users

Merge pull request #12192 from Security-Onion-Solutions/needsrestarted
Needsrestarted
2025-12-07 09:42:46 +01:00 · 2024-01-17 12:51:15 -05:00 · 2024-01-16 18:49:22 -05:00 · 2024-01-16 17:22:09 -05:00 · 2024-01-16 17:03:36 -05:00 · 2024-01-16 17:02:27 -05:00
325 changed files with 536037 additions and 376264 deletions
--- a/.github/workflows/contrib.yml
+++ b/.github/workflows/contrib.yml
@@ -11,7 +11,7 @@ jobs:
    steps:
      - name: "Contributor Check"
        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
-        uses: cla-assistant/github-action@v2.1.3-beta
+        uses: cla-assistant/github-action@v2.3.1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PERSONAL_ACCESS_TOKEN : ${{ secrets.PERSONAL_ACCESS_TOKEN }}
--- a/.github/workflows/pythontest.yml
+++ b/.github/workflows/pythontest.yml
@@ -4,9 +4,11 @@ on:
  push:
    paths: 
      - "salt/sensoroni/files/analyzers/**"
      - "salt/manager/tools/sbin"
  pull_request:
    paths:
      - "salt/sensoroni/files/analyzers/**"
      - "salt/manager/tools/sbin"
 jobs:
  build:
@@ -16,7 +18,7 @@ jobs:
      fail-fast: false
      matrix:
        python-version: ["3.10"]
-        python-code-path: ["salt/sensoroni/files/analyzers"]
+        python-code-path: ["salt/sensoroni/files/analyzers", "salt/manager/tools/sbin"]
    steps:
    - uses: actions/checkout@v3
@@ -34,4 +36,4 @@ jobs:
        flake8 ${{ matrix.python-code-path }} --show-source --max-complexity=12  --doctests --max-line-length=200 --statistics
    - name: Test with pytest
      run: |
-        pytest ${{ matrix.python-code-path }} --cov=${{ matrix.python-code-path }} --doctest-modules --cov-report=term --cov-fail-under=100 --cov-config=${{ matrix.python-code-path }}/pytest.ini
+        pytest ${{ matrix.python-code-path }} --cov=${{ matrix.python-code-path }} --doctest-modules --cov-report=term --cov-fail-under=100 --cov-config=pytest.ini
--- a/DOWNLOAD_AND_VERIFY_ISO.md
+++ b/DOWNLOAD_AND_VERIFY_ISO.md
@@ -1,18 +1,17 @@
-### 2.4.20-20231006 ISO image released on 2023/10/06
+### 2.4.30-20231228 ISO image released on 2024/01/02
 ### Download and Verify
-2.4.20-20231006 ISO image:  
+2.4.30-20231228 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.4.20-20231006.iso
+https://download.securityonion.net/file/securityonion/securityonion-2.4.30-20231228.iso
-MD5: 269F00308C53976BF0EAE788D1DB29DB  
+MD5: DBD47645CD6FA8358C51D8753046FB54  
-SHA1: 3F7C2324AE1271112F3B752BA4724AF36688FC27  
+SHA1: 2494091065434ACB028F71444A5D16E8F8A11EDF  
-SHA256: 542B8B3F4F75AD24DC78007F8FE0857E00DC4CC9F4870154DCB8D5D0C4144B65  
+SHA256: 3345AE1DC58AC7F29D82E60D9A36CDF8DE19B7DFF999D8C4F89C7BD36AEE7F1D  
 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.20-20231006.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.30-20231228.iso.sig
 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS  
@@ -26,22 +25,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.
 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.20-20231006.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.30-20231228.iso.sig
 ```
 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.4.20-20231006.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.4.30-20231228.iso
 ```
 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.4.20-20231006.iso.sig securityonion-2.4.20-20231006.iso
+gpg --verify securityonion-2.4.30-20231228.iso.sig securityonion-2.4.30-20231228.iso
 ```
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Tue 03 Oct 2023 11:40:51 AM EDT using RSA key ID FE507013
+gpg: Signature made Thu 28 Dec 2023 10:08:31 AM EST using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.
--- a/1
+++ b/1
@@ -1 +0,0 @@
--- a/2
+++ b/2
@@ -1 +1 @@
-2.4.20
+2.4.40
--- a/assets/images/screenshots/analyzers/echotrail.png
+++ b/assets/images/screenshots/analyzers/echotrail.png
--- a/assets/images/screenshots/analyzers/elasticsearch.png
+++ b/assets/images/screenshots/analyzers/elasticsearch.png
--- a/assets/images/screenshots/analyzers/sublime.png
+++ b/assets/images/screenshots/analyzers/sublime.png
--- a/files/firewall/assigned_hostgroups.local.map.yaml
+++ b/files/firewall/assigned_hostgroups.local.map.yaml
@@ -12,7 +12,6 @@ role:
  eval:
  fleet:
  heavynode:
  helixsensor:
  idh:
  import:
  manager:
--- a/pillar/logstash/nodes.sls
+++ b/pillar/logstash/nodes.sls
@@ -7,6 +7,8 @@
    tgt_type='compound') | dictsort()
 %}
 # only add a node to the pillar if it returned an ip from the mine
 {%   if ip | length > 0%}
 {%     set hostname = cached_grains[minionid]['host'] %}
 {%     set node_type = minionid.split('_')[1] %}
 {%     if node_type not in node_types.keys() %}
@@ -18,8 +20,10 @@
 {%         do node_types[node_type][hostname].update(ip[0]) %}
 {%       endif %}
 {%     endif %}
 {%   endif %}
 {% endfor %}
 logstash:
  nodes:
 {% for node_type, values in node_types.items() %}
--- a/pillar/node_data/ips.sls
+++ b/pillar/node_data/ips.sls
@@ -4,6 +4,9 @@
 {%   set hostname = minionid.split('_')[0] %}
 {%   set node_type = minionid.split('_')[1] %}
 {%   set is_alive = False %}
