Merge pull request #11918 from Security-Onion-Solutions/hotfix/2.4.30

Hotfix/2.4.30
Merge pull request #11951 from Security-Onion-Solutions/2.4.30hf3
2026-01-12 03:03:09 +01:00 · 2023-12-06 13:31:33 -05:00 · 2023-12-06 08:36:13 -05:00 · 2023-12-06 08:34:46 -05:00 · 2023-12-05 11:26:42 -05:00 · 2023-12-05 11:25:25 -05:00
400 changed files with 21529 additions and 49394 deletions
--- a/.github/workflows/pythontest.yml
+++ b/.github/workflows/pythontest.yml
@@ -4,9 +4,11 @@ on:
  push:
    paths: 
      - "salt/sensoroni/files/analyzers/**"
+      - "salt/manager/tools/sbin"
  pull_request:
    paths:
      - "salt/sensoroni/files/analyzers/**"
+      - "salt/manager/tools/sbin"

 jobs:
  build:
@@ -16,7 +18,7 @@ jobs:
      fail-fast: false
      matrix:
        python-version: ["3.10"]
-        python-code-path: ["salt/sensoroni/files/analyzers"]
+        python-code-path: ["salt/sensoroni/files/analyzers", "salt/manager/tools/sbin"]

    steps:
    - uses: actions/checkout@v3
@@ -34,4 +36,4 @@ jobs:
        flake8 ${{ matrix.python-code-path }} --show-source --max-complexity=12  --doctests --max-line-length=200 --statistics
    - name: Test with pytest
      run: |
-        pytest ${{ matrix.python-code-path }} --cov=${{ matrix.python-code-path }} --doctest-modules --cov-report=term --cov-fail-under=100 --cov-config=${{ matrix.python-code-path }}/pytest.ini
+        pytest ${{ matrix.python-code-path }} --cov=${{ matrix.python-code-path }} --doctest-modules --cov-report=term --cov-fail-under=100 --cov-config=pytest.ini
--- a/DOWNLOAD_AND_VERIFY_ISO.md
+++ b/DOWNLOAD_AND_VERIFY_ISO.md
@@ -1,18 +1,18 @@
-### 2.4.3-20230711 ISO image built on 2023/07/11
+### 2.4.30-20231204 ISO image released on 2023/12/06



 ### Download and Verify

-2.4.3-20230711 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.4.3-20230711.iso
-
-MD5: F481ED39E02A5AF05EB50D319D97A6C7  
-SHA1: 20F9BAA8F73A44C21A8DFE81F36247BCF33CEDA6  
-SHA256: D805522E02CD4941641385F6FF86FAAC240DA6C5FD98F78460348632C7C631B0 
+2.4.30-20231204 ISO image:  
+https://download.securityonion.net/file/securityonion/securityonion-2.4.30-20231204.iso
+ 
+MD5: 596A164241D0C62AEBBE23D7883F505E  
+SHA1: 139FE16DC3B13B1F1A748EE57BC2C5FEBADAEB07  
+SHA256: D5730F9952F5AC6DF06D4E02A9EF5C43B16AC85D8072C6D60AEFF03281122C71  

 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.3-20230711.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.30-20231204.iso.sig

 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS  
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.

 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.3-20230711.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.30-20231204.iso.sig
 ```

 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.4.3-20230711.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.4.30-20231204.iso
 ```

 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.4.3-20230711.iso.sig securityonion-2.4.3-20230711.iso
+gpg --verify securityonion-2.4.30-20231204.iso.sig securityonion-2.4.30-20231204.iso
 ```

 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Tue 11 Jul 2023 06:23:37 PM EDT using RSA key ID FE507013
+gpg: Signature made Tue 05 Dec 2023 11:46:42 AM EST using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.
--- a/2
+++ b/2
@@ -1 +1 @@
-
+20231204
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
-## Security Onion 2.4 Beta 4
+## Security Onion 2.4

-Security Onion 2.4 Beta 4 is here!
+Security Onion 2.4 is here!

 ## Screenshots

--- a/2
+++ b/2
@@ -1 +1 @@
-2.4.3
+2.4.30
--- a/files/firewall/assigned_hostgroups.local.map.yaml
+++ b/files/firewall/assigned_hostgroups.local.map.yaml
@@ -12,7 +12,6 @@ role:
  eval:
  fleet:
  heavynode:
-  helixsensor:
  idh:
  import:
  manager:
--- a/pillar/logstash/nodes.sls
+++ b/pillar/logstash/nodes.sls
@@ -7,19 +7,23 @@
    tgt_type='compound') | dictsort()
 %}

-{%   set hostname = cached_grains[minionid]['host'] %}
-{%   set node_type = minionid.split('_')[1] %}
-{%   if node_type not in node_types.keys() %}
-{%     do node_types.update({node_type: {hostname: ip[0]}}) %}
-{%   else %}
-{%     if hostname not in node_types[node_type] %}
-{%       do node_types[node_type].update({hostname: ip[0]}) %}
+# only add a node to the pillar if it returned an ip from the mine
+{%   if ip | length > 0%}
+{%     set hostname = cached_grains[minionid]['host'] %}
+{%     set node_type = minionid.split('_')[1] %}
+{%     if node_type not in node_types.keys() %}
+{%       do node_types.update({node_type: {hostname: ip[0]}}) %}
 {%     else %}
-{%       do node_types[node_type][hostname].update(ip[0]) %}
+{%       if hostname not in node_types[node_type] %}
+{%         do node_types[node_type].update({hostname: ip[0]}) %}
+{%       else %}
+{%         do node_types[node_type][hostname].update(ip[0]) %}
+{%       endif %}
 {%     endif %}
 {%   endif %}
 {% endfor %}

+
 logstash:
  nodes:
 {% for node_type, values in node_types.items() %}
--- a/pillar/node_data/ips.sls
+++ b/pillar/node_data/ips.sls
@@ -4,18 +4,22 @@
 {%   set hostname = minionid.split('_')[0] %}
 {%   set node_type = minionid.split('_')[1] %}
 {%   set is_alive = False %}
-{%   if minionid in manage_alived.keys() %}
-{%     if ip[0] == manage_alived[minionid] %}
-{%       set is_alive = True %}
+
+# only add a node to the pillar if it returned an ip from the mine
+{%   if ip | length > 0%}
+{%     if minionid in manage_alived.keys() %}
+{%       if ip[0] == manage_alived[minionid] %}
+{%         set is_alive = True %}
+{%       endif %}
 {%     endif %}
-{%   endif %}
-{%   if node_type not in node_types.keys() %}
-{%     do node_types.update({node_type: {hostname: {'ip':ip[0], 'alive':is_alive }}}) %}
-{%   else %}
-{%     if hostname not in node_types[node_type] %}
-{%       do node_types[node_type].update({hostname: {'ip':ip[0], 'alive':is_alive}}) %}
+{%     if node_type not in node_types.keys() %}
+{%       do node_types.update({node_type: {hostname: {'ip':ip[0], 'alive':is_alive }}}) %}
 {%     else %}
-{%       do node_types[node_type][hostname].update({'ip':ip[0], 'alive':is_alive}) %}
+{%       if hostname not in node_types[node_type] %}
+{%         do node_types[node_type].update({hostname: {'ip':ip[0], 'alive':is_alive}}) %}
+{%       else %}
+{%         do node_types[node_type][hostname].update({'ip':ip[0], 'alive':is_alive}) %}
+{%       endif %}
 {%     endif %}
 {%   endif %}
 {% endfor %}
--- a/pillar/thresholding/pillar.example
+++ b/pillar/thresholding/pillar.example
@@ -1,44 +0,0 @@
-thresholding:
-  sids:
-    8675309:
-      - threshold:
-          gen_id: 1
