Merge pull request #11040 from Security-Onion-Solutions/2.4/dev

2.4.10
Merge pull request #11044 from Security-Onion-Solutions/TOoSmOotH-patch-2
2025-12-07 01:32:47 +01:00 · 2023-08-15 07:14:03 -04:00 · 2023-08-14 16:52:53 -04:00 · 2023-08-14 16:51:24 -04:00 · 2023-08-14 16:46:21 -04:00 · 2023-08-14 16:44:13 -04:00
261 changed files with 8171 additions and 29979 deletions
--- a/DOWNLOAD_AND_VERIFY_ISO.md
+++ b/DOWNLOAD_AND_VERIFY_ISO.md
@@ -1,18 +1,18 @@
-### 2.4.3-20230711 ISO image built on 2023/07/11
+### 2.4.10-20230815 ISO image released on 2023/08/15
 ### Download and Verify
-2.4.3-20230711 ISO image:  
+2.4.10-20230815 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.4.3-20230711.iso
+https://download.securityonion.net/file/securityonion/securityonion-2.4.10-20230815.iso
-
+ 
-MD5: F481ED39E02A5AF05EB50D319D97A6C7  
+MD5: 97AEC929FB1FC22F106C0C93E3476FAB  
-SHA1: 20F9BAA8F73A44C21A8DFE81F36247BCF33CEDA6  
+SHA1: 78AF37FD19FDC34BA324C1A661632D19D1F2284A  
-SHA256: D805522E02CD4941641385F6FF86FAAC240DA6C5FD98F78460348632C7C631B0 
+SHA256: D04BA45D1664FC3CF7EA2188CB7E570642F6390C3959B4AFBB8222A853859394  
 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.3-20230711.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.10-20230815.iso.sig
 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS  
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.
 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.3-20230711.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.10-20230815.iso.sig
 ```
 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.4.3-20230711.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.4.10-20230815.iso
 ```
 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.4.3-20230711.iso.sig securityonion-2.4.3-20230711.iso
+gpg --verify securityonion-2.4.10-20230815.iso.sig securityonion-2.4.10-20230815.iso
 ```
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Tue 11 Jul 2023 06:23:37 PM EDT using RSA key ID FE507013
+gpg: Signature made Sun 13 Aug 2023 05:30:29 PM EDT using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
-## Security Onion 2.4 Beta 4
+## Security Onion 2.4
-Security Onion 2.4 Beta 4 is here!
+Security Onion 2.4 is here!
 ## Screenshots
--- a/2
+++ b/2
@@ -1 +1 @@
-2.4.3
+2.4.10
--- a/salt/_modules/needs_restarting.py
+++ b/salt/_modules/needs_restarting.py
@@ -3,14 +3,14 @@ import subprocess
 def check():
-  os = __grains__['os']
+  osfam = __grains__['os_family']
  retval = 'False'
-  if os == 'Ubuntu':
+  if osfam == 'Debian':
    if path.exists('/var/run/reboot-required'):
      retval = 'True'
-  elif os == 'Rocky':
+  elif osfam == 'RedHat':
    cmd = 'needs-restarting -r > /dev/null 2>&1'
    try:
--- a/salt/common/files/daemon.json
+++ b/salt/common/files/daemon.json
@@ -1,13 +1,11 @@
 {%- set DOCKERRANGE = salt['pillar.get']('docker:range', '172.17.0.0/24') %}
 {%- set DOCKERBIND = salt['pillar.get']('docker:bip', '172.17.0.1/24') %}
 {
  "registry-mirrors": [
    "https://:5000"
  ],
-  "bip": "{{ DOCKERBIND }}",
+  "bip": "172.17.0.1/24",
  "default-address-pools": [
    {
-      "base": "{{ DOCKERRANGE }}",
+      "base": "172.17.0.0/24",
      "size": 24
    }
  ]
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -195,7 +195,7 @@ soversionfile:
 {% endif %}
 {% if GLOBALS.so_model and GLOBALS.so_model not in ['SO2AMI01', 'SO2AZI01', 'SO2GCI01'] %}
-  {% if GLOBALS.os == 'Rocky' %}     
+  {% if GLOBALS.os == 'OEL' %}     
 # Install Raid tools
 raidpkgs:
  pkg.installed:
@@ -217,8 +217,7 @@ so-raid-status:
    - month: '*'
    - dayweek: '*'
-{% endif %}
+  {% endif %}
 {% else %}
 {{sls}}_state_not_allowed:
--- a/salt/common/packages.sls
+++ b/salt/common/packages.sls
@@ -1,6 +1,6 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
-{% if GLOBALS.os == 'Ubuntu' %}
+{% if GLOBALS.os_family == 'Debian' %}
 commonpkgs:
  pkg.installed:
    - skip_suggestions: True
@@ -14,16 +14,25 @@ commonpkgs:
      - software-properties-common
      - apt-transport-https
      - openssl
-      - netcat
+      - netcat-openbsd
      - sqlite3
      - libssl-dev
      - procps
      - python3-dateutil
      - python3-docker
      - python3-packaging
      - python3-watchdog
      - python3-lxml
      - git
      - rsync
      - vim
      - tar
      - unzip
      {% if grains.oscodename != 'focal' %}
      - python3-rich
      {% endif %}
 {%     if grains.oscodename == 'focal' %}
 # since Ubuntu requires and internet connection we can use pip to install modules
 python3-pip:
  pkg.installed
@@ -34,34 +43,46 @@ python-rich:
    - target: /usr/local/lib/python3.8/dist-packages/
    - require:
      - pkg: python3-pip
-  
+{%     endif %}
 {% endif %}
-{% elif GLOBALS.os == 'Rocky' %}     
+{% if GLOBALS.os_family == 'RedHat' %}
 commonpkgs:
  pkg.installed:
    - skip_suggestions: True
    - pkgs:
      - wget
      - jq
      - tcpdump
      - httpd-tools
      - net-tools
      - curl
      - sqlite
      - mariadb-devel
      - python3-dnf-plugin-versionlock
      - nmap-ncat
      - yum-utils
      - device-mapper-persistent-data
-      - lvm2
+      - fuse
-      - openssl
+      - fuse-libs
      - fuse-overlayfs
      - fuse-common
      - fuse3
      - fuse3-libs
      - git
      - httpd-tools
      - jq
      - lvm2
      {% if GLOBALS.os == 'CentOS Stream' %}
      - MariaDB-devel
      {% else %}
      - mariadb-devel
      {% endif %}
      - net-tools
      - nmap-ncat
      - openssl
      - procps-ng
      - python3-dnf-plugin-versionlock
      - python3-docker
      - python3-m2crypto
      - rsync
      - python3-rich
      - python3-pyyaml
      - python3-watchdog
      - python3-packaging
      - python3-pyyaml
      - python3-rich
      - python3-watchdog
      - rsync
      - sqlite
      - tcpdump
      - unzip
      - wget
      - yum-utils
 {% endif %}
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -5,7 +5,16 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-ELASTIC_AGENT_TARBALL_VERSION="8.7.1"
+# Elastic agent is not managed by salt. Because of this we must store this base information in a 
 # script that accompanies the soup system. Since so-common is one of those special soup files, 
 # and since this same logic is required during installation, it's included in this file.
 ELASTIC_AGENT_TARBALL_VERSION="8.8.2"
 ELASTIC_AGENT_URL="https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz"
 ELASTIC_AGENT_MD5_URL="https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5"
 ELASTIC_AGENT_FILE="/nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz"
 ELASTIC_AGENT_MD5="/nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5"
 ELASTIC_AGENT_EXPANSION_DIR=/nsm/elastic-fleet/artifacts/beats/elastic-agent
 DEFAULT_SALT_DIR=/opt/so/saltstack/default
 DOC_BASE_URL="https://docs.securityonion.net/en/2.4"
@@ -161,6 +170,34 @@ disable_fastestmirror() {
 	sed -i 's/enabled=1/enabled=0/' /etc/yum/pluginconf.d/fastestmirror.conf
 }
 download_and_verify() {
 	source_url=$1
 	source_md5_url=$2
 	dest_file=$3
 	md5_file=$4
 	expand_dir=$5
 	if [[ -n "$expand_dir" ]]; then
 		mkdir -p "$expand_dir"
 	fi
 	if ! verify_md5_checksum "$dest_file" "$md5_file"; then
 		retry 15 10 "curl --fail --retry 5 --retry-delay 15 -L '$source_url' --output '$dest_file'" "" ""
 		retry 15 10 "curl --fail --retry 5 --retry-delay 15 -L '$source_md5_url' --output '$md5_file'"  "" ""
 		if verify_md5_checksum "$dest_file" "$md5_file"; then
 		  echo "Source file and checksum are good."
 		else
 		  echo "Unable to download and verify the source file and checksum."
 		  return 1
 		fi
 	fi
 	if [[ -n "$expand_dir" ]]; then
 		tar -xf "$dest_file" -C "$expand_dir"
 	fi
 }
 elastic_license() {
 read -r -d '' message <<- EOM
@@ -199,19 +236,20 @@ get_random_value() {
 }
 gpg_rpm_import() {
-	if [[ "$OS" == "rocky" ]]; then
+	if [[ $is_oracle ]]; then
 	    if [[ "$WHATWOULDYOUSAYYAHDOHERE" == "setup" ]]; then
-	        local RPMKEYSLOC="../salt/repo/client/files/rocky/keys"
+	        local RPMKEYSLOC="../salt/repo/client/files/$OS/keys"
 	    else
-	        local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/rocky/keys"
+	        local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/$OS/keys"
 	    fi
-	
+		RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub' 'MariaDB-Server-GPG-KEY')
-	    RPMKEYS=('RPM-GPG-KEY-rockyofficial' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
+		for RPMKEY in "${RPMKEYS[@]}"; do
 	    for RPMKEY in "${RPMKEYS[@]}"; do
    	        rpm --import $RPMKEYSLOC/$RPMKEY
 	        echo "Imported $RPMKEY"
 	    done
 	elif [[ $is_rpm ]]; then
 		echo "Importing the security onion GPG key"
 		rpm --import ../salt/repo/client/files/oracle/keys/securityonion.pub
 	fi
 }
@@ -224,12 +262,15 @@ init_monitor() {
 	if [[ $MONITORNIC == "bond0" ]]; then 
 	  BIFACES=$(lookup_bond_interfaces)
 	  for i in rx tx sg tso ufo gso gro lro rx-vlan-offload tx-vlan-offload generic-receive-offload generic-segmentation-offload tcp-segmentation-offload; do
 	    ethtool -K "$MONITORNIC" "$i" off;
  	  done
 	else
 	  BIFACES=$MONITORNIC
 	fi
 	for DEVICE_IFACE in $BIFACES; do
-	  for i in rx tx sg tso ufo gso gro lro; do
+	  for i in rx tx sg tso ufo gso gro lro rx-vlan-offload tx-vlan-offload generic-receive-offload generic-segmentation-offload tcp-segmentation-offload; do
 	    ethtool -K "$DEVICE_IFACE" "$i" off;
  	  done
 	  ip link set dev "$DEVICE_IFACE" arp off multicast off allmulticast off promisc on
@@ -395,19 +436,22 @@ salt_minion_count() {
 }
 set_cron_service_name() {
 	if [[ "$OS" == "rocky" ]]; then
 		cron_service_name="crond"
 	else
 		cron_service_name="cron"
 	fi
 }
 set_os() {
 	if [ -f /etc/redhat-release ]; then
-		OS=rocky
+		if grep -q "Rocky Linux release 9" /etc/redhat-release; then
 			OS=rocky
 			OSVER=9
 			is_rocky=true
 		elif grep -q "CentOS Stream release 9" /etc/redhat-release; then
 			OS=centos
 			OSVER=9
 			is_centos=true
 		fi
 		cron_service_name="crond"
 	else
 		OS=ubuntu
 		is_ubuntu=true
 		cron_service_name="cron"
 	fi
 }
@@ -416,7 +460,7 @@ set_minionid() {
 }
 set_palette() {
-	if [ "$OS" == ubuntu ]; then
+	if [[ $is_deb ]]; then
 	    update-alternatives --set newt-palette /etc/newt/palette.original
    fi
 }
@@ -463,6 +507,11 @@ has_uppercase() {
 		|| return 1
 }
 update_elastic_agent() {
 	echo "Checking if Elastic Agent update is necessary..."
 	download_and_verify "$ELASTIC_AGENT_URL" "$ELASTIC_AGENT_MD5_URL" "$ELASTIC_AGENT_FILE" "$ELASTIC_AGENT_MD5" "$ELASTIC_AGENT_EXPANSION_DIR"
 }
 valid_cidr() {
 	# Verify there is a backslash in the string
 	echo "$1" | grep -qP "^[^/]+/[^/]+$" || return 1
@@ -616,6 +665,23 @@ valid_username() {
 	echo "$user" | grep -qP '^[a-z_]([a-z0-9_-]{0,31}|[a-z0-9_-]{0,30}\$)$' && return 0 || return 1
 }
 verify_md5_checksum() {
 	data_file=$1
 	md5_file=${2:-${data_file}.md5}
 	if [[ ! -f "$dest_file" || ! -f "$md5_file" ]]; then
 		return 2
 	fi
 	SOURCEHASH=$(md5sum "$data_file" | awk '{ print $1 }')
 	HASH=$(cat "$md5_file")
 	if [[ "$HASH" == "$SOURCEHASH" ]]; then
 		return 0
 	fi
 	return 1
 }
 wait_for_web_response() {
 	url=$1
 	expected=$2
--- a/salt/common/tools/sbin/so-status
+++ b/salt/common/tools/sbin/so-status
@@ -103,7 +103,7 @@ def output(options, console, code, data):
 def check_container_status(options, console):
  code = 0
  cli = "docker"
-  proc = subprocess.run([cli, 'ps', '--format', '{{json .}}'], stdout=subprocess.PIPE, encoding="utf-8")
+  proc = subprocess.run([cli, 'ps', '--format', 'json'], stdout=subprocess.PIPE, encoding="utf-8")
  if proc.returncode != 0:
    fail("Container system error; unable to obtain container process statuses")
--- a/salt/common/tools/sbin_jinja/so-desktop-install
+++ b/salt/common/tools/sbin_jinja/so-desktop-install
@@ -5,15 +5,15 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 source /usr/sbin/so-common
 doc_desktop_url="$DOC_BASE_URL/desktop.html"
-{# we only want the script to install the desktop if it is Rocky -#}
+{# we only want the script to install the desktop if it is OEL -#}
-{% if grains.os == 'Rocky' -%}
+{% if grains.os == 'OEL' -%}
 {#   if this is a manager -#}
 {%   if grains.master == grains.id.split('_')|first -%}
-source /usr/sbin/so-common
+pillar_file="/opt/so/saltstack/local/pillar/minions/adv_{{grains.id}}.sls"
 doc_desktop_url="$DOC_BASE_URL/desktop.html"
 pillar_file="/opt/so/saltstack/local/pillar/minions/{{grains.id}}.sls"
 if [ -f "$pillar_file" ]; then
  if ! grep -q "^desktop:$" "$pillar_file"; then
@@ -65,7 +65,7 @@ if [ -f "$pillar_file" ]; then
    fi
  else # desktop is already added
    echo "The desktop pillar already exists in $pillar_file."
-    echo "To enable/disable the gui, set 'desktop:gui:enabled' to true or false in $pillar_file."
+    echo "To enable/disable the gui, set 'desktop:gui:enabled' to true or false in $pillar_file. Alternatively, this can be set in the SOC UI under advanced."
    echo "Additional documentation can be found at $doc_desktop_url."
  fi
 else # if the pillar file doesn't exist
@@ -75,17 +75,22 @@ fi
 {#-  if this is not a manager #}
 {%   else -%}
-echo "Since this is not a manager, the pillar values to enable Security Onion Desktop must be set manually. Please view the documentation at $doc_desktop_url."
+echo "Since this is not a manager, the pillar values to enable Security Onion Desktop must be set manually. This can be enabled in the SOC UI under advanced by adding the following:"
 echo "desktop:"
 echo "  gui:"
 echo "    enabled: true"
 echo ""
 echo "Please view the documentation at $doc_desktop_url."
 {#- endif if this is a manager #}
 {%   endif -%}
-{#- if not Rocky #}
+{#- if not OEL #}
 {%- else %}
-echo "The Security Onion Desktop can only be installed on Rocky Linux. Please view the documentation at $doc_desktop_url."
+echo "The Security Onion Desktop can only be installed on Oracle Linux. Please view the documentation at $doc_desktop_url."
-{#- endif grains.os == Rocky #}
+{#- endif grains.os == OEL #}
 {% endif -%}
 exit 0
--- a/salt/common/tools/sbin_jinja/so-import-evtx
+++ b/salt/common/tools/sbin_jinja/so-import-evtx
@@ -27,6 +27,8 @@ Imports one or more evtx files into Security Onion. The evtx files will be analy
 Options:
  --json      Outputs summary in JSON format. Implies --quiet.
  --quiet     Silences progress information to stdout.
  --shift     Adds a time shift. Accepts a single argument that is intended to be the date of the last record, and shifts the dates of the previous records accordingly.
              Ex. sudo so-import-evtx --shift "2023-08-01 01:01:01" example.evtx 
 EOF
 }
@@ -44,6 +46,10 @@ while [[ $# -gt 0 ]]; do
    --quiet)
      quiet=1
      ;;
    --shift)
      SHIFTDATE=$1
      shift
      ;;
    -*) 
      echo "Encountered unexpected parameter: $param"
      usage
@@ -68,8 +74,10 @@ function status {
 function evtx2es() {
  EVTX=$1
  HASH=$2
  SHIFTDATE=$3
  docker run --rm \
    -e "SHIFTTS=$SHIFTDATE" \
    -v "$EVTX:/tmp/data.evtx" \
    -v "/nsm/import/$HASH/evtx/:/tmp/evtx/" \
    -v "/nsm/import/evtx-end_newest:/tmp/newest" \
@@ -113,7 +121,9 @@ echo $END_NEWEST > /nsm/import/evtx-end_newest
 for EVTX in $INPUT_FILES; do
  EVTX=$(/usr/bin/realpath "$EVTX")
  status "Processing Import: ${EVTX}"
-
+  if ! [ -z "$SHIFTDATE" ]; then
    status "- timeshifting logs to end date of $SHIFTDATE"
  fi
  # generate a unique hash to assist with dedupe checks
  HASH=$(md5sum "${EVTX}" | awk '{ print $1 }')
  HASH_DIR=/nsm/import/${HASH}
@@ -136,7 +146,7 @@ for EVTX in $INPUT_FILES; do
    # import evtx and write them to import ingest pipeline
    status "- importing logs to Elasticsearch..."