 # only add a node to the pillar if it returned an ip from the mine
 {%   if ip | length > 0%}
 {%     if minionid in manage_alived.keys() %}
 {%       if ip[0] == manage_alived[minionid] %}
 {%         set is_alive = True %}
@@ -18,6 +21,7 @@
 {%         do node_types[node_type][hostname].update({'ip':ip[0], 'alive':is_alive}) %}
 {%       endif %}
 {%     endif %}
 {%   endif %}
 {% endfor %}
 node_data:
--- a/pillar/thresholding/pillar.example
+++ b/pillar/thresholding/pillar.example
@@ -1,44 +0,0 @@
 thresholding:
  sids:
    8675309:
      - threshold:
          gen_id: 1
          type: threshold
          track: by_src
          count: 10
          seconds: 10
      - threshold:
          gen_id: 1
          type: limit
          track: by_dst
          count: 100
          seconds: 30
      - rate_filter:
          gen_id: 1
          track: by_rule
          count: 50
          seconds: 30
          new_action: alert
          timeout: 30
      - suppress:
          gen_id: 1
          track: by_either
          ip: 10.10.3.7
    11223344:
      - threshold:
          gen_id: 1
          type: limit
          track: by_dst
          count: 10
          seconds: 10
      - rate_filter:
          gen_id: 1
          track: by_src
          count: 50
          seconds: 20
          new_action: pass
          timeout: 60
      - suppress:
          gen_id: 1
          track: by_src
          ip: 10.10.3.0/24
--- a/pillar/thresholding/pillar.usage
+++ b/pillar/thresholding/pillar.usage
@@ -1,20 +0,0 @@
 thresholding:
  sids:
    <signature id>:
      - threshold:
          gen_id: <generator id>
          type: <threshold | limit | both>
          track: <by_src | by_dst>
          count: <count>
          seconds: <seconds>
      - rate_filter:
          gen_id: <generator id>
          track: <by_src | by_dst | by_rule | by_both>
          count: <count>
          seconds: <seconds>
          new_action: <alert | pass>
          timeout: <seconds>
      - suppress:
          gen_id: <generator id>
          track: <by_src | by_dst | by_either>
          ip: <ip | subnet>
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -16,6 +16,7 @@ base:
    - sensoroni.adv_sensoroni
    - telegraf.soc_telegraf
    - telegraf.adv_telegraf
    - users
  '* and not *_desktop':
    - firewall.soc_firewall
@@ -61,8 +62,6 @@ base:
    - elastalert.adv_elastalert
    - backup.soc_backup
    - backup.adv_backup
    - curator.soc_curator
    - curator.adv_curator
    - soctopus.soc_soctopus
    - soctopus.adv_soctopus
    - minions.{{ grains.id }}
@@ -113,8 +112,6 @@ base:
    - kibana.adv_kibana
    - strelka.soc_strelka
    - strelka.adv_strelka
    - curator.soc_curator
    - curator.adv_curator
    - kratos.soc_kratos
    - kratos.adv_kratos
    - redis.soc_redis
@@ -172,8 +169,6 @@ base:
    - kibana.adv_kibana
    - strelka.soc_strelka
    - strelka.adv_strelka
    - curator.soc_curator
    - curator.adv_curator
    - backup.soc_backup
    - backup.adv_backup
    - zeek.soc_zeek
@@ -194,8 +189,6 @@ base:
    - logstash.adv_logstash
    - elasticsearch.soc_elasticsearch
    - elasticsearch.adv_elasticsearch
    - curator.soc_curator
    - curator.adv_curator
    - redis.soc_redis
    - redis.adv_redis
    - zeek.soc_zeek
@@ -268,8 +261,6 @@ base:
    - soctopus.adv_soctopus
    - kibana.soc_kibana
    - kibana.adv_kibana
    - curator.soc_curator
    - curator.adv_curator
    - backup.soc_backup
    - backup.adv_backup
    - kratos.soc_kratos
--- a/pillar/users/init.sls
+++ b/pillar/users/init.sls
@@ -0,0 +1,2 @@
 # users pillar goes in /opt/so/saltstack/local/pillar/users/init.sls
 # the users directory may need to be created under /opt/so/saltstack/local/pillar
--- a/pillar/users/pillar.example
+++ b/pillar/users/pillar.example
@@ -0,0 +1,18 @@
 users:
  sclapton:
    # required fields
    status: present
    # node_access determines which node types the user can access.
    # this can either be by grains.role or by final part of the minion id after the _
    node_access:
      - standalone
      - searchnode
    # optional fields
    fullname: Stevie Claptoon
    uid: 1001
    gid: 1001
    homephone: does not have a phone
    groups:
      - mygroup1
      - mygroup2
      - wheel # give sudo access
--- a/pillar/users/pillar.usage
+++ b/pillar/users/pillar.usage
@@ -0,0 +1,20 @@
 users:
  sclapton:
    # required fields
    status: <present | absent>
    # node_access determines which node types the user can access.
    # this can either be by grains.role or by final part of the minion id after the _
    node_access:
      - standalone
      - searchnode
    # optional fields
    fullname: <string>
    uid: <integer>
    gid: <integer>
    roomnumber: <string>
    workphone: <string>
    homephone: <string>
    groups:
      - <string>
      - <string>
      - wheel # give sudo access
--- a/pyci.sh
+++ b/pyci.sh
@@ -0,0 +1,26 @@
 #!/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 if [[ $# -ne 1 ]]; then
    echo "Usage: $0 <python_script_dir>"
    echo "Runs tests on all *_test.py files in the given directory."