-          type: threshold
-          track: by_src
-          count: 10
-          seconds: 10
-      - threshold:
-          gen_id: 1
-          type: limit
-          track: by_dst
-          count: 100
-          seconds: 30
-      - rate_filter:
-          gen_id: 1
-          track: by_rule
-          count: 50
-          seconds: 30
-          new_action: alert
-          timeout: 30
-      - suppress:
-          gen_id: 1
-          track: by_either
-          ip: 10.10.3.7
-    11223344:
-      - threshold:
-          gen_id: 1
-          type: limit
-          track: by_dst
-          count: 10
-          seconds: 10
-      - rate_filter:
-          gen_id: 1
-          track: by_src
-          count: 50
-          seconds: 20
-          new_action: pass
-          timeout: 60
-      - suppress:
-          gen_id: 1
-          track: by_src
-          ip: 10.10.3.0/24
--- a/pillar/thresholding/pillar.usage
+++ b/pillar/thresholding/pillar.usage
@@ -1,20 +0,0 @@
-thresholding:
-  sids:
-    <signature id>:
-      - threshold:
-          gen_id: <generator id>
-          type: <threshold | limit | both>
-          track: <by_src | by_dst>
-          count: <count>
-          seconds: <seconds>
-      - rate_filter:
-          gen_id: <generator id>
-          track: <by_src | by_dst | by_rule | by_both>
-          count: <count>
-          seconds: <seconds>
-          new_action: <alert | pass>
-          timeout: <seconds>
-      - suppress:
-          gen_id: <generator id>
-          track: <by_src | by_dst | by_either>
-          ip: <ip | subnet>
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -4,14 +4,9 @@ base:
    - global.adv_global
    - docker.soc_docker
    - docker.adv_docker
-    - firewall.soc_firewall
-    - firewall.adv_firewall
    - influxdb.token
    - logrotate.soc_logrotate
    - logrotate.adv_logrotate
-    - nginx.soc_nginx
-    - nginx.adv_nginx
-    - node_data.ips
    - ntp.soc_ntp
    - ntp.adv_ntp
    - patch.needs_restarting
@@ -22,6 +17,13 @@ base:
    - telegraf.soc_telegraf
    - telegraf.adv_telegraf

+  '* and not *_desktop':
+    - firewall.soc_firewall
+    - firewall.adv_firewall
+    - nginx.soc_nginx
+    - nginx.adv_nginx
+    - node_data.ips
+
  '*_manager or *_managersearch':
    - match: compound
    {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
--- a/pyci.sh
+++ b/pyci.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+if [[ $# -ne 1 ]]; then
+    echo "Usage: $0 <python_script_dir>"
+    echo "Runs tests on all *_test.py files in the given directory."
+    exit 1
+fi
+
+HOME_DIR=$(dirname "$0")
+TARGET_DIR=${1:-.}
+
+PATH=$PATH:/usr/local/bin
+
+if ! which pytest &> /dev/null || ! which flake8 &> /dev/null ; then
+    echo "Missing dependencies. Consider running the following command:"
+    echo "  python -m pip install flake8 pytest pytest-cov"
+    exit 1
+fi
+
+pip install pytest pytest-cov
+flake8 "$TARGET_DIR" "--config=${HOME_DIR}/pytest.ini"
+python3 -m pytest "--cov-config=${HOME_DIR}/pytest.ini" "--cov=$TARGET_DIR" --doctest-modules --cov-report=term --cov-fail-under=100  "$TARGET_DIR" 
--- a/salt/sensoroni/files/analyzers/pytest.ini
+++ b/salt/sensoroni/files/analyzers/pytest.ini
--- a/salt/_modules/needs_restarting.py
+++ b/salt/_modules/needs_restarting.py
@@ -3,14 +3,14 @@ import subprocess

 def check():

-  os = __grains__['os']
+  osfam = __grains__['os_family']
  retval = 'False'

-  if os == 'Ubuntu':
+  if osfam == 'Debian':
    if path.exists('/var/run/reboot-required'):
      retval = 'True'

-  elif os == 'Rocky':
+  elif osfam == 'RedHat':
    cmd = 'needs-restarting -r > /dev/null 2>&1'
    
    try:
--- a/salt/allowed_states.map.jinja
+++ b/salt/allowed_states.map.jinja
@@ -188,6 +188,9 @@
          'docker_clean'
          ],
      'so-desktop': [
+          'ssl',
+          'docker_clean',
+          'telegraf'
          ],
  }, grain='role') %}

--- a/salt/bpf/macros.jinja
+++ b/salt/bpf/macros.jinja
@@ -0,0 +1,10 @@
+{% macro remove_comments(bpfmerged, app) %}
+
+{# remove comments from the bpf #}
+{% for bpf in bpfmerged[app] %}
+{%   if bpf.strip().startswith('#') %}
+{%     do bpfmerged[app].pop(loop.index0) %}
+{%   endif %}
+{% endfor %}
+
+{% endmacro %}
--- a/salt/bpf/pcap.map.jinja
+++ b/salt/bpf/pcap.map.jinja
@@ -1,4 +1,7 @@
 {% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
 {% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
+{% import 'bpf/macros.jinja' as MACROS %}
+
+{{ MACROS.remove_comments(BPFMERGED, 'pcap') }}

 {% set PCAPBPF = BPFMERGED.pcap %}
--- a/salt/bpf/suricata.map.jinja
+++ b/salt/bpf/suricata.map.jinja
@@ -1,4 +1,7 @@
 {% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
 {% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
+{% import 'bpf/macros.jinja' as MACROS %}
+
+{{ MACROS.remove_comments(BPFMERGED, 'suricata') }}

 {% set SURICATABPF = BPFMERGED.suricata %}
--- a/salt/bpf/zeek.map.jinja
+++ b/salt/bpf/zeek.map.jinja
@@ -1,4 +1,7 @@
 {% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
 {% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
+{% import 'bpf/macros.jinja' as MACROS %}
+
+{{ MACROS.remove_comments(BPFMERGED, 'zeek') }}

 {% set ZEEKBPF = BPFMERGED.zeek %}
--- a/salt/ca/files/signing_policies.conf
+++ b/salt/ca/files/signing_policies.conf
@@ -37,7 +37,7 @@ x509_signing_policies:
    - ST: Utah
    - L: Salt Lake City
    - basicConstraints: "critical CA:false"
-    - keyUsage: "critical keyEncipherment"
+    - keyUsage: "critical keyEncipherment digitalSignature"
    - subjectKeyIdentifier: hash
    - authorityKeyIdentifier: keyid,issuer:always
    - extendedKeyUsage: serverAuth
--- a/salt/ca/init.sls
+++ b/salt/ca/init.sls
@@ -50,6 +50,12 @@ pki_public_ca_crt:
        attempts: 5
        interval: 30

+mine_update_ca_crt:
+  module.run:
+    - mine.update: []
+    - onchanges:
+      - x509: pki_public_ca_crt
+
 cakeyperms:
  file.managed:
    - replace: False
--- a/salt/common/files/daemon.json
+++ b/salt/common/files/daemon.json
@@ -1,13 +1,11 @@
-{%- set DOCKERRANGE = salt['pillar.get']('docker:range', '172.17.0.0/24') %}
-{%- set DOCKERBIND = salt['pillar.get']('docker:bip', '172.17.0.1/24') %}
 {
  "registry-mirrors": [
    "https://:5000"
  ],
-  "bip": "{{ DOCKERBIND }}",
+  "bip": "172.17.0.1/24",
  "default-address-pools": [
    {
-      "base": "{{ DOCKERRANGE }}",
+      "base": "172.17.0.0/24",
      "size": 24
    }
  ]
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -8,6 +8,7 @@ include:
  - common.packages
 {% if GLOBALS.role in GLOBALS.manager_roles %}
  - manager.elasticsearch # needed for elastic_curl_config state