-    evtx2es "${EVTX}" $HASH
+    evtx2es "${EVTX}" $HASH "$SHIFTDATE"
    if [[ $? -ne 0 ]]; then
      INVALID_EVTXS_COUNT=$((INVALID_EVTXS_COUNT + 1))
      status "- WARNING: This evtx file may not have fully imported successfully"
@@ -222,4 +232,4 @@ if [[ $json -eq 1 ]]; then
    }'''
 fi
-exit $RESULT
+exit $RESULT
--- a/salt/common/tools/sbin_jinja/so-raid-status
+++ b/salt/common/tools/sbin_jinja/so-raid-status
@@ -1,7 +1,7 @@
 #!/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
@@ -9,25 +9,26 @@
 . /usr/sbin/so-common
-appliance_check() {
+{%- if salt['grains.get']('sosmodel', '') %}
-  {%- if salt['grains.get']('sosmodel', '') %}
+{%- set model = salt['grains.get']('sosmodel') %}
-  APPLIANCE=1
+model={{ model }}
-  {%- if grains['sosmodel'] in ['SO2AMI01', 'SO2GCI01', 'SO2AZI01'] %}
+# Don't need cloud images to use this
-  exit 0
+if [[ $model =~ ^(SO2AMI01|SO2AZI01|SO2GCI01)$ ]]; then
-  {%- endif %}
+    exit 0
-  DUDEYOUGOTADELL=$(dmidecode |grep Dell)
+fi
-  if [[ -n $DUDEYOUGOTADELL ]]; then
+{%- else %}
-  APPTYPE=dell
+echo "This is not an appliance"
-  else
+exit 0
-  APPTYPE=sm
+{%- endif %}
-  fi
+if [[ $model =~ ^(SOS10K|SOS500|SOS1000|SOS1000F|SOS4000|SOSSN7200|SOSSNNV|SOSMN)$ ]]; then
-  mkdir -p /opt/so/log/raid
+	is_bossraid=true
-
+fi
-  {%- else %}
+if [[ $model =~ ^(SOSSNNV|SOSMN)$ ]]; then
-  echo "This is not an appliance"
+	is_swraid=true
-  exit 0
+fi
-  {%- endif %}
+if [[ $model =~ ^(SOS10K|SOS500|SOS1000|SOS1000F|SOS4000|SOSSN7200)$ ]]; then
-}
+	is_hwraid=true
 fi
 check_nsm_raid() {
  PERCCLI=$(/opt/raidtools/perccli/perccli64 /c0/v0 show|grep RAID|grep Optl)
@@ -49,61 +50,44 @@ check_nsm_raid() {
 check_boss_raid() {
  MVCLI=$(/usr/local/bin/mvcli info -o vd |grep status |grep functional)
-  if [[ -n $DUDEYOUGOTADELL ]]; then
+  if [[ -n $MVCLI ]]; then
-    if [[ -n $MVCLI ]]; then
+    BOSSRAID=0
-      BOSSRAID=0
+  else
-    else
+    BOSSRAID=1
      BOSSRAID=1
    fi
  fi
 }
 check_software_raid() {
-  if [[ -n $DUDEYOUGOTADELL ]]; then
+  SWRC=$(grep "_" /proc/mdstat)
-    SWRC=$(grep "_" /proc/mdstat)
+  if [[ -n $SWRC ]]; then
-
+      # RAID is failed in some way
-    if [[ -n $SWRC ]]; then
+      SWRAID=1
-        # RAID is failed in some way
+  else
-        SWRAID=1
+      SWRAID=0
    else
        SWRAID=0
    fi
  fi
 }
-# This script checks raid status if you use SO appliances
+# Set everything to 0
 SWRAID=0
 BOSSRAID=0
 HWRAID=0
-# See if this is an appliance
+if [[ $is_hwraid ]]; then
-
+	check_nsm_raid
-appliance_check
+fi
-check_nsm_raid
+if [[ $is_bossraid ]]; then
-check_boss_raid
+	check_boss_raid
-{%- if salt['grains.get']('sosmodel', '') %}
+fi
-{%- if grains['sosmodel'] in ['SOSMN', 'SOSSNNV'] %}
+if [[ $is_swraid ]]; then
-check_software_raid
+	check_software_raid
 {%- endif %}
 {%- endif %}
 if [[ -n $SWRAID ]]; then
  if [[ $SWRAID == '0' && $BOSSRAID == '0' ]]; then
    RAIDSTATUS=0
  else
    RAIDSTATUS=1
  fi
 elif [[ -n $DUDEYOUGOTADELL ]]; then
  if [[ $BOSSRAID == '0' && $HWRAID == '0' ]]; then
    RAIDSTATUS=0
  else
    RAIDSTATUS=1
  fi
 elif [[ "$APPTYPE" == 'sm' ]]; then
  if [[ -n "$HWRAID" ]]; then
    RAIDSTATUS=0
  else
    RAIDSTATUS=1
  fi
 fi
-echo "nsmraid=$RAIDSTATUS" > /opt/so/log/raid/status.log
+sum=$(($SWRAID + $BOSSRAID + $HWRAID))
 if [[ $sum == "0" ]]; then
  RAIDSTATUS=0
 else
  RAIDSTATUS=1
 fi
 echo "nsmraid=$RAIDSTATUS" > /opt/so/log/raid/status.log
--- a/salt/desktop/files/00-background
+++ b/salt/desktop/files/00-background
@@ -0,0 +1,8 @@
 # Specify the dconf path
 [org/gnome/desktop/background]
 # Specify the path to the desktop background image file
 picture-uri='file:///usr/local/share/backgrounds/so-wallpaper.jpg'
 # Specify one of the rendering options for the background image:
 picture-options='zoom'
--- a/salt/desktop/files/session.jinja
+++ b/salt/desktop/files/session.jinja
@@ -0,0 +1,7 @@
 # This file is managed by Salt in the desktop.xwindows state
 # It will not be overwritten if it already exists
 [User]
 Session=gnome-classic
 Icon=/home/{{USERNAME}}/.face
 SystemAccount=false
--- a/salt/desktop/packages.sls
+++ b/salt/desktop/packages.sls
@@ -1,170 +1,280 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {# we only want this state to run it is CentOS #}
-{% if GLOBALS.os == 'Rocky' %}
+{% if GLOBALS.os == 'OEL' %}
 desktop_packages:
  pkg.installed:
    - pkgs:
      - ModemManager
      - ModemManager-glib
      - NetworkManager
      - NetworkManager-adsl
      - NetworkManager-bluetooth
-      - NetworkManager-l2tp-gnome
+      - NetworkManager-config-server
-      - NetworkManager-libreswan-gnome
+      - NetworkManager-libnm
      - NetworkManager-openconnect-gnome
      - NetworkManager-openvpn-gnome
      - NetworkManager-ppp
      - NetworkManager-pptp-gnome
      - NetworkManager-team
      - NetworkManager-tui
      - NetworkManager-wifi
      - NetworkManager-wwan
      - PackageKit
      - PackageKit-command-not-found
      - PackageKit-glib
      - PackageKit-gstreamer-plugin
-      - aajohan-comfortaa-fonts
+      - PackageKit-gtk3-module
      - abattis-cantarell-fonts
      - acl
      - alsa-ucm
      - alsa-utils
      - anaconda
      - anaconda-install-env-deps
      - anaconda-live
      - at
      - attr
      - audit
      - audit-libs
      - authselect
      - authselect-libs
      - avahi
      - avahi-glib
      - avahi-libs
      - baobab
      - basesystem
      - bash
      - bash-completion
      - bc
-      - blktrace
+      - bcache-tools
      - bluez
      - bluez-libs
      - bluez-obexd
      - bolt
      - bpftool
      - bzip2
      - bzip2-libs
      - c-ares
      - ca-certificates
      - cairo
      - cairo-gobject
      - cairomm
      - checkpolicy
      - chkconfig
      - chrome-gnome-shell
      - chromium
-      - chrony
+      - clutter
-      - cinnamon
+      - clutter-gst3
-      - cinnamon-control-center
+      - clutter-gtk
-      - cinnamon-screensaver
+      - cogl
-      - cockpit
+      - color-filesystem
-      - coreutils
+      - colord
-      - cpio
+      - colord-gtk
-      - cronie
+      - colord-libs
-      - crontabs
+      - conmon
-      - crypto-policies
+      - cups
-      - crypto-policies-scripts
+      - cups-client
-      - cryptsetup
+      - cups-filesystem
-      - curl
+      - cups-filters
-      - cyrus-sasl-plain
+      - cups-filters-libs
-      - dbus
+      - cups-ipptool
      - cups-libs
      - cups-pk-helper
      - dconf
      - dejavu-sans-fonts
      - dejavu-sans-mono-fonts
      - dejavu-serif-fonts
-      - dnf
+      - desktop-file-utils
      - dnf-plugins-core
      - dos2unix
      - dosfstools
      - dracut-config-rescue
      - dracut-live
      - dsniff
      - e2fsprogs
      - ed
      - efi-filesystem
      - efibootmgr
      - efivar-libs
      - eom
      - ethtool
-      - f36-backgrounds-extras-gnome
+      - evolution-data-server
-      - f36-backgrounds-gnome
+      - evolution-data-server-langpacks
      - f37-backgrounds-extras-gnome
      - f37-backgrounds-gnome
      - file
-      - filesystem
+      - flac-libs
-      - firewall-config
+      - flashrom
-      - firewalld
+      - flatpak
-      - fprintd-pam
+      - flatpak-libs
-      - git
+      - flatpak-selinux
-      - glibc
+      - flatpak-session-helper
-      - glibc-all-langpacks
+      - fontconfig
      - fonts-filesystem
      - foomatic
      - foomatic-db
      - foomatic-db-filesystem
      - foomatic-db-ppds
      - freetype
      - fuse
      - fuse-common
      - fuse-libs
      - fuse-overlayfs
      - fuse3
      - fuse3-libs
      - fwupd
      - fwupd-plugin-flashrom
      - gcr
      - gcr-base
      - gd
      - gdbm-libs
      - gdisk
      - gdk-pixbuf2
      - gdk-pixbuf2-modules
      - gdm
      - gedit
      - geoclue2
      - geoclue2-libs
      - geocode-glib
      - gettext
      - gettext-libs
      - ghostscript
      - ghostscript-tools-fonts
      - ghostscript-tools-printing
      - giflib
      - glx-utils
      - gmp
      - gnome-autoar
      - gnome-bluetooth
      - gnome-bluetooth-libs
      - gnome-calculator
      - gnome-characters
      - gnome-classic-session
      - gnome-color-manager
      - gnome-control-center
      - gnome-control-center-filesystem
      - gnome-desktop3
      - gnome-disk-utility
      - gnome-font-viewer
      - gnome-initial-setup
      - gnome-keyring
      - gnome-keyring-pam
      - gnome-logs
      - gnome-menus
      - gnome-online-accounts
      - gnome-remote-desktop
      - gnome-screenshot
      - gnome-session
      - gnome-session-wayland-session
      - gnome-session-xsession
      - gnome-settings-daemon
      - gnome-shell
      - gnome-shell-extension-apps-menu
      - gnome-shell-extension-background-logo
      - gnome-shell-extension-common
      - gnome-shell-extension-desktop-icons
      - gnome-shell-extension-launch-new-instance
      - gnome-shell-extension-places-menu
      - gnome-shell-extension-window-list
      - gnome-software
      - gnome-system-monitor
      - gnome-terminal
-      - gnupg2
+      - gnome-terminal-nautilus
      - gnome-tour
      - gnome-user-docs
      - gnome-video-effects
      - gobject-introspection
      - gom
      - google-droid-sans-fonts
      - google-noto-cjk-fonts-common
      - google-noto-emoji-color-fonts
      - google-noto-fonts-common
      - google-noto-sans-cjk-ttc-fonts
      - google-noto-sans-gurmukhi-fonts
      - google-noto-sans-sinhala-vf-fonts
      - google-noto-serif-cjk-ttc-fonts
-      - grub2-common
+      - gpgme
-      - grub2-pc-modules
+      - gpm-libs
-      - grub2-tools
+      - graphene
-      - grub2-tools-efi
+      - graphite2
-      - grub2-tools-extra
+      - gsettings-desktop-schemas
-      - grub2-tools-minimal
+      - gsm
-      - grubby
+      - gsound
      - gspell
      - gstreamer1
      - gstreamer1-plugins-bad-free
      - gstreamer1-plugins-base
      - gstreamer1-plugins-good
      - gstreamer1-plugins-good-gtk
      - gstreamer1-plugins-ugly-free
      - gtk-update-icon-cache
      - gtk2
      - gtk3
      - gtk4
      - gtkmm30
      - gtksourceview4
      - gutenprint
      - gutenprint-cups
      - gutenprint-doc
      - gutenprint-libs
      - gvfs
      - gvfs-client
      - gvfs-fuse
      - gvfs-goa
      - gvfs-gphoto2
      - gvfs-mtp
      - gvfs-smb
-      - hostname
+      - gzip
-      - hyperv-daemons
+      - harfbuzz
-      - ibus-anthy
+      - harfbuzz-icu
-      - ibus-hangul
+      - hdparm
-      - ibus-libpinyin
+      - hicolor-icon-theme
-      - ibus-libzhuyin
+      - highcontrast-icon-theme
-      - ibus-m17n
+      - hplip-common
-      - ibus-typing-booster
+      - hplip-libs
-      - imsettings-systemd
+      - hunspell
-      - initial-setup-gui
+      - hunspell-en
-      - initscripts
+      - hunspell-en-GB
      - hunspell-en-US
      - hunspell-filesystem
      - hyphen
      - ibus
      - ibus-gtk3
      - ibus-libs
      - ibus-setup
      - iio-sensor-proxy
      - ima-evm-utils
      - inih
      - initscripts-rename-device
-      - iproute
+      - initscripts-service
-      - iproute-tc
+      - iso-codes
-      - iprutils
+      - jansson
-      - iputils
+      - jbig2dec-libs
-      - irqbalance
+      - jbigkit-libs
      - iwl100-firmware
      - iwl1000-firmware
      - iwl105-firmware
      - iwl135-firmware
      - iwl2000-firmware
      - iwl2030-firmware
      - iwl3160-firmware
      - iwl5000-firmware
      - iwl5150-firmware
      - iwl6000g2a-firmware
      - iwl6000g2b-firmware
      - iwl6050-firmware
      - iwl7260-firmware
      - jomolhari-fonts
      - jose
      - jq
      - json-c
      - json-glib
      - julietaula-montserrat-fonts
      - kbd
-      - kernel
+      - kbd-misc
      - kernel-modules
      - kernel-modules-extra
      - kernel-tools
      - kexec-tools
      - khmer-os-system-fonts
-      - kmod-kvdo
+      - langpacks-core-en
-      - kpatch
+      - langpacks-core-font-en
-      - kpatch-dnf
+      - langpacks-en
-      - ledmon
+      - lcms2
-      - less
+      - libICE
      - libSM
      - libX11
      - libX11-common
      - libX11-xcb
      - libXau
      - libXcomposite
      - libXcursor
      - libXdamage
      - libXdmcp
      - libXext
      - libXfixes
      - libXfont2
      - libXft
      - libXi
      - libXinerama
      - libXmu
      - libXpm
      - libXrandr
      - libXrender
      - libXres
      - libXt
      - libXtst
      - libXv
      - libXxf86dga
      - libXxf86vm
      - libappstream-glib
      - liberation-fonts-common
      - liberation-mono-fonts
      - liberation-sans-fonts
      - liberation-serif-fonts
      - libertas-sd8787-firmware
-      - libstoragemgmt
+      - libglvnd-gles
-      - libsysfs
+      - libglvnd-glx
-      - lightdm
+      - libglvnd-opengl
-      - linux-firmware
+      - libgnomekbd
-      - logrotate
+      - libgomp
      - libgphoto2
      - lockdev
      - lohit-assamese-fonts
      - lohit-bengali-fonts
      - lohit-devanagari-fonts
@@ -175,136 +285,160 @@ desktop_packages:
      - lohit-telugu-fonts
      - lshw
      - lsof
-      - lsscsi
+      - mesa-dri-drivers
-      - lvm2
+      - mesa-filesystem
-      - mailcap
+      - mesa-libEGL
-      - man-db
+      - mesa-libGL
-      - man-pages
+      - mesa-libgbm
-      - mcelog
+      - mesa-libglapi
-      - mdadm
+      - mesa-libxatracker
-      - memtest86+
+      - mesa-vulkan-drivers
      - metacity
      - microcode_ctl
-      - mlocate
+      - mobile-broadband-provider-info
      - mono-devel
      - mpfr
      - mpg123-libs
      - mtdev
      - mtr
-      - nano
+      - nautilus
-      - ncurses
+      - nautilus-extensions
      - nemo-fileroller
      - nemo-image-converter
      - nemo-preview
      - net-tools
      - netronome-firmware
      - ngrep
      - nm-connection-editor
      - nmap-ncat
      - nvme-cli
      - open-vm-tools-desktop
-      - openssh-clients
+      - oracle-backgrounds
-      - openssh-server
+      - oracle-indexhtml
-      - p11-kit
+      - oracle-logos
-      - paktype-naskh-basic-fonts
+      - pcaudiolib
      - parole
      - parted
      - passwd
      - pciutils
      - pinentry
      - pinentry-gnome3
      - pinfo
      - pipewire
      - pipewire-alsa
      - pipewire-gstreamer
      - pipewire-jack-audio-connection-kit
      - pipewire-libs
      - pipewire-pulseaudio
      - pipewire-utils
      - pixman
      - plymouth
      - plymouth-core-libs
      - plymouth-graphics-libs
      - plymouth-plugin-label
      - plymouth-plugin-two-step
      - plymouth-scripts
      - plymouth-system-theme
      - plymouth-theme-spinner
      - policycoreutils
-      - powerline
+      - policycoreutils-python-utils
      - ppp
      - prefixdevname
      - procps-ng
      - psacct
      - pt-sans-fonts
-      - python3-libselinux
+      - pulseaudio-libs
-      - python3-scapy
+      - pulseaudio-libs-glib2
-      - qemu-guest-agent
+      - pulseaudio-utils
-      - quota
+      - sane-airscan
-      - realmd
+      - sane-backends
-      - redshift-gtk
+      - sane-backends-drivers-cameras
      - rocky-backgrounds
      - rocky-release
      - rootfiles
      - rpm
      - rpm-plugin-audit
      - rsync
      - rsyslog
      - rsyslog-gnutls
      - rsyslog-gssapi
      - rsyslog-relp
      - salt-minion
      - sane-backends-drivers-scanners
-      - selinux-policy-targeted
+      - sane-backends-libs
      - setroubleshoot
      - setup
      - sg3_utils
      - sg3_utils-libs
      - shadow-utils
      - sil-abyssinica-fonts
      - sil-nuosu-fonts
      - sil-padauk-fonts
      - slick-greeter
      - slick-greeter-cinnamon
      - smartmontools
      - smc-meera-fonts
-      - sos
+      - snappy
      - sound-theme-freedesktop
      - soundtouch
      - securityonion-networkminer
      - speech-dispatcher
      - speech-dispatcher-espeak-ng
      - speex
      - spice-vdagent
-      - ssldump
+      - switcheroo-control
      - sssd
      - sssd-common
      - sssd-kcm
      - stix-fonts
      - strace
      - sudo
      - symlinks
-      - syslinux
+      - system-config-printer-libs
-      - systemd
+      - system-config-printer-udev
-      - systemd-udev
+      - taglib
      - tar
      - tcpdump
      - tcpflow
-      - teamd
+      - thai-scalable-fonts-common
      - thai-scalable-waree-fonts
-      - time
+      - totem
-      - tmux
+      - totem-pl-parser
-      - tmux-powerline
+      - totem-video-thumbnailer
-      - transmission
+      - tpm2-tools
      - tpm2-tss
      - tracer-common
      - tracker
      - tracker-miners
      - tree
      - tuned
      - twolame-libs
      - tzdata
      - udisks2
      - udisks2-iscsi
      - udisks2-lvm2
      - unzip
      - upower
      - urw-base35-bookman-fonts
      - urw-base35-c059-fonts
      - urw-base35-d050000l-fonts
      - urw-base35-fonts
      - urw-base35-fonts-common
      - urw-base35-gothic-fonts
      - urw-base35-nimbus-mono-ps-fonts
      - urw-base35-nimbus-roman-fonts
      - urw-base35-nimbus-sans-fonts
      - urw-base35-p052-fonts
      - urw-base35-standard-symbols-ps-fonts
      - urw-base35-z003-fonts
      - usb_modeswitch
      - usb_modeswitch-data
      - usbutils
-      - util-linux
+      - usermode
-      - util-linux-user
+      - userspace-rcu
      - vdo
-      - vim-enhanced
+      - vulkan-loader
-      - vim-minimal
+      - wavpack
-      - vim-powerline
+      - webkit2gtk3
-      - virt-what
+      - webkit2gtk3-jsc
-      - wget
+      - webrtc-audio-processing
      - whois
-      - which
+      - wireless-regdb
      - wireplumber
      - wireplumber-libs
      - wireshark
      - woff2
      - words
      - wpa_supplicant
      - wpebackend-fdo
      - xdg-dbus-proxy
      - xdg-desktop-portal
      - xdg-desktop-portal-gnome
      - xdg-desktop-portal-gtk
      - xdg-user-dirs
      - xdg-user-dirs-gtk
-      - xed
+      - xdg-utils
-      - xfsdump
+      - xkeyboard-config
-      - xfsprogs
+      - xorg-x11-drv-evdev
-      - xreader
+      - xorg-x11-drv-fbdev
-      - yum
+      - xorg-x11-drv-libinput
      - xorg-x11-drv-vmware
      - xorg-x11-drv-wacom
      - xorg-x11-drv-wacom-serial-support
      - xorg-x11-server-Xorg
      - xorg-x11-server-Xwayland
      - xorg-x11-server-common
      - xorg-x11-server-utils
      - xorg-x11-utils
      - xorg-x11-xauth
      - xorg-x11-xinit
      - xorg-x11-xinit-session
      - zip
 {% else %}
 desktop_packages_os_fail:
  test.fail_without_changes:
-    - comment: 'SO desktop can only be installed on Rocky'
+    - comment: 'SO desktop can only be installed on Oracle Linux'
 {% endif %}
--- a/salt/desktop/remove_gui.sls
+++ b/salt/desktop/remove_gui.sls
@@ -1,7 +1,7 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {# we only want this state to run it is CentOS #}
-{% if GLOBALS.os == 'Rocky' %}
+{% if GLOBALS.os == 'OEL' %}
 remove_graphical_target:
  file.symlink:
@@ -12,6 +12,6 @@ remove_graphical_target:
 {% else %}
 desktop_trusted-ca_os_fail:
  test.fail_without_changes:
-    - comment: 'SO Desktop can only be installed on Rocky'
+    - comment: 'SO Desktop can only be installed on Oracle Linux'
 {% endif %}
--- a/salt/desktop/scripts/convert-gnome-classic.sh
+++ b/salt/desktop/scripts/convert-gnome-classic.sh
@@ -0,0 +1,4 @@
 #!/bin/bash
 echo "Setting default session to gnome-classic"
 cp /usr/share/accountsservice/user-templates/standard /etc/accountsservice/user-templates/
 sed -i 's|Session=gnome|Session=gnome-classic|g' /etc/accountsservice/user-templates/standard
--- a/salt/desktop/trusted-ca.sls
+++ b/salt/desktop/trusted-ca.sls
@@ -1,7 +1,7 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {# we only want this state to run it is CentOS #}
-{% if GLOBALS.os == 'Rocky' %}
+{% if GLOBALS.os == 'OEL' %}
  {% set global_ca_text = [] %}
  {% set global_ca_server = [] %}
@@ -31,6 +31,6 @@ update_ca_certs:
 desktop_trusted-ca_os_fail:
  test.fail_without_changes:
-    - comment: 'SO Desktop can only be installed on CentOS'
+    - comment: 'SO Desktop can only be installed on Oracle Linux'
 {% endif %}
--- a/salt/desktop/xwindows.sls
+++ b/salt/desktop/xwindows.sls
@@ -1,7 +1,7 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {# we only want this state to run it is CentOS #}
-{% if GLOBALS.os == 'Rocky' %}
+{% if GLOBALS.os == 'OEL' %}
 include:
  - desktop.packages
@@ -14,10 +14,48 @@ graphical_target:
    - require:
      - desktop_packages
 convert_gnome_classic:
  cmd.script:
    - name: salt://desktop/scripts/convert-gnome-classic.sh
 {%   for username in salt['file.find'](path='/home/',mindepth=1,maxdepth=1,type='d') %}
 {%     set username = username.split('/')[2] %}
 {%     if username != 'zeek' %}
 {%       if not salt['file.file_exists']('/var/lib/AccountsService/users/' ~ username) %}
 {{username}}_session:
  file.managed:
    - name: /var/lib/AccountsService/users/{{username}}
    - source: salt://desktop/files/session.jinja
    - template: jinja
    - defaults:
        USERNAME: {{username}}
 {%       endif %}
 {%     endif %}
 {%   endfor %}
 desktop_wallpaper:
  file.managed:
    - name: /usr/local/share/backgrounds/so-wallpaper.jpg
    - source: salt://desktop/files/so-wallpaper.jpg
    - makedirs: True
 set_wallpaper:
  file.managed:
    - name: /etc/dconf/db/local.d/00-background
    - source: salt://desktop/files/00-background
 run_dconf_update:
  cmd.run:
    - name: 'dconf update'
    - onchanges:
      - file: set_wallpaper
 {% else %}
 desktop_xwindows_os_fail:
  test.fail_without_changes:
-    - comment: 'SO Desktop can only be installed on Rocky'
+    - comment: 'SO Desktop can only be installed on Oracle Linux'
 {% endif %}
--- a/salt/docker/defaults.yaml
+++ b/salt/docker/defaults.yaml
@@ -1,8 +1,6 @@
 docker:
-  bip: '172.17.0.1'
+  range: '172.17.1.0/24'
-  range: '172.17.0.0/24'
+  gateway: '172.17.1.1'
  sorange: '172.17.1.0/24'
  sobip: '172.17.1.1'
  containers:
    'so-dockerregistry':
      final_octet: 20
@@ -202,4 +200,4 @@ docker:
      final_octet: 99
      custom_bind_mounts: []
      extra_hosts: []
-      extra_env: []
+      extra_env: []
--- a/salt/docker/docker.map.jinja
+++ b/salt/docker/docker.map.jinja
@@ -1,6 +1,6 @@
 {% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %}
 {% set DOCKER = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %}
-{% set RANGESPLIT = DOCKER.sorange.split('.') %}
+{% set RANGESPLIT = DOCKER.range.split('.') %}
 {% set FIRSTTHREE = RANGESPLIT[0] ~ '.' ~ RANGESPLIT[1] ~ '.' ~ RANGESPLIT[2] ~ '.' %}
 {% for container, vals in DOCKER.containers.items() %}
--- a/salt/docker/init.sls
+++ b/salt/docker/init.sls
@@ -12,7 +12,28 @@ dockergroup:
    - name: docker
    - gid: 920
-{% if GLOBALS.os == 'Ubuntu' %}
+{% if GLOBALS.os_family == 'Debian' %}
 {%    if grains.oscodename == 'bookworm' %}
 dockerheldpackages:
  pkg.installed:
    - pkgs:
      - containerd.io: 1.6.21-1
      - docker-ce: 5:24.0.3-1~debian.12~bookworm
      - docker-ce-cli: 5:24.0.3-1~debian.12~bookworm
      - docker-ce-rootless-extras: 5:24.0.3-1~debian.12~bookworm
    - hold: True
    - update_holds: True
 {%    elif grains.oscodename == 'jammy' %}
 dockerheldpackages:
  pkg.installed:
    - pkgs:
      - containerd.io: 1.6.21-1
      - docker-ce: 5:24.0.2-1~ubuntu.22.04~jammy
      - docker-ce-cli: 5:24.0.2-1~ubuntu.22.04~jammy
      - docker-ce-rootless-extras: 5:24.0.2-1~ubuntu.22.04~jammy
    - hold: True
    - update_holds: True
 {%    else %}
 dockerheldpackages:
  pkg.installed:
    - pkgs:
@@ -22,14 +43,15 @@ dockerheldpackages:
      - docker-ce-rootless-extras: 5:20.10.5~3-0~ubuntu-focal
    - hold: True
    - update_holds: True
 {% endif %}
 {% else %}
 dockerheldpackages:
  pkg.installed:
    - pkgs:
      - containerd.io: 1.6.21-3.1.el9
-      - docker-ce: 24.0.2-1.el9
+      - docker-ce: 24.0.4-1.el9
-      - docker-ce-cli: 24.0.2-1.el9
+      - docker-ce-cli: 24.0.4-1.el9
-      - docker-ce-rootless-extras: 24.0.2-1.el9
+      - docker-ce-rootless-extras: 24.0.4-1.el9
    - hold: True
    - update_holds: True
 {% endif %}
@@ -80,8 +102,8 @@ dockerreserveports:
 sos_docker_net:
  docker_network.present:
    - name: sobridge
-    - subnet: {{ DOCKER.sorange }}
+    - subnet: {{ DOCKER.range }}
-    - gateway: {{ DOCKER.sobip }}
+    - gateway: {{ DOCKER.gateway }}
    - options:
        com.docker.network.bridge.name: 'sobridge'
        com.docker.network.driver.mtu: '1500'
--- a/salt/docker/soc_docker.yaml
+++ b/salt/docker/soc_docker.yaml
@@ -1,20 +1,12 @@
 docker:
-  bip:
+  gateway:
-    description: Bind IP for the default docker interface.