    exit 1
 fi
 HOME_DIR=$(dirname "$0")
 TARGET_DIR=${1:-.}
 PATH=$PATH:/usr/local/bin
 if ! which pytest &> /dev/null || ! which flake8 &> /dev/null ; then
    echo "Missing dependencies. Consider running the following command:"
    echo "  python -m pip install flake8 pytest pytest-cov"
    exit 1
 fi
 pip install pytest pytest-cov
 flake8 "$TARGET_DIR" "--config=${HOME_DIR}/pytest.ini"
 python3 -m pytest "--cov-config=${HOME_DIR}/pytest.ini" "--cov=$TARGET_DIR" --doctest-modules --cov-report=term --cov-fail-under=100  "$TARGET_DIR" 
--- a/salt/sensoroni/files/analyzers/pytest.ini
+++ b/salt/sensoroni/files/analyzers/pytest.ini
--- a/salt/allowed_states.map.jinja
+++ b/salt/allowed_states.map.jinja
@@ -219,10 +219,6 @@
    {% do allowed_states.append('kibana.secrets') %}
  {% endif %}
  {% if grains.role in ['so-eval', 'so-standalone', 'so-managersearch', 'so-heavynode', 'so-manager'] %}
    {% do allowed_states.append('curator') %}
  {% endif %}
  {% if grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %}
    {% do allowed_states.append('elastalert') %}
  {% endif %}
--- a/salt/bpf/macros.jinja
+++ b/salt/bpf/macros.jinja
@@ -0,0 +1,10 @@
 {% macro remove_comments(bpfmerged, app) %}
 {# remove comments from the bpf #}
 {% for bpf in bpfmerged[app] %}
 {%   if bpf.strip().startswith('#') %}
 {%     do bpfmerged[app].pop(loop.index0) %}
 {%   endif %}
 {% endfor %}
 {% endmacro %}
--- a/salt/bpf/pcap.map.jinja
+++ b/salt/bpf/pcap.map.jinja
@@ -1,4 +1,7 @@
 {% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
 {% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
 {% import 'bpf/macros.jinja' as MACROS %}
 {{ MACROS.remove_comments(BPFMERGED, 'pcap') }}
 {% set PCAPBPF = BPFMERGED.pcap %}
--- a/salt/bpf/suricata.map.jinja
+++ b/salt/bpf/suricata.map.jinja
@@ -1,4 +1,7 @@
 {% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
 {% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
 {% import 'bpf/macros.jinja' as MACROS %}
 {{ MACROS.remove_comments(BPFMERGED, 'suricata') }}
 {% set SURICATABPF = BPFMERGED.suricata %}
--- a/salt/bpf/zeek.map.jinja
+++ b/salt/bpf/zeek.map.jinja
@@ -1,4 +1,7 @@
 {% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
 {% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
 {% import 'bpf/macros.jinja' as MACROS %}
 {{ MACROS.remove_comments(BPFMERGED, 'zeek') }}
 {% set ZEEKBPF = BPFMERGED.zeek %}
--- a/salt/ca/files/signing_policies.conf
+++ b/salt/ca/files/signing_policies.conf
@@ -37,7 +37,7 @@ x509_signing_policies:
    - ST: Utah
    - L: Salt Lake City
    - basicConstraints: "critical CA:false"
-    - keyUsage: "critical keyEncipherment"
+    - keyUsage: "critical keyEncipherment digitalSignature"
    - subjectKeyIdentifier: hash
    - authorityKeyIdentifier: keyid,issuer:always
    - extendedKeyUsage: serverAuth
--- a/salt/ca/init.sls
+++ b/salt/ca/init.sls
@@ -50,6 +50,12 @@ pki_public_ca_crt:
        attempts: 5
        interval: 30
 mine_update_ca_crt:
  module.run:
    - mine.update: []
    - onchanges:
      - x509: pki_public_ca_crt
 cakeyperms:
  file.managed:
    - replace: False
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -8,6 +8,7 @@ include:
  - common.packages
 {% if GLOBALS.role in GLOBALS.manager_roles %}
  - manager.elasticsearch # needed for elastic_curl_config state
  - manager.kibana
 {% endif %}
 net.core.wmem_default:
@@ -178,6 +179,14 @@ so-status_check_cron:
    - month: '*'
    - dayweek: '*'
 # This cronjob/script runs a check if the node needs restarted, but should be used for future status checks as well
 common_status_check_cron:
  cron.present:
    - name: '/usr/sbin/so-common-status-check > /dev/null 2>&1'
    - identifier: common_status_check
    - user: root
    - minute: '*/10'
 remove_post_setup_cron:
  cron.absent:
    - name: 'PATH=$PATH:/usr/sbin salt-call state.highstate'
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -8,7 +8,7 @@
 # Elastic agent is not managed by salt. Because of this we must store this base information in a 
 # script that accompanies the soup system. Since so-common is one of those special soup files, 
 # and since this same logic is required during installation, it's included in this file.
-ELASTIC_AGENT_TARBALL_VERSION="8.8.2"
+ELASTIC_AGENT_TARBALL_VERSION="8.10.4"
 ELASTIC_AGENT_URL="https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz"
 ELASTIC_AGENT_MD5_URL="https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5"
 ELASTIC_AGENT_FILE="/nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz"
@@ -133,22 +133,37 @@ check_elastic_license() {
 }
 check_salt_master_status() {
-	local timeout=$1
+	local count=0
-	echo "Checking if we can talk to the salt master"
+    local attempts="${1:- 10}"
-	salt-call state.show_top concurrent=true
+	current_time="$(date '+%b %d %H:%M:%S')"
-
+	echo "Checking if we can access the salt master and that it is ready at: ${current_time}"
-	return
+    while ! salt-call state.show_top -l error concurrent=true 1> /dev/null; do
        current_time="$(date '+%b %d %H:%M:%S')"
        echo "Can't access salt master or it is not ready at: ${current_time}"
        ((count+=1))
        if [[ $count -eq $attempts ]]; then
 			# 10 attempts takes about 5.5 minutes
            echo "Gave up trying to access salt-master"
            return 1
        fi
    done
 	current_time="$(date '+%b %d %H:%M:%S')"
 	echo "Successfully accessed and salt master ready at: ${current_time}"
    return 0
 }
 # this is only intended to be used to check the status of the minion from a salt master
 check_salt_minion_status() {
-	local timeout=$1
+	local minion="$1"
-	echo "Checking if the salt minion will respond to jobs" >> "$setup_log" 2>&1
+	local timeout="${2:-5}"
-	salt "$MINION_ID" test.ping -t $timeout > /dev/null 2>&1
+	local logfile="${3:-'/dev/stdout'}"
 	echo "Checking if the salt minion: $minion will respond to jobs" >> "$logfile" 2>&1
 	salt "$minion" test.ping -t $timeout > /dev/null 2>&1
 	local status=$?
 	if [ $status -gt 0 ]; then
-		echo "  Minion did not respond" >> "$setup_log" 2>&1
+		echo "  Minion did not respond" >> "$logfile" 2>&1
 	else
-		echo "  Received job response from salt minion" >> "$setup_log" 2>&1
+		echo "  Received job response from salt minion" >> "$logfile" 2>&1
 	fi
 	return $status
@@ -382,6 +397,10 @@ retry() {
 								echo "<Start of output>"
 								echo "$output"
 								echo "<End of output>"
 								if [[ $exitcode -eq 0 ]]; then
 									echo "Forcing exit code to 1"
 									exitcode=1
 								fi
                        fi
                elif [ -n "$failedOutput" ]; then
                        if [[ "$output" =~ "$failedOutput" ]]; then
@@ -390,7 +409,7 @@ retry() {
 								echo "$output"
 								echo "<End of output>"
 								if [[ $exitcode -eq 0 ]]; then
-									echo "The exitcode was 0, but we are setting to 1 since we found $failedOutput in the output."