+  - manager.kibana
 {% endif %}

 net.core.wmem_default:
@@ -195,7 +196,7 @@ soversionfile:
 {% endif %}

 {% if GLOBALS.so_model and GLOBALS.so_model not in ['SO2AMI01', 'SO2AZI01', 'SO2GCI01'] %}
-  {% if GLOBALS.os == 'Rocky' %}     
+  {% if GLOBALS.os == 'OEL' %}     
 # Install Raid tools
 raidpkgs:
  pkg.installed:
@@ -217,8 +218,7 @@ so-raid-status:
    - month: '*'
    - dayweek: '*'

-{% endif %}
-
+  {% endif %}
 {% else %}

 {{sls}}_state_not_allowed:
--- a/salt/common/packages.sls
+++ b/salt/common/packages.sls
@@ -1,6 +1,6 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}

-{% if GLOBALS.os == 'Ubuntu' %}
+{% if GLOBALS.os_family == 'Debian' %}
 commonpkgs:
  pkg.installed:
    - skip_suggestions: True
@@ -14,16 +14,24 @@ commonpkgs:
      - software-properties-common
      - apt-transport-https
      - openssl
-      - netcat
+      - netcat-openbsd
      - sqlite3
      - libssl-dev
+      - procps
      - python3-dateutil
+      - python3-docker
      - python3-packaging
-      - python3-watchdog
      - python3-lxml
      - git
+      - rsync
      - vim
+      - tar
+      - unzip
+      {% if grains.oscodename != 'focal' %}
+      - python3-rich
+      {% endif %}

+{%     if grains.oscodename == 'focal' %}
 # since Ubuntu requires and internet connection we can use pip to install modules
 python3-pip:
  pkg.installed
@@ -34,34 +42,45 @@ python-rich:
    - target: /usr/local/lib/python3.8/dist-packages/
    - require:
      - pkg: python3-pip
-  
+{%     endif %}
+{% endif %}
+
+{% if GLOBALS.os_family == 'RedHat' %}
+
+remove_mariadb:
+  pkg.removed:
+    - name: mariadb-devel

-{% elif GLOBALS.os == 'Rocky' %}     
 commonpkgs:
  pkg.installed:
    - skip_suggestions: True
    - pkgs:
-      - wget
-      - jq
-      - tcpdump
-      - httpd-tools
-      - net-tools
-      - curl
-      - sqlite
-      - mariadb-devel
      - python3-dnf-plugin-versionlock
-      - nmap-ncat
-      - yum-utils
+      - curl
      - device-mapper-persistent-data
-      - lvm2
-      - openssl
+      - fuse
+      - fuse-libs
+      - fuse-overlayfs
+      - fuse-common
+      - fuse3
+      - fuse3-libs
      - git
+      - httpd-tools
+      - jq
+      - lvm2
+      - net-tools
+      - nmap-ncat
+      - procps-ng
      - python3-docker
      - python3-m2crypto
-      - rsync
-      - python3-rich
-      - python3-pyyaml
-      - python3-watchdog
      - python3-packaging
+      - python3-pyyaml
+      - python3-rich
+      - rsync
+      - sqlite
+      - tcpdump
      - unzip
+      - wget
+      - yum-utils
+
 {% endif %}
--- a/salt/common/soup_scripts.sls
+++ b/salt/common/soup_scripts.sls
@@ -19,4 +19,5 @@ soup_manager_scripts:
    - source: salt://manager/tools/sbin
    - include_pat:
        - so-firewall
-        - soup
+        - so-repo-sync
+        - soup
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -5,7 +5,16 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.

-ELASTIC_AGENT_TARBALL_VERSION="8.7.1"
+# Elastic agent is not managed by salt. Because of this we must store this base information in a 
+# script that accompanies the soup system. Since so-common is one of those special soup files, 
+# and since this same logic is required during installation, it's included in this file.
+ELASTIC_AGENT_TARBALL_VERSION="8.10.4"
+ELASTIC_AGENT_URL="https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz"
+ELASTIC_AGENT_MD5_URL="https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5"
+ELASTIC_AGENT_FILE="/nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz"
+ELASTIC_AGENT_MD5="/nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5"
+ELASTIC_AGENT_EXPANSION_DIR=/nsm/elastic-fleet/artifacts/beats/elastic-agent
+
 DEFAULT_SALT_DIR=/opt/so/saltstack/default
 DOC_BASE_URL="https://docs.securityonion.net/en/2.4"

@@ -124,34 +133,47 @@ check_elastic_license() {
 }

 check_salt_master_status() {
-	local timeout=$1
-	echo "Checking if we can talk to the salt master"
-	salt-call state.show_top concurrent=true
-
-	return
+	local count=0
+    local attempts="${1:- 10}"
+	current_time="$(date '+%b %d %H:%M:%S')"
+	echo "Checking if we can access the salt master and that it is ready at: ${current_time}"
+    while ! salt-call state.show_top -l error concurrent=true 1> /dev/null; do
+        current_time="$(date '+%b %d %H:%M:%S')"
+        echo "Can't access salt master or it is not ready at: ${current_time}"
+        ((count+=1))
+        if [[ $count -eq $attempts ]]; then
+			# 10 attempts takes about 5.5 minutes
+            echo "Gave up trying to access salt-master"
+            return 1
+        fi
+    done
+	current_time="$(date '+%b %d %H:%M:%S')"
+	echo "Successfully accessed and salt master ready at: ${current_time}"
+    return 0
 }

+# this is only intended to be used to check the status of the minion from a salt master
 check_salt_minion_status() {
-	local timeout=$1
-	echo "Checking if the salt minion will respond to jobs" >> "$setup_log" 2>&1
-	salt "$MINION_ID" test.ping -t $timeout > /dev/null 2>&1
+	local minion="$1"
+	local timeout="${2:-5}"
+	local logfile="${3:-'/dev/stdout'}"
+	echo "Checking if the salt minion: $minion will respond to jobs" >> "$logfile" 2>&1
+	salt "$minion" test.ping -t $timeout > /dev/null 2>&1
 	local status=$?
 	if [ $status -gt 0 ]; then
-		echo "  Minion did not respond" >> "$setup_log" 2>&1
+		echo "  Minion did not respond" >> "$logfile" 2>&1
 	else
-		echo "  Received job response from salt minion" >> "$setup_log" 2>&1
+		echo "  Received job response from salt minion" >> "$logfile" 2>&1
 	fi

 	return $status
 }

-
-
 copy_new_files() {
  # Copy new files over to the salt dir
  cd $UPDATE_DIR
-  rsync -a salt $DEFAULT_SALT_DIR/
-  rsync -a pillar $DEFAULT_SALT_DIR/
+  rsync -a salt $DEFAULT_SALT_DIR/ --delete
+  rsync -a pillar $DEFAULT_SALT_DIR/ --delete
  chown -R socore:socore $DEFAULT_SALT_DIR/
  chmod 755 $DEFAULT_SALT_DIR/pillar/firewall/addfirewall.sh
  cd /tmp
@@ -161,6 +183,34 @@ disable_fastestmirror() {
 	sed -i 's/enabled=1/enabled=0/' /etc/yum/pluginconf.d/fastestmirror.conf
 }

+download_and_verify() {
+	source_url=$1
+	source_md5_url=$2
+	dest_file=$3
+	md5_file=$4
+	expand_dir=$5
+
+	if [[ -n "$expand_dir" ]]; then
+		mkdir -p "$expand_dir"
+	fi
+
+	if ! verify_md5_checksum "$dest_file" "$md5_file"; then
+		retry 15 10 "curl --fail --retry 5 --retry-delay 15 -L '$source_url' --output '$dest_file'" "" ""
+		retry 15 10 "curl --fail --retry 5 --retry-delay 15 -L '$source_md5_url' --output '$md5_file'"  "" ""
+
+		if verify_md5_checksum "$dest_file" "$md5_file"; then
+		  echo "Source file and checksum are good."