+    description: Gateway for the default docker interface.
    helpLink: docker.html
    advanced: True
  range:
    description: Default docker IP range for containers.
    helpLink: docker.html
    advanced: True
  sobip:
    description: Bind IP for the SO docker interface.
    helpLink: docker.html
    advanced: True
  sorange:
    description: IP range for the SO docker containers.
    helpLink: docker.html
    advanced: True
  containers:
    so-curator: &dockerOptions
      final_octet:
@@ -68,4 +60,4 @@ docker:
    so-strelka-filestream: *dockerOptions
    so-strelka-frontend: *dockerOptions
    so-strelka-gatekeeper: *dockerOptions
-    so-strelka-manager: *dockerOptions
+    so-strelka-manager: *dockerOptions
--- a/salt/elasticagent/config.sls
+++ b/salt/elasticagent/config.sls
@@ -28,6 +28,22 @@ elasticagentconfdir:
    - group: 939
    - makedirs: True
 elasticagentlogdir:
   file.directory:
     - name: /opt/so/log/elasticagent
     - user: 949
     - group: 939
     - makedirs: True
 elasticagent_sbin_jinja:
  file.recurse:
    - name: /usr/sbin
    - source: salt://elasticagent/tools/sbin_jinja
    - user: 949
    - group: 939
    - file_mode: 755
    - template: jinja
 # Create config
 create-elastic-agent-config:
  file.managed:
@@ -37,7 +53,6 @@ create-elastic-agent-config:
    - group: 939
    - template: jinja
 {% else %}
 {{sls}}_state_not_allowed:
--- a/salt/elasticagent/enabled.sls
+++ b/salt/elasticagent/enabled.sls
@@ -33,19 +33,27 @@ so-elastic-agent:
        {% endif %}
    - binds:
      - /opt/so/conf/elastic-agent/elastic-agent.yml:/usr/share/elastic-agent/elastic-agent.yml:ro
      - /opt/so/log/elasticagent:/usr/share/elastic-agent/logs
      - /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro 
      - /nsm:/nsm:ro
      - /opt/so/log:/opt/so/log:ro
     {% if DOCKER.containers['so-elastic-agent'].custom_bind_mounts %}
        {% for BIND in DOCKER.containers['so-elastic-agent'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
-      {% endif %}      
+      {% endif %}
      {% if DOCKER.containers['so-elastic-agent'].extra_env %}
    - environment:
      - FLEET_CA=/etc/pki/tls/certs/intca.crt
      - LOGS_PATH=logs
      {% if DOCKER.containers['so-elastic-agent'].extra_env %}
        {% for XTRAENV in DOCKER.containers['so-elastic-agent'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
-
+    - require:
      - file: create-elastic-agent-config
    - watch:
      - file: create-elastic-agent-config
 delete_so-elastic-agent_so-status.disabled:
  file.uncomment:
--- a/salt/elasticagent/files/elastic-agent.yml.jinja
+++ b/salt/elasticagent/files/elastic-agent.yml.jinja
@@ -3,7 +3,7 @@
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 id: aea1ba80-1065-11ee-a369-97538913b6a9
-revision: 2
+revision: 1
 outputs:
  default:
    type: elasticsearch
@@ -11,7 +11,7 @@ outputs:
      - 'https://{{ GLOBALS.hostname }}:9200'
    username: '{{ ES_USER }}'
    password: '{{ ES_PASS }}'
-    ssl.verification_mode: none
+    ssl.verification_mode: full
 output_permissions: {}
 agent:
  download:
@@ -22,56 +22,369 @@ agent:
    metrics: false
  features: {}
 inputs:
-  - id: logfile-logs-80ffa884-2cfc-459a-964a-34df25714d85
+  - id: logfile-logs-fefef78c-422f-4cfa-8abf-4cd1b9428f62
-    name: suricata-logs
+    name: import-evtx-logs
-    revision: 1
+    revision: 2
    type: logfile
    use_output: default
    meta:
      package:
        name: log
-        version: 
+        version:
    data_stream:
      namespace: so
-    package_policy_id: 80ffa884-2cfc-459a-964a-34df25714d85
+    package_policy_id: fefef78c-422f-4cfa-8abf-4cd1b9428f62
    streams:
-      - id: logfile-log.log-80ffa884-2cfc-459a-964a-34df25714d85
+      - id: logfile-log.log-fefef78c-422f-4cfa-8abf-4cd1b9428f62
        data_stream:
          dataset: import
        paths:
          - /nsm/import/*/evtx/*.json
        processors:
          - dissect:
              field: log.file.path
              tokenizer: '/nsm/import/%{import.id}/evtx/%{import.file}'
              target_prefix: ''
          - decode_json_fields:
              fields:
                - message
              target: ''
          - drop_fields:
              ignore_missing: true
              fields:
                - host
          - add_fields:
              fields:
                dataset: system.security
                type: logs
                namespace: default
              target: data_stream
          - add_fields:
              fields:
                dataset: system.security
                module: system
                imported: true
              target: event
          - then:
              - add_fields:
                  fields:
                    dataset: windows.sysmon_operational
                  target: data_stream
              - add_fields:
                  fields:
                    dataset: windows.sysmon_operational
                    module: windows
                    imported: true
                  target: event
            if:
              equals:
                winlog.channel: Microsoft-Windows-Sysmon/Operational
          - then:
              - add_fields:
                  fields:
                    dataset: system.application
                  target: data_stream
              - add_fields:
                  fields:
                    dataset: system.application
                  target: event
            if:
              equals:
                winlog.channel: Application
          - then:
              - add_fields:
                  fields:
                    dataset: system.system
                  target: data_stream
              - add_fields:
                  fields:
                    dataset: system.system
                  target: event
            if:
              equals:
                winlog.channel: System
          - then:
              - add_fields:
                  fields:
                    dataset: windows.powershell_operational
                  target: data_stream
              - add_fields:
                  fields:
                    dataset: windows.powershell_operational
                    module: windows
                  target: event
            if:
              equals:
                winlog.channel: Microsoft-Windows-PowerShell/Operational
        tags:
          - import
  - id: logfile-redis-fc98c947-7d17-4861-a318-7ad075f6d1b0
    name: redis-logs
    revision: 2
    type: logfile
    use_output: default
    meta:
      package:
        name: redis
        version:
    data_stream:
      namespace: default
    package_policy_id: fc98c947-7d17-4861-a318-7ad075f6d1b0
    streams:
      - id: logfile-redis.log-fc98c947-7d17-4861-a318-7ad075f6d1b0
        data_stream:
          dataset: redis.log
          type: logs
        exclude_files:
          - .gz$
        paths:
          - /opt/so/log/redis/redis.log
        tags:
          - redis-log
        exclude_lines:
          - '^\s+[\-`(''.|_]'
  - id: logfile-logs-3b56803d-5ade-4c93-b25e-9b37182f66b8
    name: import-suricata-logs
    revision: 2
    type: logfile
    use_output: default
    meta:
      package:
        name: log
        version:
    data_stream:
      namespace: so
    package_policy_id: 3b56803d-5ade-4c93-b25e-9b37182f66b8
    streams:
      - id: logfile-log.log-3b56803d-5ade-4c93-b25e-9b37182f66b8
        data_stream:
          dataset: import
        pipeline: suricata.common
        paths:
          - /nsm/import/*/suricata/eve*.json
        processors:
          - add_fields:
              fields:
                module: suricata
                imported: true
                category: network
              target: event
          - dissect:
              field: log.file.path
              tokenizer: '/nsm/import/%{import.id}/suricata/%{import.file}'
              target_prefix: ''
  - id: logfile-logs-c327e1a3-1ebe-449c-a8eb-f6f35032e69d
    name: soc-server-logs
    revision: 2
    type: logfile
    use_output: default
    meta:
      package:
        name: log
        version:
    data_stream:
      namespace: so
    package_policy_id: c327e1a3-1ebe-449c-a8eb-f6f35032e69d
    streams:
      - id: logfile-log.log-c327e1a3-1ebe-449c-a8eb-f6f35032e69d
        data_stream:
          dataset: soc
        pipeline: common
        paths:
          - /opt/so/log/soc/sensoroni-server.log
        processors:
          - decode_json_fields:
              add_error_key: true
              process_array: true
              max_depth: 2
              fields:
                - message
              target: soc
          - add_fields:
              fields:
                module: soc
                dataset_temp: server
                category: host
              target: event
          - rename:
              ignore_missing: true
              fields:
                - from: soc.fields.sourceIp
                  to: source.ip
                - from: soc.fields.status
                  to: http.response.status_code
                - from: soc.fields.method
                  to: http.request.method
                - from: soc.fields.path
                  to: url.path
                - from: soc.message
                  to: event.action
                - from: soc.level
                  to: log.level
        tags:
          - so-soc
  - id: logfile-logs-906e0d4c-9ec3-4c6a-bef6-e347ec9fd073
    name: soc-sensoroni-logs
    revision: 2
    type: logfile
    use_output: default
    meta:
      package:
        name: log
        version:
    data_stream:
      namespace: so
    package_policy_id: 906e0d4c-9ec3-4c6a-bef6-e347ec9fd073
    streams:
      - id: logfile-log.log-906e0d4c-9ec3-4c6a-bef6-e347ec9fd073
        data_stream:
          dataset: soc
        pipeline: common
        paths:
          - /opt/so/log/sensoroni/sensoroni.log
        processors:
          - decode_json_fields:
              add_error_key: true
              process_array: true
              max_depth: 2
              fields:
                - message
              target: sensoroni
          - add_fields:
              fields:
                module: soc
                dataset_temp: sensoroni
                category: host
              target: event
          - rename:
              ignore_missing: true
              fields:
                - from: sensoroni.fields.sourceIp
                  to: source.ip
                - from: sensoroni.fields.status
                  to: http.response.status_code
                - from: sensoroni.fields.method
                  to: http.request.method
                - from: sensoroni.fields.path
                  to: url.path
                - from: sensoroni.message
                  to: event.action
                - from: sensoroni.level
                  to: log.level
  - id: logfile-logs-df0d7f2c-221f-433b-b18b-d1cf83250515
    name: soc-salt-relay-logs
    revision: 2
    type: logfile
    use_output: default
    meta:
      package:
        name: log
        version:
    data_stream:
      namespace: so
    package_policy_id: df0d7f2c-221f-433b-b18b-d1cf83250515
    streams:
      - id: logfile-log.log-df0d7f2c-221f-433b-b18b-d1cf83250515
        data_stream:
          dataset: soc
        pipeline: common
        paths:
          - /opt/so/log/soc/salt-relay.log
        processors:
          - dissect:
              field: message
              tokenizer: '%{soc.ts} | %{event.action}'
              target_prefix: ''
          - add_fields:
              fields:
                module: soc
                dataset_temp: salt_relay
                category: host
              target: event
        tags:
          - so-soc
  - id: logfile-logs-74bd2366-fe52-493c-bddc-843a017fc4d0
    name: soc-auth-sync-logs
    revision: 2
    type: logfile
    use_output: default
    meta:
      package:
        name: log
        version:
    data_stream:
      namespace: so
    package_policy_id: 74bd2366-fe52-493c-bddc-843a017fc4d0
    streams:
      - id: logfile-log.log-74bd2366-fe52-493c-bddc-843a017fc4d0
        data_stream:
          dataset: soc
        pipeline: common
        paths:
          - /opt/so/log/soc/sync.log
        processors:
          - dissect:
              field: message
              tokenizer: '%{event.action}'
              target_prefix: ''
          - add_fields:
              fields:
                module: soc
                dataset_temp: auth_sync
                category: host
              target: event
        tags:
          - so-soc
  - id: logfile-logs-d151d9bf-ff2a-4529-9520-c99244bc0253
    name: suricata-logs
    revision: 2
    type: logfile
    use_output: default
    meta:
      package:
        name: log
        version:
    data_stream:
      namespace: so
    package_policy_id: d151d9bf-ff2a-4529-9520-c99244bc0253
    streams:
      - id: logfile-log.log-d151d9bf-ff2a-4529-9520-c99244bc0253
        data_stream:
          dataset: suricata
        pipeline: suricata.common
        paths:
          - /nsm/suricata/eve*.json
        processors:
          - add_fields:
              target: event
              fields:
                category: network
                module: suricata
-        pipeline: suricata.common
+                category: network
-  - id: logfile-logs-90103ac4-f6bd-4a4a-b596-952c332390fc
+              target: event
  - id: logfile-logs-31f94d05-ae75-40ee-b9c5-0e0356eff327
    name: strelka-logs
-    revision: 1
+    revision: 2
    type: logfile
    use_output: default
    meta:
      package:
        name: log
-        version: 
+        version:
    data_stream:
      namespace: so
-    package_policy_id: 90103ac4-f6bd-4a4a-b596-952c332390fc
+    package_policy_id: 31f94d05-ae75-40ee-b9c5-0e0356eff327
    streams:
-      - id: logfile-log.log-90103ac4-f6bd-4a4a-b596-952c332390fc
+      - id: logfile-log.log-31f94d05-ae75-40ee-b9c5-0e0356eff327
        data_stream:
          dataset: strelka
        pipeline: strelka.file
        paths:
          - /nsm/strelka/log/strelka.log
        processors:
          - add_fields:
              target: event
              fields:
                category: file
                module: strelka
-        pipeline: strelka.file
+                category: file
              target: event
  - id: logfile-logs-6197fe84-9b58-4d9b-8464-3d517f28808d
    name: zeek-logs
    revision: 1
--- a/salt/elasticagent/tools/sbin_jinja/so-elastic-agent-inspect
+++ b/salt/elasticagent/tools/sbin_jinja/so-elastic-agent-inspect
@@ -0,0 +1,16 @@
 #!/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 . /usr/sbin/so-common
 {% if grains.role == 'so-heavynode' %}
 docker exec so-elastic-agent /usr/share/elastic-agent/elastic-agent inspect
 {% else %}
 /bin/elastic-agent inspect
 {% endif %}
--- a/salt/elasticagent/tools/sbin_jinja/so-elastic-agent-restart
+++ b/salt/elasticagent/tools/sbin_jinja/so-elastic-agent-restart
@@ -0,0 +1,17 @@
 #!/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 . /usr/sbin/so-common
 {% if grains.role == 'so-heavynode' %}
 /usr/sbin/so-stop elastic-agent $1
 /usr/sbin/so-start elasticagent $1
 {% else %}
 service elastic-agent restart
 {% endif %}
--- a/salt/elasticagent/tools/sbin_jinja/so-elastic-agent-start
+++ b/salt/elasticagent/tools/sbin_jinja/so-elastic-agent-start
@@ -5,6 +5,13 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 . /usr/sbin/so-common
-/usr/sbin/so-restart elastic-agent $1
+{% if grains.role == 'so-heavynode' %}
 /usr/sbin/so-start elasticagent $1
 {% else %}
 service elastic-agent start
 {% endif %}
--- a/salt/elasticagent/tools/sbin_jinja/so-elastic-agent-status
+++ b/salt/elasticagent/tools/sbin_jinja/so-elastic-agent-status
@@ -0,0 +1,17 @@
 #!/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 . /usr/sbin/so-common
 {% if grains.role == 'so-heavynode' %}
 docker exec so-elastic-agent /usr/share/elastic-agent/elastic-agent status
 {% else %}
 /bin/elastic-agent status
 {% endif %}
--- a/salt/elasticagent/tools/sbin_jinja/so-elastic-agent-stop
+++ b/salt/elasticagent/tools/sbin_jinja/so-elastic-agent-stop
@@ -9,4 +9,9 @@
 . /usr/sbin/so-common
 {% if grains.role == 'so-heavynode' %}
 /usr/sbin/so-stop elastic-agent $1
 {% else %}
 service elastic-agent stop
 {% endif %}
--- a/salt/elasticagent/tools/sbin_jinja/so-elastic-agent-version
+++ b/salt/elasticagent/tools/sbin_jinja/so-elastic-agent-version
@@ -0,0 +1,17 @@
 #!/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 . /usr/sbin/so-common
 {% if grains.role == 'so-heavynode' %}
 docker exec so-elastic-agent /usr/share/elastic-agent/elastic-agent version
 {% else %}
 /bin/elastic-agent version
 {% endif %}
--- a/salt/elasticfleet/config.sls
+++ b/salt/elasticfleet/config.sls
@@ -45,6 +45,13 @@ eaconfdir:
    - group: 939
    - makedirs: True
 ealogdir:
  file.directory:
    - name: /opt/so/log/elasticfleet
    - user: 947
    - group: 939
    - makedirs: True
 eastatedir:
  file.directory:
    - name: /opt/so/conf/elastic-fleet/state
--- a/salt/elasticfleet/defaults.yaml
+++ b/salt/elasticfleet/defaults.yaml
@@ -2,7 +2,7 @@ elasticfleet:
  enabled: False
  config:
    server:
-      custom_fqdn: ''
+      custom_fqdn: []
      enable_auto_configuration: True
      endpoints_enrollment: ''
      es_token: ''
@@ -28,7 +28,17 @@ elasticfleet:
    - aws
    - azure
    - cloudflare
    - elasticsearch
    - endpoint
    - fleet_server
    - fim
    - github
    - google_workspace
    - log
    - osquery_manager
    - redis
    - system
    - tcp
    - udp
    - windows
    - 1password
--- a/salt/elasticfleet/enabled.sls
+++ b/salt/elasticfleet/enabled.sls
@@ -15,15 +15,30 @@
 include:
  - elasticfleet.config
  - elasticfleet.sostatus
  - ssl
-{% if ELASTICFLEETMERGED.config.server.enable_auto_configuration and grains.role not in ['so-import', 'so-eval'] %}
+# If enabled, automatically update Fleet Logstash Outputs
 {% if ELASTICFLEETMERGED.config.server.enable_auto_configuration and grains.role not in ['so-import', 'so-eval', 'so-fleet'] %}
 so-elastic-fleet-auto-configure-logstash-outputs:
  cmd.run:
    - name: /usr/sbin/so-elastic-fleet-outputs-update
    - retry: True
 {% endif %}
-#so-elastic-fleet-auto-configure-server-urls:
+# If enabled, automatically update Fleet Server URLs & ES Connection
-#  cmd.run:
+{% if ELASTICFLEETMERGED.config.server.enable_auto_configuration and grains.role not in ['so-fleet'] %}
-#    - name: /usr/sbin/so-elastic-fleet-urls-update
+so-elastic-fleet-auto-configure-server-urls:
  cmd.run:
    - name: /usr/sbin/so-elastic-fleet-urls-update
    - retry: True
 {% endif %}
 # Automatically update Fleet Server Elasticsearch URLs
 {% if grains.role not in ['so-fleet'] %}
 so-elastic-fleet-auto-configure-elasticsearch-urls:
  cmd.run:
    - name: /usr/sbin/so-elastic-fleet-es-url-update
    - retry: True
 {% endif %}
 {%   if SERVICETOKEN != '' %}
@@ -50,8 +65,15 @@ so-elastic-fleet:
      - {{ BINDING }}
      {% endfor %}
    - binds:
-      - /etc/pki:/etc/pki:ro
+      - /etc/pki/elasticfleet-server.crt:/etc/pki/elasticfleet-server.crt:ro
-      #- /opt/so/conf/elastic-fleet/state:/usr/share/elastic-agent/state:rw
+      - /etc/pki/elasticfleet-server.key:/etc/pki/elasticfleet-server.key:ro
      - /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro
      {% if GLOBALS.os_family == 'Debian' %}
      - /etc/ssl/elasticfleet-server.crt:/etc/ssl/elasticfleet-server.crt:ro
      - /etc/ssl/elasticfleet-server.key:/etc/ssl/elasticfleet-server.key:ro
      - /etc/ssl/tls/certs/intca.crt:/etc/ssl/tls/certs/intca.crt:ro
      {% endif %}
      - /opt/so/log/elasticfleet:/usr/share/elastic-agent/logs 
     {% if DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
        {% for BIND in DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
      - {{ BIND }}
@@ -59,25 +81,39 @@ so-elastic-fleet:
      {% endif %}      
    - environment:
      - FLEET_SERVER_ENABLE=true
