Merge pull request #12540 from Security-Onion-Solutions/dougburks-patch-1

FIX: Update SOC annotations for Stenographer PCAP #12539

salt/pcap/soc_pcap.yaml

@@ -4,32 +4,32 @@ pcap:
     helpLink: stenographer.html
   config:
     maxdirectoryfiles:
-      description: The maximum number of packet/index files to create before deleting old files.
+      description: By default, Stenographer limits the number of files in the pcap directory to 30000 to avoid limitations with the ext3 filesystem. However, if you're using the ext4 or xfs filesystems, then it is safe to increase this value. So if you have a large amount of storage and find that you only have 3 weeks worth of PCAP on disk while still having plenty of free space, then you may want to increase this default setting.
       helpLink: stenographer.html
     diskfreepercentage:
-      description: The disk space percent to always keep free for PCAP
+      description: Stenographer will purge old PCAP on a regular basis to keep the disk free percentage at this level. If you have a distributed deployment with dedicated forward nodes, then the default value of 10 should be reasonable since Stenographer should be the main consumer of disk space in the /nsm partition. However, if you have systems that run both Stenographer and :ref:`elasticsearch` at the same time (like eval and standalone installations), then you’ll want to make sure that this value is no lower than 21 so that you avoid Elasticsearch hitting its watermark setting at 80% disk usage. If you have an older standalone installation, then you may need to manually change this value to 21.
       helpLink: stenographer.html
     blocks:
-      description: The number of 1MB packet blocks used by AF_PACKET to store packets in memory, per thread. You shouldn't need to change this. 
+      description: The number of 1MB packet blocks used by Stenographer and AF_PACKET to store packets in memory, per thread. You shouldn't need to change this. 
       advanced: True
       helpLink: stenographer.html
     preallocate_file_mb:
-      description: File size to pre-allocate for individual PCAP files. You shouldn't need to change this. 
+      description: File size to pre-allocate for individual Stenographer PCAP files. You shouldn't need to change this. 
       advanced: True
       helpLink: stenographer.html
     aiops:
-      description: The max number of async writes to allow at once.
+      description: The max number of async writes to allow for Stenographer at once.
       advanced: True
       helpLink: stenographer.html
     pin_to_cpu:
-      description: Enable CPU pinning for PCAP.
+      description: Enable CPU pinning for Stenographer PCAP.
       advanced: True
       helpLink: stenographer.html
     cpus_to_pin_to:
-      description: CPU to pin PCAP to. Currently only a single CPU is supported.
+      description: CPU to pin Stenographer PCAP to. Currently only a single CPU is supported.
       advanced: True
       helpLink: stenographer.html
     disks:
-      description: List of disks to use for PCAP. This is currently not used.
+      description: List of disks to use for Stenographer PCAP. This is currently not used.
       advanced: True
       helpLink: stenographer.html