+		else
+		  echo "Unable to download and verify the source file and checksum."
+		  return 1
+		fi
+	fi
+
+	if [[ -n "$expand_dir" ]]; then
+		tar -xf "$dest_file" -C "$expand_dir"
+	fi
+}
+
 elastic_license() {

 read -r -d '' message <<- EOM
@@ -199,19 +249,20 @@ get_random_value() {
 }

 gpg_rpm_import() {
-	if [[ "$OS" == "rocky" ]]; then
+	if [[ $is_oracle ]]; then
 	    if [[ "$WHATWOULDYOUSAYYAHDOHERE" == "setup" ]]; then
-	        local RPMKEYSLOC="../salt/repo/client/files/rocky/keys"
+	        local RPMKEYSLOC="../salt/repo/client/files/$OS/keys"
 	    else
-	        local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/rocky/keys"
+	        local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/$OS/keys"
 	    fi
-	
-	    RPMKEYS=('RPM-GPG-KEY-rockyofficial' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
-
-	    for RPMKEY in "${RPMKEYS[@]}"; do
+		RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
+		for RPMKEY in "${RPMKEYS[@]}"; do
    	        rpm --import $RPMKEYSLOC/$RPMKEY
 	        echo "Imported $RPMKEY"
 	    done
+	elif [[ $is_rpm ]]; then
+		echo "Importing the security onion GPG key"
+		rpm --import ../salt/repo/client/files/oracle/keys/securityonion.pub
 	fi
 }

@@ -224,12 +275,15 @@ init_monitor() {
 	
 	if [[ $MONITORNIC == "bond0" ]]; then 
 	  BIFACES=$(lookup_bond_interfaces)
+	  for i in rx tx sg tso ufo gso gro lro rx-vlan-offload tx-vlan-offload generic-receive-offload generic-segmentation-offload tcp-segmentation-offload; do
+	    ethtool -K "$MONITORNIC" "$i" off;
+  	  done
 	else
 	  BIFACES=$MONITORNIC
 	fi

 	for DEVICE_IFACE in $BIFACES; do
-	  for i in rx tx sg tso ufo gso gro lro; do
+	  for i in rx tx sg tso ufo gso gro lro rx-vlan-offload tx-vlan-offload generic-receive-offload generic-segmentation-offload tcp-segmentation-offload; do
 	    ethtool -K "$DEVICE_IFACE" "$i" off;
  	  done
 	  ip link set dev "$DEVICE_IFACE" arp off multicast off allmulticast off promisc on
@@ -343,6 +397,10 @@ retry() {
 								echo "<Start of output>"
 								echo "$output"
 								echo "<End of output>"
+								if [[ $exitcode -eq 0 ]]; then
+									echo "Forcing exit code to 1"
+									exitcode=1
+								fi
                        fi
                elif [ -n "$failedOutput" ]; then
                        if [[ "$output" =~ "$failedOutput" ]]; then
@@ -351,7 +409,7 @@ retry() {
 								echo "$output"
 								echo "<End of output>"
 								if [[ $exitcode -eq 0 ]]; then
-									echo "The exitcode was 0, but we are setting to 1 since we found $failedOutput in the output."
+									echo "Forcing exit code to 1"
 									exitcode=1
 								fi
                        else
@@ -389,25 +447,82 @@ run_check_net_err() {
 	fi
 }

+wait_for_salt_minion() {
+	local minion="$1"
+	local timeout="${2:-5}"
+	local logfile="${3:-'/dev/stdout'}"
+	retry 60 5 "journalctl -u salt-minion.service | grep 'Minion is ready to receive requests'" >> "$logfile" 2>&1 || fail
+	local attempt=0
+	# each attempts would take about 15 seconds
+	local maxAttempts=20
+	until check_salt_minion_status "$minion" "$timeout" "$logfile"; do
+		attempt=$((attempt+1))
+		if [[ $attempt -eq $maxAttempts ]]; then
+			return 1
+		fi
+		sleep 10
+	done
+	return 0
+}
+
 salt_minion_count() {
 	local MINIONDIR="/opt/so/saltstack/local/pillar/minions"
 	MINIONCOUNT=$(ls -la $MINIONDIR/*.sls | grep -v adv_ | wc -l)

 }

-set_cron_service_name() {
-	if [[ "$OS" == "rocky" ]]; then
-		cron_service_name="crond"
-	else
-		cron_service_name="cron"
-	fi
-}
-
 set_os() {
 	if [ -f /etc/redhat-release ]; then
-		OS=rocky
-	else
-		OS=ubuntu
+		if grep -q "Rocky Linux release 9" /etc/redhat-release; then
+			OS=rocky
+			OSVER=9
+			is_rocky=true
+			is_rpm=true
+		elif grep -q "CentOS Stream release 9" /etc/redhat-release; then
+			OS=centos
+			OSVER=9
+			is_centos=true
+			is_rpm=true
+		elif grep -q "AlmaLinux release 9" /etc/redhat-release; then
+			OS=alma
+			OSVER=9
+			is_alma=true
+			is_rpm=true
+		elif grep -q "Red Hat Enterprise Linux release 9" /etc/redhat-release; then
+			if [ -f /etc/oracle-release ]; then
+				OS=oracle
+				OSVER=9
+				is_oracle=true
+				is_rpm=true
+			else
+				OS=rhel
+				OSVER=9
+				is_rhel=true
+				is_rpm=true
+			fi
+		fi
+		cron_service_name="crond"
+	elif [ -f /etc/os-release ]; then
+		if grep -q "UBUNTU_CODENAME=focal" /etc/os-release; then
+			OSVER=focal
+			UBVER=20.04
+			OS=ubuntu
+			is_ubuntu=true
+			is_deb=true
+		elif grep -q "UBUNTU_CODENAME=jammy" /etc/os-release; then
+			OSVER=jammy
+			UBVER=22.04
+			OS=ubuntu
+			is_ubuntu=true
+			is_deb=true
+		elif grep -q "VERSION_CODENAME=bookworm" /etc/os-release; then
+			OSVER=bookworm
+			DEBVER=12
+			is_debian=true
+			OS=debian
+			is_deb=true
+		fi
+		cron_service_name="cron"
 	fi
 }

@@ -416,7 +531,7 @@ set_minionid() {
 }

 set_palette() {
-	if [ "$OS" == ubuntu ]; then
+	if [[ $is_deb ]]; then
 	    update-alternatives --set newt-palette /etc/newt/palette.original
    fi
 }
@@ -440,6 +555,10 @@ set_version() {
 	fi
 }

+status () {
+    printf "\n=========================================================================\n$(date) | $1\n=========================================================================\n"
+}
+
 systemctl_func() {
 	local action=$1
 	local echo_action=$1
@@ -463,6 +582,11 @@ has_uppercase() {
 		|| return 1
 }

+update_elastic_agent() {
+	echo "Checking if Elastic Agent update is necessary..."