-      - FLEET_URL=https://{{ GLOBALS.node_ip }}:8220
+      - FLEET_URL=https://{{ GLOBALS.hostname }}:8220
      - FLEET_SERVER_ELASTICSEARCH_HOST=https://{{ GLOBALS.manager }}:9200
      - FLEET_SERVER_SERVICE_TOKEN={{ SERVICETOKEN }}
      - FLEET_SERVER_POLICY_ID=FleetServer_{{ GLOBALS.hostname }}
      - FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt
      - FLEET_SERVER_CERT=/etc/pki/elasticfleet-server.crt
      - FLEET_SERVER_CERT_KEY=/etc/pki/elasticfleet-server.key
      {% if GLOBALS.os_family == 'Debian' %}
      - FLEET_CA=/etc/ssl/certs/intca.crt     
      - FLEET_SERVER_ELASTICSEARCH_CA=/etc/ssl/certs/intca.crt
      {% else %}
      - FLEET_CA=/etc/pki/tls/certs/intca.crt
      - FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt
      {% endif %}
      - LOGS_PATH=logs
      {% if DOCKER.containers['so-elastic-fleet'].extra_env %}
        {% for XTRAENV in DOCKER.containers['so-elastic-fleet'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
    - watch:
      - x509: etc_elasticfleet_key
      - x509: etc_elasticfleet_crt
 {%   endif %}
 {%  if GLOBALS.role != "so-fleet" %}
 so-elastic-fleet-integrations:
  cmd.run:
    - name: /usr/sbin/so-elastic-fleet-integration-policy-load
 so-elastic-agent-grid-upgrade:
  cmd.run:
    - name: /usr/sbin/so-elastic-agent-grid-upgrade
    - retry: True
 {%  endif %}
 delete_so-elastic-fleet_so-status.disabled:
--- a/salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/import-zeek-logs.json
+++ b/salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/import-zeek-logs.json
@@ -13,7 +13,7 @@
    "logs-logfile": {
      "enabled": true,
      "streams": {
-        "log.log": {
+        "log.logs": {
          "enabled": true,
          "vars": {
            "paths": [
--- a/salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/zeek-logs.json
+++ b/salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/zeek-logs.json
@@ -14,7 +14,7 @@
    "logs-logfile": {
      "enabled": true,
      "streams": {
-        "log.log": {
+        "log.logs": {
          "enabled": true,
          "vars": {
            "paths": [
--- a/salt/elasticfleet/files/integrations/endpoints-initial/elastic-defend-endpoints.json
+++ b/salt/elasticfleet/files/integrations/endpoints-initial/elastic-defend-endpoints.json
@@ -5,17 +5,16 @@
 	"package": {
 		"name": "endpoint",
 		"title": "Elastic Defend",
-		"version": ""
+		"version": "8.8.0"
 	},
 	"enabled": true,
 	"policy_id": "endpoints-initial",
 	"vars": {},
 	"inputs": [{
-		"type": "endpoint",
+		"type": "ENDPOINT_INTEGRATION_CONFIG",
 		"enabled": true,
 		"streams": [],
 		"config": {
-			"integration_config": {
+			"_config": {
 				"value": {
 					"type": "endpoint",
 					"endpointConfig": {
@@ -25,4 +24,4 @@
 			}
 		}
 	}]
-}
+}
--- a/salt/elasticfleet/files/integrations/endpoints-initial/system-endpoints.json
+++ b/salt/elasticfleet/files/integrations/endpoints-initial/system-endpoints.json
@@ -13,9 +13,14 @@
        "system.auth": {
          "enabled": true,
          "vars": {
            "ignore_older": "72h",
            "paths": [
              "/var/log/auth.log*",
              "/var/log/secure*"
            ],
            "preserve_original_event": false,
            "tags": [
              "system-auth"
            ]
          }
        },
@@ -24,34 +29,49 @@
          "vars": {
            "paths": [
              "/var/log/messages*",
-              "/var/log/syslog*"
+              "/var/log/syslog*",
-            ]
+              "/var/log/system*"
            ],
            "tags": [],
            "ignore_older": "72h"
          }
        }
      }
    },
    "system-winlog": {
      "enabled": true,
      "vars": {
        "preserve_original_event": false
      },
      "streams": {
        "system.application": {
          "enabled": true,
          "vars": {
            "preserve_original_event": false,
            "ignore_older": "72h",
            "language": 0,
            "tags": []
          }
        },
        "system.security": {
          "enabled": true,
          "vars": {
            "preserve_original_event": false,
            "ignore_older": "72h",
            "language": 0,
            "tags": []
          }
        },
        "system.system": {
          "enabled": true,
          "vars": {
            "preserve_original_event": false,
            "ignore_older": "72h",
            "language": 0,
            "tags": []
          }
        }
-        }
+      }
-      },
+    },
-      "system-system/metrics": {
+    "system-system/metrics": {
-        "enabled": false
+      "enabled": false
    }
  }
 }
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/idh-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/idh-logs.json
@@ -11,7 +11,7 @@
    "logs-logfile": {
      "enabled": true,
      "streams": {
-        "log.log": {
+        "log.logs": {
          "enabled": true,
          "vars": {
            "paths": [
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json
@@ -12,7 +12,7 @@
    "logs-logfile": {
      "enabled": true,
      "streams": {
-        "log.log": {
+        "log.logs": {
          "enabled": true,
          "vars": {
            "paths": [
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/import-suricata-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/import-suricata-logs.json
@@ -11,7 +11,7 @@
    "logs-logfile": {
      "enabled": true,
      "streams": {
-        "log.log": {
+        "log.logs": {
          "enabled": true,
          "vars": {
            "paths": [
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/kratos-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/kratos-logs.json
@@ -11,7 +11,7 @@
    "logs-logfile": {
      "enabled": true,
      "streams": {
-        "log.log": {
+        "log.logs": {
          "enabled": true,
          "vars": {
            "paths": [
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/soc-auth-sync-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-auth-sync-logs.json
@@ -11,7 +11,7 @@
    "logs-logfile": {
      "enabled": true,
      "streams": {
-        "log.log": {
+        "log.logs": {
          "enabled": true,
          "vars": {
            "paths": [
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/soc-salt-relay-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-salt-relay-logs.json
@@ -11,7 +11,7 @@
    "logs-logfile": {
      "enabled": true,
      "streams": {
-        "log.log": {
+        "log.logs": {
          "enabled": true,
          "vars": {
            "paths": [
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/soc-sensoroni-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-sensoroni-logs.json
@@ -11,7 +11,7 @@
    "logs-logfile": {
      "enabled": true,
      "streams": {
-        "log.log": {
+        "log.logs": {
          "enabled": true,
          "vars": {
            "paths": [
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/soc-server-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-server-logs.json
@@ -11,7 +11,7 @@
    "logs-logfile": {
      "enabled": true,
      "streams": {
-        "log.log": {
+        "log.logs": {
          "enabled": true,
          "vars": {
            "paths": [
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/strelka-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/strelka-logs.json
@@ -11,7 +11,7 @@
    "logs-logfile": {
      "enabled": true,
      "streams": {
-        "log.log": {
+        "log.logs": {
          "enabled": true,
          "vars": {
            "paths": [
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/suricata-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/suricata-logs.json
@@ -11,7 +11,7 @@
    "logs-logfile": {
      "enabled": true,
      "streams": {
-        "log.log": {
+        "log.logs": {
          "enabled": true,
          "vars": {
            "paths": [
--- a/salt/elasticfleet/files/integrations/grid-nodes_heavy/elasticsearch-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_heavy/elasticsearch-logs.json
@@ -1,106 +0,0 @@
 {
  "package": {
    "name": "elasticsearch",
    "version": ""
  },
  "name": "elasticsearch-logs",
  "namespace": "default",
  "description": "Elasticsearch Logs",
  "policy_id": "so-grid-nodes_heavy",
  "inputs": {
    "elasticsearch-logfile": {
      "enabled": true,
      "streams": {
        "elasticsearch.audit": {
          "enabled": false,
          "vars": {
            "paths": [
              "/var/log/elasticsearch/*_audit.json"
            ]
          }
        },
        "elasticsearch.deprecation": {
          "enabled": false,
          "vars": {
            "paths": [
              "/var/log/elasticsearch/*_deprecation.json"
            ]
          }
        },
        "elasticsearch.gc": {
          "enabled": false,
          "vars": {
            "paths": [
              "/var/log/elasticsearch/gc.log.[0-9]*",
              "/var/log/elasticsearch/gc.log"
            ]
          }
        },
        "elasticsearch.server": {
          "enabled": true,
          "vars": {
            "paths": [
              "/opt/so/log/elasticsearch/*.log"
            ]
          }
        },
        "elasticsearch.slowlog": {
          "enabled": false,
          "vars": {
            "paths": [
              "/var/log/elasticsearch/*_index_search_slowlog.json",
              "/var/log/elasticsearch/*_index_indexing_slowlog.json"
            ]
          }
        }
      }
    },
    "elasticsearch-elasticsearch/metrics": {
      "enabled": false,
      "vars": {
        "hosts": [
          "http://localhost:9200"
        ],
        "scope": "node"
      },
      "streams": {
        "elasticsearch.stack_monitoring.ccr": {
          "enabled": false
        },
        "elasticsearch.stack_monitoring.cluster_stats": {
          "enabled": false
        },
        "elasticsearch.stack_monitoring.enrich": {
          "enabled": false
        },
        "elasticsearch.stack_monitoring.index": {
          "enabled": false
        },
        "elasticsearch.stack_monitoring.index_recovery": {
          "enabled": false,
          "vars": {
            "active.only": true
          }
        },
        "elasticsearch.stack_monitoring.index_summary": {
          "enabled": false
        },
        "elasticsearch.stack_monitoring.ml_job": {
          "enabled": false
        },
        "elasticsearch.stack_monitoring.node": {
          "enabled": false
        },
        "elasticsearch.stack_monitoring.node_stats": {
          "enabled": false
        },
        "elasticsearch.stack_monitoring.pending_tasks": {
          "enabled": false
        },
        "elasticsearch.stack_monitoring.shard": {
          "enabled": false
        }
      }
    }
  }
 }
--- a/salt/elasticfleet/files/integrations/grid-nodes_heavy/kratos-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_heavy/kratos-logs.json
@@ -1,29 +0,0 @@
 {
  "package": {
    "name": "log",
    "version": ""
  },
  "name": "kratos-logs",
  "namespace": "so",
  "description": "Kratos logs",
  "policy_id": "so-grid-nodes_heavy",
  "inputs": {
    "logs-logfile": {
      "enabled": true,
      "streams": {
        "log.log": {
          "enabled": true,
          "vars": {
            "paths": [
              "/opt/so/log/kratos/kratos.log"
            ],
            "data_stream.dataset": "kratos",
            "tags": ["so-kratos"],
            "processors": "- decode_json_fields:\n    fields: [\"message\"]\n    target: \"\"\n    add_error_key: true      \n- add_fields:\n    target: event\n    fields:\n      category: iam\n      module: kratos",
            "custom": "pipeline: kratos"
          }
        }
      }
    }
  }
 }
--- a/salt/elasticfleet/files/integrations/grid-nodes_heavy/osquery-grid-nodes.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_heavy/osquery-grid-nodes.json
@@ -3,7 +3,7 @@
    "name": "osquery_manager",
    "version": ""
  },
-  "name": "osquery-grid-nodes",
+  "name": "osquery-grid-nodes_heavy",
  "namespace": "default",
  "policy_id": "so-grid-nodes_heavy",
  "inputs": {
--- a/salt/elasticfleet/files/integrations/grid-nodes_heavy/redis-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_heavy/redis-logs.json
@@ -1,76 +0,0 @@
 {
  "package": {
    "name": "redis",
    "version": ""
  },
  "name": "redis-logs",
  "namespace": "default",
  "description": "Redis logs",
  "policy_id": "so-grid-nodes_heavy",
  "inputs": {
    "redis-logfile": {
      "enabled": true,
      "streams": {
        "redis.log": {
          "enabled": true,
          "vars": {
            "paths": [
              "/opt/so/log/redis/redis.log"
            ],
            "tags": [
              "redis-log"
            ],
            "preserve_original_event": false
          }
        }
      }
    },
    "redis-redis": {
      "enabled": false,
      "streams": {
        "redis.slowlog": {
          "enabled": false,
          "vars": {
            "hosts": [
              "127.0.0.1:6379"
            ],
            "password": ""
          }
        }
      }
    },
    "redis-redis/metrics": {
      "enabled": false,
      "vars": {
        "hosts": [
          "127.0.0.1:6379"
        ],
        "idle_timeout": "20s",
        "maxconn": 10,
        "network": "tcp",
        "password": ""
      },
      "streams": {
        "redis.info": {
          "enabled": false,
          "vars": {
            "period": "10s"
          }
        },
        "redis.key": {
          "enabled": false,
          "vars": {
            "key.patterns": "- limit: 20\n  pattern: *\n",
            "period": "10s"
          }
        },
        "redis.keyspace": {
          "enabled": false,
          "vars": {
            "period": "10s"
          }
        }
      }
    }
  }
 }
--- a/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-auth-sync-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-auth-sync-logs.json
@@ -1,29 +0,0 @@
 {
  "package": {
    "name": "log",
    "version": ""
  },
  "name": "soc-auth-sync-logs",
  "namespace": "so",
  "description": "Security Onion - Elastic Auth Sync - Logs",
  "policy_id": "so-grid-nodes_heavy",
  "inputs": {
    "logs-logfile": {
      "enabled": true,
      "streams": {
        "log.log": {
          "enabled": true,
          "vars": {
            "paths": [
              "/opt/so/log/soc/sync.log"
            ],
            "data_stream.dataset": "soc",
            "tags": ["so-soc"],
            "processors": "- dissect:\n    tokenizer: \"%{event.action}\"\n    field: \"message\"\n    target_prefix: \"\"\n- add_fields:\n    target: event\n    fields:\n      category: host\n      module: soc\n      dataset_temp: auth_sync",
            "custom": "pipeline: common"
          }
        }
      }
    }
  }
 }
--- a/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-salt-relay-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-salt-relay-logs.json
@@ -1,29 +0,0 @@
 {
  "package": {
    "name": "log",
    "version": ""
  },
  "name": "soc-salt-relay-logs",
  "namespace": "so",
  "description": "Security Onion - Salt Relay - Logs",
  "policy_id": "so-grid-nodes_heavy",
  "inputs": {
    "logs-logfile": {
      "enabled": true,
      "streams": {
        "log.log": {
          "enabled": true,
          "vars": {
            "paths": [
              "/opt/so/log/soc/salt-relay.log"
            ],
            "data_stream.dataset": "soc",
            "tags": ["so-soc"],
            "processors": "- dissect:\n    tokenizer: \"%{soc.ts} | %{event.action}\"\n    field: \"message\"\n    target_prefix: \"\"\n- add_fields:\n    target: event\n    fields:\n      category: host\n      module: soc\n      dataset_temp: salt_relay",
            "custom": "pipeline: common"
          }
        }
      }
    }
  }
 }
--- a/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-sensoroni-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-sensoroni-logs.json
@@ -1,29 +0,0 @@
 {
  "package": {
    "name": "log",
    "version": ""
  },
  "name": "soc-sensoroni-logs",
  "namespace": "so",
  "description": "Security Onion - Sensoroni - Logs",
  "policy_id": "so-grid-nodes_heavy",
  "inputs": {
    "logs-logfile": {
      "enabled": true,
      "streams": {
        "log.log": {
          "enabled": true,
          "vars": {
            "paths": [
              "/opt/so/log/sensoroni/sensoroni.log"
            ],
            "data_stream.dataset": "soc",
            "tags": [],
            "processors": "- decode_json_fields:\n    fields: [\"message\"]\n    target: \"sensoroni\"\n    process_array: true\n    max_depth: 2\n    add_error_key: true      \n- add_fields:\n    target: event\n    fields:\n      category: host\n      module: soc\n      dataset_temp: sensoroni\n- rename:\n    fields:\n      - from: \"sensoroni.fields.sourceIp\"\n        to: \"source.ip\"\n      - from: \"sensoroni.fields.status\"\n        to: \"http.response.status_code\"\n      - from: \"sensoroni.fields.method\"\n        to: \"http.request.method\"\n      - from: \"sensoroni.fields.path\"\n        to: \"url.path\"\n      - from: \"sensoroni.message\"\n        to: \"event.action\"\n      - from: \"sensoroni.level\"\n        to: \"log.level\"\n    ignore_missing: true",
            "custom": "pipeline: common"
          }
        }
      }
    }
  }
 }
--- a/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-server-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-server-logs.json
@@ -1,29 +0,0 @@
 {
  "package": {
    "name": "log",
    "version": ""
  },
  "name": "soc-server-logs",
  "namespace": "so",
  "description": "Security Onion Console Logs",
  "policy_id": "so-grid-nodes_heavy",
  "inputs": {
    "logs-logfile": {
      "enabled": true,
      "streams": {
        "log.log": {
          "enabled": true,
          "vars": {
            "paths": [
              "/opt/so/log/soc/sensoroni-server.log"
            ],
            "data_stream.dataset": "soc",
            "tags": ["so-soc"],
            "processors": "- decode_json_fields:\n    fields: [\"message\"]\n    target: \"soc\"\n    process_array: true\n    max_depth: 2\n    add_error_key: true      \n- add_fields:\n    target: event\n    fields:\n      category: host\n      module: soc\n      dataset_temp: server\n- rename:\n    fields:\n      - from: \"soc.fields.sourceIp\"\n        to: \"source.ip\"\n      - from: \"soc.fields.status\"\n        to: \"http.response.status_code\"\n      - from: \"soc.fields.method\"\n        to: \"http.request.method\"\n      - from: \"soc.fields.path\"\n        to: \"url.path\"\n      - from: \"soc.message\"\n        to: \"event.action\"\n      - from: \"soc.level\"\n        to: \"log.level\"\n    ignore_missing: true",
            "custom": "pipeline: common"
          }
        }
      }
    }
  }
 }
--- a/salt/elasticfleet/files/integrations/grid-nodes_heavy/system-grid-nodes.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_heavy/system-grid-nodes.json
@@ -4,7 +4,7 @@
    "name": "system",
    "version": ""
  },
-  "name": "system-grid-nodes",
+  "name": "system-grid-nodes_heavy",
  "namespace": "default",
  "inputs": {
    "system-logfile": {
--- a/salt/elasticfleet/install_agent_grid.sls
+++ b/salt/elasticfleet/install_agent_grid.sls
@@ -14,12 +14,14 @@ run_installer:
    - name: salt://elasticfleet/files/so_agent-installers/so-elastic-agent_linux_amd64
    - cwd: /opt/so
    - args: -token={{ GRIDNODETOKENGENERAL }}
    - retry: True
 {% else %} 
 run_installer:
  cmd.script:
    - name: salt://elasticfleet/files/so_agent-installers/so-elastic-agent_linux_amd64
    - cwd: /opt/so
    - args: -token={{ GRIDNODETOKENHEAVY }}
    - retry: True
 {% endif %}  
 {% endif %}
--- a/salt/elasticfleet/soc_elasticfleet.yaml
+++ b/salt/elasticfleet/soc_elasticfleet.yaml
@@ -12,10 +12,11 @@ elasticfleet:
  config:
    server:
      custom_fqdn:
-        description: Custom FQDN for Agents to connect to.