+									echo "Forcing exit code to 1"
 									exitcode=1
 								fi
                        else
@@ -428,6 +447,24 @@ run_check_net_err() {
 	fi
 }
 wait_for_salt_minion() {
 	local minion="$1"
 	local timeout="${2:-5}"
 	local logfile="${3:-'/dev/stdout'}"
 	retry 60 5 "journalctl -u salt-minion.service | grep 'Minion is ready to receive requests'" >> "$logfile" 2>&1 || fail
 	local attempt=0
 	# each attempts would take about 15 seconds
 	local maxAttempts=20
 	until check_salt_minion_status "$minion" "$timeout" "$logfile"; do
 		attempt=$((attempt+1))
 		if [[ $attempt -eq $maxAttempts ]]; then
 			return 1
 		fi
 		sleep 10
 	done
 	return 0
 }
 salt_minion_count() {
 	local MINIONDIR="/opt/so/saltstack/local/pillar/minions"
 	MINIONCOUNT=$(ls -la $MINIONDIR/*.sls | grep -v adv_ | wc -l)
@@ -440,19 +477,51 @@ set_os() {
 			OS=rocky
 			OSVER=9
 			is_rocky=true
 			is_rpm=true
 		elif grep -q "CentOS Stream release 9" /etc/redhat-release; then
 			OS=centos
 			OSVER=9
 			is_centos=true
-		elif grep -q "Oracle Linux Server release 9" /etc/system-release; then
+			is_rpm=true
-			OS=oel
+		elif grep -q "AlmaLinux release 9" /etc/redhat-release; then
 			OS=alma
 			OSVER=9
 			is_alma=true
 			is_rpm=true
 		elif grep -q "Red Hat Enterprise Linux release 9" /etc/redhat-release; then
 			if [ -f /etc/oracle-release ]; then
 				OS=oracle
 				OSVER=9
 				is_oracle=true
 				is_rpm=true
 			else
 				OS=rhel
 				OSVER=9
 				is_rhel=true
 				is_rpm=true
 			fi
 		fi
 		cron_service_name="crond"
-	else
+	elif [ -f /etc/os-release ]; then
 		if grep -q "UBUNTU_CODENAME=focal" /etc/os-release; then
 			OSVER=focal
 			UBVER=20.04
 			OS=ubuntu
 			is_ubuntu=true
 			is_deb=true
 		elif grep -q "UBUNTU_CODENAME=jammy" /etc/os-release; then
 			OSVER=jammy
 			UBVER=22.04
 			OS=ubuntu
 			is_ubuntu=true
 			is_deb=true
 		elif grep -q "VERSION_CODENAME=bookworm" /etc/os-release; then
 			OSVER=bookworm
 			DEBVER=12
 			is_debian=true
 			OS=debian
 			is_deb=true
 		fi
 		cron_service_name="cron"
 	fi
 }
@@ -486,6 +555,10 @@ set_version() {
 	fi
 }
 status () {
    printf "\n=========================================================================\n$(date) | $1\n=========================================================================\n"
 }
 systemctl_func() {
 	local action=$1
 	local echo_action=$1
--- a/salt/common/tools/sbin/so-common-status-check
+++ b/salt/common/tools/sbin/so-common-status-check
@@ -0,0 +1,52 @@
 #!/usr/bin/env python3
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 import sys
 import subprocess
 import os
 sys.path.append('/opt/saltstack/salt/lib/python3.10/site-packages/')
 import salt.config
 import salt.loader
 __opts__ = salt.config.minion_config('/etc/salt/minion')
 __grains__ = salt.loader.grains(__opts__)
 def check_needs_restarted():
  osfam = __grains__['os_family']
  val = '0'
  outfile = "/opt/so/log/sostatus/needs_restarted"
  if osfam == 'Debian':
    if os.path.exists('/var/run/reboot-required'):
      val = '1'
  elif osfam == 'RedHat':
    cmd = 'needs-restarting -r > /dev/null 2>&1'
    try:
      needs_restarting = subprocess.check_call(cmd, shell=True)
    except subprocess.CalledProcessError:
      val = '1'
  else:
    fail("Unsupported OS")
  with open(outfile, 'w') as f:
    f.write(val)
 def fail(msg):
  print(msg, file=sys.stderr)
  sys.exit(1)
 def main():
  proc = subprocess.run(['id', '-u'], stdout=subprocess.PIPE, encoding="utf-8")
  if proc.stdout.strip() != "0":
    fail("This program must be run as root")
  check_needs_restarted()
 if __name__ == "__main__":
  main()
--- a/salt/common/tools/sbin/so-image-common
+++ b/salt/common/tools/sbin/so-image-common
@@ -42,7 +42,6 @@ container_list() {
    )
  elif [ $MANAGERCHECK != 'so-helix' ]; then
    TRUSTED_CONTAINERS=(
      "so-curator"
      "so-elastalert"
      "so-elastic-agent"
      "so-elastic-agent-builder"
--- a/salt/common/tools/sbin/so-log-check
+++ b/salt/common/tools/sbin/so-log-check
@@ -109,11 +109,19 @@ if [[ $EXCLUDE_STARTUP_ERRORS == 'Y' ]]; then
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|timeout exceeded"             # server not yet ready (telegraf waiting on elasticsearch)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|influxsize kbytes"            # server not yet ready (telegraf waiting on influx)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|expected field at"            # server not yet ready (telegraf waiting on health data)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|connection timed out"         # server not yet ready (telegraf plugin unable to connect)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|command timed out"            # server not yet ready (telegraf plugin waiting for script to finish)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|cached the public key"        # server not yet ready (salt minion waiting on key acceptance)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|no ingest nodes"              # server not yet ready (logstash waiting on elastic)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|failed to poll"               # server not yet ready (sensoroni waiting on soc)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|minions returned with non"    # server not yet ready (salt waiting on minions)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|so_long_term"                 # server not yet ready (influxdb not yet setup)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|search_phase_execution_exception" # server not yet ready (elastalert running searches before ES is ready)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|timeout retrieving docker"    # Telegraf unable to reach Docker engine, rare
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|timeout retrieving container" # Telegraf unable to reach Docker engine, rare
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|error while communicating"    # Elasticsearch MS -> HN "sensor" temporarily unavailable
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|tls handshake error"          # Docker registry container when new node comes onlines
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Unable to get license information" # Logstash trying to contact ES before it's ready
 fi
 if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then
@@ -136,6 +144,8 @@ if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|invalid query input"          # false positive (Invalid user input in hunt query)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|example"                      # false positive (example test data)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|status 200"                   # false positive (request successful, contained error string in content)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|app_layer.error"              # false positive (suricata 7) in stats.log e.g. app_layer.error.imap.parser | Total | 0
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|is not an ip string literal"  # false positive (Open Canary logging out blank IP addresses)
 fi
 if [[ $EXCLUDE_KNOWN_ERRORS == 'Y' ]]; then
@@ -157,6 +167,12 @@ if [[ $EXCLUDE_KNOWN_ERRORS == 'Y' ]]; then
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|repodownload.conf"            # known issue with reposync on pre-2.4.20 
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|missing versions record"      # stenographer corrupt index
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|soc.field."                   # known ingest type collisions issue with earlier versions of SO
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|error parsing signature"      # Malformed Suricata rule, from upstream provider
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|sticky buffer has no matches" # Non-critical Suricata error
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Unable to determine destination index stats"  # Elastic transform temporary error
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|cannot join on an empty table" # InfluxDB flux query, import nodes
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|exhausting result iterator"   # InfluxDB flux query mismatched table results (temporary data issue)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|failed to finish run"         # InfluxDB rare error, self-recoverable
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|iteration"
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|communication packets"
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|use of closed"
@@ -213,6 +229,9 @@ exclude_log "spool"        # disregard zeek analyze logs as this is data specifi
 exclude_log "import"       # disregard imported test data the contains error strings
 exclude_log "update.log"   # ignore playbook updates due to several known issues
 exclude_log "playbook.log" # ignore due to several playbook known issues
 exclude_log "cron-cluster-delete.log" # ignore since Curator has been removed
 exclude_log "cron-close.log" # ignore since Curator has been removed
 exclude_log "curator.log" # ignore since Curator has been removed
 for log_file in $(cat /tmp/log_check_files); do
    status "Checking log file $log_file"
--- a/salt/common/tools/sbin/so-nsm-clear
+++ b/salt/common/tools/sbin/so-nsm-clear
@@ -41,8 +41,13 @@ done
 if [ $SKIP -ne 1 ]; then
        # Inform user we are about to delete all data
        echo
-        echo "This script will delete all NIDS data (PCAP, Suricata, Zeek)" 
+        echo "This script will delete all NSM data from /nsm."