+	download_and_verify "$ELASTIC_AGENT_URL" "$ELASTIC_AGENT_MD5_URL" "$ELASTIC_AGENT_FILE" "$ELASTIC_AGENT_MD5" "$ELASTIC_AGENT_EXPANSION_DIR"
+}
+
 valid_cidr() {
 	# Verify there is a backslash in the string
 	echo "$1" | grep -qP "^[^/]+/[^/]+$" || return 1
@@ -616,6 +740,23 @@ valid_username() {
 	echo "$user" | grep -qP '^[a-z_]([a-z0-9_-]{0,31}|[a-z0-9_-]{0,30}\$)$' && return 0 || return 1
 }

+verify_md5_checksum() {
+	data_file=$1
+	md5_file=${2:-${data_file}.md5}
+
+	if [[ ! -f "$dest_file" || ! -f "$md5_file" ]]; then
+		return 2
+	fi
+
+	SOURCEHASH=$(md5sum "$data_file" | awk '{ print $1 }')
+	HASH=$(cat "$md5_file")
+
+	if [[ "$HASH" == "$SOURCEHASH" ]]; then
+		return 0
+	fi
+	return 1
+}
+
 wait_for_web_response() {
 	url=$1
 	expected=$2
--- a/salt/common/tools/sbin/so-image-common
+++ b/salt/common/tools/sbin/so-image-common
@@ -137,7 +137,7 @@ update_docker_containers() {
  for i in "${TRUSTED_CONTAINERS[@]}"
  do
    if [ -z "$PROGRESS_CALLBACK" ]; then
-      echo "Downloading $i" >> "$LOG_FILE" 2>&1 
+      echo "Downloading $i" >> "$LOG_FILE" 2>&1
    else
      $PROGRESS_CALLBACK $i
    fi
--- a/salt/common/tools/sbin/so-log-check
+++ b/salt/common/tools/sbin/so-log-check
@@ -0,0 +1,243 @@
+#!/bin/bash
+#
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+. /usr/sbin/so-common
+
+RECENT_LOG_LINES=200
+EXCLUDE_STARTUP_ERRORS=N
+EXCLUDE_FALSE_POSITIVE_ERRORS=N
+EXCLUDE_KNOWN_ERRORS=N
+
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        --exclude-connection-errors)
+            EXCLUDE_STARTUP_ERRORS=Y
+            ;;
+        --exclude-false-positives)
+            EXCLUDE_FALSE_POSITIVE_ERRORS=Y
+            ;;
+        --exclude-known-errors)
+            EXCLUDE_KNOWN_ERRORS=Y
+            ;;
+        --unknown)
+            EXCLUDE_STARTUP_ERRORS=Y
+            EXCLUDE_FALSE_POSITIVE_ERRORS=Y
+            EXCLUDE_KNOWN_ERRORS=Y
+            ;;
+        --recent-log-lines)
+            shift
+            RECENT_LOG_LINES=$1
+            ;;
+        *)
+            echo "Usage: $0 [options]"
+            echo ""
+            echo "where options are:"
+            echo "  --recent-log-lines N            looks at the most recent N log lines per file or container; defaults to 200"
+            echo "  --exclude-connection-errors     exclude errors caused by a recent server or container restart"
+            echo "  --exclude-false-positives       exclude logs that are known false positives"
+            echo "  --exclude-known-errors          exclude errors that are known and non-critical issues"
+            echo "  --unknown                       exclude everything mentioned above; only show unknown errors"
+            echo ""
+            echo "A non-zero return value indicates errors were found"
+            exit 1
+            ;;
+    esac
+    shift
+done
+
+echo "Security Onion Log Check - $(date)"
+echo "-------------------------------------------"
+echo ""
+echo "- RECENT_LOG_LINES:                $RECENT_LOG_LINES"
+echo "- EXCLUDE_STARTUP_ERRORS:          $EXCLUDE_STARTUP_ERRORS"
+echo "- EXCLUDE_FALSE_POSITIVE_ERRORS:   $EXCLUDE_FALSE_POSITIVE_ERRORS"
+echo "- EXCLUDE_KNOWN_ERRORS:            $EXCLUDE_KNOWN_ERRORS"
+echo ""
+
+function status() {
+    header "$1"
+}
+
+function exclude_container() {
+    name=$1
+
+    exclude_id=$(docker ps | grep "$name" | awk '{print $1}')
+    if [[ -n "$exclude_id" ]]; then
+        CONTAINER_IDS=$(echo $CONTAINER_IDS | sed -e "s/$exclude_id//g")
+        return $?
+    fi
+    return $?
+}
+
+function exclude_log() {
+    name=$1
+
+    cat /tmp/log_check_files | grep -v $name > /tmp/log_check_files.new
+    mv /tmp/log_check_files.new /tmp/log_check_files
+}
+
+function check_for_errors() {
+    if cat /tmp/log_check | grep -i error | grep -vEi "$EXCLUDED_ERRORS"; then
+        RESULT=1
+    fi
+}
+
+EXCLUDED_ERRORS="__LOG_CHECK_PLACEHOLDER_EXCLUSION__"
+
+if [[ $EXCLUDE_STARTUP_ERRORS == 'Y' ]]; then
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|database is locked"           # server not yet ready
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|econnreset"                   # server not yet ready
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|unreachable"                  # server not yet ready (logstash waiting on elastic)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|shutdown process"             # server not yet ready (logstash waiting on elastic)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|contain valid certificates"   # server not yet ready (logstash waiting on elastic)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|failedaction"                 # server not yet ready (logstash waiting on elastic)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|no route to host"             # server not yet ready
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|not running"                  # server not yet ready
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|unavailable"                  # server not yet ready
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|request.py"                   # server not yet ready (python stack output)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|httperror"                    # server not yet ready
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|servfail"                     # server not yet ready
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|connect"                      # server not yet ready
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|missing shards"               # server not yet ready
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|failed to send metrics"       # server not yet ready
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|broken pipe"                  # server not yet ready
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|status: 502"                  # server not yet ready (nginx waiting on upstream)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|timeout exceeded"             # server not yet ready (telegraf waiting on elasticsearch)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|influxsize kbytes"            # server not yet ready (telegraf waiting on influx)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|expected field at"            # server not yet ready (telegraf waiting on health data)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|cached the public key"        # server not yet ready (salt minion waiting on key acceptance)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|no ingest nodes"              # server not yet ready (logstash waiting on elastic)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|failed to poll"               # server not yet ready (sensoroni waiting on soc)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|minions returned with non"    # server not yet ready (salt waiting on minions)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|so_long_term"                 # server not yet ready (influxdb not yet setup)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|search_phase_execution_exception" # server not yet ready (elastalert running searches before ES is ready)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|timeout retrieving docker"    # Telegraf unable to reach Docker engine, rare
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|timeout retrieving container" # Telegraf unable to reach Docker engine, rare
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|error while communicating"    # Elasticsearch MS -> HN "sensor" temporarily unavailable
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|tls handshake error"          # Docker registry container when new node comes onlines
+fi
+
+if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|elastalert_status_error"      # false positive
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|elastalert_error"             # false positive
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|error: '0'"                   # false positive
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|errors_index"                 # false positive
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|noerror"                      # false positive
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|outofmemoryerror"             # false positive (elastic command line)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|adding component template"    # false positive (elastic security)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|adding index template"        # false positive (elastic security)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|fs_errors"                    # false positive (suricata stats)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|error-template"               # false positive (elastic templates)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|deprecated"                   # false positive (playbook)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|windows"                      # false positive (playbook)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|could cause errors"           # false positive (playbook)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|_error.yml"                   # false positive (playbook)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|id.orig_h"                    # false positive (zeek test data)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|emerging-all.rules"           # false positive (error in rulename)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|invalid query input"          # false positive (Invalid user input in hunt query)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|example"                      # false positive (example test data)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|status 200"                   # false positive (request successful, contained error string in content)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|app_layer.error"              # false positive (suricata 7) in stats.log e.g. app_layer.error.imap.parser | Total | 0
