/files/action/so-bluecoat-warm.yml
new file mode 100644
index 000000000..47a8d712f
--- /dev/null
+++ b/salt/curator/files/action/so-bluecoat-warm.yml
@@ -0,0 +1,24 @@
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:warm', 7) -%}
+actions:
+ 1:
+ action: allocation
+ description: "Apply shard allocation filtering rules to the specified indices"
+ options:
+ key: box_type
+ value: warm
+ allocation_type: require
+ wait_for_completion: true
+ timeout_override:
+ continue_if_exception: false
+ disable_action: false
+ filters:
+ - filtertype: pattern
+ kind: prefix
+ value: so-bluecoat
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ WARM_DAYS }}
+
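Review bot: `kind: prefix` / `value: so-bluecoat` (L462-L463) skips the `logstash-bluecoat.*` indices that `so-bluecoat-close.yml` and `so-bluecoat-delete.yml` match, so those would be closed and deleted without ever reaching warm nodes; make the three filters agree with `kind: regex` / `value: '^(logstash-bluecoat.*|so-bluecoat.*)$'` or remove the dead alternative from the other two. The defaults order warm (7) < close (30) < delete (365) but nothing checks that ordering once pillar overrides them; a comment on the `set` line stating the expectation would help. `timeout_override:` (L457) is a bare null and the file lacks the `---` document start its siblings carry.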
diff --git a/salt/curator/files/action/so-cef-close.yml b/salt/curator/files/action/so-cef-close.yml
new file mode 100644
index 000000000..49e07f764
--- /dev/null
+++ b/salt/curator/files/action/so-cef-close.yml
@@ -0,0 +1,29 @@
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-cef:close', 30) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: close
+ description: >-
+ Close cef indices older than {{cur_close_days}} days.
+ options:
+ delete_aliases: False
+ timeout_override:
+ continue_if_exception: False
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-cef.*|so-cef.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{cur_close_days}}
+ exclude:
diff --git a/salt/curator/files/action/so-cef-delete.yml b/salt/curator/files/action/so-cef-delete.yml
new file mode 100644
index 000000000..0ee7d6501
--- /dev/null
+++ b/salt/curator/files/action/so-cef-delete.yml
@@ -0,0 +1,29 @@
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cef:delete', 365) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: delete_indices
+ description: >-
+ Delete cef indices when older than {{ DELETE_DAYS }} days.
+ options:
+ ignore_empty_list: True
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-cef.*|so-cef.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ DELETE_DAYS }}
+ exclude:
+
+
\ No newline at end of file
diff --git a/salt/curator/files/action/so-cef-warm.yml b/salt/curator/files/action/so-cef-warm.yml
new file mode 100644
index 000000000..0a79fd2ba
--- /dev/null
+++ b/salt/curator/files/action/so-cef-warm.yml
@@ -0,0 +1,24 @@
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cef:warm', 7) -%}
+actions:
+ 1:
+ action: allocation
+ description: "Apply shard allocation filtering rules to the specified indices"
+ options:
+ key: box_type
+ value: warm
+ allocation_type: require
+ wait_for_completion: true
+ timeout_override:
+ continue_if_exception: false
+ disable_action: false
+ filters:
+ - filtertype: pattern
+ kind: prefix
+ value: so-cef
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ WARM_DAYS }}
+
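Review bot: The prefix filter `so-cef` (L563-L564) is narrower than the `^(logstash-cef.*|so-cef.*)$` regex used by `so-cef-close.yml` and `so-cef-delete.yml`, so any `logstash-cef-*` indices go through close and delete but skip warm allocation; use `kind: regex` / `value: '^(logstash-cef.*|so-cef.*)$'` here or drop the legacy alternative elsewhere. `unit_count: {{ WARM_DAYS }}` (L570) is unquoted and untyped; `| int` on the `set` line at L548 gives Curator an integer regardless of how pillar spells the value. `timeout_override:` (L558) is a bare null and the file omits the `---` document start the other two carry.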
diff --git a/salt/curator/files/action/so-checkpoint-close.yml b/salt/curator/files/action/so-checkpoint-close.yml
new file mode 100644
index 000000000..cffdf6473
--- /dev/null
+++ b/salt/curator/files/action/so-checkpoint-close.yml
@@ -0,0 +1,29 @@
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:close', 30) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: close
+ description: >-
+ Close checkpoint indices older than {{cur_close_days}} days.
+ options:
+ delete_aliases: False
+ timeout_override:
+ continue_if_exception: False
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-checkpoint.*|so-checkpoint.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{cur_close_days}}
+ exclude:
diff --git a/salt/curator/files/action/so-checkpoint-delete.yml b/salt/curator/files/action/so-checkpoint-delete.yml
new file mode 100644
index 000000000..d1ac13efe
--- /dev/null
+++ b/salt/curator/files/action/so-checkpoint-delete.yml
@@ -0,0 +1,29 @@
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:delete', 365) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: delete_indices
+ description: >-
+ Delete checkpoint indices when older than {{ DELETE_DAYS }} days.
+ options:
+ ignore_empty_list: True
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-checkpoint.*|so-checkpoint.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ DELETE_DAYS }}
+ exclude:
+
+
\ No newline at end of file
diff --git a/salt/curator/files/action/so-checkpoint-warm.yml b/salt/curator/files/action/so-checkpoint-warm.yml
new file mode 100644
index 000000000..0aaec1e19
--- /dev/null
+++ b/salt/curator/files/action/so-checkpoint-warm.yml
@@ -0,0 +1,24 @@
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:warm', 7) -%}
+actions:
+ 1:
+ action: allocation
+ description: "Apply shard allocation filtering rules to the specified indices"
+ options:
+ key: box_type
+ value: warm
+ allocation_type: require
+ wait_for_completion: true
+ timeout_override:
+ continue_if_exception: false
+ disable_action: false
+ filters:
+ - filtertype: pattern
+ kind: prefix
+ value: so-checkpoint
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ WARM_DAYS }}
+
diff --git a/salt/curator/files/action/so-cisco-close.yml b/salt/curator/files/action/so-cisco-close.yml
new file mode 100644
index 000000000..cd1faade1
--- /dev/null
+++ b/salt/curator/files/action/so-cisco-close.yml
@@ -0,0 +1,29 @@
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-cisco:close', 30) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: close
+ description: >-
+ Close cisco indices older than {{cur_close_days}} days.
+ options:
+ delete_aliases: False
+ timeout_override:
+ continue_if_exception: False
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-cisco.*|so-cisco.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{cur_close_days}}
+ exclude:
diff --git a/salt/curator/files/action/so-cisco-delete.yml b/salt/curator/files/action/so-cisco-delete.yml
new file mode 100644
index 000000000..bb5e06f7f
--- /dev/null
+++ b/salt/curator/files/action/so-cisco-delete.yml
@@ -0,0 +1,29 @@
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cisco:delete', 365) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: delete_indices
+ description: >-
+ Delete cisco indices when older than {{ DELETE_DAYS }} days.
+ options:
+ ignore_empty_list: True
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-cisco.*|so-cisco.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ DELETE_DAYS }}
+ exclude:
+
+
\ No newline at end of file
diff --git a/salt/curator/files/action/so-cisco-warm.yml b/salt/curator/files/action/so-cisco-warm.yml
new file mode 100644
index 000000000..a143a95c2
--- /dev/null
+++ b/salt/curator/files/action/so-cisco-warm.yml
@@ -0,0 +1,24 @@
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cisco:warm', 7) -%}
+actions:
+ 1:
+ action: allocation
+ description: "Apply shard allocation filtering rules to the specified indices"
+ options:
+ key: box_type
+ value: warm
+ allocation_type: require
+ wait_for_completion: true
+ timeout_override:
+ continue_if_exception: false
+ disable_action: false
+ filters:
+ - filtertype: pattern
+ kind: prefix
+ value: so-cisco
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ WARM_DAYS }}
+
diff --git a/salt/curator/files/action/so-cyberark-close.yml b/salt/curator/files/action/so-cyberark-close.yml
new file mode 100644
index 000000000..e352e8355
--- /dev/null
+++ b/salt/curator/files/action/so-cyberark-close.yml
@@ -0,0 +1,29 @@
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:close', 30) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: close
+ description: >-
+ Close cyberark indices older than {{cur_close_days}} days.
+ options:
+ delete_aliases: False
+ timeout_override:
+ continue_if_exception: False
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-cyberark.*|so-cyberark.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{cur_close_days}}
+ exclude:
diff --git a/salt/curator/files/action/so-cyberark-delete.yml b/salt/curator/files/action/so-cyberark-delete.yml
new file mode 100644
index 000000000..784f6881e
--- /dev/null
+++ b/salt/curator/files/action/so-cyberark-delete.yml
@@ -0,0 +1,29 @@
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:delete', 365) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: delete_indices
+ description: >-
+ Delete cyberark indices when older than {{ DELETE_DAYS }} days.
+ options:
+ ignore_empty_list: True
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-cyberark.*|so-cyberark.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ DELETE_DAYS }}
+ exclude:
+
+
\ No newline at end of file
diff --git a/salt/curator/files/action/so-cyberark-warm.yml b/salt/curator/files/action/so-cyberark-warm.yml
new file mode 100644
index 000000000..8eae0b542
--- /dev/null
+++ b/salt/curator/files/action/so-cyberark-warm.yml
@@ -0,0 +1,24 @@
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:warm', 7) -%}
+actions:
+ 1:
+ action: allocation
+ description: "Apply shard allocation filtering rules to the specified indices"
+ options:
+ key: box_type
+ value: warm
+ allocation_type: require
+ wait_for_completion: true
+ timeout_override:
+ continue_if_exception: false
+ disable_action: false
+ filters:
+ - filtertype: pattern
+ kind: prefix
+ value: so-cyberark
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ WARM_DAYS }}
+
diff --git a/salt/curator/files/action/so-cylance-close.yml b/salt/curator/files/action/so-cylance-close.yml
new file mode 100644
index 000000000..d808569fb
--- /dev/null
+++ b/salt/curator/files/action/so-cylance-close.yml
@@ -0,0 +1,29 @@
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-cylance:close', 30) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: close
+ description: >-
+ Close cylance indices older than {{cur_close_days}} days.
+ options:
+ delete_aliases: False
+ timeout_override:
+ continue_if_exception: False
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-cylance.*|so-cylance.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{cur_close_days}}
+ exclude:
diff --git a/salt/curator/files/action/so-cylance-delete.yml b/salt/curator/files/action/so-cylance-delete.yml
new file mode 100644
index 000000000..54cf3938b
--- /dev/null
+++ b/salt/curator/files/action/so-cylance-delete.yml
@@ -0,0 +1,29 @@
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cylance:delete', 365) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: delete_indices
+ description: >-
+ Delete cylance indices when older than {{ DELETE_DAYS }} days.
+ options:
+ ignore_empty_list: True
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-cylance.*|so-cylance.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ DELETE_DAYS }}
+ exclude:
+
+
\ No newline at end of file
diff --git a/salt/curator/files/action/so-cylance-warm.yml b/salt/curator/files/action/so-cylance-warm.yml
new file mode 100644
index 000000000..c9da7e68a
--- /dev/null
+++ b/salt/curator/files/action/so-cylance-warm.yml
@@ -0,0 +1,24 @@
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cylance:warm', 7) -%}
+actions:
+ 1:
+ action: allocation
+ description: "Apply shard allocation filtering rules to the specified indices"
+ options:
+ key: box_type
+ value: warm
+ allocation_type: require
+ wait_for_completion: true
+ timeout_override:
+ continue_if_exception: false
+ disable_action: false
+ filters:
+ - filtertype: pattern
+ kind: prefix
+ value: so-cylance
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ WARM_DAYS }}
+
diff --git a/salt/curator/files/action/so-elasticsearch-close.yml b/salt/curator/files/action/so-elasticsearch-close.yml
new file mode 100644
index 000000000..3c4ff0dac
--- /dev/null
+++ b/salt/curator/files/action/so-elasticsearch-close.yml
@@ -0,0 +1,29 @@
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:close', 30) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: close
+ description: >-
+ Close elasticsearch indices older than {{cur_close_days}} days.
+ options:
+ delete_aliases: False
+ timeout_override:
+ continue_if_exception: False
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-elasticsearch.*|so-elasticsearch.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{cur_close_days}}
+ exclude:
diff --git a/salt/curator/files/action/so-elasticsearch-delete.yml b/salt/curator/files/action/so-elasticsearch-delete.yml
new file mode 100644
index 000000000..05cc68abe
--- /dev/null
+++ b/salt/curator/files/action/so-elasticsearch-delete.yml
@@ -0,0 +1,29 @@
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:delete', 365) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: delete_indices
+ description: >-
+ Delete elasticsearch indices when older than {{ DELETE_DAYS }} days.
+ options:
+ ignore_empty_list: True
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-elasticsearch.*|so-elasticsearch.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ DELETE_DAYS }}
+ exclude:
+
+
\ No newline at end of file
diff --git a/salt/curator/files/action/so-elasticsearch-warm.yml b/salt/curator/files/action/so-elasticsearch-warm.yml
new file mode 100644
index 000000000..9d82fc27b
--- /dev/null
+++ b/salt/curator/files/action/so-elasticsearch-warm.yml
@@ -0,0 +1,24 @@
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:warm', 7) -%}
+actions:
+ 1:
+ action: allocation
+ description: "Apply shard allocation filtering rules to the specified indices"
+ options:
+ key: box_type
+ value: warm
+ allocation_type: require
+ wait_for_completion: true
+ timeout_override:
+ continue_if_exception: false
+ disable_action: false
+ filters:
+ - filtertype: pattern
+ kind: prefix
+ value: so-elasticsearch
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ WARM_DAYS }}
+
diff --git a/salt/curator/files/action/so-f5-close.yml b/salt/curator/files/action/so-f5-close.yml
new file mode 100644
index 000000000..e1cdb48a1
--- /dev/null
+++ b/salt/curator/files/action/so-f5-close.yml
@@ -0,0 +1,29 @@
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-f5:close', 30) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: close
+ description: >-
+ Close f5 indices older than {{cur_close_days}} days.
+ options:
+ delete_aliases: False
+ timeout_override:
+ continue_if_exception: False
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-f5.*|so-f5.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{cur_close_days}}
+ exclude:
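Review bot: The Jinja variable is named `cur_close_days` and interpolated as `{{cur_close_days}}`, whereas the sibling delete and warm files use `DELETE_DAYS`/`WARM_DAYS` with `{{ DELETE_DAYS }}` spacing; a consistent `{%- set CLOSE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-f5:close', 30) -%}` and `unit_count: {{ CLOSE_DAYS }}` would make the three files per source read as one family. This applies to every *-close hunk (so-fortinet-close, so-gcp-close, so-google_workspace-close, so-imperva-close, so-infoblox-close, so-juniper-close, so-kibana-close, so-logstash-close, so-microsoft-close). It is also worth a one-line comment recording the ordering the three pillar values are expected to keep, e.g. `# Expected ordering: warm (7) < close (30) < delete (365); a close value above delete leaves nothing for this action to close`, since nothing in the templates checks it.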
diff --git a/salt/curator/files/action/so-f5-delete.yml b/salt/curator/files/action/so-f5-delete.yml
new file mode 100644
index 000000000..06704010a
--- /dev/null
+++ b/salt/curator/files/action/so-f5-delete.yml
@@ -0,0 +1,29 @@
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-f5:delete', 365) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: delete_indices
+ description: >-
+ Delete f5 indices when older than {{ DELETE_DAYS }} days.
+ options:
+ ignore_empty_list: True
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-f5.*|so-f5.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ DELETE_DAYS }}
+ exclude:
+
+
\ No newline at end of file
diff --git a/salt/curator/files/action/so-f5-warm.yml b/salt/curator/files/action/so-f5-warm.yml
new file mode 100644
index 000000000..12fbbe7ad
--- /dev/null
+++ b/salt/curator/files/action/so-f5-warm.yml
@@ -0,0 +1,24 @@
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-f5:warm', 7) -%}
+actions:
+ 1:
+ action: allocation
+ description: "Apply shard allocation filtering rules to the specified indices"
+ options:
+ key: box_type
+ value: warm
+ allocation_type: require
+ wait_for_completion: true
+ timeout_override:
+ continue_if_exception: false
+ disable_action: false
+ filters:
+ - filtertype: pattern
+ kind: prefix
+ value: so-f5
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ WARM_DAYS }}
+
diff --git a/salt/curator/files/action/so-firewall-delete.yml b/salt/curator/files/action/so-firewall-delete.yml
new file mode 100644
index 000000000..7588de437
--- /dev/null
+++ b/salt/curator/files/action/so-firewall-delete.yml
@@ -0,0 +1,29 @@
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-firewall:delete', 365) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: delete_indices
+ description: >-
+ Delete firewall indices when older than {{ DELETE_DAYS }} days.
+ options:
+ ignore_empty_list: True
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-firewall.*|so-firewall.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ DELETE_DAYS }}
+ exclude:
+
+
\ No newline at end of file
diff --git a/salt/curator/files/action/so-firewall-warm.yml b/salt/curator/files/action/so-firewall-warm.yml
new file mode 100644
index 000000000..2e9643dc3
--- /dev/null
+++ b/salt/curator/files/action/so-firewall-warm.yml
@@ -0,0 +1,24 @@
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-firewall:warm', 7) -%}
+actions:
+ 1:
+ action: allocation
+ description: "Apply shard allocation filtering rules to the specified indices"
+ options:
+ key: box_type
+ value: warm
+ allocation_type: require
+ wait_for_completion: true
+ timeout_override:
+ continue_if_exception: false
+ disable_action: false
+ filters:
+ - filtertype: pattern
+ kind: prefix
+ value: so-firewall
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ WARM_DAYS }}
+
diff --git a/salt/curator/files/action/so-fortinet-close.yml b/salt/curator/files/action/so-fortinet-close.yml
new file mode 100644
index 000000000..e11fb86c6
--- /dev/null
+++ b/salt/curator/files/action/so-fortinet-close.yml
@@ -0,0 +1,29 @@
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:close', 30) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: close
+ description: >-
+ Close fortinet indices older than {{cur_close_days}} days.
+ options:
+ delete_aliases: False
+ timeout_override:
+ continue_if_exception: False
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-fortinet.*|so-fortinet.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{cur_close_days}}
+ exclude:
diff --git a/salt/curator/files/action/so-fortinet-delete.yml b/salt/curator/files/action/so-fortinet-delete.yml
new file mode 100644
index 000000000..9379e47c2
--- /dev/null
+++ b/salt/curator/files/action/so-fortinet-delete.yml
@@ -0,0 +1,29 @@
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:delete', 365) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: delete_indices
+ description: >-
+ Delete fortinet indices when older than {{ DELETE_DAYS }} days.
+ options:
+ ignore_empty_list: True
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-fortinet.*|so-fortinet.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ DELETE_DAYS }}
+ exclude:
+
+
\ No newline at end of file
diff --git a/salt/curator/files/action/so-fortinet-warm.yml b/salt/curator/files/action/so-fortinet-warm.yml
new file mode 100644
index 000000000..db9a6f2db
--- /dev/null
+++ b/salt/curator/files/action/so-fortinet-warm.yml
@@ -0,0 +1,24 @@
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:warm', 7) -%}
+actions:
+ 1:
+ action: allocation
+ description: "Apply shard allocation filtering rules to the specified indices"
+ options:
+ key: box_type
+ value: warm
+ allocation_type: require
+ wait_for_completion: true
+ timeout_override:
+ continue_if_exception: false
+ disable_action: false
+ filters:
+ - filtertype: pattern
+ kind: prefix
+ value: so-fortinet
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ WARM_DAYS }}
+
diff --git a/salt/curator/files/action/so-gcp-close.yml b/salt/curator/files/action/so-gcp-close.yml
new file mode 100644
index 000000000..f9dd0af24
--- /dev/null
+++ b/salt/curator/files/action/so-gcp-close.yml
@@ -0,0 +1,29 @@
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-gcp:close', 30) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: close
+ description: >-
+ Close gcp indices older than {{cur_close_days}} days.
+ options:
+ delete_aliases: False
+ timeout_override:
+ continue_if_exception: False
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-gcp.*|so-gcp.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{cur_close_days}}
+ exclude:
diff --git a/salt/curator/files/action/so-gcp-delete.yml b/salt/curator/files/action/so-gcp-delete.yml
new file mode 100644
index 000000000..5c8ab33d8
--- /dev/null
+++ b/salt/curator/files/action/so-gcp-delete.yml
@@ -0,0 +1,29 @@
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-gcp:delete', 365) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: delete_indices
+ description: >-
+ Delete gcp indices when older than {{ DELETE_DAYS }} days.
+ options:
+ ignore_empty_list: True
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-gcp.*|so-gcp.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ DELETE_DAYS }}
+ exclude:
+
+
\ No newline at end of file
diff --git a/salt/curator/files/action/so-gcp-warm.yml b/salt/curator/files/action/so-gcp-warm.yml
new file mode 100644
index 000000000..3bb9eee80
--- /dev/null
+++ b/salt/curator/files/action/so-gcp-warm.yml
@@ -0,0 +1,24 @@
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-gcp:warm', 7) -%}
+actions:
+ 1:
+ action: allocation
+ description: "Apply shard allocation filtering rules to the specified indices"
+ options:
+ key: box_type
+ value: warm
+ allocation_type: require
+ wait_for_completion: true
+ timeout_override:
+ continue_if_exception: false
+ disable_action: false
+ filters:
+ - filtertype: pattern
+ kind: prefix
+ value: so-gcp
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ WARM_DAYS }}
+
diff --git a/salt/curator/files/action/so-google_workspace-close.yml b/salt/curator/files/action/so-google_workspace-close.yml
new file mode 100644
index 000000000..1ecda5893
--- /dev/null
+++ b/salt/curator/files/action/so-google_workspace-close.yml
@@ -0,0 +1,29 @@
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:close', 30) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: close
+ description: >-
+ Close google_workspace indices older than {{cur_close_days}} days.
+ options:
+ delete_aliases: False
+ timeout_override:
+ continue_if_exception: False
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-google_workspace.*|so-google_workspace.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{cur_close_days}}
+ exclude:
diff --git a/salt/curator/files/action/so-google_workspace-delete.yml b/salt/curator/files/action/so-google_workspace-delete.yml
new file mode 100644
index 000000000..923feda8f
--- /dev/null
+++ b/salt/curator/files/action/so-google_workspace-delete.yml
@@ -0,0 +1,29 @@
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:delete', 365) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: delete_indices
+ description: >-
+ Delete google_workspace indices when older than {{ DELETE_DAYS }} days.
+ options:
+ ignore_empty_list: True
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-google_workspace.*|so-google_workspace.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ DELETE_DAYS }}
+ exclude:
+
+
\ No newline at end of file
diff --git a/salt/curator/files/action/so-google_workspace-warm.yml b/salt/curator/files/action/so-google_workspace-warm.yml
new file mode 100644
index 000000000..7eb2d883f
--- /dev/null
+++ b/salt/curator/files/action/so-google_workspace-warm.yml
@@ -0,0 +1,24 @@
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:warm', 7) -%}
+actions:
+ 1:
+ action: allocation
+ description: "Apply shard allocation filtering rules to the specified indices"
+ options:
+ key: box_type
+ value: warm
+ allocation_type: require
+ wait_for_completion: true
+ timeout_override:
+ continue_if_exception: false
+ disable_action: false
+ filters:
+ - filtertype: pattern
+ kind: prefix
+ value: so-google_workspace
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ WARM_DAYS }}
+
diff --git a/salt/curator/files/action/so-ids-delete.yml b/salt/curator/files/action/so-ids-delete.yml
new file mode 100644
index 000000000..e5bda4e34
--- /dev/null
+++ b/salt/curator/files/action/so-ids-delete.yml
@@ -0,0 +1,29 @@
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-ids:delete', 365) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: delete_indices
+ description: >-
+ Delete IDS indices when older than {{ DELETE_DAYS }} days.
+ options:
+ ignore_empty_list: True
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-ids.*|so-ids.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ DELETE_DAYS }}
+ exclude:
+
+
\ No newline at end of file
diff --git a/salt/curator/files/action/so-ids-warm.yml b/salt/curator/files/action/so-ids-warm.yml
new file mode 100644
index 000000000..0edad5b5b
--- /dev/null
+++ b/salt/curator/files/action/so-ids-warm.yml
@@ -0,0 +1,24 @@
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-ids:warm', 7) -%}
+actions:
+ 1:
+ action: allocation
+ description: "Apply shard allocation filtering rules to the specified indices"
+ options:
+ key: box_type
+ value: warm
+ allocation_type: require
+ wait_for_completion: true
+ timeout_override:
+ continue_if_exception: false
+ disable_action: false
+ filters:
+ - filtertype: pattern
+ kind: prefix
+ value: so-ids
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ WARM_DAYS }}
+
diff --git a/salt/curator/files/action/so-imperva-close.yml b/salt/curator/files/action/so-imperva-close.yml
new file mode 100644
index 000000000..55ec2e472
--- /dev/null
+++ b/salt/curator/files/action/so-imperva-close.yml
@@ -0,0 +1,29 @@
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-imperva:close', 30) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: close
+ description: >-
+ Close imperva indices older than {{cur_close_days}} days.
+ options:
+ delete_aliases: False
+ timeout_override:
+ continue_if_exception: False
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-imperva.*|so-imperva.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{cur_close_days}}
+ exclude:
diff --git a/salt/curator/files/action/so-imperva-delete.yml b/salt/curator/files/action/so-imperva-delete.yml
new file mode 100644
index 000000000..b5526e2fb
--- /dev/null
+++ b/salt/curator/files/action/so-imperva-delete.yml
@@ -0,0 +1,29 @@
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-imperva:delete', 365) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: delete_indices
+ description: >-
+ Delete imperva indices when older than {{ DELETE_DAYS }} days.
+ options:
+ ignore_empty_list: True
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-imperva.*|so-imperva.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ DELETE_DAYS }}
+ exclude:
+
+
\ No newline at end of file
diff --git a/salt/curator/files/action/so-imperva-warm.yml b/salt/curator/files/action/so-imperva-warm.yml
new file mode 100644
index 000000000..0297d5cd6
--- /dev/null
+++ b/salt/curator/files/action/so-imperva-warm.yml
@@ -0,0 +1,24 @@
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-imperva:warm', 7) -%}
+actions:
+ 1:
+ action: allocation
+ description: "Apply shard allocation filtering rules to the specified indices"
+ options:
+ key: box_type
+ value: warm
+ allocation_type: require
+ wait_for_completion: true
+ timeout_override:
+ continue_if_exception: false
+ disable_action: false
+ filters:
+ - filtertype: pattern
+ kind: prefix
+ value: so-imperva
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ WARM_DAYS }}
+
diff --git a/salt/curator/files/action/so-import-delete.yml b/salt/curator/files/action/so-import-delete.yml
new file mode 100644
index 000000000..aa9808c5f
--- /dev/null
+++ b/salt/curator/files/action/so-import-delete.yml
@@ -0,0 +1,29 @@
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-import:delete', 365) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: delete_indices
+ description: >-
+ Delete import indices when older than {{ DELETE_DAYS }} days.
+ options:
+ ignore_empty_list: True
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-import.*|so-import.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ DELETE_DAYS }}
+ exclude:
+
+
\ No newline at end of file
diff --git a/salt/curator/files/action/so-import-warm.yml b/salt/curator/files/action/so-import-warm.yml
new file mode 100644
index 000000000..3a6fa3d3d
--- /dev/null
+++ b/salt/curator/files/action/so-import-warm.yml
@@ -0,0 +1,24 @@
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-import:warm', 7) -%}
+actions:
+ 1:
+ action: allocation
+ description: "Apply shard allocation filtering rules to the specified indices"
+ options:
+ key: box_type
+ value: warm
+ allocation_type: require
+ wait_for_completion: true
+ timeout_override:
+ continue_if_exception: false
+ disable_action: false
+ filters:
+ - filtertype: pattern
+ kind: prefix
+ value: so-import
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ WARM_DAYS }}
+
diff --git a/salt/curator/files/action/so-infoblox-close.yml b/salt/curator/files/action/so-infoblox-close.yml
new file mode 100644
index 000000000..9fd4c5070
--- /dev/null
+++ b/salt/curator/files/action/so-infoblox-close.yml
@@ -0,0 +1,29 @@
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:close', 30) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: close
+ description: >-
+ Close infoblox indices older than {{cur_close_days}} days.
+ options:
+ delete_aliases: False
+ timeout_override:
+ continue_if_exception: False
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-infoblox.*|so-infoblox.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{cur_close_days}}
+ exclude:
diff --git a/salt/curator/files/action/so-infoblox-delete.yml b/salt/curator/files/action/so-infoblox-delete.yml
new file mode 100644
index 000000000..0a7fdafbe
--- /dev/null
+++ b/salt/curator/files/action/so-infoblox-delete.yml
@@ -0,0 +1,29 @@
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:delete', 365) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: delete_indices
+ description: >-
+ Delete infoblox indices when older than {{ DELETE_DAYS }} days.
+ options:
+ ignore_empty_list: True
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-infoblox.*|so-infoblox.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ DELETE_DAYS }}
+ exclude:
+
+
\ No newline at end of file
diff --git a/salt/curator/files/action/so-infoblox-warm.yml b/salt/curator/files/action/so-infoblox-warm.yml
new file mode 100644
index 000000000..a2f571b7a
--- /dev/null
+++ b/salt/curator/files/action/so-infoblox-warm.yml
@@ -0,0 +1,24 @@
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:warm', 7) -%}
+actions:
+ 1:
+ action: allocation
+ description: "Apply shard allocation filtering rules to the specified indices"
+ options:
+ key: box_type
+ value: warm
+ allocation_type: require
+ wait_for_completion: true
+ timeout_override:
+ continue_if_exception: false
+ disable_action: false
+ filters:
+ - filtertype: pattern
+ kind: prefix
+ value: so-infoblox
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ WARM_DAYS }}
+
diff --git a/salt/curator/files/action/so-juniper-close.yml b/salt/curator/files/action/so-juniper-close.yml
new file mode 100644
index 000000000..466a51eca
--- /dev/null
+++ b/salt/curator/files/action/so-juniper-close.yml
@@ -0,0 +1,29 @@
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-juniper:close', 30) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: close
+ description: >-
+ Close juniper indices older than {{cur_close_days}} days.
+ options:
+ delete_aliases: False
+ timeout_override:
+ continue_if_exception: False
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-juniper.*|so-juniper.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{cur_close_days}}
+ exclude:
diff --git a/salt/curator/files/action/so-juniper-delete.yml b/salt/curator/files/action/so-juniper-delete.yml
new file mode 100644
index 000000000..18abc86ac
--- /dev/null
+++ b/salt/curator/files/action/so-juniper-delete.yml
@@ -0,0 +1,29 @@
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-juniper:delete', 365) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: delete_indices
+ description: >-
+ Delete juniper indices when older than {{ DELETE_DAYS }} days.
+ options:
+ ignore_empty_list: True
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-juniper.*|so-juniper.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ DELETE_DAYS }}
+ exclude:
+
+
\ No newline at end of file
diff --git a/salt/curator/files/action/so-juniper-warm.yml b/salt/curator/files/action/so-juniper-warm.yml
new file mode 100644
index 000000000..5369ed9a9
--- /dev/null
+++ b/salt/curator/files/action/so-juniper-warm.yml
@@ -0,0 +1,24 @@
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-aws:warm', 7) -%}
+actions:
+ 1:
+ action: allocation
+ description: "Apply shard allocation filtering rules to the specified indices"
+ options:
+ key: box_type
+ value: warm
+ allocation_type: require
+ wait_for_completion: true
+ timeout_override:
+ continue_if_exception: false
+ disable_action: false
+ filters:
+ - filtertype: pattern
+ kind: prefix
+ value: so-aws
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ WARM_DAYS }}
+
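Review bot: This file is so-juniper-warm.yml but reads the pillar key `elasticsearch:index_settings:so-aws:warm` and filters on `value: so-aws`, so it would re-apply the aws warm allocation and never touch juniper indices; this looks like a copy-paste slip from so-aws-warm.yml. The two lines should be `{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-juniper:warm', 7) -%}` and `value: so-juniper`, matching so-juniper-close.yml and so-juniper-delete.yml in the preceding hunks.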
diff --git a/salt/curator/files/action/so-kibana-close.yml b/salt/curator/files/action/so-kibana-close.yml
new file mode 100644
index 000000000..7347fb01c
--- /dev/null
+++ b/salt/curator/files/action/so-kibana-close.yml
@@ -0,0 +1,29 @@
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-kibana:close', 30) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: close
+ description: >-
+ Close kibana indices older than {{cur_close_days}} days.
+ options:
+ delete_aliases: False
+ timeout_override:
+ continue_if_exception: False
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-kibana.*|so-kibana.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{cur_close_days}}
+ exclude:
diff --git a/salt/curator/files/action/so-kibana-delete.yml b/salt/curator/files/action/so-kibana-delete.yml
new file mode 100644
index 000000000..5a775b8de
--- /dev/null
+++ b/salt/curator/files/action/so-kibana-delete.yml
@@ -0,0 +1,29 @@
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-kibana:delete', 365) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: delete_indices
+ description: >-
+ Delete kibana indices when older than {{ DELETE_DAYS }} days.
+ options:
+ ignore_empty_list: True
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-kibana.*|so-kibana.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ DELETE_DAYS }}
+ exclude:
+
+
\ No newline at end of file
diff --git a/salt/curator/files/action/so-kibana-warm.yml b/salt/curator/files/action/so-kibana-warm.yml
new file mode 100644
index 000000000..b5674c8c3
--- /dev/null
+++ b/salt/curator/files/action/so-kibana-warm.yml
@@ -0,0 +1,24 @@
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-kibana:warm', 7) -%}
+actions:
+ 1:
+ action: allocation
+ description: "Apply shard allocation filtering rules to the specified indices"
+ options:
+ key: box_type
+ value: warm
+ allocation_type: require
+ wait_for_completion: true
+ timeout_override:
+ continue_if_exception: false
+ disable_action: false
+ filters:
+ - filtertype: pattern
+ kind: prefix
+ value: so-kibana
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ WARM_DAYS }}
+
diff --git a/salt/curator/files/action/so-logstash-close.yml b/salt/curator/files/action/so-logstash-close.yml
new file mode 100644
index 000000000..23787e237
--- /dev/null
+++ b/salt/curator/files/action/so-logstash-close.yml
@@ -0,0 +1,29 @@
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-logstash:close', 30) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: close
+ description: >-
+ Close logstash indices older than {{cur_close_days}} days.
+ options:
+ delete_aliases: False
+ timeout_override:
+ continue_if_exception: False
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-logstash.*|so-logstash.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{cur_close_days}}
+ exclude:
diff --git a/salt/curator/files/action/so-logstash-delete.yml b/salt/curator/files/action/so-logstash-delete.yml
new file mode 100644
index 000000000..d9ff848da
--- /dev/null
+++ b/salt/curator/files/action/so-logstash-delete.yml
@@ -0,0 +1,29 @@
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-logstash:delete', 365) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: delete_indices
+ description: >-
+ Delete logstash indices when older than {{ DELETE_DAYS }} days.
+ options:
+ ignore_empty_list: True
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-logstash.*|so-logstash.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ DELETE_DAYS }}
+ exclude:
+
+
\ No newline at end of file
diff --git a/salt/curator/files/action/so-logstash-warm.yml b/salt/curator/files/action/so-logstash-warm.yml
new file mode 100644
index 000000000..826bf2975
--- /dev/null
+++ b/salt/curator/files/action/so-logstash-warm.yml
@@ -0,0 +1,24 @@
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-logstash:warm', 7) -%}
+actions:
+ 1:
+ action: allocation
+ description: "Apply shard allocation filtering rules to the specified indices"
+ options:
+ key: box_type
+ value: warm
+ allocation_type: require
+ wait_for_completion: true
+ timeout_override:
+ continue_if_exception: false
+ disable_action: false
+ filters:
+ - filtertype: pattern
+ kind: prefix
+ value: so-logstash
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ WARM_DAYS }}
+
diff --git a/salt/curator/files/action/so-microsoft-close.yml b/salt/curator/files/action/so-microsoft-close.yml
new file mode 100644
index 000000000..f4eaf738f
--- /dev/null
+++ b/salt/curator/files/action/so-microsoft-close.yml
@@ -0,0 +1,29 @@
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:close', 30) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: close
+ description: >-
+ Close microsoft indices older than {{cur_close_days}} days.
+ options:
+ delete_aliases: False
+ timeout_override:
+ continue_if_exception: False
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-microsoft.*|so-microsoft.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{cur_close_days}}
+ exclude:
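Review bot: The Jinja variable is named `cur_close_days` here while the sibling delete and warm templates use upper-case `DELETE_DAYS`/`WARM_DAYS`, and it is interpolated as `{{cur_close_days}}` without the inner spaces the others use; renaming to `CLOSE_DAYS` and writing `{{ CLOSE_DAYS }}` makes the three templates per source read as one family. `unit_count: {{cur_close_days}}` is also rendered straight from pillar with no `| int` coercion, so a non-numeric pillar value reaches Curator unchecked (closing is reversible, so the blast radius is smaller than for the delete templates, but the fix is the same one-line filter). The bare `timeout_override:` and `exclude:` keys are fine for Curator, as the header comment notes. This holds for every `*-close.yml` in the commit (so-misp, so-netflow, so-netscout, so-o365, so-okta, so-proofpoint, so-radware, so-redis, so-snort, so-snyk).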
diff --git a/salt/curator/files/action/so-microsoft-delete.yml b/salt/curator/files/action/so-microsoft-delete.yml
new file mode 100644
index 000000000..f1a854c83
--- /dev/null
+++ b/salt/curator/files/action/so-microsoft-delete.yml
@@ -0,0 +1,29 @@
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:delete', 365) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: delete_indices
+ description: >-
+ Delete microsoft indices when older than {{ DELETE_DAYS }} days.
+ options:
+ ignore_empty_list: True
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-microsoft.*|so-microsoft.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ DELETE_DAYS }}
+ exclude:
+
+
\ No newline at end of file
diff --git a/salt/curator/files/action/so-microsoft-warm.yml b/salt/curator/files/action/so-microsoft-warm.yml
new file mode 100644
index 000000000..551d0cb56
--- /dev/null
+++ b/salt/curator/files/action/so-microsoft-warm.yml
@@ -0,0 +1,24 @@
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:warm', 7) -%}
+actions:
+ 1:
+ action: allocation
+ description: "Apply shard allocation filtering rules to the specified indices"
+ options:
+ key: box_type
+ value: warm
+ allocation_type: require
+ wait_for_completion: true
+ timeout_override:
+ continue_if_exception: false
+ disable_action: false
+ filters:
+ - filtertype: pattern
+ kind: prefix
+ value: so-microsoft
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ WARM_DAYS }}
+
diff --git a/salt/curator/files/action/so-misp-close.yml b/salt/curator/files/action/so-misp-close.yml
new file mode 100644
index 000000000..e39781353
--- /dev/null
+++ b/salt/curator/files/action/so-misp-close.yml
@@ -0,0 +1,29 @@
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-misp:close', 30) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: close
+ description: >-
+ Close misp indices older than {{cur_close_days}} days.
+ options:
+ delete_aliases: False
+ timeout_override:
+ continue_if_exception: False
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-misp.*|so-misp.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{cur_close_days}}
+ exclude:
diff --git a/salt/curator/files/action/so-misp-delete.yml b/salt/curator/files/action/so-misp-delete.yml
new file mode 100644
index 000000000..ceaa9c73d
--- /dev/null
+++ b/salt/curator/files/action/so-misp-delete.yml
@@ -0,0 +1,29 @@
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-misp:delete', 365) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: delete_indices
+ description: >-
+ Delete misp indices when older than {{ DELETE_DAYS }} days.
+ options:
+ ignore_empty_list: True
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-misp.*|so-misp.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ DELETE_DAYS }}
+ exclude:
+
+
\ No newline at end of file
diff --git a/salt/curator/files/action/so-misp-warm.yml b/salt/curator/files/action/so-misp-warm.yml
new file mode 100644
index 000000000..af29975b0
--- /dev/null
+++ b/salt/curator/files/action/so-misp-warm.yml
@@ -0,0 +1,24 @@
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-misp:warm', 7) -%}
+actions:
+ 1:
+ action: allocation
+ description: "Apply shard allocation filtering rules to the specified indices"
+ options:
+ key: box_type
+ value: warm
+ allocation_type: require
+ wait_for_completion: true
+ timeout_override:
+ continue_if_exception: false
+ disable_action: false
+ filters:
+ - filtertype: pattern
+ kind: prefix
+ value: so-misp
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ WARM_DAYS }}
+
diff --git a/salt/curator/files/action/so-netflow-close.yml b/salt/curator/files/action/so-netflow-close.yml
new file mode 100644
index 000000000..cc9ade28d
--- /dev/null
+++ b/salt/curator/files/action/so-netflow-close.yml
@@ -0,0 +1,29 @@
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-netflow:close', 30) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: close
+ description: >-
+ Close netflow indices older than {{cur_close_days}} days.
+ options:
+ delete_aliases: False
+ timeout_override:
+ continue_if_exception: False
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-netflow.*|so-netflow.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{cur_close_days}}
+ exclude:
diff --git a/salt/curator/files/action/so-netflow-delete.yml b/salt/curator/files/action/so-netflow-delete.yml
new file mode 100644
index 000000000..5bc76ad15
--- /dev/null
+++ b/salt/curator/files/action/so-netflow-delete.yml
@@ -0,0 +1,29 @@
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-netflow:delete', 365) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: delete_indices
+ description: >-
+ Delete netflow indices when older than {{ DELETE_DAYS }} days.
+ options:
+ ignore_empty_list: True
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-netflow.*|so-netflow.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ DELETE_DAYS }}
+ exclude:
+
+
\ No newline at end of file
diff --git a/salt/curator/files/action/so-netflow-warm.yml b/salt/curator/files/action/so-netflow-warm.yml
new file mode 100644
index 000000000..ea57bb72b
--- /dev/null
+++ b/salt/curator/files/action/so-netflow-warm.yml
@@ -0,0 +1,24 @@
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-netflow:warm', 7) -%}
+actions:
+ 1:
+ action: allocation
+ description: "Apply shard allocation filtering rules to the specified indices"
+ options:
+ key: box_type
+ value: warm
+ allocation_type: require
+ wait_for_completion: true
+ timeout_override:
+ continue_if_exception: false
+ disable_action: false
+ filters:
+ - filtertype: pattern
+ kind: prefix
+ value: so-netflow
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ WARM_DAYS }}
+
diff --git a/salt/curator/files/action/so-netscout-close.yml b/salt/curator/files/action/so-netscout-close.yml
new file mode 100644
index 000000000..d99374d2f
--- /dev/null
+++ b/salt/curator/files/action/so-netscout-close.yml
@@ -0,0 +1,29 @@
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-netscout:close', 30) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: close
+ description: >-
+ Close netscout indices older than {{cur_close_days}} days.
+ options:
+ delete_aliases: False
+ timeout_override:
+ continue_if_exception: False
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-netscout.*|so-netscout.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{cur_close_days}}
+ exclude:
diff --git a/salt/curator/files/action/so-netscout-delete.yml b/salt/curator/files/action/so-netscout-delete.yml
new file mode 100644
index 000000000..3c0e249b5
--- /dev/null
+++ b/salt/curator/files/action/so-netscout-delete.yml
@@ -0,0 +1,29 @@
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-netscout:delete', 365) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: delete_indices
+ description: >-
+ Delete netscout indices when older than {{ DELETE_DAYS }} days.
+ options:
+ ignore_empty_list: True
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-netscout.*|so-netscout.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ DELETE_DAYS }}
+ exclude:
+
+
\ No newline at end of file
diff --git a/salt/curator/files/action/so-netscout-warm.yml b/salt/curator/files/action/so-netscout-warm.yml
new file mode 100644
index 000000000..1b93c3118
--- /dev/null
+++ b/salt/curator/files/action/so-netscout-warm.yml
@@ -0,0 +1,24 @@
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-netscout:warm', 7) -%}
+actions:
+ 1:
+ action: allocation
+ description: "Apply shard allocation filtering rules to the specified indices"
+ options:
+ key: box_type
+ value: warm
+ allocation_type: require
+ wait_for_completion: true
+ timeout_override:
+ continue_if_exception: false
+ disable_action: false
+ filters:
+ - filtertype: pattern
+ kind: prefix
+ value: so-netscout
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ WARM_DAYS }}
+
diff --git a/salt/curator/files/action/so-o365-close.yml b/salt/curator/files/action/so-o365-close.yml
new file mode 100644
index 000000000..4dece060f
--- /dev/null
+++ b/salt/curator/files/action/so-o365-close.yml
@@ -0,0 +1,29 @@
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-o365:close', 30) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: close
+ description: >-
+ Close o365 indices older than {{cur_close_days}} days.
+ options:
+ delete_aliases: False
+ timeout_override:
+ continue_if_exception: False
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-o365.*|so-o365.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{cur_close_days}}
+ exclude:
diff --git a/salt/curator/files/action/so-o365-delete.yml b/salt/curator/files/action/so-o365-delete.yml
new file mode 100644
index 000000000..13c7c1344
--- /dev/null
+++ b/salt/curator/files/action/so-o365-delete.yml
@@ -0,0 +1,29 @@
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-o365:delete', 365) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: delete_indices
+ description: >-
+ Delete o365 indices when older than {{ DELETE_DAYS }} days.
+ options:
+ ignore_empty_list: True
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-o365.*|so-o365.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ DELETE_DAYS }}
+ exclude:
+
+
\ No newline at end of file
diff --git a/salt/curator/files/action/so-o365-warm.yml b/salt/curator/files/action/so-o365-warm.yml
new file mode 100644
index 000000000..cbb7bc24e
--- /dev/null
+++ b/salt/curator/files/action/so-o365-warm.yml
@@ -0,0 +1,24 @@
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-o365:warm', 7) -%}
+actions:
+ 1:
+ action: allocation
+ description: "Apply shard allocation filtering rules to the specified indices"
+ options:
+ key: box_type
+ value: warm
+ allocation_type: require
+ wait_for_completion: true
+ timeout_override:
+ continue_if_exception: false
+ disable_action: false
+ filters:
+ - filtertype: pattern
+ kind: prefix
+ value: so-o365
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ WARM_DAYS }}
+
diff --git a/salt/curator/files/action/so-okta-close.yml b/salt/curator/files/action/so-okta-close.yml
new file mode 100644
index 000000000..10f7e4b60
--- /dev/null
+++ b/salt/curator/files/action/so-okta-close.yml
@@ -0,0 +1,29 @@
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-okta:close', 30) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: close
+ description: >-
+ Close okta indices older than {{cur_close_days}} days.
+ options:
+ delete_aliases: False
+ timeout_override:
+ continue_if_exception: False
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-okta.*|so-okta.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{cur_close_days}}
+ exclude:
diff --git a/salt/curator/files/action/so-okta-warm.yml b/salt/curator/files/action/so-okta-warm.yml
new file mode 100644
index 000000000..75764860d
--- /dev/null
+++ b/salt/curator/files/action/so-okta-warm.yml
@@ -0,0 +1,24 @@
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-okta:warm', 7) -%}
+actions:
+ 1:
+ action: allocation
+ description: "Apply shard allocation filtering rules to the specified indices"
+ options:
+ key: box_type
+ value: warm
+ allocation_type: require
+ wait_for_completion: true
+ timeout_override:
+ continue_if_exception: false
+ disable_action: false
+ filters:
+ - filtertype: pattern
+ kind: prefix
+ value: so-okta
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ WARM_DAYS }}
+
diff --git a/salt/curator/files/action/so-okta.delete.yml b/salt/curator/files/action/so-okta.delete.yml
new file mode 100644
index 000000000..1beeb0fc0
--- /dev/null
+++ b/salt/curator/files/action/so-okta.delete.yml
@@ -0,0 +1,29 @@
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-okta:delete', 365) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: delete_indices
+ description: >-
+ Delete okta indices when older than {{ DELETE_DAYS }} days.
+ options:
+ ignore_empty_list: True
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-okta.*|so-okta.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ DELETE_DAYS }}
+ exclude:
+
+
\ No newline at end of file
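Review bot: This file is named `so-okta.delete.yml` while every other delete template in the commit is `so-<source>-delete.yml`; anything that enumerates the action files by a `so-*-delete.yml` pattern, or derives the source name by splitting on `-`, will skip or mis-parse it, and the okta delete would then silently never run. Renaming it to `so-okta-delete.yml` to match `so-okta-close.yml` and `so-okta-warm.yml` is the whole fix. Whether anything actually globs these files is not visible in this hunk.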
diff --git a/salt/curator/files/action/so-osquery-delete.yml b/salt/curator/files/action/so-osquery-delete.yml
new file mode 100644
index 000000000..d77b1b3d1
--- /dev/null
+++ b/salt/curator/files/action/so-osquery-delete.yml
@@ -0,0 +1,29 @@
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-osquery:delete', 365) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: delete_indices
+ description: >-
+ Delete import indices when older than {{ DELETE_DAYS }} days.
+ options:
+ ignore_empty_list: True
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-osquery.*|so-osquery.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ DELETE_DAYS }}
+ exclude:
+
+
\ No newline at end of file
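Review bot: The `>-` description reads `Delete import indices when older than {{ DELETE_DAYS }} days.` but the filter below targets `^(logstash-osquery.*|so-osquery.*)$`, so the text looks copied from another template; it should read `Delete osquery indices when older than {{ DELETE_DAYS }} days.` Curator echoes the description in its action log, so the mismatch would mislead anyone reading run output to see which indices were removed.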
diff --git a/salt/curator/files/action/so-osquery-warm.yml b/salt/curator/files/action/so-osquery-warm.yml
new file mode 100644
index 000000000..156a83c7a
--- /dev/null
+++ b/salt/curator/files/action/so-osquery-warm.yml
@@ -0,0 +1,24 @@
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-osquery:warm', 7) -%}
+actions:
+ 1:
+ action: allocation
+ description: "Apply shard allocation filtering rules to the specified indices"
+ options:
+ key: box_type
+ value: warm
+ allocation_type: require
+ wait_for_completion: true
+ timeout_override:
+ continue_if_exception: false
+ disable_action: false
+ filters:
+ - filtertype: pattern
+ kind: prefix
+ value: so-osquery
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ WARM_DAYS }}
+
diff --git a/salt/curator/files/action/so-ossec-delete.yml b/salt/curator/files/action/so-ossec-delete.yml
new file mode 100644
index 000000000..7aea13e41
--- /dev/null
+++ b/salt/curator/files/action/so-ossec-delete.yml
@@ -0,0 +1,29 @@
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-ossec:delete', 365) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: delete_indices
+ description: >-
+ Delete ossec indices when older than {{ DELETE_DAYS }} days.
+ options:
+ ignore_empty_list: True
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-ossec.*|so-ossec.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ DELETE_DAYS }}
+ exclude:
+
+
\ No newline at end of file
diff --git a/salt/curator/files/action/so-ossec-warm.yml b/salt/curator/files/action/so-ossec-warm.yml
new file mode 100644
index 000000000..769d6cbea
--- /dev/null
+++ b/salt/curator/files/action/so-ossec-warm.yml
@@ -0,0 +1,24 @@
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-ossec:warm', 7) -%}
+actions:
+ 1:
+ action: allocation
+ description: "Apply shard allocation filtering rules to the specified indices"
+ options:
+ key: box_type
+ value: warm
+ allocation_type: require
+ wait_for_completion: true
+ timeout_override:
+ continue_if_exception: false
+ disable_action: false
+ filters:
+ - filtertype: pattern
+ kind: prefix
+ value: so-ossec
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ WARM_DAYS }}
+
diff --git a/salt/curator/files/action/so-proofpoint-close.yml b/salt/curator/files/action/so-proofpoint-close.yml
new file mode 100644
index 000000000..888c9fc64
--- /dev/null
+++ b/salt/curator/files/action/so-proofpoint-close.yml
@@ -0,0 +1,29 @@
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:close', 30) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: close
+ description: >-
+ Close proofpoint indices older than {{cur_close_days}} days.
+ options:
+ delete_aliases: False
+ timeout_override:
+ continue_if_exception: False
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-proofpoint.*|so-proofpoint.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{cur_close_days}}
+ exclude:
diff --git a/salt/curator/files/action/so-proofpoint-delete.yml b/salt/curator/files/action/so-proofpoint-delete.yml
new file mode 100644
index 000000000..903dde204
--- /dev/null
+++ b/salt/curator/files/action/so-proofpoint-delete.yml
@@ -0,0 +1,29 @@
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:delete', 365) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: delete_indices
+ description: >-
+ Delete proofpoint indices when older than {{ DELETE_DAYS }} days.
+ options:
+ ignore_empty_list: True
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-proofpoint.*|so-proofpoint.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ DELETE_DAYS }}
+ exclude:
+
+
\ No newline at end of file
diff --git a/salt/curator/files/action/so-proofpoint-warm.yml b/salt/curator/files/action/so-proofpoint-warm.yml
new file mode 100644
index 000000000..8304ae41a
--- /dev/null
+++ b/salt/curator/files/action/so-proofpoint-warm.yml
@@ -0,0 +1,24 @@
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:warm', 7) -%}
+actions:
+ 1:
+ action: allocation
+ description: "Apply shard allocation filtering rules to the specified indices"
+ options:
+ key: box_type
+ value: warm
+ allocation_type: require
+ wait_for_completion: true
+ timeout_override:
+ continue_if_exception: false
+ disable_action: false
+ filters:
+ - filtertype: pattern
+ kind: prefix
+ value: so-proofpoint
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ WARM_DAYS }}
+
diff --git a/salt/curator/files/action/so-radware-close.yml b/salt/curator/files/action/so-radware-close.yml
new file mode 100644
index 000000000..59a7bbafd
--- /dev/null
+++ b/salt/curator/files/action/so-radware-close.yml
@@ -0,0 +1,29 @@
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-radware:close', 30) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: close
+ description: >-
+ Close radware indices older than {{cur_close_days}} days.
+ options:
+ delete_aliases: False
+ timeout_override:
+ continue_if_exception: False
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-radware.*|so-radware.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{cur_close_days}}
+ exclude:
diff --git a/salt/curator/files/action/so-radware-delete.yml b/salt/curator/files/action/so-radware-delete.yml
new file mode 100644
index 000000000..1fe09cded
--- /dev/null
+++ b/salt/curator/files/action/so-radware-delete.yml
@@ -0,0 +1,29 @@
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-radware:delete', 365) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: delete_indices
+ description: >-
+ Delete radware indices when older than {{ DELETE_DAYS }} days.
+ options:
+ ignore_empty_list: True
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-radware.*|so-radware.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ DELETE_DAYS }}
+ exclude:
+
+
\ No newline at end of file
diff --git a/salt/curator/files/action/so-radware-warm.yml b/salt/curator/files/action/so-radware-warm.yml
new file mode 100644
index 000000000..8d4337aaf
--- /dev/null
+++ b/salt/curator/files/action/so-radware-warm.yml
@@ -0,0 +1,24 @@
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-radware:warm', 7) -%}
+actions:
+ 1:
+ action: allocation
+ description: "Apply shard allocation filtering rules to the specified indices"
+ options:
+ key: box_type
+ value: warm
+ allocation_type: require
+ wait_for_completion: true
+ timeout_override:
+ continue_if_exception: false
+ disable_action: false
+ filters:
+ - filtertype: pattern
+ kind: prefix
+ value: so-radware
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ WARM_DAYS }}
+
diff --git a/salt/curator/files/action/so-redis-close.yml b/salt/curator/files/action/so-redis-close.yml
new file mode 100644
index 000000000..b69935f21
--- /dev/null
+++ b/salt/curator/files/action/so-redis-close.yml
@@ -0,0 +1,29 @@
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-redis:close', 30) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: close
+ description: >-
+ Close redis indices older than {{cur_close_days}} days.
+ options:
+ delete_aliases: False
+ timeout_override:
+ continue_if_exception: False
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-redis.*|so-redis.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{cur_close_days}}
+ exclude:
diff --git a/salt/curator/files/action/so-redis-delete.yml b/salt/curator/files/action/so-redis-delete.yml
new file mode 100644
index 000000000..f6e73dce8
--- /dev/null
+++ b/salt/curator/files/action/so-redis-delete.yml
@@ -0,0 +1,29 @@
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-redis:delete', 365) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: delete_indices
+ description: >-
+ Delete redis indices when older than {{ DELETE_DAYS }} days.
+ options:
+ ignore_empty_list: True
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-redis.*|so-redis.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ DELETE_DAYS }}
+ exclude:
+
+
\ No newline at end of file
diff --git a/salt/curator/files/action/so-redis-warm.yml b/salt/curator/files/action/so-redis-warm.yml
new file mode 100644
index 000000000..a5b1055c3
--- /dev/null
+++ b/salt/curator/files/action/so-redis-warm.yml
@@ -0,0 +1,24 @@
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-redis:warm', 7) -%}
+actions:
+ 1:
+ action: allocation
+ description: "Apply shard allocation filtering rules to the specified indices"
+ options:
+ key: box_type
+ value: warm
+ allocation_type: require
+ wait_for_completion: true
+ timeout_override:
+ continue_if_exception: false
+ disable_action: false
+ filters:
+ - filtertype: pattern
+ kind: prefix
+ value: so-redis
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ WARM_DAYS }}
+
diff --git a/salt/curator/files/action/so-snort-close.yml b/salt/curator/files/action/so-snort-close.yml
new file mode 100644
index 000000000..8f6209255
--- /dev/null
+++ b/salt/curator/files/action/so-snort-close.yml
@@ -0,0 +1,29 @@
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-snort:close', 30) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: close
+ description: >-
+ Close snort indices older than {{cur_close_days}} days.
+ options:
+ delete_aliases: False
+ timeout_override:
+ continue_if_exception: False
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-snort.*|so-snort.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{cur_close_days}}
+ exclude:
diff --git a/salt/curator/files/action/so-snort-delete.yml b/salt/curator/files/action/so-snort-delete.yml
new file mode 100644
index 000000000..50f68988b
--- /dev/null
+++ b/salt/curator/files/action/so-snort-delete.yml
@@ -0,0 +1,29 @@
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-snort:delete', 365) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: delete_indices
+ description: >-
+ Delete snort indices when older than {{ DELETE_DAYS }} days.
+ options:
+ ignore_empty_list: True
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-snort.*|so-snort.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ DELETE_DAYS }}
+ exclude:
+
+
\ No newline at end of file
diff --git a/salt/curator/files/action/so-snort-warm.yml b/salt/curator/files/action/so-snort-warm.yml
new file mode 100644
index 000000000..3bbc977e2
--- /dev/null
+++ b/salt/curator/files/action/so-snort-warm.yml
@@ -0,0 +1,24 @@
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-snort:warm', 7) -%}
+actions:
+ 1:
+ action: allocation
+ description: "Apply shard allocation filtering rules to the specified indices"
+ options:
+ key: box_type
+ value: warm
+ allocation_type: require
+ wait_for_completion: true
+ timeout_override:
+ continue_if_exception: false
+ disable_action: false
+ filters:
+ - filtertype: pattern
+ kind: prefix
+ value: so-snort
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ WARM_DAYS }}
+
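Review bot: The allocation filter matches `kind: prefix` / `value: so-snort`, whereas the close and delete siblings match `^(logstash-snort.*|so-snort.*)$`, so a `logstash-snort-*` index is closed and eventually deleted by those actions but is never routed to `box_type: warm` nodes by this one. If that is deliberate (legacy-named indices get no warm tier), a comment above the filter saying so will stop the next reader from "fixing" it; otherwise use the same regex filter here: `kind: regex` / `value: '^(logstash-snort.*|so-snort.*)$'`. Every other `*-warm.yml` in this diff has the same divergence from its siblings. The description is also Curator's generic example text; `description: >-` / `Move so-snort indices older than {{ WARM_DAYS }} days to box_type=warm nodes.` would say what this file does.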
diff --git a/salt/curator/files/action/so-snyk-close.yml b/salt/curator/files/action/so-snyk-close.yml
new file mode 100644
index 000000000..e13d8f98d
--- /dev/null
+++ b/salt/curator/files/action/so-snyk-close.yml
@@ -0,0 +1,29 @@
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-snyk:close', 30) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: close
+ description: >-
+ Close snyk indices older than {{cur_close_days}} days.
+ options:
+ delete_aliases: False
+ timeout_override:
+ continue_if_exception: False
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-snyk.*|so-snyk.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{cur_close_days}}
+ exclude:
diff --git a/salt/curator/files/action/so-snyk-delete.yml b/salt/curator/files/action/so-snyk-delete.yml
new file mode 100644
index 000000000..cec0b942f
--- /dev/null
+++ b/salt/curator/files/action/so-snyk-delete.yml
@@ -0,0 +1,29 @@
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-snyk:delete', 365) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: delete_indices
+ description: >-
+ Delete snyk indices when older than {{ DELETE_DAYS }} days.
+ options:
+ ignore_empty_list: True
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-snyk.*|so-snyk.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ DELETE_DAYS }}
+ exclude:
+
+
\ No newline at end of file
diff --git a/salt/curator/files/action/so-snyk-warm.yml b/salt/curator/files/action/so-snyk-warm.yml
new file mode 100644
index 000000000..f9b10bbdd
--- /dev/null
+++ b/salt/curator/files/action/so-snyk-warm.yml
@@ -0,0 +1,24 @@
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-snyk:warm', 7) -%}
+actions:
+ 1:
+ action: allocation
+ description: "Apply shard allocation filtering rules to the specified indices"
+ options:
+ key: box_type
+ value: warm
+ allocation_type: require
+ wait_for_completion: true
+ timeout_override:
+ continue_if_exception: false
+ disable_action: false
+ filters:
+ - filtertype: pattern
+ kind: prefix
+ value: so-snyk
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ WARM_DAYS }}
+
diff --git a/salt/curator/files/action/so-sonicwall-close.yml b/salt/curator/files/action/so-sonicwall-close.yml
new file mode 100644
index 000000000..9cc23d3af
--- /dev/null
+++ b/salt/curator/files/action/so-sonicwall-close.yml
@@ -0,0 +1,29 @@
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:close', 30) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: close
+ description: >-
+ Close sonicwall indices older than {{cur_close_days}} days.
+ options:
+ delete_aliases: False
+ timeout_override:
+ continue_if_exception: False
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-sonicwall.*|so-sonicwall.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{cur_close_days}}
+ exclude:
diff --git a/salt/curator/files/action/so-sonicwall-delete.yml b/salt/curator/files/action/so-sonicwall-delete.yml
new file mode 100644
index 000000000..c7d38361f
--- /dev/null
+++ b/salt/curator/files/action/so-sonicwall-delete.yml
@@ -0,0 +1,29 @@
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:delete', 365) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: delete_indices
+ description: >-
+ Delete sonicwall indices when older than {{ DELETE_DAYS }} days.
+ options:
+ ignore_empty_list: True
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-sonicwall.*|so-sonicwall.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ DELETE_DAYS }}
+ exclude:
+
+
\ No newline at end of file
diff --git a/salt/curator/files/action/so-sonicwall-warm.yml b/salt/curator/files/action/so-sonicwall-warm.yml
new file mode 100644
index 000000000..fa8ceb3e4
--- /dev/null
+++ b/salt/curator/files/action/so-sonicwall-warm.yml
@@ -0,0 +1,24 @@
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:warm', 7) -%}
+actions:
+ 1:
+ action: allocation
+ description: "Apply shard allocation filtering rules to the specified indices"
+ options:
+ key: box_type
+ value: warm
+ allocation_type: require
+ wait_for_completion: true
+ timeout_override:
+ continue_if_exception: false
+ disable_action: false
+ filters:
+ - filtertype: pattern
+ kind: prefix
+ value: so-sonicwall
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ WARM_DAYS }}
+
diff --git a/salt/curator/files/action/so-sophos-close.yml b/salt/curator/files/action/so-sophos-close.yml
new file mode 100644
index 000000000..b7574b996
--- /dev/null
+++ b/salt/curator/files/action/so-sophos-close.yml
@@ -0,0 +1,29 @@
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-sophos:close', 30) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: close
+ description: >-
+ Close sophos indices older than {{cur_close_days}} days.
+ options:
+ delete_aliases: False
+ timeout_override:
+ continue_if_exception: False
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-sophos.*|so-sophos.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{cur_close_days}}
+ exclude:
diff --git a/salt/curator/files/action/so-sophos-delete.yml b/salt/curator/files/action/so-sophos-delete.yml
new file mode 100644
index 000000000..433df908a
--- /dev/null
+++ b/salt/curator/files/action/so-sophos-delete.yml
@@ -0,0 +1,29 @@
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-sophos:delete', 365) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: delete_indices
+ description: >-
+ Delete sophos indices when older than {{ DELETE_DAYS }} days.
+ options:
+ ignore_empty_list: True
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-sophos.*|so-sophos.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ DELETE_DAYS }}
+ exclude:
+
+
\ No newline at end of file
diff --git a/salt/curator/files/action/so-sophos-warm.yml b/salt/curator/files/action/so-sophos-warm.yml
new file mode 100644
index 000000000..40cc60084
--- /dev/null
+++ b/salt/curator/files/action/so-sophos-warm.yml
@@ -0,0 +1,24 @@
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-sophos:warm', 7) -%}
+actions:
+ 1:
+ action: allocation
+ description: "Apply shard allocation filtering rules to the specified indices"
+ options:
+ key: box_type
+ value: warm
+ allocation_type: require
+ wait_for_completion: true
+ timeout_override:
+ continue_if_exception: false
+ disable_action: false
+ filters:
+ - filtertype: pattern
+ kind: prefix
+ value: so-sophos
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ WARM_DAYS }}
+
diff --git a/salt/curator/files/action/so-strelka-delete.yml b/salt/curator/files/action/so-strelka-delete.yml
new file mode 100644
index 000000000..3487aeb6d
--- /dev/null
+++ b/salt/curator/files/action/so-strelka-delete.yml
@@ -0,0 +1,29 @@
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-strelka:delete', 365) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: delete_indices
+ description: >-
+ Delete Strelka indices when older than {{ DELETE_DAYS }} days.
+ options:
+ ignore_empty_list: True
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-strelka.*|so-strelka.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ DELETE_DAYS }}
+ exclude:
+
+
\ No newline at end of file
diff --git a/salt/curator/files/action/so-strelka-warm.yml b/salt/curator/files/action/so-strelka-warm.yml
new file mode 100644
index 000000000..cfa88b0c1
--- /dev/null
+++ b/salt/curator/files/action/so-strelka-warm.yml
@@ -0,0 +1,24 @@
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-strelka:warm', 7) -%}
+actions:
+ 1:
+ action: allocation
+ description: "Apply shard allocation filtering rules to the specified indices"
+ options:
+ key: box_type
+ value: warm
+ allocation_type: require
+ wait_for_completion: true
+ timeout_override:
+ continue_if_exception: false
+ disable_action: false
+ filters:
+ - filtertype: pattern
+ kind: prefix
+ value: so-strelka
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ WARM_DAYS }}
+
diff --git a/salt/curator/files/action/so-syslog-delete.yml b/salt/curator/files/action/so-syslog-delete.yml
new file mode 100644
index 000000000..5fe7417ad
--- /dev/null
+++ b/salt/curator/files/action/so-syslog-delete.yml
@@ -0,0 +1,29 @@
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-syslog:delete', 365) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: delete_indices
+ description: >-
+ Delete syslog indices when older than {{ DELETE_DAYS }} days.
+ options:
+ ignore_empty_list: True
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-syslog.*|so-syslog.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ DELETE_DAYS }}
+ exclude:
+
+
\ No newline at end of file
diff --git a/salt/curator/files/action/so-syslog-warm.yml b/salt/curator/files/action/so-syslog-warm.yml
new file mode 100644
index 000000000..e5ebb2fa6
--- /dev/null
+++ b/salt/curator/files/action/so-syslog-warm.yml
@@ -0,0 +1,24 @@
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-syslog:warm', 7) -%}
+actions:
+ 1:
+ action: allocation
+ description: "Apply shard allocation filtering rules to the specified indices"
+ options:
+ key: box_type
+ value: warm
+ allocation_type: require
+ wait_for_completion: true
+ timeout_override:
+ continue_if_exception: false
+ disable_action: false
+ filters:
+ - filtertype: pattern
+ kind: prefix
+ value: so-syslog
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ WARM_DAYS }}
+
diff --git a/salt/curator/files/action/so-tomcat-close.yml b/salt/curator/files/action/so-tomcat-close.yml
new file mode 100644
index 000000000..ea0d95b0a
--- /dev/null
+++ b/salt/curator/files/action/so-tomcat-close.yml
@@ -0,0 +1,29 @@
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:close', 30) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: close
+ description: >-
+ Close tomcat indices older than {{cur_close_days}} days.
+ options:
+ delete_aliases: False
+ timeout_override:
+ continue_if_exception: False
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-tomcat.*|so-tomcat.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{cur_close_days}}
+ exclude:
diff --git a/salt/curator/files/action/so-tomcat-delete.yml b/salt/curator/files/action/so-tomcat-delete.yml
new file mode 100644
index 000000000..77035613f
--- /dev/null
+++ b/salt/curator/files/action/so-tomcat-delete.yml
@@ -0,0 +1,29 @@
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:delete', 365) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: delete_indices
+ description: >-
+ Delete tomcat indices when older than {{ DELETE_DAYS }} days.
+ options:
+ ignore_empty_list: True
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-tomcat.*|so-tomcat.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ DELETE_DAYS }}
+ exclude:
+
+
\ No newline at end of file
diff --git a/salt/curator/files/action/so-tomcat-warm.yml b/salt/curator/files/action/so-tomcat-warm.yml
new file mode 100644
index 000000000..8fb7884c0
--- /dev/null
+++ b/salt/curator/files/action/so-tomcat-warm.yml
@@ -0,0 +1,24 @@
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:warm', 7) -%}
+actions:
+ 1:
+ action: allocation
+ description: "Apply shard allocation filtering rules to the specified indices"
+ options:
+ key: box_type
+ value: warm
+ allocation_type: require
+ wait_for_completion: true
+ timeout_override:
+ continue_if_exception: false
+ disable_action: false
+ filters:
+ - filtertype: pattern
+ kind: prefix
+ value: so-tomcat
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ WARM_DAYS }}
+
diff --git a/salt/curator/files/action/so-zeek-delete.yml b/salt/curator/files/action/so-zeek-delete.yml
new file mode 100644
index 000000000..0694c2aed
--- /dev/null
+++ b/salt/curator/files/action/so-zeek-delete.yml
@@ -0,0 +1,29 @@
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-zeek:delete', 365) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: delete_indices
+ description: >-
+ Delete Zeek indices when older than {{ DELETE_DAYS }} days.
+ options:
+ ignore_empty_list: True
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-zeek.*|so-zeek.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ DELETE_DAYS }}
+ exclude:
+
+
\ No newline at end of file
diff --git a/salt/curator/files/action/so-zeek-warm.yml b/salt/curator/files/action/so-zeek-warm.yml
new file mode 100644
index 000000000..2b4b6a729
--- /dev/null
+++ b/salt/curator/files/action/so-zeek-warm.yml
@@ -0,0 +1,24 @@
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-zeek:warm', 7) -%}
+actions:
+ 1:
+ action: allocation
+ description: "Apply shard allocation filtering rules to the specified indices"
+ options:
+ key: box_type
+ value: warm
+ allocation_type: require
+ wait_for_completion: true
+ timeout_override:
+ continue_if_exception: false
+ disable_action: false
+ filters:
+ - filtertype: pattern
+ kind: prefix
+ value: so-zeek
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ WARM_DAYS }}
+
diff --git a/salt/curator/files/action/so-zscaler-close.yml b/salt/curator/files/action/so-zscaler-close.yml
new file mode 100644
index 000000000..5a008a27d
--- /dev/null
+++ b/salt/curator/files/action/so-zscaler-close.yml
@@ -0,0 +1,29 @@
+{%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:close', 30) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: close
+ description: >-
+ Close zscaler indices older than {{cur_close_days}} days.
+ options:
+ delete_aliases: False
+ timeout_override:
+ continue_if_exception: False
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-zscaler.*|so-zscaler.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{cur_close_days}}
+ exclude:
diff --git a/salt/curator/files/action/so-zscaler-delete.yml b/salt/curator/files/action/so-zscaler-delete.yml
new file mode 100644
index 000000000..238fea083
--- /dev/null
+++ b/salt/curator/files/action/so-zscaler-delete.yml
@@ -0,0 +1,29 @@
+{%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:delete', 365) -%}
+---
+# Remember, leave a key empty if there is no value. None will be a string,
+# not a Python "NoneType"
+#
+# Also remember that all examples have 'disable_action' set to True. If you
+# want to use this action as a template, be sure to set this to False after
+# copying it.
+actions:
+ 1:
+ action: delete_indices
+ description: >-
+ Delete zscaler indices when older than {{ DELETE_DAYS }} days.
+ options:
+ ignore_empty_list: True
+ disable_action: False
+ filters:
+ - filtertype: pattern
+ kind: regex
+ value: '^(logstash-zscaler.*|so-zscaler.*)$'
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ DELETE_DAYS }}
+ exclude:
+
+
\ No newline at end of file
diff --git a/salt/curator/files/action/so-zscaler-warm.yml b/salt/curator/files/action/so-zscaler-warm.yml
new file mode 100644
index 000000000..8a7d8187a
--- /dev/null
+++ b/salt/curator/files/action/so-zscaler-warm.yml
@@ -0,0 +1,24 @@
+{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:warm', 7) -%}
+actions:
+ 1:
+ action: allocation
+ description: "Apply shard allocation filtering rules to the specified indices"
+ options:
+ key: box_type
+ value: warm
+ allocation_type: require
+ wait_for_completion: true
+ timeout_override:
+ continue_if_exception: false
+ disable_action: false
+ filters:
+ - filtertype: pattern
+ kind: prefix
+ value: so-zscaler
+ - filtertype: age
+ source: name
+ direction: older
+ timestring: '%Y.%m.%d'
+ unit: days
+ unit_count: {{ WARM_DAYS }}
+
diff --git a/salt/curator/files/action/warm.yml b/salt/curator/files/action/warm.yml
deleted file mode 100644
index efa2196b2..000000000
--- a/salt/curator/files/action/warm.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-#actions:
-# 1:
-# action: allocation
-# description: "Apply shard allocation filtering rules to the specified indices"
-# options:
-# key: box_type
-# value: warm
-# allocation_type: require
-# wait_for_completion: true
-# timeout_override:
-# continue_if_exception: false
-# disable_action: false
-# filters:
-# - filtertype: pattern
-# kind: prefix
-# value: so-
-# - filtertype: age
-# source: name
-# direction: older
-# timestring: '%Y.%m.%d'
-# unit: days
-# unit_count: 3
-
diff --git a/salt/curator/files/bin/so-curator-cluster-close b/salt/curator/files/bin/so-curator-cluster-close
new file mode 100644
index 000000000..7b8c41c9e
--- /dev/null
+++ b/salt/curator/files/bin/so-curator-cluster-close
@@ -0,0 +1,44 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+APP=close
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf
+
+{% from 'filebeat/map.jinja' import THIRDPARTY with context %}
+{% from 'filebeat/map.jinja' import SO with context %}
+
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-zeek-close.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-beats-close.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-firewall-close.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ids-close.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-import-close.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-osquery-close.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ossec-close.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-close.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-syslog-close.yml > /dev/null 2>&1;
+{% for INDEX in THIRDPARTY.modules.keys() -%}
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-{{ INDEX }}-close.yml > /dev/null 2>&1;
+{% endfor -%}
+{% for INDEX in SO.modules.keys() -%}
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-{{ INDEX }}-close.yml > /dev/null 2>&1{% if not loop.last %};{% endif %}
+{% endfor -%}
\ No newline at end of file
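Review bot: The PID lock (`lf=/tmp/$APP-pidLockFile` through `echo $$ > $lf`) is read and written by root — init.sls schedules this script as a root cron — from a fixed, predictable name in world-writable /tmp, so a local user who pre-creates that file with a long-lived PID can make the script exit before it runs (retention silently stops and disk fills), and a symlink at that name would redirect root's write elsewhere. A kernel-enforced lock in a root-owned directory removes both issues and also handles PID reuse, which the `-d /proc/$lastPID` test does not: `lf=/var/lock/so-curator-cluster-$APP.lock`, `exec 9>"$lf" || exit 1`, `flock -n 9 || exit 0`. The `so-curator-cluster-delete` and `so-curator-cluster-warm` scripts below carry the same lock logic and need the same change.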
diff --git a/salt/curator/files/bin/so-curator-cluster-delete b/salt/curator/files/bin/so-curator-cluster-delete
new file mode 100644
index 000000000..21195da5d
--- /dev/null
+++ b/salt/curator/files/bin/so-curator-cluster-delete
@@ -0,0 +1,44 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+APP=delete
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf
+
+{% from 'filebeat/map.jinja' import THIRDPARTY with context %}
+{% from 'filebeat/map.jinja' import SO with context %}
+
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-zeek-delete.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-beats-delete.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-firewall-delete.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ids-delete.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-import-delete.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-osquery-delete.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ossec-delete.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-delete.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-syslog-delete.yml > /dev/null 2>&1;
+{% for INDEX in THIRDPARTY.modules.keys() -%}
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-{{ INDEX }}-delete.yml > /dev/null 2>&1;
+{% endfor -%}
+{% for INDEX in SO.modules.keys() -%}
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-{{ INDEX }}-delete.yml > /dev/null 2>&1{% if not loop.last %};{% endif %}
+{% endfor -%}
\ No newline at end of file
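Review bot: Every `docker exec … curator …` line discards stdout and stderr with `> /dev/null 2>&1`, while the cron entry in init.sls redirects this script into `/opt/so/log/curator/cron-delete.log`, so that log will always be empty and a curator failure (bad action file, unreachable cluster, missing file) leaves no trace that index deletion has stopped. For a script whose job is irreversible deletion, at least stderr should reach the cron log: `… /etc/curator/action/so-{{ INDEX }}-delete.yml >/dev/null;`. This matters for the sibling close script too, which invokes `so-strelka-close.yml` and `so-syslog-close.yml` that I do not see added in this diff; if they are absent, curator exits non-zero and nothing records it. The warm script has the same redirection.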
diff --git a/salt/curator/files/bin/so-curator-cluster-warm b/salt/curator/files/bin/so-curator-cluster-warm
new file mode 100644
index 000000000..4348ba2e3
--- /dev/null
+++ b/salt/curator/files/bin/so-curator-cluster-warm
@@ -0,0 +1,44 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+APP=warm
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf
+
+{% from 'filebeat/map.jinja' import THIRDPARTY with context %}
+{% from 'filebeat/map.jinja' import SO with context %}
+
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-zeek-warm.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-beats-warm.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-firewall-warm.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ids-warm.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-import-warm.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-osquery-warm.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ossec-warm.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-warm.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-syslog-warm.yml > /dev/null 2>&1;
+{% for INDEX in THIRDPARTY.modules.keys() -%}
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-{{ INDEX }}-warm.yml > /dev/null 2>&1;
+{% endfor -%}
+{% for INDEX in SO.modules.keys() -%}
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-{{ INDEX }}-warm.yml > /dev/null 2>&1{% if not loop.last %};{% endif %}
+{% endfor -%}
\ No newline at end of file
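Review bot: The `{% if not loop.last %};{% endif %}` on the last loop's `docker exec` line is a no-op as written: each command already sits on its own line, so the trailing `;` on every other line does nothing and omitting it on the final one only makes that line differ cosmetically from the rest. Dropping the conditional and ending every line the same way reads cleaner; the close and delete scripts share the construct. Separately, the hard-coded list (zeek, beats, firewall, …) is followed by loops over `THIRDPARTY.modules` and `SO.modules`; if any of those names also appears in either map the action file is run twice per hour, which is harmless for allocation but worth a comment, e.g. `# Hard-coded entries cover indices not present in filebeat/map.jinja; do not duplicate map keys here.`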
diff --git a/salt/curator/init.sls b/salt/curator/init.sls
index 1acea5d25..87e1fec33 100644
--- a/salt/curator/init.sls
+++ b/salt/curator/init.sls
@@ -5,6 +5,9 @@
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
{% set MANAGER = salt['grains.get']('master') %}
{% set REMOVECURATORCRON = False %}
+{% set TRUECLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False) %}
+{% set HOTWARM = salt['pillar.get']('elasticsearch:hot_warm_enabled', False) %}
+
{% if grains['role'] in ['so-eval', 'so-node', 'so-managersearch', 'so-heavynode', 'so-standalone', 'so-manager'] %}
{% from 'elasticsearch/auth.map.jinja' import ELASTICAUTH with context %}
{% from "curator/map.jinja" import CURATOROPTIONS with context %}
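Review bot: `TRUECLUSTER` and `HOTWARM` default to the boolean `False` but are later tested with `is sameas true` (the `{% if TRUECLUSTER is sameas true %}` branch further down), which only matches a genuine boolean; a pillar that spells the flag as the string `'true'` or the integer `1` silently lands in the non-cluster branch with no error. A one-line comment at the read site would make the contract visible to whoever edits the pillar: `{# elasticsearch:true_cluster / hot_warm_enabled must be YAML booleans; a quoted 'true' is ignored by the sameas test below #}`.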
@@ -89,6 +92,33 @@ curdel:
- group: 939
- mode: 755
+curclusterclose:
+ file.managed:
+ - name: /usr/sbin/so-curator-cluster-close
+ - source: salt://curator/files/bin/so-curator-cluster-close
+ - user: 934
+ - group: 939
+ - mode: 755
+ - template: jinja
+
+curclusterdelete:
+ file.managed:
+ - name: /usr/sbin/so-curator-cluster-delete
+ - source: salt://curator/files/bin/so-curator-cluster-delete
+ - user: 934
+ - group: 939
+ - mode: 755
+ - template: jinja
+
+curclustercwarm:
+ file.managed:
+ - name: /usr/sbin/so-curator-cluster-warm
+ - source: salt://curator/files/bin/so-curator-cluster-warm
+ - user: 934
+ - group: 939
+ - mode: 755
+ - template: jinja
+
so-curator:
docker_container.{{ CURATOROPTIONS.status }}:
{% if CURATOROPTIONS.status == 'running' %}
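Review bot: The third state ID is `curclustercwarm` (stray `c`) while its siblings are `curclusterclose` and `curclusterdelete`; state IDs are referenced by `require`/`watch` elsewhere, so the typo is worth fixing now: `curclusterwarm:`. These three `file.managed` states also install the cluster scripts under `/usr/sbin` on every role in the enclosing role check regardless of `TRUECLUSTER`, whereas the cron entries that run them are gated on that flag; if the scripts are only meaningful in a true cluster, wrapping the states in the same `{% if TRUECLUSTER is sameas true %}` keeps unused root-executed scripts off single-node installs. The enclosing `{% if grains['role'] in … %}` block begins outside this hunk.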
@@ -148,62 +178,87 @@ delete_so-curator_so-status:
{% if REMOVECURATORCRON %}
so-curatorcloseddeletecron:
- cron.absent:
- - name: /usr/sbin/so-curator-closed-delete > /opt/so/log/curator/cron-closed-delete.log 2>&1
- - user: root
+ cron.absent:
+ - name: /usr/sbin/so-curator-closed-delete > /opt/so/log/curator/cron-closed-delete.log 2>&1
+ - user: root
so-curatorclosecron:
- cron.absent:
- - name: /usr/sbin/so-curator-close > /opt/so/log/curator/cron-close.log 2>&1
- - user: root
+ cron.absent:
+ - name: /usr/sbin/so-curator-close > /opt/so/log/curator/cron-close.log 2>&1
+ - user: root
so-curatordeletecron:
- cron.absent:
- - name: /usr/sbin/so-curator-delete > /opt/so/log/curator/cron-delete.log 2>&1
- - user: root
+ cron.absent:
+ - name: /usr/sbin/so-curator-delete > /opt/so/log/curator/cron-delete.log 2>&1
+ - user: root
{% else %}
+ {% if TRUECLUSTER is sameas true %}
+so-curatorclusterclose:
+ cron.present:
+ - name: /usr/sbin/so-curator-cluster-close > /opt/so/log/curator/cron-close.log 2>&1
+ - user: root
+ - minute: '2'
+ - hour: '*/1'
+ - daymonth: '*'
+ - month: '*'
+ - dayweek: '*'
+
+so-curatorclusterdelete:
+ cron.present:
+ - name: /usr/sbin/so-curator-cluster-delete > /opt/so/log/curator/cron-delete.log 2>&1
+ - user: root
+ - minute: '2'
+ - hour: '*/1'
+ - daymonth: '*'
+ - month: '*'
+ - dayweek: '*'
+ {% if HOTWARM is sameas true %}
+so-curatorclusterwarm:
+ cron.present:
+ - name: /usr/sbin/so-curator-cluster-warm > /opt/so/log/curator/cron-warm.log 2>&1
+ - user: root
+ - minute: '2'
+ - hour: '*/1'
+ - daymonth: '*'
+ - month: '*'
+ - dayweek: '*'
+ {% endif %}
+
+ {% else %}
so-curatorcloseddeletecron:
- cron.present:
- - name: /usr/sbin/so-curator-closed-delete > /opt/so/log/curator/cron-closed-delete.log 2>&1
- - user: root
- - minute: '*'
- - hour: '*'
- - daymonth: '*'
- - month: '*'
- - dayweek: '*'
+ cron.present:
+ - name: /usr/sbin/so-curator-closed-delete > /opt/so/log/curator/cron-closed-delete.log 2>&1
+ - user: root
+ - minute: '*/5'
+ - hour: '*'
+ - daymonth: '*'
+ - month: '*'
+ - dayweek: '*'
so-curatorclosecron:
- cron.present:
- - name: /usr/sbin/so-curator-close > /opt/so/log/curator/cron-close.log 2>&1
- - user: root
- - minute: '*'
- - hour: '*'
- - daymonth: '*'
- - month: '*'
- - dayweek: '*'
+ cron.present:
+ - name: /usr/sbin/so-curator-close > /opt/so/log/curator/cron-close.log 2>&1
+ - user: root
+ - minute: '*/5'
+ - hour: '*'
+ - daymonth: '*'
+ - month: '*'
+ - dayweek: '*'
so-curatordeletecron:
- cron.present:
- - name: /usr/sbin/so-curator-delete > /opt/so/log/curator/cron-delete.log 2>&1
- - user: root
- - minute: '*'
- - hour: '*'
- - daymonth: '*'
- - month: '*'
- - dayweek: '*'
-
+ cron.present:
+ - name: /usr/sbin/so-curator-delete > /opt/so/log/curator/cron-delete.log 2>&1
+ - user: root
+ - minute: '*/5'
+ - hour: '*'
+ - daymonth: '*'
+ - month: '*'
+ - dayweek: '*'
+
+ {% endif %}
{% endif %}
-
-# Begin Curator Cron Jobs
-
-# Close
-# Delete
-# Hot Warm
-# Segment Merge
-
-# End Curator Cron Jobs
{% endif %}
{% else %}
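Review bot: When `TRUECLUSTER` flips to true on an existing node, the three legacy entries (`so-curator-closed-delete`, `so-curator-close`, `so-curator-delete`) are no longer declared at all, and the only `cron.absent` for them is behind `REMOVECURATORCRON`, so the old per-node crontab lines keep running every five minutes alongside the new hourly cluster jobs; the same gap exists in reverse for the cluster entries, and for `so-curatorclusterwarm` once `HOTWARM` is disabled. Declare the inactive set `cron.absent` in each branch so a pillar change converges the crontab instead of accumulating stale jobs. Also note the three cluster jobs all fire at minute `2` of every hour against the same `so-curator` container; staggering the minutes would avoid close, delete and warm contending for it. The enclosing `{% if grains['role'] in [...] %}` block starts in an earlier hunk.
```yaml
  {% if TRUECLUSTER is sameas true %}
# legacy per-node jobs must go away when a node switches to cluster mode
so-curatorcloseddeletecron:
  cron.absent:
    - name: /usr/sbin/so-curator-closed-delete > /opt/so/log/curator/cron-closed-delete.log 2>&1
    - user: root
so-curatorclosecron:
  cron.absent:
    - name: /usr/sbin/so-curator-close > /opt/so/log/curator/cron-close.log 2>&1
    - user: root
so-curatordeletecron:
  cron.absent:
    - name: /usr/sbin/so-curator-delete > /opt/so/log/curator/cron-delete.log 2>&1
    - user: root
# … unchanged: so-curatorclusterclose / so-curatorclusterdelete / so-curatorclusterwarm cron.present …
  {% else %}
# mirror image: remove the cluster jobs here (so-curatorclusterclose, -delete, -warm) before the legacy cron.present states
# … unchanged: legacy cron.present states …
```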
diff --git a/salt/curator/map.jinja b/salt/curator/map.jinja
index 470143a4f..bbcff2a9c 100644
--- a/salt/curator/map.jinja
+++ b/salt/curator/map.jinja
@@ -4,10 +4,10 @@
{% do CURATOROPTIONS.update({'manage_sostatus': True}) %}
# don't start the docker container if curator is disabled via pillar
-{% if not ENABLED or grains.id.split('_')|last == 'manager'%}
+{% if not ENABLED or (TRUECLUSTER and grains.id.split('_')|last == 'searchnode') or (not TRUECLUSTER and grains.id.split('_')|last == 'manager') %}
{% do CURATOROPTIONS.update({'start': False}) %}
{% do CURATOROPTIONS.update({'status': 'absent'}) %}
- {% if grains.id.split('_')|last == 'manager' %}
+ {% if (TRUECLUSTER and grains.id.split('_')|last == 'searchnode') or (not TRUECLUSTER and grains.id.split('_')|last == 'manager') %}
{% do CURATOROPTIONS.update({'manage_sostatus': False}) %}
{% endif %}
{% else %}
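Review bot: The node-selection expression is now written out twice (the outer `{% if %}` and the nested one), which is exactly the kind of duplication that drifts on the next edit; compute it once, e.g. `{% set SKIP_CURATOR_HERE = (TRUECLUSTER and grains.id.split('_')|last == 'searchnode') or (not TRUECLUSTER and grains.id.split('_')|last == 'manager') %}`, then `{% if not ENABLED or SKIP_CURATOR_HERE %}` and `{% if SKIP_CURATOR_HERE %}`. `TRUECLUSTER` is not defined within this hunk; if it is not set in lines 1-3 of map.jinja, an undefined name here evaluates as falsy and silently restores the old manager-only behaviour. A one-line comment stating the intent (`# cluster mode: only the manager runs curator; otherwise each search node runs its own`) would make the branch readable without reverse-engineering the grain suffixes.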
diff --git a/salt/elasticsearch/templates/so/so-aws-template.json.jinja b/salt/elasticsearch/templates/so/so-aws-template.json.jinja
new file mode 100644
index 000000000..19b23dfba
--- /dev/null
+++ b/salt/elasticsearch/templates/so/so-aws-template.json.jinja
@@ -0,0 +1,13 @@
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-aws:shards', 1) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-aws:refresh', '30s') %}
+{
+ "index_patterns": ["so-aws-*"],
+ "version":50001,
+ "order":11,
+ "settings":{
+ "number_of_replicas":{{ REPLICAS }},
+ "number_of_shards":{{ SHARDS }},
+ "index.refresh_interval":"{{ REFRESH }}"
+ }
+}
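Review bot: `{{ REPLICAS }}` and `{{ SHARDS }}` are interpolated unquoted, so any non-numeric pillar override renders unparseable JSON rather than a clear Elasticsearch validation error; `"number_of_shards":{{ SHARDS|int }}` and `"number_of_replicas":{{ REPLICAS|int }}` at least keep the document well-formed. This file and the roughly thirty siblings added below are byte-identical apart from the module name, which is how the copy-paste mistake in the fortinet and redis templates crept in; a single template parameterised by the module name (the same loop the cluster scripts already use over the module lists) would remove that class of error. Both points apply to every `so-*-template.json.jinja` hunk in this commit; noted once here.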
diff --git a/salt/elasticsearch/templates/so/so-azure-template.json.jinja b/salt/elasticsearch/templates/so/so-azure-template.json.jinja
new file mode 100644
index 000000000..51a266479
--- /dev/null
+++ b/salt/elasticsearch/templates/so/so-azure-template.json.jinja
@@ -0,0 +1,13 @@
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-azure:shards', 1) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-azure:refresh', '30s') %}
+{
+ "index_patterns": ["so-azure-*"],
+ "version":50001,
+ "order":11,
+ "settings":{
+ "number_of_replicas":{{ REPLICAS }},
+ "number_of_shards":{{ SHARDS }},
+ "index.refresh_interval":"{{ REFRESH }}"
+ }
+}
diff --git a/salt/elasticsearch/templates/so/so-barracuda-template.json.jinja b/salt/elasticsearch/templates/so/so-barracuda-template.json.jinja
new file mode 100644
index 000000000..66967d6d1
--- /dev/null
+++ b/salt/elasticsearch/templates/so/so-barracuda-template.json.jinja
@@ -0,0 +1,13 @@
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:shards', 1) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:refresh', '30s') %}
+{
+ "index_patterns": ["so-barracuda-*"],
+ "version":50001,
+ "order":11,
+ "settings":{
+ "number_of_replicas":{{ REPLICAS }},
+ "number_of_shards":{{ SHARDS }},
+ "index.refresh_interval":"{{ REFRESH }}"
+ }
+}
diff --git a/salt/elasticsearch/templates/so/so-bluecoat-template.json.jinja b/salt/elasticsearch/templates/so/so-bluecoat-template.json.jinja
new file mode 100644
index 000000000..b1714183e
--- /dev/null
+++ b/salt/elasticsearch/templates/so/so-bluecoat-template.json.jinja
@@ -0,0 +1,13 @@
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:shards', 1) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:refresh', '30s') %}
+{
+ "index_patterns": ["so-bluecoat-*"],
+ "version":50001,
+ "order":11,
+ "settings":{
+ "number_of_replicas":{{ REPLICAS }},
+ "number_of_shards":{{ SHARDS }},
+ "index.refresh_interval":"{{ REFRESH }}"
+ }
+}
diff --git a/salt/elasticsearch/templates/so/so-cef-template.json.jinja b/salt/elasticsearch/templates/so/so-cef-template.json.jinja
new file mode 100644
index 000000000..0081d42e1
--- /dev/null
+++ b/salt/elasticsearch/templates/so/so-cef-template.json.jinja
@@ -0,0 +1,13 @@
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-cef:shards', 1) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-cef:refresh', '30s') %}
+{
+ "index_patterns": ["so-cef-*"],
+ "version":50001,
+ "order":11,
+ "settings":{
+ "number_of_replicas":{{ REPLICAS }},
+ "number_of_shards":{{ SHARDS }},
+ "index.refresh_interval":"{{ REFRESH }}"
+ }
+}
diff --git a/salt/elasticsearch/templates/so/so-checkpoint-template.json.jinja b/salt/elasticsearch/templates/so/so-checkpoint-template.json.jinja
new file mode 100644
index 000000000..5d41946cf
--- /dev/null
+++ b/salt/elasticsearch/templates/so/so-checkpoint-template.json.jinja
@@ -0,0 +1,13 @@
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:shards', 1) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:refresh', '30s') %}
+{
+ "index_patterns": ["so-checkpoint-*"],
+ "version":50001,
+ "order":11,
+ "settings":{
+ "number_of_replicas":{{ REPLICAS }},
+ "number_of_shards":{{ SHARDS }},
+ "index.refresh_interval":"{{ REFRESH }}"
+ }
+}
diff --git a/salt/elasticsearch/templates/so/so-cisco-template.json.jinja b/salt/elasticsearch/templates/so/so-cisco-template.json.jinja
new file mode 100644
index 000000000..e6e6d14d0
--- /dev/null
+++ b/salt/elasticsearch/templates/so/so-cisco-template.json.jinja
@@ -0,0 +1,13 @@
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-cisco:shards', 1) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-cisco:refresh', '30s') %}
+{
+ "index_patterns": ["so-cisco-*"],
+ "version":50001,
+ "order":11,
+ "settings":{
+ "number_of_replicas":{{ REPLICAS }},
+ "number_of_shards":{{ SHARDS }},
+ "index.refresh_interval":"{{ REFRESH }}"
+ }
+}
diff --git a/salt/elasticsearch/templates/so/so-cyberark-template.json.jinja b/salt/elasticsearch/templates/so/so-cyberark-template.json.jinja
new file mode 100644
index 000000000..1647d600f
--- /dev/null
+++ b/salt/elasticsearch/templates/so/so-cyberark-template.json.jinja
@@ -0,0 +1,13 @@
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:shards', 1) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:refresh', '30s') %}
+{
+ "index_patterns": ["so-cyberark-*"],
+ "version":50001,
+ "order":11,
+ "settings":{
+ "number_of_replicas":{{ REPLICAS }},
+ "number_of_shards":{{ SHARDS }},
+ "index.refresh_interval":"{{ REFRESH }}"
+ }
+}
diff --git a/salt/elasticsearch/templates/so/so-cylance-template.json.jinja b/salt/elasticsearch/templates/so/so-cylance-template.json.jinja
new file mode 100644
index 000000000..4ba7d0316
--- /dev/null
+++ b/salt/elasticsearch/templates/so/so-cylance-template.json.jinja
@@ -0,0 +1,13 @@
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-cylance:shards', 1) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-cylance:refresh', '30s') %}
+{
+ "index_patterns": ["so-cylance-*"],
+ "version":50001,
+ "order":11,
+ "settings":{
+ "number_of_replicas":{{ REPLICAS }},
+ "number_of_shards":{{ SHARDS }},
+ "index.refresh_interval":"{{ REFRESH }}"
+ }
+}
diff --git a/salt/elasticsearch/templates/so/so-elasticsearch-template.json.jinja b/salt/elasticsearch/templates/so/so-elasticsearch-template.json.jinja
new file mode 100644
index 000000000..16aaaec13
--- /dev/null
+++ b/salt/elasticsearch/templates/so/so-elasticsearch-template.json.jinja
@@ -0,0 +1,13 @@
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:shards', 1) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:refresh', '30s') %}
+{
+ "index_patterns": ["so-elasticsearch-*"],
+ "version":50001,
+ "order":11,
+ "settings":{
+ "number_of_replicas":{{ REPLICAS }},
+ "number_of_shards":{{ SHARDS }},
+ "index.refresh_interval":"{{ REFRESH }}"
+ }
+}
diff --git a/salt/elasticsearch/templates/so/so-f5-template.json.jinja b/salt/elasticsearch/templates/so/so-f5-template.json.jinja
new file mode 100644
index 000000000..682a37c59
--- /dev/null
+++ b/salt/elasticsearch/templates/so/so-f5-template.json.jinja
@@ -0,0 +1,13 @@
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-f5:shards', 1) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-f5:refresh', '30s') %}
+{
+ "index_patterns": ["so-f5-*"],
+ "version":50001,
+ "order":11,
+ "settings":{
+ "number_of_replicas":{{ REPLICAS }},
+ "number_of_shards":{{ SHARDS }},
+ "index.refresh_interval":"{{ REFRESH }}"
+ }
+}
diff --git a/salt/elasticsearch/templates/so/so-fortinet-template.json.jinja b/salt/elasticsearch/templates/so/so-fortinet-template.json.jinja
new file mode 100644
index 000000000..616607f52
--- /dev/null
+++ b/salt/elasticsearch/templates/so/so-fortinet-template.json.jinja
@@ -0,0 +1,13 @@
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-zeek:shards', 1) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-zeek:refresh', '30s') %}
+{
+ "index_patterns": ["so-zeek-*"],
+ "version":50001,
+ "order":11,
+ "settings":{
+ "number_of_replicas":{{ REPLICAS }},
+ "number_of_shards":{{ SHARDS }},
+ "index.refresh_interval":"{{ REFRESH }}"
+ }
+}
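Review bot: This fortinet template is a verbatim copy of the zeek one: it reads `elasticsearch:index_settings:so-zeek:shards` and `...:so-zeek:refresh` and declares `"index_patterns": ["so-zeek-*"]`, so it never applies to `so-fortinet-*` indices and instead registers a second order-11 template competing for `so-zeek-*`. The three lines should read `so-fortinet`: `{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:shards', 1) %}`, `{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:refresh', '30s') %}`, `"index_patterns": ["so-fortinet-*"],`. The redis template further down (`so-redis-template.json.jinja`, identical blob id) has the same defect and needs the same three substitutions with `so-redis`.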
diff --git a/salt/elasticsearch/templates/so/so-gcp-template.json.jinja b/salt/elasticsearch/templates/so/so-gcp-template.json.jinja
new file mode 100644
index 000000000..4f1db4f20
--- /dev/null
+++ b/salt/elasticsearch/templates/so/so-gcp-template.json.jinja
@@ -0,0 +1,13 @@
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-gcp:shards', 1) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-gcp:refresh', '30s') %}
+{
+ "index_patterns": ["so-gcp-*"],
+ "version":50001,
+ "order":11,
+ "settings":{
+ "number_of_replicas":{{ REPLICAS }},
+ "number_of_shards":{{ SHARDS }},
+ "index.refresh_interval":"{{ REFRESH }}"
+ }
+}
diff --git a/salt/elasticsearch/templates/so/so-google_workspace-template.json.jinja b/salt/elasticsearch/templates/so/so-google_workspace-template.json.jinja
new file mode 100644
index 000000000..5ae26780a
--- /dev/null
+++ b/salt/elasticsearch/templates/so/so-google_workspace-template.json.jinja
@@ -0,0 +1,13 @@
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:shards', 1) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:refresh', '30s') %}
+{
+ "index_patterns": ["so-google_workspace-*"],
+ "version":50001,
+ "order":11,
+ "settings":{
+ "number_of_replicas":{{ REPLICAS }},
+ "number_of_shards":{{ SHARDS }},
+ "index.refresh_interval":"{{ REFRESH }}"
+ }
+}
diff --git a/salt/elasticsearch/templates/so/so-imperva-template.json.jinja b/salt/elasticsearch/templates/so/so-imperva-template.json.jinja
new file mode 100644
index 000000000..1f574f33a
--- /dev/null
+++ b/salt/elasticsearch/templates/so/so-imperva-template.json.jinja
@@ -0,0 +1,13 @@
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-imperva:shards', 1) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-imperva:refresh', '30s') %}
+{
+ "index_patterns": ["so-imperva-*"],
+ "version":50001,
+ "order":11,
+ "settings":{
+ "number_of_replicas":{{ REPLICAS }},
+ "number_of_shards":{{ SHARDS }},
+ "index.refresh_interval":"{{ REFRESH }}"
+ }
+}
diff --git a/salt/elasticsearch/templates/so/so-infoblox-template.json.jinja b/salt/elasticsearch/templates/so/so-infoblox-template.json.jinja
new file mode 100644
index 000000000..de613de7f
--- /dev/null
+++ b/salt/elasticsearch/templates/so/so-infoblox-template.json.jinja
@@ -0,0 +1,13 @@
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:shards', 1) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:refresh', '30s') %}
+{
+ "index_patterns": ["so-infoblox-*"],
+ "version":50001,
+ "order":11,
+ "settings":{
+ "number_of_replicas":{{ REPLICAS }},
+ "number_of_shards":{{ SHARDS }},
+ "index.refresh_interval":"{{ REFRESH }}"
+ }
+}
diff --git a/salt/elasticsearch/templates/so/so-juniper-template.json.jinja b/salt/elasticsearch/templates/so/so-juniper-template.json.jinja
new file mode 100644
index 000000000..f637271a9
--- /dev/null
+++ b/salt/elasticsearch/templates/so/so-juniper-template.json.jinja
@@ -0,0 +1,13 @@
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-juniper:shards', 1) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-juniper:refresh', '30s') %}
+{
+ "index_patterns": ["so-juniper-*"],
+ "version":50001,
+ "order":11,
+ "settings":{
+ "number_of_replicas":{{ REPLICAS }},
+ "number_of_shards":{{ SHARDS }},
+ "index.refresh_interval":"{{ REFRESH }}"
+ }
+}
diff --git a/salt/elasticsearch/templates/so/so-kibana-template.json.jinja b/salt/elasticsearch/templates/so/so-kibana-template.json.jinja
new file mode 100644
index 000000000..fe2004b0e
--- /dev/null
+++ b/salt/elasticsearch/templates/so/so-kibana-template.json.jinja
@@ -0,0 +1,13 @@
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-kibana:shards', 1) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-kibana:refresh', '30s') %}
+{
+ "index_patterns": ["so-kibana-*"],
+ "version":50001,
+ "order":11,
+ "settings":{
+ "number_of_replicas":{{ REPLICAS }},
+ "number_of_shards":{{ SHARDS }},
+ "index.refresh_interval":"{{ REFRESH }}"
+ }
+}
diff --git a/salt/elasticsearch/templates/so/so-logstash-template.json.jinja b/salt/elasticsearch/templates/so/so-logstash-template.json.jinja
new file mode 100644
index 000000000..2cf0aba42
--- /dev/null
+++ b/salt/elasticsearch/templates/so/so-logstash-template.json.jinja
@@ -0,0 +1,13 @@
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-logstash:shards', 1) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-logstash:refresh', '30s') %}
+{
+ "index_patterns": ["so-logstash-*"],
+ "version":50001,
+ "order":11,
+ "settings":{
+ "number_of_replicas":{{ REPLICAS }},
+ "number_of_shards":{{ SHARDS }},
+ "index.refresh_interval":"{{ REFRESH }}"
+ }
+}
diff --git a/salt/elasticsearch/templates/so/so-microsoft-template.json.jinja b/salt/elasticsearch/templates/so/so-microsoft-template.json.jinja
new file mode 100644
index 000000000..3493ccbb2
--- /dev/null
+++ b/salt/elasticsearch/templates/so/so-microsoft-template.json.jinja
@@ -0,0 +1,13 @@
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:shards', 1) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:refresh', '30s') %}
+{
+ "index_patterns": ["so-microsoft-*"],
+ "version":50001,
+ "order":11,
+ "settings":{
+ "number_of_replicas":{{ REPLICAS }},
+ "number_of_shards":{{ SHARDS }},
+ "index.refresh_interval":"{{ REFRESH }}"
+ }
+}
diff --git a/salt/elasticsearch/templates/so/so-misp-template.json.jinja b/salt/elasticsearch/templates/so/so-misp-template.json.jinja
new file mode 100644
index 000000000..67af1efde
--- /dev/null
+++ b/salt/elasticsearch/templates/so/so-misp-template.json.jinja
@@ -0,0 +1,13 @@
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-misp:shards', 1) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-misp:refresh', '30s') %}
+{
+ "index_patterns": ["so-misp-*"],
+ "version":50001,
+ "order":11,
+ "settings":{
+ "number_of_replicas":{{ REPLICAS }},
+ "number_of_shards":{{ SHARDS }},
+ "index.refresh_interval":"{{ REFRESH }}"
+ }
+}
diff --git a/salt/elasticsearch/templates/so/so-netflow-template.json.jinja b/salt/elasticsearch/templates/so/so-netflow-template.json.jinja
new file mode 100644
index 000000000..62c0972bf
--- /dev/null
+++ b/salt/elasticsearch/templates/so/so-netflow-template.json.jinja
@@ -0,0 +1,13 @@
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-netflow:shards', 1) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-netflow:refresh', '30s') %}
+{
+ "index_patterns": ["so-netflow-*"],
+ "version":50001,
+ "order":11,
+ "settings":{
+ "number_of_replicas":{{ REPLICAS }},
+ "number_of_shards":{{ SHARDS }},
+ "index.refresh_interval":"{{ REFRESH }}"
+ }
+}
diff --git a/salt/elasticsearch/templates/so/so-netscout-template.json.jinja b/salt/elasticsearch/templates/so/so-netscout-template.json.jinja
new file mode 100644
index 000000000..1dfe336d9
--- /dev/null
+++ b/salt/elasticsearch/templates/so/so-netscout-template.json.jinja
@@ -0,0 +1,13 @@
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-netscout:shards', 1) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-netscout:refresh', '30s') %}
+{
+ "index_patterns": ["so-netscout-*"],
+ "version":50001,
+ "order":11,
+ "settings":{
+ "number_of_replicas":{{ REPLICAS }},
+ "number_of_shards":{{ SHARDS }},
+ "index.refresh_interval":"{{ REFRESH }}"
+ }
+}
diff --git a/salt/elasticsearch/templates/so/so-o365-template.json.jinja b/salt/elasticsearch/templates/so/so-o365-template.json.jinja
new file mode 100644
index 000000000..c1f4826f4
--- /dev/null
+++ b/salt/elasticsearch/templates/so/so-o365-template.json.jinja
@@ -0,0 +1,13 @@
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-o365:shards', 1) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-o365:refresh', '30s') %}
+{
+ "index_patterns": ["so-o365-*"],
+ "version":50001,
+ "order":11,
+ "settings":{
+ "number_of_replicas":{{ REPLICAS }},
+ "number_of_shards":{{ SHARDS }},
+ "index.refresh_interval":"{{ REFRESH }}"
+ }
+}
diff --git a/salt/elasticsearch/templates/so/so-okta-template.json.jinja b/salt/elasticsearch/templates/so/so-okta-template.json.jinja
new file mode 100644
index 000000000..a4f2df44e
--- /dev/null
+++ b/salt/elasticsearch/templates/so/so-okta-template.json.jinja
@@ -0,0 +1,13 @@
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-okta:shards', 1) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-okta:refresh', '30s') %}
+{
+ "index_patterns": ["so-okta-*"],
+ "version":50001,
+ "order":11,
+ "settings":{
+ "number_of_replicas":{{ REPLICAS }},
+ "number_of_shards":{{ SHARDS }},
+ "index.refresh_interval":"{{ REFRESH }}"
+ }
+}
diff --git a/salt/elasticsearch/templates/so/so-proofpoint-template.json.jinja b/salt/elasticsearch/templates/so/so-proofpoint-template.json.jinja
new file mode 100644
index 000000000..d7b0ecbe2
--- /dev/null
+++ b/salt/elasticsearch/templates/so/so-proofpoint-template.json.jinja
@@ -0,0 +1,13 @@
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:shards', 1) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:refresh', '30s') %}
+{
+ "index_patterns": ["so-proofpoint-*"],
+ "version":50001,
+ "order":11,
+ "settings":{
+ "number_of_replicas":{{ REPLICAS }},
+ "number_of_shards":{{ SHARDS }},
+ "index.refresh_interval":"{{ REFRESH }}"
+ }
+}
diff --git a/salt/elasticsearch/templates/so/so-radware-template.json.jinja b/salt/elasticsearch/templates/so/so-radware-template.json.jinja
new file mode 100644
index 000000000..4efef6a4f
--- /dev/null
+++ b/salt/elasticsearch/templates/so/so-radware-template.json.jinja
@@ -0,0 +1,13 @@
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-radware:shards', 1) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-radware:refresh', '30s') %}
+{
+ "index_patterns": ["so-radware-*"],
+ "version":50001,
+ "order":11,
+ "settings":{
+ "number_of_replicas":{{ REPLICAS }},
+ "number_of_shards":{{ SHARDS }},
+ "index.refresh_interval":"{{ REFRESH }}"
+ }
+}
diff --git a/salt/elasticsearch/templates/so/so-redis-template.json.jinja b/salt/elasticsearch/templates/so/so-redis-template.json.jinja
new file mode 100644
index 000000000..616607f52
--- /dev/null
+++ b/salt/elasticsearch/templates/so/so-redis-template.json.jinja
@@ -0,0 +1,13 @@
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-zeek:shards', 1) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-zeek:refresh', '30s') %}
+{
+ "index_patterns": ["so-zeek-*"],
+ "version":50001,
+ "order":11,
+ "settings":{
+ "number_of_replicas":{{ REPLICAS }},
+ "number_of_shards":{{ SHARDS }},
+ "index.refresh_interval":"{{ REFRESH }}"
+ }
+}
diff --git a/salt/elasticsearch/templates/so/so-snort-template.json.jinja b/salt/elasticsearch/templates/so/so-snort-template.json.jinja
new file mode 100644
index 000000000..325f86bde
--- /dev/null
+++ b/salt/elasticsearch/templates/so/so-snort-template.json.jinja
@@ -0,0 +1,13 @@
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-snort:shards', 1) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-snort:refresh', '30s') %}
+{
+ "index_patterns": ["so-snort-*"],
+ "version":50001,
+ "order":11,
+ "settings":{
+ "number_of_replicas":{{ REPLICAS }},
+ "number_of_shards":{{ SHARDS }},
+ "index.refresh_interval":"{{ REFRESH }}"
+ }
+}
diff --git a/salt/elasticsearch/templates/so/so-snyk-template.json.jinja b/salt/elasticsearch/templates/so/so-snyk-template.json.jinja
new file mode 100644
index 000000000..0c2d291cc
--- /dev/null
+++ b/salt/elasticsearch/templates/so/so-snyk-template.json.jinja
@@ -0,0 +1,13 @@
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-snyk:shards', 1) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-snyk:refresh', '30s') %}
+{
+ "index_patterns": ["so-snyk-*"],
+ "version":50001,
+ "order":11,
+ "settings":{
+ "number_of_replicas":{{ REPLICAS }},
+ "number_of_shards":{{ SHARDS }},
+ "index.refresh_interval":"{{ REFRESH }}"
+ }
+}
diff --git a/salt/elasticsearch/templates/so/so-sonicwall-template.json.jinja b/salt/elasticsearch/templates/so/so-sonicwall-template.json.jinja
new file mode 100644
index 000000000..b912e4d66
--- /dev/null
+++ b/salt/elasticsearch/templates/so/so-sonicwall-template.json.jinja
@@ -0,0 +1,13 @@
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:shards', 1) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:refresh', '30s') %}
+{
+ "index_patterns": ["so-sonicwall-*"],
+ "version":50001,
+ "order":11,
+ "settings":{
+ "number_of_replicas":{{ REPLICAS }},
+ "number_of_shards":{{ SHARDS }},
+ "index.refresh_interval":"{{ REFRESH }}"
+ }
+}
diff --git a/salt/elasticsearch/templates/so/so-sophos-template.json.jinja b/salt/elasticsearch/templates/so/so-sophos-template.json.jinja
new file mode 100644
index 000000000..689e19999
--- /dev/null
+++ b/salt/elasticsearch/templates/so/so-sophos-template.json.jinja
@@ -0,0 +1,13 @@
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-sophos:shards', 1) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-sophos:refresh', '30s') %}
+{
+ "index_patterns": ["so-sophos-*"],
+ "version":50001,
+ "order":11,
+ "settings":{
+ "number_of_replicas":{{ REPLICAS }},
+ "number_of_shards":{{ SHARDS }},
+ "index.refresh_interval":"{{ REFRESH }}"
+ }
+}
diff --git a/salt/elasticsearch/templates/so/so-squid-template.json.jinja b/salt/elasticsearch/templates/so/so-squid-template.json.jinja
new file mode 100644
index 000000000..9398b8a99
--- /dev/null
+++ b/salt/elasticsearch/templates/so/so-squid-template.json.jinja
@@ -0,0 +1,13 @@
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-squid:shards', 1) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-squid:refresh', '30s') %}
+{
+ "index_patterns": ["so-squid-*"],
+ "version":50001,
+ "order":11,
+ "settings":{
+ "number_of_replicas":{{ REPLICAS }},
+ "number_of_shards":{{ SHARDS }},
+ "index.refresh_interval":"{{ REFRESH }}"
+ }
+}
diff --git a/salt/elasticsearch/templates/so/so-tomcat-template.json.jinja b/salt/elasticsearch/templates/so/so-tomcat-template.json.jinja
new file mode 100644
index 000000000..797e71bcf
--- /dev/null
+++ b/salt/elasticsearch/templates/so/so-tomcat-template.json.jinja
@@ -0,0 +1,13 @@
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:shards', 1) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:refresh', '30s') %}
+{
+ "index_patterns": ["so-tomcat-*"],
+ "version":50001,
+ "order":11,
+ "settings":{
+ "number_of_replicas":{{ REPLICAS }},
+ "number_of_shards":{{ SHARDS }},
+ "index.refresh_interval":"{{ REFRESH }}"
+ }
+}
diff --git a/salt/elasticsearch/templates/so/so-zscaler-template.json.jinja b/salt/elasticsearch/templates/so/so-zscaler-template.json.jinja
new file mode 100644
index 000000000..01d1cab2d
--- /dev/null
+++ b/salt/elasticsearch/templates/so/so-zscaler-template.json.jinja
@@ -0,0 +1,13 @@
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:shards', 1) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:refresh', '30s') %}
+{
+ "index_patterns": ["so-zscaler-*"],
+ "version":50001,
+ "order":11,
+ "settings":{
+ "number_of_replicas":{{ REPLICAS }},
+ "number_of_shards":{{ SHARDS }},
+ "index.refresh_interval":"{{ REFRESH }}"
+ }
+}
diff --git a/salt/top.sls b/salt/top.sls
index b38d315d8..e2c980e1d 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -189,6 +189,7 @@ base:
{%- if KIBANA %}
- kibana
{%- endif %}
+ - curator
{%- if ELASTALERT %}
- elastalert
{%- endif %}
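Review bot: `- curator` is added unconditionally while its neighbours (`kibana`, `elastalert`) are gated on a pillar flag; that is presumably deliberate because curator/map.jinja marks the container absent when disabled or on the wrong node, and init.sls itself branches on the role grain, but nothing here says so. A short comment above the line, `# curator is always included; curator/map.jinja decides whether the container actually runs`, would keep someone from "fixing" it by adding a guard. Which role block line 189 belongs to is outside this hunk.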