-        echo "If you would like to proceed, please type "AGREE" and hit ENTER."
+        echo
        echo "This includes Suricata data, Zeek data, and full packet capture (PCAP)."
        echo
        echo "This will NOT delete any Suricata or Zeek logs that have already been ingested into Elasticsearch."
        echo
        echo "If you would like to proceed, then type AGREE and press ENTER."
        echo
        # Read user input
        read INPUT
@@ -54,8 +59,8 @@ delete_pcap() {
  [ -d $PCAP_DATA ] && so-pcap-stop && rm -rf $PCAP_DATA/* && so-pcap-start
 }
 delete_suricata() {
-  SURI_LOG="/opt/so/log/suricata/eve.json"
+  SURI_LOG="/nsm/suricata/"
-  [ -f $SURI_LOG ] && so-suricata-stop && rm -f $SURI_LOG && so-suricata-start
+  [ -d $SURI_LOG ] && so-suricata-stop && rm -rf $SURI_LOG/* && so-suricata-start
 }
 delete_zeek() {
  ZEEK_LOG="/nsm/zeek/logs/"
--- a/salt/common/tools/sbin/so-zeek-logs
+++ b/salt/common/tools/sbin/so-zeek-logs
@@ -1,67 +0,0 @@
 #!/bin/bash
 local_salt_dir=/opt/so/saltstack/local
 zeek_logs_enabled() {
  echo "zeeklogs:" > $local_salt_dir/pillar/zeeklogs.sls
  echo "  enabled:" >> $local_salt_dir/pillar/zeeklogs.sls
  for BLOG in "${BLOGS[@]}"; do
    echo "    - $BLOG" | tr -d '"' >> $local_salt_dir/pillar/zeeklogs.sls
  done
 }
 whiptail_manager_adv_service_zeeklogs() {
  BLOGS=$(whiptail --title "so-zeek-logs" --checklist "Please Select Logs to Send:" 24 78 12 \
  "conn" "Connection Logging" ON \
  "dce_rpc" "RPC Logs" ON \
  "dhcp" "DHCP Logs" ON \
  "dnp3" "DNP3 Logs" ON \
  "dns" "DNS Logs" ON \
  "dpd" "DPD Logs" ON \
  "files" "Files Logs" ON \
  "ftp" "FTP Logs" ON \
  "http" "HTTP Logs" ON \
  "intel" "Intel Hits Logs" ON \
  "irc" "IRC Chat Logs" ON \
  "kerberos" "Kerberos Logs" ON \
  "modbus" "MODBUS Logs" ON \
  "notice" "Zeek Notice Logs" ON \
  "ntlm" "NTLM Logs" ON \
  "pe" "PE Logs" ON \
  "radius" "Radius Logs" ON \
  "rfb" "RFB Logs" ON \
  "rdp" "RDP Logs" ON \
  "sip" "SIP Logs" ON \
  "smb_files" "SMB Files Logs" ON \
  "smb_mapping" "SMB Mapping Logs" ON \
  "smtp" "SMTP Logs" ON \
  "snmp" "SNMP Logs" ON \
  "ssh" "SSH Logs" ON \
  "ssl" "SSL Logs" ON \
  "syslog" "Syslog Logs" ON \
  "tunnel" "Tunnel Logs" ON \
  "weird" "Zeek Weird Logs" ON \
  "mysql" "MySQL Logs" ON \
  "socks" "SOCKS Logs" ON \
  "x509" "x.509 Logs" ON 3>&1 1>&2 2>&3 )
  local exitstatus=$?
  IFS=' ' read -ra BLOGS <<< "$BLOGS"
  return $exitstatus
 }
 whiptail_manager_adv_service_zeeklogs
 return_code=$?