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|is not an ip string literal"  # false positive (Open Canary logging out blank IP addresses)
+fi
+
+if [[ $EXCLUDE_KNOWN_ERRORS == 'Y' ]]; then
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|eof"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|raise"                        # redis/python generic stack line, rely on other lines for actual error
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|fail\\(error\\)"              # redis/python generic stack line, rely on other lines for actual error
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|urlerror"                     # idstools connection timeout
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|timeouterror"                 # idstools connection timeout
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|forbidden"                    # playbook
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|_ml"                          # Elastic ML errors 
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|context canceled"             # elastic agent during shutdown
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|exited with code 128"         # soctopus errors during forced restart by highstate
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|geoip databases update"       # airgap can't update GeoIP DB
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|filenotfounderror"            # bug in 2.4.10 filecheck salt state caused duplicate cronjobs
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|salt-minion-check"            # bug in early 2.4 place Jinja script in non-jinja salt dir causing cron output errors
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|generating elastalert config" # playbook expected error
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|activerecord"                 # playbook expected error
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|monitoring.metrics"           # known issue with elastic agent casting the field incorrectly if an integer value shows up before a float
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|repodownload.conf"            # known issue with reposync on pre-2.4.20 
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|missing versions record"      # stenographer corrupt index
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|soc.field."                   # known ingest type collisions issue with earlier versions of SO
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|error parsing signature"      # Malformed Suricata rule, from upstream provider
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|sticky buffer has no matches" # Non-critical Suricata error
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Unable to determine destination index stats"  # Elastic transform temporary error
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|iteration"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|communication packets"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|use of closed"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|bookkeeper"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|noindices"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|failed to start transient scope"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|so-user.lock exists"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|systemd-run"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|retcode: 1"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|telemetry-task"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|redisqueue"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|fleet_detail_query"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|num errors=0"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|provisioning/alerting"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|provisioning/notifiers"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|provisoning/plugins"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|active-responses.log"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|scanentropy"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|integration policy"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|blob unknown"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|token required"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|zeekcaptureloss"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|unable to create detection"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|error installing new prebuilt rules"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|parent.error"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|req.LocalMeta.host.ip"        # known issue in GH
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|sendmail"                     # zeek
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|stats.log"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|context deadline exceeded"
+fi
+
+RESULT=0
+
+# Check Security Onion container stdout/stderr logs
+CONTAINER_IDS=$(docker ps -q)
+exclude_container so-kibana   # kibana error logs are too verbose with large varieties of errors most of which are temporary
+exclude_container so-idstools # ignore due to known issues and noisy logging
+exclude_container so-playbook # ignore due to several playbook known issues
+
+for container_id in $CONTAINER_IDS; do
+    container_name=$(docker ps --format json | jq ". | select(.ID==\"$container_id\")|.Names")
+    status "Checking container $container_name"
+    docker logs -n $RECENT_LOG_LINES $container_id > /tmp/log_check 2>&1
+    check_for_errors
+done
+
+# Check Security Onion related log files
+find /opt/so/log/ /nsm -name \*.log > /tmp/log_check_files
+if [[ -f /var/log/cron ]]; then
+    echo "/var/log/cron" >> /tmp/log_check_files
+fi
+exclude_log "kibana.log"   # kibana error logs are too verbose with large varieties of errors most of which are temporary
+exclude_log "spool"        # disregard zeek analyze logs as this is data specific
+exclude_log "import"       # disregard imported test data the contains error strings
+exclude_log "update.log"   # ignore playbook updates due to several known issues
+exclude_log "playbook.log" # ignore due to several playbook known issues
+
+for log_file in $(cat /tmp/log_check_files); do
+    status "Checking log file $log_file"
+    tail -n $RECENT_LOG_LINES $log_file > /tmp/log_check
+    check_for_errors
+done
+
+# Cleanup temp files
+rm -f /tmp/log_check_files
+rm -f /tmp/log_check
+
+if [[ $RESULT -eq 0 ]]; then
+    echo -e "\nResult: No errors found"
+else
+    echo -e "\nResult: One or more errors found"
+fi
+
+exit $RESULT
--- a/salt/common/tools/sbin/so-status
+++ b/salt/common/tools/sbin/so-status
@@ -103,7 +103,7 @@ def output(options, console, code, data):
 def check_container_status(options, console):
  code = 0
  cli = "docker"
-  proc = subprocess.run([cli, 'ps', '--format', '{{json .}}'], stdout=subprocess.PIPE, encoding="utf-8")
+  proc = subprocess.run([cli, 'ps', '--format', 'json'], stdout=subprocess.PIPE, encoding="utf-8")
  if proc.returncode != 0:
    fail("Container system error; unable to obtain container process statuses")

--- a/salt/common/tools/sbin/so-test
+++ b/salt/common/tools/sbin/so-test
@@ -5,4 +5,14 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.

+. /usr/sbin/so-common
+
+set -e
+
+# Playback live sample data onto monitor interface
 so-tcpreplay /opt/samples/* 2> /dev/null
+
+# Ingest sample pfsense log entry
+if is_sensor_node; then
+    echo "<134>$(date '+%b %d %H:%M:%S') filterlog[31624]: 84,,,1567509287,igb0.244,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,64,192.168.1.1,10.10.10.10,56320,443,0,S,3333585167,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol" | nc -uv -w1 127.0.0.1 514 > /dev/null 2>&1
+fi
--- a/salt/common/tools/sbin/so-zeek-logs
+++ b/salt/common/tools/sbin/so-zeek-logs
@@ -1,67 +0,0 @@
-#!/bin/bash
-local_salt_dir=/opt/so/saltstack/local
-
-zeek_logs_enabled() {
-  echo "zeeklogs:" > $local_salt_dir/pillar/zeeklogs.sls
-  echo "  enabled:" >> $local_salt_dir/pillar/zeeklogs.sls
-  for BLOG in "${BLOGS[@]}"; do
-    echo "    - $BLOG" | tr -d '"' >> $local_salt_dir/pillar/zeeklogs.sls
-  done
-}
-
-whiptail_manager_adv_service_zeeklogs() {
-  BLOGS=$(whiptail --title "so-zeek-logs" --checklist "Please Select Logs to Send:" 24 78 12 \
-  "conn" "Connection Logging" ON \
-  "dce_rpc" "RPC Logs" ON \
-  "dhcp" "DHCP Logs" ON \
-  "dnp3" "DNP3 Logs" ON \
-  "dns" "DNS Logs" ON \
-  "dpd" "DPD Logs" ON \
-  "files" "Files Logs" ON \
-  "ftp" "FTP Logs" ON \
-  "http" "HTTP Logs" ON \
-  "intel" "Intel Hits Logs" ON \
-  "irc" "IRC Chat Logs" ON \
-  "kerberos" "Kerberos Logs" ON \
-  "modbus" "MODBUS Logs" ON \
-  "notice" "Zeek Notice Logs" ON \
-  "ntlm" "NTLM Logs" ON \
-  "pe" "PE Logs" ON \
-  "radius" "Radius Logs" ON \
-  "rfb" "RFB Logs" ON \
-  "rdp" "RDP Logs" ON \
-  "sip" "SIP Logs" ON \
-  "smb_files" "SMB Files Logs" ON \
-  "smb_mapping" "SMB Mapping Logs" ON \
-  "smtp" "SMTP Logs" ON \
-  "snmp" "SNMP Logs" ON \
-  "ssh" "SSH Logs" ON \
-  "ssl" "SSL Logs" ON \
-  "syslog" "Syslog Logs" ON \
-  "tunnel" "Tunnel Logs" ON \
-  "weird" "Zeek Weird Logs" ON \
-  "mysql" "MySQL Logs" ON \
-  "socks" "SOCKS Logs" ON \
-  "x509" "x.509 Logs" ON 3>&1 1>&2 2>&3 )
-  
-  local exitstatus=$?