+        description: Custom FQDN for Agents to connect to. One per line.
        global: True
        helpLink: elastic-fleet.html
        advanced: True
        forcedType: "[]string"
      enable_auto_configuration:
        description: Enable auto-configuration of Logstash Outputs & Fleet Host URLs.
        global: True
--- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-common
+++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-common
@@ -56,6 +56,11 @@ elastic_fleet_package_version_check() {
    curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/epm/packages/$PACKAGE" | jq -r '.item.version'
 }
 elastic_fleet_package_latest_version_check() {
    PACKAGE=$1
    curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/epm/packages/$PACKAGE" | jq -r '.item.latestVersion'
 }
 elastic_fleet_package_install() {
    PKGKEY=$1
    curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST -H 'kbn-xsrf: true' "localhost:5601/api/fleet/epm/packages/$PKGKEY"
--- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load
+++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load
@@ -9,16 +9,17 @@
 RETURN_CODE=0
 if [ ! -f /opt/so/state/eaintegrations.txt ]; then
  # First, check for any package upgrades
  /usr/sbin/so-elastic-fleet-package-upgrade
  # Initial Endpoints
  for INTEGRATION in /opt/so/conf/elastic-fleet/integrations/endpoints-initial/*.json
  do
    printf "\n\nInitial Endpoints Policy - Loading $INTEGRATION\n"
    elastic_fleet_integration_check "endpoints-initial" "$INTEGRATION"
    if [ -n "$INTEGRATION_ID" ]; then
-      if [ "$NAME" != "elastic-defend-endpoints" ]; then
+      printf "\n\nIntegration $NAME exists - Updating integration\n"
-        printf "\n\nIntegration $NAME exists - Updating integration\n"
+      elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION"
        elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION"
      fi
    else
      printf "\n\nIntegration does not exist - Creating integration\n"
      elastic_fleet_integration_create "@$INTEGRATION"
@@ -35,9 +36,7 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then
      elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION"
    else
      printf "\n\nIntegration does not exist - Creating integration\n"
-      if [ "$NAME" != "elasticsearch-logs" ]; then
+      elastic_fleet_integration_create "@$INTEGRATION"
        elastic_fleet_integration_create "@$INTEGRATION"
      fi
    fi
  done
  if [[ "$RETURN_CODE" != "1" ]]; then
--- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-package-list
+++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-package-list
@@ -0,0 +1,15 @@
 #!/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 . /usr/sbin/so-elastic-fleet-common
 # Let's snag a cookie from Kibana
 SESSIONCOOKIE=$(curl -s -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}')
 # List configured package policies
 curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/epm/packages" -H 'kbn-xsrf: true' | jq
 echo
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers
@@ -11,6 +11,12 @@
 . /usr/sbin/so-common
 . /usr/sbin/so-elastic-fleet-common
 LOG="/opt/so/log/elasticfleet/so-elastic-agent-gen-installers.log"
 # Check to see if we are already running
 NUM_RUNNING=$(pgrep -cf "/bin/bash /sbin/so-elastic-agent-gen-installers")
 [ "$NUM_RUNNING" -gt 1 ] && echo "$(date) - $NUM_RUNNING gen installers script processes running...exiting." >>$LOG && exit 0
 for i in {1..30}
 do
   ENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json'  | jq .list | jq -r -c '.[] | select(.policy_id | contains("endpoints-initial")) | .api_key')
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-grid-upgrade
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-grid-upgrade
@@ -0,0 +1,38 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
 # this file except in compliance with the Elastic License 2.0.
 . /usr/sbin/so-common
 # Only run on Managers
 if ! is_manager_node; then
    printf "Not a Manager Node... Exiting"
    exit 0
 fi
 # Get current list of Grid Node Agents that need to be upgraded
 RAW_JSON=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "http://localhost:5601/api/fleet/agents?perPage=20&page=1&kuery=policy_id%20%3A%20so-grid-nodes_%2A&showInactive=false&showUpgradeable=true&getStatusSummary=true")
 # Check to make sure that the server responded with good data - else, bail from script
 CHECKSUM=$(jq -r '.page' <<< "$RAW_JSON")
 if [ "$CHECKSUM" -ne 1 ]; then
 printf "Failed to query for current Grid Agents...\n"
 exit 1
 fi
 # Generate list of Node Agents that need updates
 OUTDATED_LIST=$(jq -r '.items | map(.id) | (tojson)'  <<<  "$RAW_JSON")
 if [ "$OUTDATED_LIST" != '[]' ]; then
   AGENTNUMBERS=$(jq -r '.total' <<< "$RAW_JSON")
   printf "Initiating upgrades for $AGENTNUMBERS Agents to Elastic $ELASTIC_AGENT_TARBALL_VERSION...\n\n"
   # Generate updated JSON payload
   JSON_STRING=$(jq -n --arg ELASTICVERSION $ELASTIC_AGENT_TARBALL_VERSION --arg UPDATELIST $OUTDATED_LIST '{"version": $ELASTICVERSION,"agents": $UPDATELIST }')
   # Update Node Agents
   curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "http://localhost:5601/api/fleet/agents/bulk_upgrade" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
 else
    printf "No Agents need updates... Exiting\n\n"
    exit 0
 fi
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-inspect
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-inspect
@@ -0,0 +1,16 @@
 #!/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 . /usr/sbin/so-elastic-fleet-common
 {% if grains.role == 'so-heavynode' %}
 docker exec so-elastic-agent /usr/share/elastic-agent/elastic-agent inspect
 {% else %}
 /bin/elastic-agent inspect
 {% endif %}
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-restart
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-restart
@@ -0,0 +1,16 @@
 #!/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 . /usr/sbin/so-elastic-fleet-common
 {% if grains.role == 'so-heavynode' %}
 docker exec so-elastic-agent service elastic-agent restart
 {% else %}
 service elastic-agent restart
 {% endif %}
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-start
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-start
@@ -0,0 +1,17 @@
 #!/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 . /usr/sbin/so-elastic-fleet-common
 {% if grains.role == 'so-heavynode' %}
 docker exec so-elastic-agent service elastic-agent start
 {% else %}
 service elastic-agent start
 {% endif %}
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-status
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-status
@@ -0,0 +1,17 @@
 #!/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 . /usr/sbin/so-elastic-fleet-common
 {% if grains.role == 'so-heavynode' %}
 docker exec so-elastic-agent /usr/share/elastic-agent/elastic-agent status
 {% else %}
 /bin/elastic-agent status
 {% endif %}
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-stop
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-stop
@@ -0,0 +1,17 @@
 #!/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 . /usr/sbin/so-elastic-fleet-common
 {% if grains.role == 'so-heavynode' %}
 docker exec so-elastic-agent service elastic-agent stop
 {% else %}
 service elastic-agent stop
 {% endif %}
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-version
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-version
@@ -0,0 +1,17 @@
 #!/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 . /usr/sbin/so-elastic-fleet-common
 {% if grains.role == 'so-heavynode' %}
 docker exec so-elastic-agent /usr/share/elastic-agent/elastic-agent version
 {% else %}
 /bin/elastic-agent version
 {% endif %}
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-es-url-update
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-es-url-update
@@ -0,0 +1,64 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
 # this file except in compliance with the Elastic License 2.0.
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 . /usr/sbin/so-common
 # Only run on Managers
 if ! is_manager_node; then
    printf "Not a Manager Node... Exiting"
    exit 0
 fi
 function update_es_urls() {
    # Generate updated JSON payload
 {% if grains.role not in ['so-import', 'so-eval'] %}
    JSON_STRING=$(jq -n --arg UPDATEDLIST $NEW_LIST_JSON '{"name":"so-manager_elasticsearch","type":"elasticsearch","hosts": $UPDATEDLIST,"config_yaml":""}')
 {%- else %}
    JSON_STRING=$(jq -n --arg UPDATEDLIST $NEW_LIST_JSON '{"name":"so-manager_elasticsearch","type":"elasticsearch","hosts": $UPDATEDLIST,"is_default":true,"is_default_monitoring":true,"config_yaml":""}')
 {%- endif %}
    # Update Fleet Elasticsearch URLs
    curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/outputs/so-manager_elasticsearch" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
 }
 # Get current list of Fleet Elasticsearch URLs
 RAW_JSON=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/outputs/so-manager_elasticsearch')
 # Check to make sure that the server responded with good data - else, bail from script
 CHECKSUM=$(jq -r '.item.id' <<< "$RAW_JSON")
 if [ "$CHECKSUM" != "so-manager_elasticsearch" ]; then
 printf "Failed to query for current Fleet Server Elasticsearch URLs..."
 exit 1
 fi
 # Get the current list of Fleet Server Elasticsearch & hash them
 CURRENT_LIST=$(jq -c -r '.item.hosts' <<<  "$RAW_JSON")
 CURRENT_HASH=$(sha1sum <<< "$CURRENT_LIST" | awk '{print $1}')
 # Create array & add initial elements
 NEW_LIST=("https://{{ GLOBALS.hostname }}:9200")
 # Sort & hash the new list of Fleet Elasticsearch URLs
 NEW_LIST_JSON=$(jq --compact-output --null-input '$ARGS.positional' --args -- "${NEW_LIST[@]}")
 NEW_HASH=$(sha1sum <<< "$NEW_LIST_JSON" | awk '{print $1}')
 # Compare the current & new list of URLs - if different, update the Fleet Elasticsearch URLs
 if [ "$1" = "--force" ]; then
    printf "\nUpdating List, since --force was specified.\n"
    printf "Current List: $CURRENT_LIST\nNew List: $NEW_LIST_JSON\n"
    update_es_urls
    exit 0
 fi
 if [ "$NEW_HASH" = "$CURRENT_HASH" ]; then
    printf "\nHashes match - no update needed.\n"
    printf "Current List: $CURRENT_LIST\nNew List: $NEW_LIST_JSON\n"
    exit 0
 else
    printf "\nHashes don't match - update needed.\n"
    printf "Current List: $CURRENT_LIST\nNew List: $NEW_LIST_JSON\n"
    update_es_urls
 fi
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-outputs-update
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-outputs-update
@@ -2,7 +2,15 @@
 # or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
 # this file except in compliance with the Elastic License 2.0.
 {% from 'vars/globals.map.jinja' import GLOBALS %}
-{% set CUSTOMFQDN = salt['pillar.get']('elasticfleet:config:server:custom_fqdn') %}
+{% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
 . /usr/sbin/so-common
 # Only run on Managers
 if ! is_manager_node; then
    printf "Not a Manager Node... Exiting"
    exit 0
 fi
 function update_logstash_outputs() {
 	# Generate updated JSON payload
@@ -27,15 +35,20 @@ CURRENT_LIST=$(jq -c -r '.item.hosts' <<<  "$RAW_JSON")
 CURRENT_HASH=$(sha1sum <<< "$CURRENT_LIST" | awk '{print $1}')
 # Create array & add initial elements
-if [ "{{ GLOBALS.manager_ip }}" = "{{ GLOBALS.url_base }}" ]; then
+if [ "{{ GLOBALS.hostname }}" = "{{ GLOBALS.url_base }}" ]; then
    NEW_LIST=("{{ GLOBALS.url_base }}:5055")
 else
-    NEW_LIST=("{{ GLOBALS.url_base }}:5055" "{{ GLOBALS.manager_ip }}:5055")
+    NEW_LIST=("{{ GLOBALS.url_base }}:5055" "{{ GLOBALS.hostname }}:5055")
 fi
-{% if CUSTOMFQDN != "" %}
+# Query for FQDN entries & add them to the list
-# Add Custom Hostname to list
+{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %}
-NEW_LIST+=("{{ CUSTOMFQDN }}:5055")
+CUSTOMFQDNLIST=('{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(' ') }}')
 readarray -t -d ' ' CUSTOMFQDN < <(printf '%s' "$CUSTOMFQDNLIST")
 for CUSTOMNAME in "${CUSTOMFQDN[@]}"
 do
 NEW_LIST+=("$CUSTOMNAME:5055")
 done
 {% endif %}
 # Query for the current Grid Nodes that are running Logstash
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-upgrade
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-upgrade
@@ -0,0 +1,17 @@
 #!/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
 # this file except in compliance with the Elastic License 2.0.
 {%- import_yaml 'elasticfleet/defaults.yaml' as ELASTICFLEETDEFAULTS %}
 {%- set SUPPORTED_PACKAGES = salt['pillar.get']('elasticfleet:packages', default=ELASTICFLEETDEFAULTS.elasticfleet.packages, merge=True) %}
 . /usr/sbin/so-elastic-fleet-common
 {%- for PACKAGE in SUPPORTED_PACKAGES %}
 echo "Upgrading {{ PACKAGE }} package..."
 VERSION=$(elastic_fleet_package_latest_version_check "{{ PACKAGE }}")
 elastic_fleet_package_install "{{ PACKAGE }}-$VERSION"
 echo
 {%- endfor %}
 echo
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup
@@ -6,6 +6,12 @@
 # this file except in compliance with the Elastic License 2.0.
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% if GLOBALS.os_family == 'Debian' %}
 INTCA=/etc/ssl/certs/intca.crt
 {% else %}
 INTCA=/etc/pki/tls/certs/intca.crt
 {% endif %}
 . /usr/sbin/so-elastic-fleet-common
 printf "\n### Create ES Token ###\n"
@@ -13,7 +19,7 @@ ESTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5
 ### Create Outputs & Fleet URLs ###
 printf "\nAdd Manager Elasticsearch Output...\n"
-ESCACRT=$(openssl x509 -in  /etc/pki/tls/certs/intca.crt)
+ESCACRT=$(openssl x509 -in  $INTCA)
 JSON_STRING=$( jq -n \
                  --arg ESCACRT "$ESCACRT" \
                  '{"name":"so-manager_elasticsearch","id":"so-manager_elasticsearch","type":"elasticsearch","hosts":["https://{{ GLOBALS.manager_ip }}:9200","https://{{ GLOBALS.manager }}:9200"],"is_default":true,"is_default_monitoring":true,"config_yaml":"","ssl":{"certificate_authorities": [$ESCACRT]}}' )
@@ -22,9 +28,9 @@ printf "\n\n"
 printf "\nCreate Logstash Output Config if node is not an Import or Eval install\n"
 {% if grains.role not in ['so-import', 'so-eval'] %}
-LOGSTASHCRT=$(openssl x509 -in /etc/pki/elasticfleet-agent.crt)
+LOGSTASHCRT=$(openssl x509 -in /etc/pki/elasticfleet-logstash.crt)
-LOGSTASHKEY=$(openssl rsa -in  /etc/pki/elasticfleet-agent.key)
+LOGSTASHKEY=$(openssl rsa -in  /etc/pki/elasticfleet-logstash.key)
-LOGSTASHCA=$(openssl x509 -in  /etc/pki/tls/certs/intca.crt)
+LOGSTASHCA=$(openssl x509 -in  $INTCA)
 JSON_STRING=$( jq -n \
                  --arg LOGSTASHCRT "$LOGSTASHCRT" \
                  --arg LOGSTASHKEY "$LOGSTASHKEY" \
@@ -35,12 +41,12 @@ curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fl
 printf "\n\n"
 {%- endif %}
-# Add Manager IP & URL Base to Fleet Host URLs
+# Add Manager Hostname & URL Base to Fleet Host URLs
 printf "\nAdd SO-Manager Fleet URL\n"
-if [ "{{ GLOBALS.manager_ip }}" = "{{ GLOBALS.url_base }}" ]; then
+if [ "{{ GLOBALS.hostname }}" = "{{ GLOBALS.url_base }}" ]; then
    JSON_STRING=$( jq -n '{"id":"grid-default","name":"grid-default","is_default":true,"host_urls":["https://{{ GLOBALS.url_base }}:8220"]}')
 else
-    JSON_STRING=$( jq -n '{"id":"grid-default","name":"grid-default","is_default":true,"host_urls":["https://{{ GLOBALS.url_base }}:8220", "https://{{ GLOBALS.manager_ip }}:8220"]}')
+    JSON_STRING=$( jq -n '{"id":"grid-default","name":"grid-default","is_default":true,"host_urls":["https://{{ GLOBALS.url_base }}:8220", "https://{{ GLOBALS.hostname }}:8220"]}')
 fi
 ## This array replaces whatever URLs are currently configured
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-urls-update
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-urls-update
@@ -0,0 +1,80 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
 # this file except in compliance with the Elastic License 2.0.
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
 . /usr/sbin/so-common
 # Only run on Managers
 if ! is_manager_node; then
    printf "Not a Manager Node... Exiting"
    exit 0
 fi
 function update_fleet_urls() {
 	# Generate updated JSON payload
    JSON_STRING=$(jq -n --arg UPDATEDLIST $NEW_LIST_JSON '{"name":"grid-default","is_default":true,"host_urls": $UPDATEDLIST}')
    # Update Fleet Server URLs
    curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/fleet_server_hosts/grid-default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
 }
 # Get current list of Fleet Server URLs
 RAW_JSON=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/fleet_server_hosts/grid-default')
 # Check to make sure that the server responded with good data - else, bail from script
 CHECKSUM=$(jq -r '.item.id' <<< "$RAW_JSON")
 if [ "$CHECKSUM" != "grid-default" ]; then
 printf "Failed to query for current Fleet Server URLs..."