 case $return_code in
  1)
    whiptail --title "so-zeek-logs" --msgbox "Cancelling. No changes have been made." 8 75
    ;;
  255)
    whiptail --title "so-zeek-logs" --msgbox "Whiptail error occured, exiting." 8 75
    ;;
  *)
    zeek_logs_enabled
    ;;
 esac
--- a/salt/common/tools/sbin_jinja/so-raid-status
+++ b/salt/common/tools/sbin_jinja/so-raid-status
@@ -49,12 +49,19 @@ check_nsm_raid() {
 check_boss_raid() {
  MVCLI=$(/usr/local/bin/mvcli info -o vd |grep status |grep functional)
  MVTEST=$(/usr/local/bin/mvcli info -o vd | grep "No adapter")
  # Check to see if this is a SM based system
  if [[ -z $MVTEST ]]; then
    if [[ -n $MVCLI ]]; then
      BOSSRAID=0
    else
      BOSSRAID=1
    fi
  else
    # This doesn't have boss raid so lets make it 0
    BOSSRAID=0
  fi
 }
 check_software_raid() {
--- a/salt/curator/config.sls
+++ b/salt/curator/config.sls
@@ -1,81 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from "curator/map.jinja" import CURATORMERGED %}
 # Create the group
 curatorgroup:
  group.present:
    - name: curator
    - gid: 934
 # Add user
 curator:
  user.present:
    - uid: 934
    - gid: 934
    - home: /opt/so/conf/curator
    - createhome: False
 # Create the log directory
 curlogdir:
  file.directory:
    - name: /opt/so/log/curator
    - user: 934
    - group: 939
 curactiondir:
  file.directory:
    - name: /opt/so/conf/curator/action
    - user: 934
    - group: 939
    - makedirs: True
 actionconfs:
  file.recurse:
    - name: /opt/so/conf/curator/action
    - source: salt://curator/files/action
    - user: 934
    - group: 939
    - template: jinja
    - defaults:
        CURATORMERGED: {{ CURATORMERGED.elasticsearch.index_settings }}
 curconf:
  file.managed:
    - name: /opt/so/conf/curator/curator.yml
    - source: salt://curator/files/curator.yml
    - user: 934
    - group: 939
    - mode: 660
    - template: jinja
    - show_changes: False
 curator_sbin:
  file.recurse:
    - name: /usr/sbin
    - source: salt://curator/tools/sbin
    - user: 934
    - group: 939
    - file_mode: 755
 curator_sbin_jinja:
  file.recurse:
    - name: /usr/sbin
    - source: salt://curator/tools/sbin_jinja
    - user: 934
    - group: 939 
    - file_mode: 755
    - template: jinja
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/curator/defaults.yaml
+++ b/salt/curator/defaults.yaml
@@ -1,100 +0,0 @@
 curator:
  enabled: False
  elasticsearch:
    index_settings:
      logs-import-so:
        close: 73000
        delete: 73001
      logs-strelka-so:
        close: 30
        delete: 365
      logs-suricata-so:
        close: 30
        delete: 365
      logs-syslog-so:
        close: 30
        delete: 365
      logs-zeek-so:
        close: 30
        delete: 365
      logs-elastic_agent-metricbeat-default:
        close: 30
        delete: 365
      logs-elastic_agent-osquerybeat-default:
        close: 30
        delete: 365
      logs-elastic_agent-fleet_server-default:
        close: 30
        delete: 365
      logs-elastic_agent-filebeat-default:
        close: 30
        delete: 365
      logs-elastic_agent-default:
        close: 30
        delete: 365
      logs-system-auth-default:
        close: 30
        delete: 365
      logs-system-application-default:
        close: 30
        delete: 365
      logs-system-security-default:
        close: 30
        delete: 365
      logs-system-system-default:
        close: 30
        delete: 365
      logs-system-syslog-default:
        close: 30
        delete: 365
      logs-windows-powershell-default:
        close: 30
        delete: 365
      logs-windows-sysmon_operational-default:
        close: 30
        delete: 365
      so-beats:
        close: 30
        delete: 365
      so-elasticsearch:
        close: 30
        delete: 365
      so-firewall:
        close: 30
        delete: 365
      so-ids:
        close: 30
        delete: 365
      so-import:
        close: 73000
        delete: 73001
      so-kratos:
        close: 30
        delete: 365
      so-kibana:
        close: 30
        delete: 365
      so-logstash:
        close: 30
        delete: 365
      so-netflow:
        close: 30
        delete: 365
      so-osquery:
        close: 30
        delete: 365
      so-ossec:
        close: 30
        delete: 365
      so-redis:
        close: 30
        delete: 365
      so-strelka:
        close: 30
        delete: 365
      so-syslog:
        close: 30
        delete: 365
      so-zeek:
        close: 30
        delete: 365
--- a/salt/curator/disabled.sls
+++ b/salt/curator/disabled.sls
@@ -3,20 +3,15 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 include:
  - curator.sostatus
 so-curator:
  docker_container.absent:
    - force: True
 so-curator_so-status.disabled:
-  file.comment:
+  file.line:
    - name: /opt/so/conf/so-status/so-status.conf
-    - regex: ^so-curator$
+    - match: ^so-curator$
    - mode: delete
 so-curator-cluster-close:
  cron.absent:
@@ -26,10 +21,14 @@ so-curator-cluster-delete:
  cron.absent:
    - identifier: so-curator-cluster-delete
-{% else %}
+delete_curator_configuration:
-
+  file.absent:
-{{sls}}_state_not_allowed:
+    - name: /opt/so/conf/curator
-  test.fail_without_changes:
+    - recurse: True
    - name: {{sls}}_state_not_allowed
 {% set files = salt.file.find(path='/usr/sbin', name='so-curator*') %}
 {% if files|length > 0 %}
 delete_curator_scripts:
  file.absent:
    - names: {{files|yaml}}
 {% endif %}
--- a/salt/curator/enabled.sls
+++ b/salt/curator/enabled.sls
@@ -1,88 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 {%   from 'docker/docker.map.jinja' import DOCKER %}
 include:
  - curator.config
  - curator.sostatus
 so-curator:
  docker_container.running:
    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-curator:{{ GLOBALS.so_version }}
    - start: True
    - hostname: curator
    - name: so-curator
    - user: curator
    - networks:
      - sobridge:
        - ipv4_address: {{ DOCKER.containers['so-curator'].ip }}
    - interactive: True
    - tty: True
    - binds:
      - /opt/so/conf/curator/curator.yml:/etc/curator/config/curator.yml:ro
      - /opt/so/conf/curator/action/:/etc/curator/action:ro
      - /opt/so/log/curator:/var/log/curator:rw
      {% if DOCKER.containers['so-curator'].custom_bind_mounts %}
        {% for BIND in DOCKER.containers['so-curator'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
      {% if DOCKER.containers['so-curator'].extra_hosts %}
    - extra_hosts:
        {% for XTRAHOST in DOCKER.containers['so-curator'].extra_hosts %}
      - {{ XTRAHOST }}
        {% endfor %}
      {% endif %}
      {% if DOCKER.containers['so-curator'].extra_env %}
    - environment:
        {% for XTRAENV in DOCKER.containers['so-curator'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
    - require:
      - file: actionconfs
      - file: curconf
      - file: curlogdir
    - watch:
      - file: curconf
 delete_so-curator_so-status.disabled:
  file.uncomment:
    - name: /opt/so/conf/so-status/so-status.conf
    - regex: ^so-curator$
 so-curator-cluster-close:
  cron.present:
    - name: /usr/sbin/so-curator-cluster-close > /opt/so/log/curator/cron-close.log 2>&1
    - identifier: so-curator-cluster-close
    - user: root
    - minute: '2'
    - hour: '*/1'
    - daymonth: '*'
    - month: '*'
    - dayweek: '*'
 so-curator-cluster-delete:
  cron.present:
    - name: /usr/sbin/so-curator-cluster-delete > /opt/so/log/curator/cron-cluster-delete.log 2>&1
    - identifier: so-curator-cluster-delete
    - user: root
    - minute: '*/5'
    - hour: '*'
    - daymonth: '*'
    - month: '*'
    - dayweek: '*'
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/curator/files/action/delete.yml
+++ b/salt/curator/files/action/delete.yml
@@ -1,31 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% import_yaml 'elasticsearch/defaults.yaml' as ELASTICDEFAULTS %}
 {% set ELASTICMERGED = salt['pillar.get']('elasticsearch:retention', ELASTICDEFAULTS.elasticsearch.retention, merge=true) %}
 {{ ELASTICMERGED.retention_pct }}
 {%- set log_size_limit = salt['pillar.get']('elasticsearch:log_size_limit') %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete indices when {{log_size_limit}}(GB) is exceeded.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-.*|so-.*|.ds-logs-.*-so.*)$'
    - filtertype: pattern
      kind: regex
      value: '^(so-case.*)$'
      exclude: True
    - filtertype: space
      source: creation_date
      use_age: True
      disk_space: {{log_size_limit}}
--- a/salt/curator/files/action/logs-elastic_agent-default-close.yaml
+++ b/salt/curator/files/action/logs-elastic_agent-default-close.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-elastic_agent-default'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Elastic Agent default indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-elastic_agent-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-elastic_agent-default-delete.yaml
+++ b/salt/curator/files/action/logs-elastic_agent-default-delete.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-default'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Elastic Agent default indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-elastic_agent-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-elastic_agent-filebeat-default-close.yaml
+++ b/salt/curator/files/action/logs-elastic_agent-filebeat-default-close.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-elastic_agent-filebeat-default'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Elastic Agent Filebeat indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-elastic_agent.filebeat-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-elastic_agent-filebeat-default-delete.yaml
+++ b/salt/curator/files/action/logs-elastic_agent-filebeat-default-delete.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-filebeat-default'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Elastic Agent Filebeat indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-elastic_agent.filebeat-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-elastic_agent-fleet_server-default-close.yaml