-
-  IFS=' ' read -ra BLOGS <<< "$BLOGS"
-
-  return $exitstatus
-}
-
-whiptail_manager_adv_service_zeeklogs
-return_code=$?
-case $return_code in
-  1)
-    whiptail --title "so-zeek-logs" --msgbox "Cancelling. No changes have been made." 8 75
-    ;;
-  255)
-    whiptail --title "so-zeek-logs" --msgbox "Whiptail error occured, exiting." 8 75
-    ;;
-  *)
-    zeek_logs_enabled
-    ;;
-esac
-
--- a/salt/common/tools/sbin_jinja/so-desktop-install
+++ b/salt/common/tools/sbin_jinja/so-desktop-install
@@ -5,15 +5,15 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.

+source /usr/sbin/so-common
+doc_desktop_url="$DOC_BASE_URL/desktop.html"

-{# we only want the script to install the desktop if it is Rocky -#}
-{% if grains.os == 'Rocky' -%}
+{# we only want the script to install the desktop if it is OEL -#}
+{% if grains.os == 'OEL' -%}
 {#   if this is a manager -#}
 {%   if grains.master == grains.id.split('_')|first -%}

-source /usr/sbin/so-common
-doc_desktop_url="$DOC_BASE_URL/desktop.html"
-pillar_file="/opt/so/saltstack/local/pillar/minions/{{grains.id}}.sls"
+pillar_file="/opt/so/saltstack/local/pillar/minions/adv_{{grains.id}}.sls"

 if [ -f "$pillar_file" ]; then
  if ! grep -q "^desktop:$" "$pillar_file"; then
@@ -65,7 +65,7 @@ if [ -f "$pillar_file" ]; then
    fi
  else # desktop is already added
    echo "The desktop pillar already exists in $pillar_file."
-    echo "To enable/disable the gui, set 'desktop:gui:enabled' to true or false in $pillar_file."
+    echo "To enable/disable the gui, set 'desktop:gui:enabled' to true or false in $pillar_file. Alternatively, this can be set in the SOC UI under advanced."
    echo "Additional documentation can be found at $doc_desktop_url."
  fi
 else # if the pillar file doesn't exist
@@ -75,17 +75,22 @@ fi
 {#-  if this is not a manager #}
 {%   else -%}

-echo "Since this is not a manager, the pillar values to enable Security Onion Desktop must be set manually. Please view the documentation at $doc_desktop_url."
+echo "Since this is not a manager, the pillar values to enable Security Onion Desktop must be set manually. This can be enabled in the SOC UI under advanced by adding the following:"
+echo "desktop:"
+echo "  gui:"
+echo "    enabled: true"
+echo ""
+echo "Please view the documentation at $doc_desktop_url."

 {#- endif if this is a manager #}
 {%   endif -%}

-{#- if not Rocky #}
+{#- if not OEL #}
 {%- else %}

-echo "The Security Onion Desktop can only be installed on Rocky Linux. Please view the documentation at $doc_desktop_url."
+echo "The Security Onion Desktop can only be installed on Oracle Linux. Please view the documentation at $doc_desktop_url."

-{#- endif grains.os == Rocky #}
+{#- endif grains.os == OEL #}
 {% endif -%}

 exit 0
--- a/salt/common/tools/sbin_jinja/so-import-evtx
+++ b/salt/common/tools/sbin_jinja/so-import-evtx
@@ -27,6 +27,8 @@ Imports one or more evtx files into Security Onion. The evtx files will be analy
 Options:
  --json      Outputs summary in JSON format. Implies --quiet.
  --quiet     Silences progress information to stdout.
+  --shift     Adds a time shift. Accepts a single argument that is intended to be the date of the last record, and shifts the dates of the previous records accordingly.
+              Ex. sudo so-import-evtx --shift "2023-08-01 01:01:01" example.evtx 
 EOF
 }

@@ -44,6 +46,10 @@ while [[ $# -gt 0 ]]; do
    --quiet)
      quiet=1
      ;;
+    --shift)
+      SHIFTDATE=$1
+      shift
+      ;;
    -*) 
      echo "Encountered unexpected parameter: $param"
      usage
@@ -68,12 +74,14 @@ function status {
 function evtx2es() {
  EVTX=$1
  HASH=$2
+  SHIFTDATE=$3
  
  docker run --rm \
+    -e "SHIFTTS=$SHIFTDATE" \
    -v "$EVTX:/tmp/data.evtx" \
    -v "/nsm/import/$HASH/evtx/:/tmp/evtx/" \
-    -v "/nsm/import/evtx-end_newest:/tmp/newest" \
-    -v "/nsm/import/evtx-start_oldest:/tmp/oldest" \
+    -v "/nsm/import/$HASH/evtx-end_newest:/tmp/newest" \
+    -v "/nsm/import/$HASH/evtx-start_oldest:/tmp/oldest" \
    --entrypoint "/evtx_calc_timestamps.sh" \
    {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-pcaptools:{{ VERSION }} >> $LOG_FILE 2>&1
 }
@@ -103,17 +111,13 @@ INVALID_EVTXS_COUNT=0
 VALID_EVTXS_COUNT=0
 SKIPPED_EVTXS_COUNT=0

-touch /nsm/import/evtx-start_oldest
-touch /nsm/import/evtx-end_newest
-
-echo $START_OLDEST > /nsm/import/evtx-start_oldest
-echo $END_NEWEST > /nsm/import/evtx-end_newest
-
 # paths must be quoted in case they include spaces
 for EVTX in $INPUT_FILES; do
  EVTX=$(/usr/bin/realpath "$EVTX")
  status "Processing Import: ${EVTX}"
-
+  if ! [ -z "$SHIFTDATE" ]; then
+    status "- timeshifting logs to end date of $SHIFTDATE"
+  fi
  # generate a unique hash to assist with dedupe checks
  HASH=$(md5sum "${EVTX}" | awk '{ print $1 }')
  HASH_DIR=/nsm/import/${HASH}
@@ -131,12 +135,19 @@ for EVTX in $INPUT_FILES; do
    status "- this EVTX has already been imported; skipping"
    SKIPPED_EVTXS_COUNT=$((SKIPPED_EVTXS_COUNT + 1))
  else
+    # create EVTX directory
    EVTX_DIR=$HASH_DIR/evtx
    mkdir -p $EVTX_DIR
+    # create import timestamp files
+    for i in evtx-start_oldest evtx-end_newest; do
+      if ! [ -f "$i" ]; then
+        touch /nsm/import/$HASH/$i
+      fi
+    done

    # import evtx and write them to import ingest pipeline
    status "- importing logs to Elasticsearch..."