 exit 1
 fi
 # Get the current list of Fleet Server URLs & hash them
 CURRENT_LIST=$(jq -c -r '.item.host_urls' <<<  "$RAW_JSON")
 CURRENT_HASH=$(sha1sum <<< "$CURRENT_LIST" | awk '{print $1}')
 # Create array & add initial elements
 if [ "{{ GLOBALS.hostname }}" = "{{ GLOBALS.url_base }}" ]; then
    NEW_LIST=("https://{{ GLOBALS.url_base }}:8220")
 else
    NEW_LIST=("https://{{ GLOBALS.url_base }}:8220" "https://{{ GLOBALS.hostname }}:8220")
 fi
 # Query for FQDN entries & add them to the list
 {% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %}
 CUSTOMFQDNLIST=('{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(' ') }}')
 readarray -t -d ' ' CUSTOMFQDN < <(printf '%s' "$CUSTOMFQDNLIST")
 for CUSTOMNAME in "${CUSTOMFQDN[@]}"
 do
 NEW_LIST+=("https://$CUSTOMNAME:8220")
 done
 {% endif %}
 # Query for the current Grid Nodes that are running Logstash (which includes Fleet Nodes)
 LOGSTASHNODES=$(salt-call --out=json pillar.get logstash:nodes | jq '.local')
 # Query for Fleet Nodes & add them to the list (Hostname)
 if grep -q "fleet" <<< $LOGSTASHNODES; then
   readarray -t FLEETNODES < <(jq -r ' .fleet | keys_unsorted[]'  <<< $LOGSTASHNODES)
   for NODE in "${FLEETNODES[@]}"
   do
    NEW_LIST+=("https://$NODE:8220")
   done
 fi
 # Sort & hash the new list of Fleet Server URLs
 NEW_LIST_JSON=$(jq --compact-output --null-input '$ARGS.positional' --args -- "${NEW_LIST[@]}")
 NEW_HASH=$(sha1sum <<< "$NEW_LIST_JSON" | awk '{print $1}')
 # Compare the current & new list of URLs - if different, update the Fleet Server URLs & regenerate the agent installer
 if [ "$NEW_HASH" = "$CURRENT_HASH" ]; then
    printf "\nHashes match - no update needed.\n"
    printf "Current List: $CURRENT_LIST\nNew List: $NEW_LIST_JSON\n"
    exit 0
 else
    printf "\nHashes don't match - update needed.\n"
    printf "Current List: $CURRENT_LIST\nNew List: $NEW_LIST_JSON\n"
    update_fleet_urls
    /sbin/so-elastic-agent-gen-installers >> /opt/so/log/elasticfleet/so-elastic-agent-gen-installers.log &
 fi
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -81,6 +81,8 @@ elasticsearch:
              managed: true
        composed_of:
          - "so-data-streams-mappings"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
          - "so-logs-mappings"
          - "so-logs-settings"
        priority: 225
@@ -111,7 +113,7 @@ elasticsearch:
            name: elastic_agent
          managed_by: security_onion
          managed: true  
-    so-logs-system.auth:
+    so-logs-system_x_auth:
      index_sorting: False
      index_template:
        index_patterns:
@@ -130,7 +132,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-system.syslog:
+    so-logs-system_x_syslog:
      index_sorting: False
      index_template:
        index_patterns:
@@ -149,7 +151,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-system.system:
+    so-logs-system_x_system:
      index_sorting: False
      index_template:
        index_patterns:
@@ -168,7 +170,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-system.application:
+    so-logs-system_x_application:
      index_sorting: False
      index_template:
        index_patterns:
@@ -187,7 +189,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-system.security:
+    so-logs-system_x_security:
      index_sorting: False
      index_template:
        index_patterns:
@@ -206,7 +208,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-windows.forwarded:
+    so-logs-windows_x_forwarded:
      index_sorting: False
      index_template:
        index_patterns:
@@ -224,7 +226,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-windows.powershell:
+    so-logs-windows_x_powershell:
      index_sorting: False
      index_template:
        index_patterns:
@@ -242,7 +244,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-windows.powershell_operational:
+    so-logs-windows_x_powershell_operational:
      index_sorting: False
      index_template:
        index_patterns:
@@ -260,7 +262,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-windows.sysmon_operational:
+    so-logs-windows_x_sysmon_operational:
      index_sorting: False
      index_template:
        index_patterns:
@@ -278,7 +280,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-aws.cloudtrail:
+    so-logs-aws_x_cloudtrail:
      index_sorting: False
      index_template:
        index_patterns:
@@ -296,7 +298,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-aws.cloudwatch_logs:
+    so-logs-aws_x_cloudwatch_logs:
      index_sorting: False
      index_template:
        index_patterns:
@@ -314,7 +316,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-aws.ec2_logs:
+    so-logs-aws_x_ec2_logs:
      index_sorting: False
      index_template:
        index_patterns:
@@ -332,7 +334,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-aws.elb_logs:
+    so-logs-aws_x_elb_logs:
      index_sorting: False
      index_template:
        index_patterns:
@@ -350,7 +352,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-aws.firewall_logs:
+    so-logs-aws_x_firewall_logs:
      index_sorting: False
      index_template:
        index_patterns:
@@ -368,7 +370,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-aws.route53_public_logs:
+    so-logs-aws_x_route53_public_logs:
      index_sorting: False
      index_template:
        index_patterns:
@@ -386,7 +388,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-aws.route53_resolver_logs:
+    so-logs-aws_x_route53_resolver_logs:
      index_sorting: False
      index_template:
        index_patterns:
@@ -404,7 +406,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-aws.s3access:
+    so-logs-aws_x_s3access:
      index_sorting: False
      index_template:
        index_patterns:
@@ -422,7 +424,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-aws.vpcflow:
+    so-logs-aws_x_vpcflow:
      index_sorting: False
      index_template:
        index_patterns:
@@ -440,7 +442,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-aws.waf:
+    so-logs-aws_x_waf:
      index_sorting: False
      index_template:
        index_patterns:
@@ -458,7 +460,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-azure.activitylogs:
+    so-logs-azure_x_activitylogs:
      index_sorting: False
      index_template:
        index_patterns:
@@ -476,7 +478,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-azure.application_gateway:
+    so-logs-azure_x_application_gateway:
      index_sorting: False
      index_template:
        index_patterns:
@@ -494,7 +496,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-azure.auditlogs:
+    so-logs-azure_x_auditlogs:
      index_sorting: False
      index_template:
        index_patterns:
@@ -512,7 +514,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-azure.eventhub:
+    so-logs-azure_x_eventhub:
      index_sorting: False
      index_template:
        index_patterns:
@@ -530,7 +532,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-azure.firewall_logs:
+    so-logs-azure_x_firewall_logs:
      index_sorting: False
      index_template:
        index_patterns:
@@ -548,7 +550,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-azure.identity_protection:
+    so-logs-azure_x_identity_protection:
      index_sorting: False
      index_template:
        index_patterns:
@@ -566,7 +568,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-azure.platformlogs:
+    so-logs-azure_x_platformlogs:
      index_sorting: False
      index_template:
        index_patterns:
@@ -584,7 +586,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-azure.provisioning:
+    so-logs-azure_x_provisioning:
      index_sorting: False
      index_template:
        index_patterns:
@@ -602,7 +604,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-azure.signinlogs:
+    so-logs-azure_x_signinlogs:
      index_sorting: False
      index_template:
        index_patterns:
@@ -620,7 +622,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-azure.springcloudlogs:
+    so-logs-azure_x_springcloudlogs:
      index_sorting: False
      index_template:
        index_patterns:
@@ -638,7 +640,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-cloudflare.audit:
+    so-logs-cloudflare_x_audit:
      index_sorting: False
      index_template:
        index_patterns:
@@ -656,7 +658,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-cloudflare.logpull:
+    so-logs-cloudflare_x_logpull:
      index_sorting: False
      index_template:
        index_patterns:
@@ -674,7 +676,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-fim.event:
+    so-logs-fim_x_event:
      index_sorting: False
      index_template:
        index_patterns:
@@ -692,7 +694,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-github.audit:
+    so-logs-github_x_audit:
      index_sorting: False
      index_template:
        index_patterns:
@@ -710,7 +712,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-github.code_scanning:
+    so-logs-github_x_code_scanning:
      index_sorting: False
      index_template:
        index_patterns:
@@ -728,7 +730,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-github.dependabot:
+    so-logs-github_x_dependabot:
      index_sorting: False
      index_template:
        index_patterns:
@@ -746,7 +748,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-github.issues:
+    so-logs-github_x_issues:
      index_sorting: False
      index_template:
        index_patterns:
@@ -764,7 +766,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-github.secret_scanning:
+    so-logs-github_x_secret_scanning:
      index_sorting: False
      index_template:
        index_patterns:
@@ -782,7 +784,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-google_workspace.access_transparency:
+    so-logs-google_workspace_x_access_transparency:
      index_sorting: False
      index_template:
        index_patterns:
@@ -800,7 +802,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-google_workspace.admin:
+    so-logs-google_workspace_x_admin:
      index_sorting: False
      index_template:
        index_patterns:
@@ -818,7 +820,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-google_workspace.alert:
+    so-logs-google_workspace_x_alert:
      index_sorting: False
      index_template:
        index_patterns:
@@ -836,7 +838,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-google_workspace.context_aware_access:
+    so-logs-google_workspace_x_context_aware_access:
      index_sorting: False
      index_template:
        index_patterns:
@@ -854,7 +856,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-google_workspace.device:
+    so-logs-google_workspace_x_device:
      index_sorting: False
      index_template:
        index_patterns:
@@ -872,7 +874,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-google_workspace.drive:
+    so-logs-google_workspace_x_drive:
      index_sorting: False
      index_template:
        index_patterns:
@@ -890,7 +892,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-google_workspace.gcp:
+    so-logs-google_workspace_x_gcp:
      index_sorting: False
      index_template:
        index_patterns:
@@ -908,7 +910,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-google_workspace.group_enterprise:
+    so-logs-google_workspace_x_group_enterprise:
      index_sorting: False
      index_template:
        index_patterns:
@@ -926,7 +928,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-google_workspace.groups:
+    so-logs-google_workspace_x_groups:
      index_sorting: False
      index_template:
        index_patterns:
@@ -944,7 +946,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-google_workspace.login:
+    so-logs-google_workspace_x_login:
      index_sorting: False
      index_template:
        index_patterns:
@@ -962,7 +964,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-google_workspace.rules:
+    so-logs-google_workspace_x_rules:
      index_sorting: False
      index_template:
        index_patterns:
@@ -980,7 +982,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-google_workspace.saml:
+    so-logs-google_workspace_x_saml:
      index_sorting: False
      index_template:
        index_patterns:
@@ -998,7 +1000,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-google_workspace.token:
+    so-logs-google_workspace_x_token:
      index_sorting: False
      index_template:
        index_patterns:
@@ -1016,7 +1018,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-google_workspace.user_accounts:
+    so-logs-google_workspace_x_user_accounts:
      index_sorting: False
      index_template:
        index_patterns:
@@ -1034,7 +1036,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-1password.item_usages:
+    so-logs-1password_x_item_usages:
      index_sorting: False
      index_template:
        index_patterns:
@@ -1052,7 +1054,7 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-1password.signin_attempts:
+    so-logs-1password_x_signin_attempts:
      index_sorting: False
      index_template:
        index_patterns:
@@ -1087,7 +1089,7 @@ elasticsearch:
            name: elastic_agent
          managed_by: security_onion
          managed: true
-    so-logs-osquery-manager-action.responses:
+    so-logs-osquery-manager-action_x_responses:
      index_sorting: False
      index_template:
        index_patterns:
@@ -1104,7 +1106,7 @@ elasticsearch:
            name: elastic_agent
          managed_by: security_onion
          managed: true
-    so-logs-elastic_agent.apm_server:
+    so-logs-elastic_agent_x_apm_server:
      index_sorting: False
      index_template:
        index_patterns:
@@ -1158,7 +1160,7 @@ elasticsearch:
            name: elastic_agent
          managed_by: security_onion
          managed: true
-    so-logs-elastic_agent.auditbeat:
+    so-logs-elastic_agent_x_auditbeat:
      index_sorting: False
      index_template:
        index_patterns:
@@ -1212,7 +1214,7 @@ elasticsearch:
            name: elastic_agent
          managed_by: security_onion
          managed: true
-    so-logs-elastic_agent.cloudbeat:
+    so-logs-elastic_agent_x_cloudbeat:
      index_sorting: False
      index_template:
        index_patterns:
@@ -1263,7 +1265,7 @@ elasticsearch:
            name: elastic_agent
          managed_by: security_onion
          managed: true
-    so-logs-elastic_agent.endpoint_security:
+    so-logs-elastic_agent_x_endpoint_security:
      index_sorting: False
      index_template:
        index_patterns:
@@ -1312,7 +1314,399 @@ elasticsearch:
            name: elastic_agent
          managed_by: security_onion
          managed: true
-    so-logs-elastic_agent.filebeat:
+    so-logs-endpoint_x_alerts:
      index_sorting: False
      index_template:
        index_patterns:
          - "logs-endpoint.alerts-*"
        template:
          settings:
            index:
              number_of_replicas: 0
              mapping:
                total_fields:
                  limit: 5000
              sort:
                field: "@timestamp"
                order: desc
        composed_of:
          - "event-mappings"
          - "logs-endpoint.alerts@custom"
          - "logs-endpoint.alerts@package"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
      policy:
        phases:
          hot:
            min_age: 0ms
            actions:
              set_priority:
                priority: 100
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
          cold:
            min_age: 30d
            actions:
              set_priority:
                priority: 0
          delete:
            min_age: 365d
            actions:
              delete: {}
        _meta:
          package:
            name: elastic_agent
          managed_by: security_onion
          managed: true
    so-logs-endpoint_x_events_x_api:
      index_sorting: False
      index_template:
        index_patterns:
          - "logs-endpoint.events.api-*"
        template:
          settings:
            index:
              number_of_replicas: 0
              mapping:
                total_fields:
                  limit: 5000
              sort:
                field: "@timestamp"
                order: desc
        composed_of:
          - "event-mappings"
          - "logs-endpoint.events.api@custom"
          - "logs-endpoint.events.api@package"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
      policy:
        phases:
          hot:
            min_age: 0ms
            actions:
              set_priority:
                priority: 100
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
          cold:
            min_age: 30d
            actions:
              set_priority:
                priority: 0
          delete:
            min_age: 365d
            actions:
              delete: {}
        _meta:
          package:
            name: elastic_agent
          managed_by: security_onion
          managed: true
    so-logs-endpoint_x_events_x_file:
      index_sorting: False
      index_template:
        index_patterns:
          - "logs-endpoint.events.file-*"
        template:
          settings:
            index:
              number_of_replicas: 0
              mapping:
                total_fields:
                  limit: 5000
              sort:
                field: "@timestamp"
                order: desc
        composed_of:
          - "event-mappings"
          - "logs-endpoint.events.file@custom"
          - "logs-endpoint.events.file@package"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
      policy:
        phases:
          hot:
            min_age: 0ms
            actions:
              set_priority:
                priority: 100
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
          cold:
            min_age: 30d
            actions:
              set_priority:
                priority: 0
          delete:
            min_age: 365d
            actions:
              delete: {}
        _meta:
          package:
            name: elastic_agent
          managed_by: security_onion
          managed: true
    so-logs-endpoint_x_events_x_library:
      index_sorting: False
      index_template:
        index_patterns:
          - "logs-endpoint.events.library-*"
        template:
          settings:
            index:
              number_of_replicas: 0
              mapping:
                total_fields:
                  limit: 5000
              sort:
                field: "@timestamp"
                order: desc
        composed_of:
          - "event-mappings"
          - "logs-endpoint.events.library@custom"
          - "logs-endpoint.events.library@package"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
      policy:
        phases:
          hot:
            min_age: 0ms
            actions:
              set_priority:
                priority: 100
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
          cold:
            min_age: 30d
            actions:
              set_priority:
                priority: 0
          delete:
            min_age: 365d
            actions:
              delete: {}
        _meta:
          package:
            name: elastic_agent
          managed_by: security_onion
          managed: true
    so-logs-endpoint_x_events_x_network:
      index_sorting: False
      index_template:
        index_patterns:
          - "logs-endpoint.events.network-*"
        template:
          settings:
            index:
              number_of_replicas: 0
              mapping:
                total_fields:
                  limit: 5000
              sort:
                field: "@timestamp"
                order: desc
        composed_of:
          - "event-mappings"
          - "logs-endpoint.events.network@custom"
          - "logs-endpoint.events.network@package"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
      policy:
        phases:
          hot:
            min_age: 0ms
            actions:
              set_priority:
                priority: 100
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
          cold:
            min_age: 30d
            actions:
              set_priority:
                priority: 0
          delete:
            min_age: 365d
            actions:
              delete: {}
        _meta:
          package:
            name: elastic_agent
          managed_by: security_onion
          managed: true
    so-logs-endpoint_x_events_x_process:
      index_sorting: False
      index_template:
        index_patterns:
          - "logs-endpoint.events.process-*"
        template:
          settings:
            index:
              number_of_replicas: 0
              mapping:
                total_fields:
                  limit: 5000
              sort:
                field: "@timestamp"
                order: desc
        composed_of:
          - "event-mappings"
          - "logs-endpoint.events.process@custom"
          - "logs-endpoint.events.process@package"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
      policy:
        phases:
          hot:
            min_age: 0ms
            actions:
              set_priority:
                priority: 100
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
          cold:
            min_age: 30d
            actions:
              set_priority:
                priority: 0
          delete:
            min_age: 365d
            actions:
              delete: {}
        _meta:
          package:
            name: elastic_agent
          managed_by: security_onion
          managed: true
    so-logs-endpoint_x_events_x_registry:
      index_sorting: False
      index_template:
        index_patterns:
          - "logs-endpoint.events.registry-*"
        template:
          settings:
            index:
              number_of_replicas: 0
              mapping:
                total_fields:
                  limit: 5000
              sort:
                field: "@timestamp"
                order: desc
        composed_of:
          - "event-mappings"
          - "logs-endpoint.events.registry@custom"
          - "logs-endpoint.events.registry@package"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
      policy:
        phases:
          hot:
            min_age: 0ms
            actions:
              set_priority:
                priority: 100
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
          cold:
            min_age: 30d
            actions:
              set_priority:
                priority: 0
          delete:
            min_age: 365d
            actions:
              delete: {}
        _meta:
          package:
            name: elastic_agent
          managed_by: security_onion
          managed: true
    so-logs-endpoint_x_events_x_security:
      index_sorting: False
      index_template:
        index_patterns:
          - "logs-endpoint.events.security-*"
        template:
          settings:
            index:
              number_of_replicas: 0
              mapping:
                total_fields:
                  limit: 5000
              sort:
                field: "@timestamp"
                order: desc
        composed_of:
          - "event-mappings"
          - "logs-endpoint.events.security@custom"
          - "logs-endpoint.events.security@package"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
      policy:
        phases:
          hot:
            min_age: 0ms
            actions:
              set_priority:
                priority: 100
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
          cold:
            min_age: 30d
            actions:
              set_priority:
                priority: 0
          delete:
            min_age: 365d
            actions:
              delete: {}
        _meta:
          package:
            name: elastic_agent
          managed_by: security_onion
          managed: true
    so-logs-elastic_agent_x_filebeat:
      index_sorting: False
      index_template:
        index_patterns:
@@ -1361,7 +1755,7 @@ elasticsearch:
            name: elastic_agent
          managed_by: security_onion
          managed: true
-    so-logs-elastic_agent.fleet_server:
+    so-logs-elastic_agent_x_fleet_server:
      index_sorting: False
      index_template:
        index_patterns:
@@ -1407,7 +1801,7 @@ elasticsearch:
            name: elastic_agent
          managed_by: security_onion
          managed: true
-    so-logs-elastic_agent.heartbeat:
+    so-logs-elastic_agent_x_heartbeat:
      index_sorting: False
      index_template:
        index_patterns:
@@ -1513,7 +1907,7 @@ elasticsearch:
            name: elastic_agent
          managed_by: security_onion
          managed: true
-    so-logs-elastic_agent.metricbeat:
+    so-logs-elastic_agent_x_metricbeat:
      index_sorting: False
      index_template:
        index_patterns:
@@ -1562,7 +1956,7 @@ elasticsearch:
            name: elastic_agent
          managed_by: security_onion
          managed: true
-    so-logs-elastic_agent.osquerybeat:
+    so-logs-elastic_agent_x_osquerybeat:
      index_sorting: False
      index_template:
        index_patterns:
@@ -1611,7 +2005,7 @@ elasticsearch:
            name: elastic_agent
          managed_by: security_onion
          managed: true
-    so-logs-elastic_agent.packetbeat:
+    so-logs-elastic_agent_x_packetbeat:
      index_sorting: False
      index_template:
        index_patterns:
--- a/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1
+++ b/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1
@@ -72,8 +72,13 @@
    { "set":        { "ignore_failure": true,  "field": "event.module", "value": "elastic_agent" } },
    { "split":      { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "module_temp"  } },
    { "set":        { "if": "ctx.module_temp != null", "override": true, "field": "event.module", "value": "{{module_temp.0}}" } },
-    { "split":      { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "dataset_tag_temp" } },
+    { "gsub":       { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "pattern": "^[^.]*.", "replacement": "", "target_field": "dataset_tag_temp" } },
-    { "append":        { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp.1}}"  } },
+    { "append":     { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp}}"  } },
    { "set":        { "if": "ctx.network?.direction == 'egress'", "override": true, "field": "network.initiated", "value": "true" } },
    { "set":        { "if": "ctx.network?.direction == 'ingress'", "override": true, "field": "network.initiated", "value": "false" } },
    { "set":        { "if": "ctx.network?.type == 'ipv4'", "override": true, "field": "destination.ipv6", "value": "false" } },
    { "set":        { "if": "ctx.network?.type == 'ipv6'", "override": true, "field": "destination.ipv6", "value": "true" } },
    {"community_id":{ "if": "ctx.event?.dataset == 'endpoint.events.network'", "ignore_failure":true }  },
    { "remove":     { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp", "dataset_tag_temp", "module_temp" ], "ignore_missing": true, "ignore_failure": true } } 
  ],
  "on_failure": [
--- a/salt/elasticsearch/files/ingest/filterlog
+++ b/salt/elasticsearch/files/ingest/filterlog
@@ -49,11 +49,10 @@
                "on_failure" : [ {"set" : {"field" : "error.message","value" : "{{ _ingest.on_failure_message }}"}}]
        }
     },
     { "set":         { "field": "_index",        "value": "so-firewall", "override": true           } },
     { "set":         { "if": "ctx.network?.transport_id == '0'", "field": "network.transport",        "value": "icmp", "override": true           } },
     { "community_id": {} },
-     { "set":         { "field": "module",	"value": "pfsense",	"override": true	} },
+     { "set":         { "field": "event.module",	"value": "pfsense",	"override": true	} },
-     { "set":         { "field": "dataset",	"value": "firewall",	"override": true	} },
+     { "set":         { "field": "event.dataset",	"value": "firewall",	"override": true	} },
     { "set":         { "field": "category",	"value": "network",	"override": true	} },
     { "remove":      { "field": ["real_message", "ip_sub_msg", "firewall.sub_message"],     "ignore_failure": true  } }
  ]
--- a/salt/elasticsearch/files/ingest/strelka.file
+++ b/salt/elasticsearch/files/ingest/strelka.file
@@ -63,7 +63,8 @@
    { "set":         { "if": "ctx.rule?.score != null && ctx.rule?.score >= 50 && ctx.rule?.score <=69",   "field": "event.severity", "value": 2, "override": true }  },
    { "set":         { "if": "ctx.rule?.score != null && ctx.rule?.score >= 70 && ctx.rule?.score <=89",   "field": "event.severity", "value": 3, "override": true }  },
    { "set":         { "if": "ctx.rule?.score != null && ctx.rule?.score >= 90",   "field": "event.severity", "value": 4, "override": true }  },
-    { "set":         { "if": "ctx.scan?.entropy?.entropy == 0",   "field": "scan.entropy.entropy", "value": 0.0, "override": true }  },
+    { "set":         { "if": "ctx.scan?.entropy?.entropy == 0",   "field": "scan.entropy.entropy", "value": "0.0", "override": true }  },
    { "set":         { "if": "ctx.scan?.pe?.image_version == 0",   "field": "scan.pe.image_version", "value": "0.0", "override": true }  },
    { "set":         { "field": "observer.name",        "value": "{{agent.name}}" }},
    { "convert" :    { "field" : "scan.exiftool","type": "string", "ignore_missing":true }},
    { "remove":         { "field": ["host", "path", "message", "exiftool", "scan.yara.meta"],                                         "ignore_missing": true  } },
--- a/salt/elasticsearch/soc_elasticsearch.yaml
+++ b/salt/elasticsearch/soc_elasticsearch.yaml
@@ -46,28 +46,26 @@ elasticsearch:
            description: Max number of boolean clauses per query.
            global: True
            helpLink: elasticsearch.html
-  index_settings: 
+  index_settings:
-    so-elasticsearch: &indexSettings
+    so-logs: &indexSettings
      warm: 
        description: Age (in days) of this index before it will move to warm storage, if warm nodes are present. Once moved, events on this index can take longer to fetch.
        global: True
        helpLink: elasticsearch.html
      close: 
        description: Age (in days) of this index before it will be closed. Once closed, events on this index cannot be retrieved without first re-opening the index.
        global: True
        helpLink: elasticsearch.html
      delete: 
        description: Age (in days) of this index before it will be deleted. Once deleted, events are permanently unrecoverable.
        global: True
        helpLink: elasticsearch.html
      index_sorting: 
        description: Sorts the index by event time, at the cost of additional processing resource consumption.
        global: True
        helpLink: elasticsearch.html
      index_template:
        index_patterns:
          description: Patterns for matching multiple indices or tables.
          forceType: "[]string"
          multiline: True
          global: True
          helpLink: elasticsearch.html
        template:
          settings:
            index:
              number_of_replicas: 
                description: Number of replicas required for this index. Multiple replicas protects against data loss, but also increases storage costs.
                global: True
                helpLink: elasticsearch.html
              mapping:
                total_fields:
                  limit:
@@ -75,17 +73,59 @@ elasticsearch:
                    global: True
                    helpLink: elasticsearch.html
              refresh_interval: 
-                  description: Seconds between index refreshes. Shorter intervals can cause query performance to suffer since this is a synchronous and resource-intensive operation.