+++ b/salt/curator/files/action/logs-elastic_agent-fleet_server-default-close.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-elastic_agent-fleet_server-default'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Elastic Agent Fleet Server indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-elastic_agent.fleet_server-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-elastic_agent-fleet_server-default-delete.yaml
+++ b/salt/curator/files/action/logs-elastic_agent-fleet_server-default-delete.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-fleet_server-default'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete import indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-elastic_agent.fleet_server-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-elastic_agent-metricbeat-default-close.yaml
+++ b/salt/curator/files/action/logs-elastic_agent-metricbeat-default-close.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-elastic_agent-metricbeat-default'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Elastic Agent Metricbeat indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-elastic_agent.metricbeat-default-.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-elastic_agent-metricbeat-default-delete.yaml
+++ b/salt/curator/files/action/logs-elastic_agent-metricbeat-default-delete.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-metricbeat-default'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Elastic Agent Metricbeat indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-elastic_agent.metricbeat-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-elastic_agent-osquerybeat-default-close.yaml
+++ b/salt/curator/files/action/logs-elastic_agent-osquerybeat-default-close.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-elastic_agent-osquerybeat-default'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Elastic Agent Osquerybeat indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-elastic_agent.osquerybeat-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-elastic_agent-osquerybeat-default-delete.yaml
+++ b/salt/curator/files/action/logs-elastic_agent-osquerybeat-default-delete.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-osquerybeat-default'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Elastic Agent Osquerybeat indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-elastic_agent.osquerybeat-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-elastic_agent-osquerybeat-delete.yaml
+++ b/salt/curator/files/action/logs-elastic_agent-osquerybeat-delete.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-import-so'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete import indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-import-so.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-import-so-close.yml
+++ b/salt/curator/files/action/logs-import-so-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-import-so'].close %}
 actions:
  1:
    action: close
    description: >-
      Close import indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-import-so.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-import-so-delete.yml
+++ b/salt/curator/files/action/logs-import-so-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-import-so'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete import indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-import-so.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-strelka-so-close.yml
+++ b/salt/curator/files/action/logs-strelka-so-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-strelka-so'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Strelka indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-strelka-so.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-strelka-so-delete.yml
+++ b/salt/curator/files/action/logs-strelka-so-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-strelka-so'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Strelka indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-strelka-so.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-suricata-so-close.yml
+++ b/salt/curator/files/action/logs-suricata-so-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-suricata-so'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Suricata indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-suricata-so.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-suricata-so-delete.yml
+++ b/salt/curator/files/action/logs-suricata-so-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-suricata-so'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Suricata indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-suricata-so.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-syslog-so-close.yml
+++ b/salt/curator/files/action/logs-syslog-so-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-syslog-so'].close %}
 actions:
  1:
    action: close
    description: >-
      Close syslog indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-syslog-so.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-syslog-so-delete.yml
+++ b/salt/curator/files/action/logs-syslog-so-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-syslog-so'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete syslog indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-syslog-so.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-system-application-default-close.yaml
+++ b/salt/curator/files/action/logs-system-application-default-close.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-system-application-default'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Elastic Agent system application indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-system.application-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-system-application-default-delete.yaml
+++ b/salt/curator/files/action/logs-system-application-default-delete.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-system-application-default'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Elastic Agent system application indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-system.application-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-system-auth-default-close.yaml
+++ b/salt/curator/files/action/logs-system-auth-default-close.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-system-auth-default'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Elastic Agent system auth indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-system.auth-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-system-auth-default-delete.yaml
+++ b/salt/curator/files/action/logs-system-auth-default-delete.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-system-auth-default'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Elastic Agent system auth indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-system.auth-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-system-security-default-close.yaml
+++ b/salt/curator/files/action/logs-system-security-default-close.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-system-security-default'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Elastic Agent system security indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-system.security-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-system-security-default-delete.yaml
+++ b/salt/curator/files/action/logs-system-security-default-delete.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-system-security-default'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Elastic Agent system security indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-system.security-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-system-syslog-default-close.yaml
+++ b/salt/curator/files/action/logs-system-syslog-default-close.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-system-syslog-default'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Elastic Agent system syslog indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-system.syslog-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-system-syslog-default-delete.yaml
+++ b/salt/curator/files/action/logs-system-syslog-default-delete.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-system-syslog-default'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Elastic Agent system syslog indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-system.syslog-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-system-system-default-close.yaml
+++ b/salt/curator/files/action/logs-system-system-default-close.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-system-system-default'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Elastic Agent system system indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-system.system-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-system-system-default-delete.yaml
+++ b/salt/curator/files/action/logs-system-system-default-delete.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-system-system-default'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Elastic Agent system system indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-system.system-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-windows-powershell-default-close.yaml
+++ b/salt/curator/files/action/logs-windows-powershell-default-close.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-windows-powershell-default'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Elastic Agent Windows Powershell indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-windows.powershell-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-windows-powershell-default-delete.yaml
+++ b/salt/curator/files/action/logs-windows-powershell-default-delete.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-windows-powershell-default'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Elastic Agent Windows Powershell indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-windows.powershell-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-windows-sysmon_operational-default-close.yaml