+                description: Seconds between index refreshes. Shorter intervals can cause query performance to suffer since this is a synchronous and resource-intensive operation.
-                  global: True
+                global: True
-                  helpLink: elasticsearch.html
+                helpLink: elasticsearch.html
              number_of_shards: 
-                  description: Number of shards required for this index. Using multiple shards increases fault tolerance, but also increases storage and network costs.
+                description: Number of shards required for this index. Using multiple shards increases fault tolerance, but also increases storage and network costs.
                global: True
                helpLink: elasticsearch.html
              sort:
                field:
                  description: The field to sort by. Must set index_sorting to True.
                  global: True
                  helpLink: elasticsearch.html
-              number_of_replicas: 
+                order:
-                  description: Number of replicas required for this index. Multiple replicas protects against data loss, but also increases storage costs.
+                  description: The order to sort by. Must set index_sorting to True.
                  global: True
                  helpLink: elasticsearch.html
          mappings:
            _meta:
              package:
                name:
                  description: Meta settings for the mapping.
                  global: True
                  helpLink: elasticsearch.html
              managed_by:
                  description: Meta settings for the mapping.
                  global: True
                  helpLink: elasticsearch.html
              managed:
                  description: Meta settings for the mapping.
                  forcedType: bool
                  global: True
                  helpLink: elasticsearch.html
        composed_of:
          description: The index template is composed of these component templates.
          forcedType: "[]string"
          global: True
          helpLink: elasticsearch.html
        priority:
          description: The priority of the index template.
          forcedType: int
          global: True
          helpLink: elasticsearch.html
        data_stream:
          hidden:
            description: Hide the data stream.
            forcedType: bool
            global: True
            helpLink: elasticsearch.html
          allow_custom_routing:
            description: Allow custom routing for the data stream.
            forcedType: bool
            global: True
            helpLink: elasticsearch.html
      policy:
        phases:
          hot:
@@ -97,6 +137,7 @@ elasticsearch:
              set_priority:
                priority:
                  description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
                  forcedType: int
                  global: True
                  helpLink: elasticsearch.html
              rollover:
@@ -117,19 +158,111 @@ elasticsearch:
              set_priority:
                priority:
                  description: Used for index recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
                  forcedType: int
                  global: True
                  helpLink: elasticsearch.html
          delete:
            min_age:
              description: Minimum age of index. This determines when the index should be deleted.
              global: True
-              helpLink: elastic
+              helpLink: elasticsearch.html
        _meta:
          package:
            name:
              description: Meta settings for the mapping.
              global: True
              helpLink: elasticsearch.html
          managed_by:
            description: Meta settings for the mapping.
            global: True
            helpLink: elasticsearch.html
          managed:
            description: Meta settings for the mapping.
            forcedType: bool
            global: True
            helpLink: elasticsearch.html
    so-logs-system_x_auth: *indexSettings
    so-logs-system_x_syslog: *indexSettings
    so-logs-system_x_system: *indexSettings
    so-logs-system_x_application: *indexSettings
    so-logs-system_x_security: *indexSettings
    so-logs-windows_x_forwarded: *indexSettings
    so-logs-windows_x_powershell: *indexSettings
    so-logs-windows_x_powershell_operational: *indexSettings
    so-logs-windows_x_sysmon_operational: *indexSettings
    so-logs-aws_x_cloudtrail: *indexSettings
    so-logs-aws_x_cloudwatch_logs: *indexSettings
    so-logs-aws_x_ec2_logs: *indexSettings
    so-logs-aws_x_elb_logs: *indexSettings
    so-logs-aws_x_firewall_logs: *indexSettings
    so-logs-aws_x_route53_public_logs: *indexSettings
    so-logs-aws_x_route53_resolver_logs: *indexSettings
    so-logs-aws_x_s3access: *indexSettings
    so-logs-aws_x_vpcflow: *indexSettings
    so-logs-aws_x_waf: *indexSettings
    so-logs-azure_x_activitylogs: *indexSettings
    so-logs-azure_x_application_gateway: *indexSettings
    so-logs-azure_x_auditlogs: *indexSettings
    so-logs-azure_x_eventhub: *indexSettings
    so-logs-azure_x_firewall_logs: *indexSettings
    so-logs-azure_x_identity_protection: *indexSettings
    so-logs-azure_x_platformlogs: *indexSettings
    so-logs-azure_x_provisioning: *indexSettings
    so-logs-azure_x_signinlogs: *indexSettings
    so-logs-azure_x_springcloudlogs: *indexSettings
    so-logs-cloudflare_x_audit: *indexSettings
    so-logs-cloudflare_x_logpull: *indexSettings
    so-logs-fim_x_event: *indexSettings
    so-logs-github_x_audit: *indexSettings
    so-logs-github_x_code_scanning: *indexSettings
    so-logs-github_x_dependabot: *indexSettings
    so-logs-github_x_issues: *indexSettings
    so-logs-github_x_secret_scanning: *indexSettings
    so-logs-google_workspace_x_access_transparency: *indexSettings
    so-logs-google_workspace_x_admin: *indexSettings
    so-logs-google_workspace_x_alert: *indexSettings
    so-logs-google_workspace_x_context_aware_access: *indexSettings
    so-logs-google_workspace_x_device: *indexSettings
    so-logs-google_workspace_x_drive: *indexSettings
    so-logs-google_workspace_x_gcp: *indexSettings
    so-logs-google_workspace_x_group_enterprise: *indexSettings
    so-logs-google_workspace_x_groups: *indexSettings
    so-logs-google_workspace_x_login: *indexSettings
    so-logs-google_workspace_x_rules: *indexSettings
    so-logs-google_workspace_x_saml: *indexSettings
    so-logs-google_workspace_x_token: *indexSettings
    so-logs-google_workspace_x_user_accounts: *indexSettings
    so-logs-1password_x_item_usages: *indexSettings
    so-logs-1password_x_signin_attempts: *indexSettings
    so-logs-osquery-manager-actions: *indexSettings
    so-logs-osquery-manager-action_x_responses: *indexSettings
    so-logs-elastic_agent_x_apm_server: *indexSettings
    so-logs-elastic_agent_x_auditbeat: *indexSettings
    so-logs-elastic_agent_x_cloudbeat: *indexSettings
    so-logs-elastic_agent_x_endpoint_security: *indexSettings
    so-logs-endpoint_x_alerts: *indexSettings
    so-logs-endpoint_x_events_x_api: *indexSettings
    so-logs-endpoint_x_events_x_file: *indexSettings
    so-logs-endpoint_x_events_x_library: *indexSettings
    so-logs-endpoint_x_events_x_network: *indexSettings
    so-logs-endpoint_x_events_x_process: *indexSettings
    so-logs-endpoint_x_events_x_registry: *indexSettings
    so-logs-endpoint_x_events_x_security: *indexSettings
    so-logs-elastic_agent_x_filebeat: *indexSettings
    so-logs-elastic_agent_x_fleet_server: *indexSettings
    so-logs-elastic_agent_x_heartbeat: *indexSettings
    so-logs-elastic_agent: *indexSettings
    so-logs-elastic_agent_x_metricbeat: *indexSettings
    so-logs-elastic_agent_x_osquerybeat: *indexSettings
    so-logs-elastic_agent_x_packetbeat: *indexSettings
    so-case: *indexSettings
    so-common: *indexSettings
    so-endgame: *indexSettings
-    so-firewall: *indexSettings
+    so-idh: *indexSettings
    so-suricata: *indexSettings
    so-import: *indexSettings
-    so-kibana: *indexSettings
+    so-kratos: *indexSettings
    so-logstash: *indexSettings
    so-osquery: *indexSettings
    so-redis: *indexSettings
    so-strelka: *indexSettings
    so-syslog: *indexSettings
--- a/salt/elasticsearch/template.map.jinja
+++ b/salt/elasticsearch/template.map.jinja
@@ -1,9 +1,11 @@
 {% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS with context %}
-{%- set ES_INDEX_SETTINGS = salt['pillar.get']('elasticsearch:index_settings', default=ELASTICSEARCHDEFAULTS.elasticsearch.index_settings, merge=True) %}
+{%- set ES_INDEX_SETTINGS_ORIG = salt['pillar.get']('elasticsearch:index_settings', default=ELASTICSEARCHDEFAULTS.elasticsearch.index_settings, merge=True) %}
-{% for index, settings in ES_INDEX_SETTINGS.items() %}
+{% set ES_INDEX_SETTINGS = {} %}
 {% for index, settings in ES_INDEX_SETTINGS_ORIG.items() %}
  {% if settings.index_template is defined %}
    {% if not settings.get('index_sorting', False) | to_bool and settings.index_template.template.settings.index.sort is defined %}
      {% do settings.index_template.template.settings.index.pop('sort') %}
    {% endif %}
  {% endif %}
  {% do ES_INDEX_SETTINGS.update({index | replace("_x_", "."): ES_INDEX_SETTINGS_ORIG[index]}) %}
 {% endfor %}
--- a/salt/elasticsearch/templates/component/ecs/agent.json
+++ b/salt/elasticsearch/templates/component/ecs/agent.json
@@ -4,46 +4,6 @@
    "ecs_version": "1.12.2"
  },
  "template": {
    "settings": {
      "analysis": {
        "analyzer": {
          "es_security_analyzer": {
            "type": "custom",
            "char_filter": [
              "whitespace_no_way"
            ],
            "filter": [
              "lowercase",
              "trim"
            ],
            "tokenizer": "keyword"
          }
        },
        "char_filter": {
          "whitespace_no_way": {
            "type": "pattern_replace",
            "pattern": "(\\s)+",
            "replacement": "$1"
          }
        },
        "filter": {
          "path_hierarchy_pattern_filter": {
            "type": "pattern_capture",
            "preserve_original": true,
            "patterns": [
              "((?:[^\\\\]*\\\\)*)(.*)",
              "((?:[^/]*/)*)(.*)"
            ]
          }
        },
        "tokenizer": {
          "path_tokenizer": {
            "type": "path_hierarchy",
            "delimiter": "\\"
          }
        }
      }
    },
    "mappings": {
      "properties": {
        "agent": {
@@ -52,69 +12,33 @@
              "properties": {
                "original": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                }
              }
            },
            "ephemeral_id": {
              "ignore_above": 1024,
-              "type": "keyword",
+              "type": "keyword"
              "fields": {
                "security": {
                  "type": "text",
                  "analyzer": "es_security_analyzer"
                }
              }
            },
            "id": {
              "ignore_above": 1024,
-              "type": "keyword",
+              "type": "keyword"
              "fields": {
                "security": {
                  "type": "text",
                  "analyzer": "es_security_analyzer"
                }
              }
            },
            "name": {
              "ignore_above": 1024,
-              "type": "keyword",
+              "type": "keyword"
              "fields": {
                "security": {
                  "type": "text",
                  "analyzer": "es_security_analyzer"
                }
              }
            },
            "type": {
              "ignore_above": 1024,
-              "type": "keyword",
+              "type": "keyword"
              "fields": {
                "security": {
                  "type": "text",
                  "analyzer": "es_security_analyzer"
                }
              }
            },
            "version": {
              "ignore_above": 1024,
-              "type": "keyword",
+              "type": "keyword"
              "fields": {
                "security": {
                  "type": "text",
                  "analyzer": "es_security_analyzer"
                }
              }
            }
          }
        }
      }
    }
  }
-}
+}
--- a/salt/elasticsearch/templates/component/ecs/aws.json
+++ b/salt/elasticsearch/templates/component/ecs/aws.json
--- a/salt/elasticsearch/templates/component/ecs/azure.json
+++ b/salt/elasticsearch/templates/component/ecs/azure.json
--- a/salt/elasticsearch/templates/component/ecs/base.json
+++ b/salt/elasticsearch/templates/component/ecs/base.json
@@ -4,46 +4,6 @@
    "ecs_version": "1.12.2"
  },
  "template": {
    "settings": {
      "analysis": {
        "analyzer": {
          "es_security_analyzer": {
            "type": "custom",
            "char_filter": [
              "whitespace_no_way"
            ],
            "filter": [
              "lowercase",
              "trim"
            ],
            "tokenizer": "keyword"
          }
        },
        "char_filter": {
          "whitespace_no_way": {
            "type": "pattern_replace",
            "pattern": "(\\s)+",
            "replacement": "$1"
          }
        },
        "filter": {
          "path_hierarchy_pattern_filter": {
            "type": "pattern_capture",
            "preserve_original": true,
            "patterns": [
              "((?:[^\\\\]*\\\\)*)(.*)",
              "((?:[^/]*/)*)(.*)"
            ]
          }
        },
        "tokenizer": {
          "path_tokenizer": {
            "type": "path_hierarchy",
            "delimiter": "\\"
          }
        }
      }
    },
    "mappings": {
      "properties": {
        "@timestamp": {
@@ -57,15 +17,9 @@
        },
        "tags": {
          "ignore_above": 1024,
-          "type": "keyword",
+          "type": "keyword"
          "fields": {
            "security": {
              "type": "text",
              "analyzer": "es_security_analyzer"
            }
          }
        }
      }
    }
  }
-}
+}
--- a/salt/elasticsearch/templates/component/ecs/cef.json
+++ b/salt/elasticsearch/templates/component/ecs/cef.json
--- a/salt/elasticsearch/templates/component/ecs/checkpoint.json
+++ b/salt/elasticsearch/templates/component/ecs/checkpoint.json
--- a/salt/elasticsearch/templates/component/ecs/cisco.json
+++ b/salt/elasticsearch/templates/component/ecs/cisco.json
--- a/salt/elasticsearch/templates/component/ecs/client.json
+++ b/salt/elasticsearch/templates/component/ecs/client.json
@@ -4,59 +4,13 @@
    "ecs_version": "1.12.2"
  },
  "template": {
    "settings": {
      "analysis": {
        "analyzer": {
          "es_security_analyzer": {
            "type": "custom",
            "char_filter": [
              "whitespace_no_way"
            ],
            "filter": [
              "lowercase",
              "trim"
            ],
            "tokenizer": "keyword"
          }
        },
        "char_filter": {
          "whitespace_no_way": {
            "type": "pattern_replace",
            "pattern": "(\\s)+",
            "replacement": "$1"
          }
        },
        "filter": {
          "path_hierarchy_pattern_filter": {
            "type": "pattern_capture",
            "preserve_original": true,
            "patterns": [
              "((?:[^\\\\]*\\\\)*)(.*)",
              "((?:[^/]*/)*)(.*)"
            ]
          }
        },
        "tokenizer": {
          "path_tokenizer": {
            "type": "path_hierarchy",
            "delimiter": "\\"
          }
        }
      }
    },
    "mappings": {
      "properties": {
        "client": {
          "properties": {
            "address": {
              "ignore_above": 1024,
-              "type": "keyword",
+              "type": "keyword"
              "fields": {
                "security": {
                  "type": "text",
                  "analyzer": "es_security_analyzer"
                }
              }
            },
            "as": {
              "properties": {
@@ -66,12 +20,6 @@
                "organization": {
                  "properties": {
                    "name": {
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      },
                      "ignore_above": 1024,
                      "type": "keyword"
                    }
@@ -84,118 +32,52 @@
            },
            "domain": {
              "ignore_above": 1024,
-              "type": "keyword",
+              "type": "keyword"
              "fields": {
                "security": {
                  "type": "text",
                  "analyzer": "es_security_analyzer"
                }
              }
            },
            "geo": {
              "properties": {
                "city_name": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "continent_code": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "continent_name": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "country_iso_code": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "country_name": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "location": {
                  "type": "geo_point"
                },
                "name": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "postal_code": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "region_iso_code": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "region_name": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "timezone": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                }
              }
            },
@@ -204,13 +86,7 @@
            },
            "mac": {
              "ignore_above": 1024,
-              "type": "keyword",
+              "type": "keyword"
              "fields": {
                "security": {
                  "type": "text",
                  "analyzer": "es_security_analyzer"
                }
              }
            },
            "nat": {
              "properties": {
@@ -230,63 +106,27 @@
            },
            "registered_domain": {
              "ignore_above": 1024,
-              "type": "keyword",
+              "type": "keyword"
              "fields": {
                "security": {
                  "type": "text",
                  "analyzer": "es_security_analyzer"
                }
              }
            },
            "subdomain": {
              "ignore_above": 1024,
-              "type": "keyword",
+              "type": "keyword"
              "fields": {
                "security": {
                  "type": "text",
                  "analyzer": "es_security_analyzer"
                }
              }
            },
            "top_level_domain": {
              "ignore_above": 1024,
-              "type": "keyword",
+              "type": "keyword"
              "fields": {
                "security": {
                  "type": "text",
                  "analyzer": "es_security_analyzer"
                }
              }
            },
            "user": {
              "properties": {
                "domain": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "email": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "full_name": {
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  },
                  "ignore_above": 1024,
                  "type": "keyword"
                },
@@ -294,75 +134,33 @@
                  "properties": {
                    "domain": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "id": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "name": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    }
                  }
                },
                "hash": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "id": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "name": {
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  },
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "roles": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                }
              }
            }
@@ -371,4 +169,4 @@
      }
    }
  }
-}
+}
--- a/salt/elasticsearch/templates/component/ecs/cloud.json
+++ b/salt/elasticsearch/templates/component/ecs/cloud.json
@@ -4,46 +4,6 @@
    "ecs_version": "1.12.2"
  },
  "template": {
    "settings": {
      "analysis": {
        "analyzer": {
          "es_security_analyzer": {
            "type": "custom",
            "char_filter": [
              "whitespace_no_way"
            ],
            "filter": [
              "lowercase",
              "trim"
            ],
            "tokenizer": "keyword"
          }
        },
        "char_filter": {
          "whitespace_no_way": {
            "type": "pattern_replace",
            "pattern": "(\\s)+",
            "replacement": "$1"
          }
        },
        "filter": {
          "path_hierarchy_pattern_filter": {
            "type": "pattern_capture",
            "preserve_original": true,
            "patterns": [
              "((?:[^\\\\]*\\\\)*)(.*)",
              "((?:[^/]*/)*)(.*)"
            ]
          }
        },
        "tokenizer": {
          "path_tokenizer": {
            "type": "path_hierarchy",
            "delimiter": "\\"
          }
        }
      }
    },
    "mappings": {
      "properties": {
        "cloud": {
@@ -52,57 +12,27 @@
              "properties": {
                "id": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "name": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                }
              }
            },
            "availability_zone": {
              "ignore_above": 1024,
-              "type": "keyword",
+              "type": "keyword"
              "fields": {
                "security": {
                  "type": "text",
                  "analyzer": "es_security_analyzer"
                }
              }
            },
            "instance": {
              "properties": {
                "id": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "name": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                }
              }
            },
@@ -110,13 +40,7 @@
              "properties": {
                "type": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                }
              }
            },
@@ -124,57 +48,27 @@
              "properties": {
                "id": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "name": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                }
              }
            },
            "provider": {
              "ignore_above": 1024,
-              "type": "keyword",
+              "type": "keyword"
              "fields": {
                "security": {
                  "type": "text",
                  "analyzer": "es_security_analyzer"
                }
              }
            },
            "region": {
              "ignore_above": 1024,
-              "type": "keyword",
+              "type": "keyword"
              "fields": {
                "security": {
                  "type": "text",
                  "analyzer": "es_security_analyzer"
                }
              }
            },
            "service": {
              "properties": {
                "name": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                }
              }
            }
@@ -183,4 +77,4 @@
      }
    }
  }
-}
+}
--- a/salt/elasticsearch/templates/component/ecs/container.json
+++ b/salt/elasticsearch/templates/component/ecs/container.json
@@ -4,81 +4,23 @@
    "ecs_version": "1.12.2"
  },
  "template": {
    "settings": {
      "analysis": {
        "analyzer": {
          "es_security_analyzer": {
            "type": "custom",
            "char_filter": [
              "whitespace_no_way"
            ],
            "filter": [
              "lowercase",
              "trim"
            ],
            "tokenizer": "keyword"
          }
        },
        "char_filter": {
          "whitespace_no_way": {
            "type": "pattern_replace",
            "pattern": "(\\s)+",
            "replacement": "$1"
          }
        },
        "filter": {
          "path_hierarchy_pattern_filter": {
            "type": "pattern_capture",
            "preserve_original": true,
            "patterns": [
              "((?:[^\\\\]*\\\\)*)(.*)",
              "((?:[^/]*/)*)(.*)"
            ]
          }
        },
        "tokenizer": {
          "path_tokenizer": {
            "type": "path_hierarchy",
            "delimiter": "\\"
          }
        }
      }
    },
    "mappings": {
      "properties": {
        "container": {
          "properties": {
            "id": {
              "ignore_above": 1024,
-              "type": "keyword",
+              "type": "keyword"
              "fields": {
                "security": {
                  "type": "text",
                  "analyzer": "es_security_analyzer"
                }
              }
            },
            "image": {
              "properties": {
                "name": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "tag": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                }
              }
            },
@@ -87,27 +29,15 @@
            },
            "name": {
              "ignore_above": 1024,
-              "type": "keyword",
+              "type": "keyword"
              "fields": {
                "security": {
                  "type": "text",
                  "analyzer": "es_security_analyzer"
                }
              }
            },
            "runtime": {
              "ignore_above": 1024,
-              "type": "keyword",
+              "type": "keyword"
              "fields": {
                "security": {
                  "type": "text",
                  "analyzer": "es_security_analyzer"
                }
              }
            }
          }
        }
      }
    }
  }
-}
+}
--- a/salt/elasticsearch/templates/component/ecs/cyberark.json
+++ b/salt/elasticsearch/templates/component/ecs/cyberark.json
@@ -4,46 +4,6 @@
    "ecs_version": "1.12.2"
  },
  "template": {
    "settings": {
      "analysis": {
        "analyzer": {
          "es_security_analyzer": {
            "type": "custom",
            "char_filter": [
              "whitespace_no_way"
            ],
            "filter": [
              "lowercase",
              "trim"
            ],
            "tokenizer": "keyword"
          }
        },
        "char_filter": {
          "whitespace_no_way": {
            "type": "pattern_replace",
            "pattern": "(\\s)+",
            "replacement": "$1"
          }
        },
        "filter": {
          "path_hierarchy_pattern_filter": {
            "type": "pattern_capture",
            "preserve_original": true,
            "patterns": [
              "((?:[^\\\\]*\\\\)*)(.*)",
              "((?:[^/]*/)*)(.*)"
            ]
          }
        },
        "tokenizer": {
          "path_tokenizer": {
            "type": "path_hierarchy",
            "delimiter": "\\"
          }
        }
      }
    },
    "mappings": {
      "properties": {
        "cyberarkpas": {
@@ -52,565 +12,241 @@
              "properties": {
                "action": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "ca_properties": {
                  "properties": {
                    "address": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "cpm_disabled": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "cpm_error_details": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "cpm_status": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "creation_method": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "customer": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "database": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "device_type": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "dual_account_status": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "group_name": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "in_process": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "index": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "last_fail_date": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "last_success_change": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "last_success_reconciliation": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "last_success_verification": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "last_task": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "logon_domain": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "other": {
                      "type": "flattened"
                    },
                    "policy_id": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "port": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "privcloud": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "reset_immediately": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "retries_count": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "sequence_id": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "tags": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "user_dn": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "user_name": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "virtual_username": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    }
                  }
                },
                "category": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "desc": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "extra_details": {
                  "properties": {
                    "ad_process_id": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "ad_process_name": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "application_type": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "command": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "connection_component_id": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "dst_host": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "logon_account": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "managed_account": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "other": {
                      "type": "flattened"
                    },
                    "process_id": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "process_name": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "protocol": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "psmid": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "session_duration": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "session_id": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "src_host": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "username": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    }
                  }
                },
                "file": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "gateway_station": {
                  "type": "ip"
                },
                "hostname": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "iso_timestamp": {
                  "type": "date"
                },
                "issuer": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "location": {
                  "doc_values": false,
                  "ignore_above": 4096,
                  "index": false,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "message": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "message_id": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "product": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "pvwa_details": {
                  "type": "flattened"
@@ -619,99 +255,45 @@
                  "doc_values": false,
                  "ignore_above": 4096,
                  "index": false,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "reason": {
                  "norms": false,
-                  "type": "text",
+                  "type": "text"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "rfc5424": {
                  "type": "boolean"
                },
                "safe": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "severity": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "source_user": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "station": {
                  "type": "ip"
                },
                "target_user": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "timestamp": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "vendor": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "version": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                }
              }
            }
@@ -720,4 +302,4 @@
      }
    }
  }
-}
+}
--- a/salt/elasticsearch/templates/component/ecs/data_stream.json
+++ b/salt/elasticsearch/templates/component/ecs/data_stream.json
@@ -4,46 +4,6 @@
    "ecs_version": "1.12.2"
  },
  "template": {
    "settings": {
      "analysis": {
        "analyzer": {
          "es_security_analyzer": {
            "type": "custom",
            "char_filter": [
              "whitespace_no_way"
            ],
            "filter": [
              "lowercase",
              "trim"
            ],
            "tokenizer": "keyword"
          }
        },
        "char_filter": {
          "whitespace_no_way": {
            "type": "pattern_replace",
            "pattern": "(\\s)+",
            "replacement": "$1"
          }
        },
        "filter": {
          "path_hierarchy_pattern_filter": {
            "type": "pattern_capture",
            "preserve_original": true,
            "patterns": [
              "((?:[^\\\\]*\\\\)*)(.*)",
              "((?:[^/]*/)*)(.*)"
            ]
          }
        },
        "tokenizer": {
          "path_tokenizer": {
            "type": "path_hierarchy",
            "delimiter": "\\"
          }
        }
      }
    },
    "mappings": {
      "properties": {
        "data_stream": {
@@ -62,4 +22,4 @@
      }
    }
  }
-}
+}
--- a/salt/elasticsearch/templates/component/ecs/destination.json
+++ b/salt/elasticsearch/templates/component/ecs/destination.json
@@ -4,59 +4,13 @@
    "ecs_version": "1.12.2"
  },
  "template": {
    "settings": {
      "analysis": {
        "analyzer": {
          "es_security_analyzer": {
            "type": "custom",
            "char_filter": [
              "whitespace_no_way"
            ],
            "filter": [
              "lowercase",
              "trim"
            ],
            "tokenizer": "keyword"
          }
        },
        "char_filter": {
          "whitespace_no_way": {
            "type": "pattern_replace",
            "pattern": "(\\s)+",
            "replacement": "$1"
          }
        },
        "filter": {
          "path_hierarchy_pattern_filter": {
            "type": "pattern_capture",
            "preserve_original": true,
            "patterns": [
              "((?:[^\\\\]*\\\\)*)(.*)",
              "((?:[^/]*/)*)(.*)"
            ]
          }
        },
        "tokenizer": {
          "path_tokenizer": {
            "type": "path_hierarchy",
            "delimiter": "\\"
          }
        }
      }
    },
    "mappings": {
      "properties": {
        "destination": {
          "properties": {
            "address": {
              "ignore_above": 1024,
-              "type": "keyword",
+              "type": "keyword"
              "fields": {
                "security": {
                  "type": "text",
                  "analyzer": "es_security_analyzer"
                }
              }
            },
            "as": {
              "properties": {
@@ -66,12 +20,6 @@
                "organization": {
                  "properties": {
                    "name": {
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      },
                      "ignore_above": 1024,
                      "type": "keyword"
                    }
@@ -84,118 +32,52 @@
            },
            "domain": {
              "ignore_above": 1024,
-              "type": "keyword",
+              "type": "keyword"
              "fields": {
                "security": {
                  "type": "text",
                  "analyzer": "es_security_analyzer"
                }
              }
            },
            "geo": {
              "properties": {
                "city_name": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "continent_code": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "continent_name": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "country_iso_code": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "country_name": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "location": {
                  "type": "geo_point"
                },
                "name": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "postal_code": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "region_iso_code": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "region_name": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "timezone": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                }
              }
            },
@@ -204,13 +86,7 @@
            },
            "mac": {
              "ignore_above": 1024,
-              "type": "keyword",
+              "type": "keyword"
              "fields": {
                "security": {
                  "type": "text",
                  "analyzer": "es_security_analyzer"
                }
              }
            },
            "nat": {
              "properties": {
@@ -230,63 +106,27 @@
            },
            "registered_domain": {
              "ignore_above": 1024,
-              "type": "keyword",
+              "type": "keyword"
              "fields": {
                "security": {
                  "type": "text",
                  "analyzer": "es_security_analyzer"
                }
              }
            },
            "subdomain": {
              "ignore_above": 1024,
-              "type": "keyword",
+              "type": "keyword"
              "fields": {
                "security": {
                  "type": "text",
                  "analyzer": "es_security_analyzer"
                }
              }
            },
            "top_level_domain": {
              "ignore_above": 1024,
-              "type": "keyword",
+              "type": "keyword"
              "fields": {
                "security": {
                  "type": "text",
                  "analyzer": "es_security_analyzer"
                }
              }
            },
            "user": {
              "properties": {
                "domain": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "email": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "full_name": {
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  },
                  "ignore_above": 1024,
                  "type": "keyword"
                },
@@ -294,75 +134,33 @@
                  "properties": {
                    "domain": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "id": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    },
                    "name": {
                      "ignore_above": 1024,
-                      "type": "keyword",
+                      "type": "keyword"
                      "fields": {
                        "security": {
                          "type": "text",
                          "analyzer": "es_security_analyzer"
                        }
                      }
                    }
                  }
                },
                "hash": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "id": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "name": {
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  },
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "roles": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                }
              }
            }
@@ -371,4 +169,4 @@
      }
    }
  }
-}
+}
--- a/salt/elasticsearch/templates/component/ecs/dll.json
+++ b/salt/elasticsearch/templates/component/ecs/dll.json
@@ -4,46 +4,6 @@
    "ecs_version": "1.12.2"
  },
  "template": {
    "settings": {
      "analysis": {
        "analyzer": {
          "es_security_analyzer": {
            "type": "custom",
            "char_filter": [
              "whitespace_no_way"
            ],
            "filter": [
              "lowercase",
              "trim"
            ],
            "tokenizer": "keyword"
          }
        },
        "char_filter": {
          "whitespace_no_way": {
            "type": "pattern_replace",
            "pattern": "(\\s)+",
            "replacement": "$1"
          }
        },
        "filter": {
          "path_hierarchy_pattern_filter": {
            "type": "pattern_capture",
            "preserve_original": true,
            "patterns": [
              "((?:[^\\\\]*\\\\)*)(.*)",
              "((?:[^/]*/)*)(.*)"
            ]
          }
        },
        "tokenizer": {
          "path_tokenizer": {
            "type": "path_hierarchy",
            "delimiter": "\\"
          }
        }
      }
    },
    "mappings": {
      "properties": {
        "dll": {
@@ -52,56 +12,26 @@
              "properties": {
                "digest_algorithm": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "exists": {
                  "type": "boolean"
                },
                "signing_id": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "status": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "subject_name": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "team_id": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "timestamp": {
                  "type": "date"
@@ -118,147 +48,63 @@
              "properties": {
                "md5": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "sha1": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "sha256": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "sha512": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "ssdeep": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                }
              }
            },
            "name": {
              "ignore_above": 1024,
-              "type": "keyword",
+              "type": "keyword"
              "fields": {
                "security": {
                  "type": "text",
                  "analyzer": "es_security_analyzer"
                }
              }
            },
            "path": {
              "ignore_above": 1024,
-              "type": "keyword",
+              "type": "keyword"
              "fields": {
                "security": {
                  "type": "text",
                  "analyzer": "es_security_analyzer"
                }
              }
            },
            "pe": {
              "properties": {
                "architecture": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "company": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "description": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "file_version": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "imphash": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "original_file_name": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "product": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                }
              }
            }
@@ -267,4 +113,4 @@
      }
    }
  }
-}
+}
--- a/salt/elasticsearch/templates/component/ecs/dns.json
+++ b/salt/elasticsearch/templates/component/ecs/dns.json
@@ -4,46 +4,6 @@
    "ecs_version": "1.12.2"
  },
  "template": {
    "settings": {
      "analysis": {
        "analyzer": {
          "es_security_analyzer": {
            "type": "custom",
            "char_filter": [
              "whitespace_no_way"
            ],
            "filter": [
              "lowercase",
              "trim"
            ],
            "tokenizer": "keyword"
          }
        },
        "char_filter": {
          "whitespace_no_way": {
            "type": "pattern_replace",
            "pattern": "(\\s)+",
            "replacement": "$1"
          }
        },
        "filter": {
          "path_hierarchy_pattern_filter": {
            "type": "pattern_capture",
            "preserve_original": true,
            "patterns": [
              "((?:[^\\\\]*\\\\)*)(.*)",
              "((?:[^/]*/)*)(.*)"
            ]
          }
        },
        "tokenizer": {
          "path_tokenizer": {
            "type": "path_hierarchy",
            "delimiter": "\\"
          }
        }
      }
    },
    "mappings": {
      "properties": {
        "dns": {
@@ -52,141 +12,63 @@
              "properties": {
                "class": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "data": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "name": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "ttl": {
                  "type": "long"
                },
                "type": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                }
              },
              "type": "object"
            },
            "header_flags": {
              "ignore_above": 1024,
-              "type": "keyword",
+              "type": "keyword"
              "fields": {
                "security": {
                  "type": "text",
                  "analyzer": "es_security_analyzer"
                }
              }
            },
            "id": {
              "ignore_above": 1024,
-              "type": "keyword",
+              "type": "keyword"
              "fields": {
                "security": {
                  "type": "text",
                  "analyzer": "es_security_analyzer"
                }
              }
            },
            "op_code": {
              "ignore_above": 1024,
-              "type": "keyword",
+              "type": "keyword"
              "fields": {
                "security": {
                  "type": "text",
                  "analyzer": "es_security_analyzer"
                }
              }
            },
            "question": {
              "properties": {
                "class": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "name": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "registered_domain": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "subdomain": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "top_level_domain": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                },
                "type": {
                  "ignore_above": 1024,
-                  "type": "keyword",
+                  "type": "keyword"
                  "fields": {
                    "security": {
                      "type": "text",
                      "analyzer": "es_security_analyzer"
                    }
                  }
                }
              }
            },
@@ -195,27 +77,15 @@
            },
            "response_code": {
              "ignore_above": 1024,
-              "type": "keyword",
+              "type": "keyword"
              "fields": {
                "security": {
                  "type": "text",
                  "analyzer": "es_security_analyzer"
                }
              }
            },
            "type": {
              "ignore_above": 1024,
-              "type": "keyword",
+              "type": "keyword"
              "fields": {
                "security": {
                  "type": "text",
                  "analyzer": "es_security_analyzer"
                }
              }
            }
          }
        }
      }
    }
  }
-}
+}
--- a/salt/elasticsearch/templates/component/ecs/ecs.json
+++ b/salt/elasticsearch/templates/component/ecs/ecs.json
@@ -4,63 +4,17 @@
    "ecs_version": "1.12.2"
  },
  "template": {
    "settings": {
      "analysis": {
        "analyzer": {
          "es_security_analyzer": {
            "type": "custom",
            "char_filter": [
              "whitespace_no_way"
            ],
            "filter": [
              "lowercase",
              "trim"
            ],
            "tokenizer": "keyword"
          }
        },
        "char_filter": {
          "whitespace_no_way": {
            "type": "pattern_replace",
            "pattern": "(\\s)+",
            "replacement": "$1"
          }
        },
        "filter": {
          "path_hierarchy_pattern_filter": {
            "type": "pattern_capture",
            "preserve_original": true,
            "patterns": [
              "((?:[^\\\\]*\\\\)*)(.*)",
              "((?:[^/]*/)*)(.*)"
            ]
          }
        },
        "tokenizer": {
          "path_tokenizer": {
            "type": "path_hierarchy",
            "delimiter": "\\"
          }
        }
      }
    },
    "mappings": {
      "properties": {
        "ecs": {
          "properties": {
            "version": {
              "ignore_above": 1024,
-              "type": "keyword",
+              "type": "keyword"
              "fields": {
                "security": {
                  "type": "text",
                  "analyzer": "es_security_analyzer"
                }
              }
            }
          }
        }
      }
    }
  }
-}
+}
--- a/salt/elasticsearch/templates/component/ecs/elasticsearch.json
+++ b/salt/elasticsearch/templates/component/ecs/elasticsearch.json
@@ -4,46 +4,6 @@
    "ecs_version": "1.12.2"
  },
  "template": {
    "settings": {
      "analysis": {
        "analyzer": {
          "es_security_analyzer": {
            "type": "custom",
            "char_filter": [
              "whitespace_no_way"
            ],
            "filter": [
              "lowercase",
              "trim"
            ],
            "tokenizer": "keyword"
          }
        },
        "char_filter": {
          "whitespace_no_way": {
            "type": "pattern_replace",
            "pattern": "(\\s)+",
            "replacement": "$1"
          }
        },
        "filter": {
          "path_hierarchy_pattern_filter": {
            "type": "pattern_capture",
            "preserve_original": true,
            "patterns": [
              "((?:[^\\\\]*\\\\)*)(.*)",
              "((?:[^/]*/)*)(.*)"
            ]
          }
        },
        "tokenizer": {
          "path_tokenizer": {
            "type": "path_hierarchy",
            "delimiter": "\\"
          }
        }
      }
    },
    "mappings": {
      "properties": {
        "@timestamp": {
@@ -57,15 +17,9 @@
        },
        "tags": {
          "ignore_above": 1024,
-          "type": "keyword",
+          "type": "keyword"
          "fields": {
            "security": {
              "type": "text",
              "analyzer": "es_security_analyzer"
            }
          }
        }
      }
    }
  }
-}
+}
--- a/salt/elasticsearch/templates/component/ecs/error.json
+++ b/salt/elasticsearch/templates/component/ecs/error.json
@@ -4,79 +4,23 @@
    "ecs_version": "1.12.2"
  },
  "template": {
    "settings": {
      "analysis": {
        "analyzer": {
          "es_security_analyzer": {
            "type": "custom",
            "char_filter": [
              "whitespace_no_way"
            ],
            "filter": [
              "lowercase",
              "trim"
            ],
            "tokenizer": "keyword"
          }
        },
        "char_filter": {
          "whitespace_no_way": {
            "type": "pattern_replace",
            "pattern": "(\\s)+",
            "replacement": "$1"
          }
        },
        "filter": {
          "path_hierarchy_pattern_filter": {
            "type": "pattern_capture",
            "preserve_original": true,
            "patterns": [
              "((?:[^\\\\]*\\\\)*)(.*)",
              "((?:[^/]*/)*)(.*)"
            ]
          }
        },
        "tokenizer": {
          "path_tokenizer": {
            "type": "path_hierarchy",
            "delimiter": "\\"
          }
        }
      }
    },
    "mappings": {
      "properties": {
        "error": {
          "properties": {
            "code": {
              "ignore_above": 1024,
-              "type": "keyword",
+              "type": "keyword"
              "fields": {
                "security": {
                  "type": "text",
                  "analyzer": "es_security_analyzer"
                }
              }
            },
            "id": {
              "ignore_above": 1024,
-              "type": "keyword",
+              "type": "keyword"
              "fields": {
                "security": {
                  "type": "text",
                  "analyzer": "es_security_analyzer"
                }
              }
            },
            "message": {
              "type": "match_only_text"
            },
            "stack_trace": {
              "fields": {
                "security": {
                  "type": "text",
                  "analyzer": "es_security_analyzer"
                },
                "text": {
                  "type": "match_only_text"
                }
@@ -85,17 +29,11 @@
            },
            "type": {
              "ignore_above": 1024,
-              "type": "keyword",
+              "type": "keyword"
              "fields": {
                "security": {
                  "type": "text",
                  "analyzer": "es_security_analyzer"
                }
              }
            }
          }
        }
      }
    }
  }
-}
+}
--- a/Show More
+++ b/Show More