+++ b/salt/curator/files/action/logs-windows-sysmon_operational-default-close.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-windows-sysmon_operational-default'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Elastic Agent Windows Sysmon operational indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-windows.sysmon_operational-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-windows-sysmon_operational-default-delete.yaml
+++ b/salt/curator/files/action/logs-windows-sysmon_operational-default-delete.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-windows-sysmon_operational-default'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Elastic Agent Windows Sysmon operational indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-windows.sysmon_operational-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-zeek-so-close.yml
+++ b/salt/curator/files/action/logs-zeek-so-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-zeek-so'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Zeek indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-zeek-so.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-zeek-so-delete.yml
+++ b/salt/curator/files/action/logs-zeek-so-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-zeek-so'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Zeek indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-zeek-so.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/so-beats-close.yml
+++ b/salt/curator/files/action/so-beats-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['so-beats'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Beats indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(logstash-beats.*|so-beats.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/so-beats-delete.yml
+++ b/salt/curator/files/action/so-beats-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['so-beats'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete beats indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-beats.*|so-beats.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/so-elasticsearch-close.yml
+++ b/salt/curator/files/action/so-elasticsearch-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['so-elasticsearch'].close %}
 actions:
  1:
    action: close
    description: >-
      Close elasticsearch indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(logstash-elasticsearch.*|so-elasticsearch.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/so-elasticsearch-delete.yml
+++ b/salt/curator/files/action/so-elasticsearch-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['so-elasticsearch'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete elasticsearch indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-elasticsearch.*|so-elasticsearch.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/so-firewall-close.yml
+++ b/salt/curator/files/action/so-firewall-close.yml
@@ -1,28 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['so-firewall'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Firewall indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(logstash-firewall.*|so-firewall.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/so-firewall-delete.yml
+++ b/salt/curator/files/action/so-firewall-delete.yml
@@ -1,28 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['so-firewall'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete firewall indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-firewall.*|so-firewall.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/so-ids-close.yml
+++ b/salt/curator/files/action/so-ids-close.yml
@@ -1,28 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['so-ids'].close %}
 actions:
  1:
    action: close
    description: >-
      Close IDS indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(logstash-ids.*|so-ids.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/so-ids-delete.yml
+++ b/salt/curator/files/action/so-ids-delete.yml
@@ -1,28 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['so-ids'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete IDS indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-ids.*|so-ids.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/so-import-close.yml
+++ b/salt/curator/files/action/so-import-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['so-import'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Import indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(logstash-import.*|so-import.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/so-import-delete.yml
+++ b/salt/curator/files/action/so-import-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['so-import'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete import indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-import.*|so-import.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/so-kibana-close.yml
+++ b/salt/curator/files/action/so-kibana-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['so-kibana'].close %}
 actions:
  1:
    action: close
    description: >-
      Close kibana indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(logstash-kibana.*|so-kibana.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/so-kibana-delete.yml
+++ b/salt/curator/files/action/so-kibana-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['so-kibana'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete kibana indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-kibana.*|so-kibana.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/so-kratos-close.yml
+++ b/salt/curator/files/action/so-kratos-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['so-kratos'].close %}
 actions:
  1:
    action: close
    description: >-
      Close kratos indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-kratos.*|so-kratos.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/so-kratos-delete.yml
+++ b/salt/curator/files/action/so-kratos-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['so-kratos'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete kratos indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-kratos.*|so-kratos.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/so-logstash-close.yml
+++ b/salt/curator/files/action/so-logstash-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['so-logstash'].close %}
 actions:
  1:
    action: close
    description: >-
      Close logstash indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(logstash-logstash.*|so-logstash.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/so-logstash-delete.yml
+++ b/salt/curator/files/action/so-logstash-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['so-logstash'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete logstash indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-logstash.*|so-logstash.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/so-netflow-close.yml
+++ b/salt/curator/files/action/so-netflow-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['so-netflow'].close %}
 actions:
  1:
    action: close
    description: >-
      Close netflow indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(logstash-netflow.*|so-netflow.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/so-netflow-delete.yml
+++ b/salt/curator/files/action/so-netflow-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['so-netflow'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete netflow indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-netflow.*|so-netflow.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/so-osquery-close.yml
+++ b/salt/curator/files/action/so-osquery-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['so-osquery'].close %}
 actions:
  1:
    action: close
    description: >-
      Close osquery indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(logstash-osquery.*|so-osquery.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/so-osquery-delete.yml
+++ b/salt/curator/files/action/so-osquery-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['so-osquery'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete import indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-osquery.*|so-osquery.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/so-ossec-close.yml
+++ b/salt/curator/files/action/so-ossec-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['so-ossec'].close %}
 actions:
  1:
    action: close
    description: >-
      Close ossec indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(logstash-ossec.*|so-ossec.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/so-ossec-delete.yml
+++ b/salt/curator/files/action/so-ossec-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['so-ossec'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete ossec indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-ossec.*|so-ossec.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/so-redis-close.yml
+++ b/salt/curator/files/action/so-redis-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['so-redis'].close %}
 actions:
  1:
    action: close
    description: >-
      Close redis indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(logstash-redis.*|so-redis.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/so-redis-delete.yml
+++ b/salt/curator/files/action/so-redis-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['so-redis'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete redis indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-redis.*|so-redis.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/so-strelka-close.yml
+++ b/salt/curator/files/action/so-strelka-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['so-strelka'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Strelka indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(logstash-strelka.*|so-strelka.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/so-strelka-delete.yml
+++ b/salt/curator/files/action/so-strelka-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['so-strelka'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Strelka indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-strelka.*|so-strelka.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1,2 @@`
							`# users pillar goes in /opt/so/saltstack/local/pillar/users/init.sls`
							`# the users directory may need to be created under /opt/so/saltstack/local/pillar`