-    evtx2es "${EVTX}" $HASH
+    evtx2es "${EVTX}" $HASH "$SHIFTDATE"
    if [[ $? -ne 0 ]]; then
      INVALID_EVTXS_COUNT=$((INVALID_EVTXS_COUNT + 1))
      status "- WARNING: This evtx file may not have fully imported successfully"
@@ -144,28 +155,37 @@ for EVTX in $INPUT_FILES; do
      VALID_EVTXS_COUNT=$((VALID_EVTXS_COUNT + 1))
    fi

-    # compare $START to $START_OLDEST
-    START=$(cat /nsm/import/evtx-start_oldest)
-    START_COMPARE=$(date -d $START +%s)
-    START_OLDEST_COMPARE=$(date -d $START_OLDEST +%s)
-    if [ $START_COMPARE -lt $START_OLDEST_COMPARE ]; then
-      START_OLDEST=$START
-    fi  
-
-    # compare $ENDNEXT to $END_NEWEST
-    END=$(cat /nsm/import/evtx-end_newest)
-    ENDNEXT=`date +%Y-%m-%d --date="$END 1 day"`
-    ENDNEXT_COMPARE=$(date -d $ENDNEXT +%s)
-    END_NEWEST_COMPARE=$(date -d $END_NEWEST +%s)
-    if [ $ENDNEXT_COMPARE -gt $END_NEWEST_COMPARE ]; then
-      END_NEWEST=$ENDNEXT
-    fi  
-
    cp -f "${EVTX}" "${EVTX_DIR}"/data.evtx
    chmod 644 "${EVTX_DIR}"/data.evtx

  fi # end of valid evtx

+  # determine start and end and make sure they aren't reversed
+  START=$(cat /nsm/import/$HASH/evtx-start_oldest)
+  END=$(cat /nsm/import/$HASH/evtx-end_newest)
+  START_EPOCH=`date -d "$START" +"%s"`
+  END_EPOCH=`date -d "$END" +"%s"`
+  if [ "$START_EPOCH" -gt "$END_EPOCH" ]; then
+    TEMP=$START
+    START=$END
+    END=$TEMP
+  fi
+
+  # compare $START to $START_OLDEST
+  START_COMPARE=$(date -d $START +%s)
+  START_OLDEST_COMPARE=$(date -d $START_OLDEST +%s)
+  if [ $START_COMPARE -lt $START_OLDEST_COMPARE ]; then
+    START_OLDEST=$START
+  fi
+
+  # compare $ENDNEXT to $END_NEWEST
+  ENDNEXT=`date +%Y-%m-%d --date="$END 1 day"`
+  ENDNEXT_COMPARE=$(date -d $ENDNEXT +%s)
+  END_NEWEST_COMPARE=$(date -d $END_NEWEST +%s)
+  if [ $ENDNEXT_COMPARE -gt $END_NEWEST_COMPARE ]; then
+    END_NEWEST=$ENDNEXT
+  fi
+
  status

 done # end of for-loop processing evtx files
@@ -222,4 +242,4 @@ if [[ $json -eq 1 ]]; then
    }'''
 fi

-exit $RESULT
+exit $RESULT
--- a/salt/common/tools/sbin_jinja/so-raid-status
+++ b/salt/common/tools/sbin_jinja/so-raid-status
@@ -1,7 +1,7 @@
 #!/bin/bash

 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.

@@ -9,25 +9,26 @@

 . /usr/sbin/so-common

-appliance_check() {
-  {%- if salt['grains.get']('sosmodel', '') %}
-  APPLIANCE=1
-  {%- if grains['sosmodel'] in ['SO2AMI01', 'SO2GCI01', 'SO2AZI01'] %}
-  exit 0
-  {%- endif %}
-  DUDEYOUGOTADELL=$(dmidecode |grep Dell)
-  if [[ -n $DUDEYOUGOTADELL ]]; then
-  APPTYPE=dell
-  else
-  APPTYPE=sm
-  fi
-  mkdir -p /opt/so/log/raid
-
-  {%- else %}
-  echo "This is not an appliance"
-  exit 0
-  {%- endif %}
-}
+{%- if salt['grains.get']('sosmodel', '') %}
+{%- set model = salt['grains.get']('sosmodel') %}
+model={{ model }}
+# Don't need cloud images to use this
+if [[ $model =~ ^(SO2AMI01|SO2AZI01|SO2GCI01)$ ]]; then
+    exit 0
+fi
+{%- else %}
+echo "This is not an appliance"
+exit 0
+{%- endif %}
+if [[ $model =~ ^(SOS10K|SOS500|SOS1000|SOS1000F|SOS4000|SOSSN7200|SOSSNNV|SOSMN)$ ]]; then
+	is_bossraid=true
+fi
+if [[ $model =~ ^(SOSSNNV|SOSMN)$ ]]; then
+	is_swraid=true
+fi
+if [[ $model =~ ^(SOS10K|SOS500|SOS1000|SOS1000F|SOS4000|SOSSN7200)$ ]]; then
+	is_hwraid=true
+fi

 check_nsm_raid() {
  PERCCLI=$(/opt/raidtools/perccli/perccli64 /c0/v0 show|grep RAID|grep Optl)
@@ -49,61 +50,44 @@ check_nsm_raid() {
 check_boss_raid() {
  MVCLI=$(/usr/local/bin/mvcli info -o vd |grep status |grep functional)

-  if [[ -n $DUDEYOUGOTADELL ]]; then
-    if [[ -n $MVCLI ]]; then
-      BOSSRAID=0
-    else
-      BOSSRAID=1
-    fi
+  if [[ -n $MVCLI ]]; then
+    BOSSRAID=0
+  else
+    BOSSRAID=1
  fi
 }

 check_software_raid() {
-  if [[ -n $DUDEYOUGOTADELL ]]; then
-    SWRC=$(grep "_" /proc/mdstat)
-
-    if [[ -n $SWRC ]]; then
-        # RAID is failed in some way
-        SWRAID=1
-    else
-        SWRAID=0
-    fi
+  SWRC=$(grep "_" /proc/mdstat)
+  if [[ -n $SWRC ]]; then
+      # RAID is failed in some way
+      SWRAID=1
+  else
+      SWRAID=0
  fi
 }

-# This script checks raid status if you use SO appliances
+# Set everything to 0
+SWRAID=0
+BOSSRAID=0
+HWRAID=0

-# See if this is an appliance
-
-appliance_check
-check_nsm_raid
-check_boss_raid
-{%- if salt['grains.get']('sosmodel', '') %}
-{%- if grains['sosmodel'] in ['SOSMN', 'SOSSNNV'] %}
-check_software_raid
-{%- endif %}
-{%- endif %}
-
-if [[ -n $SWRAID ]]; then
-  if [[ $SWRAID == '0' && $BOSSRAID == '0' ]]; then
-    RAIDSTATUS=0
-  else
-    RAIDSTATUS=1
-  fi
-elif [[ -n $DUDEYOUGOTADELL ]]; then
-  if [[ $BOSSRAID == '0' && $HWRAID == '0' ]]; then
-    RAIDSTATUS=0
-  else
-    RAIDSTATUS=1
-  fi
-elif [[ "$APPTYPE" == 'sm' ]]; then
-  if [[ -n "$HWRAID" ]]; then
-    RAIDSTATUS=0
-  else
-    RAIDSTATUS=1
-  fi
+if [[ $is_hwraid ]]; then
+	check_nsm_raid
+fi
+if [[ $is_bossraid ]]; then
+	check_boss_raid
+fi
+if [[ $is_swraid ]]; then
+	check_software_raid
 fi

-echo "nsmraid=$RAIDSTATUS" > /opt/so/log/raid/status.log
+sum=$(($SWRAID + $BOSSRAID + $HWRAID))

+if [[ $sum == "0" ]]; then
+  RAIDSTATUS=0
+else
+  RAIDSTATUS=1
+fi

+echo "nsmraid=$RAIDSTATUS" > /opt/so/log/raid/status.log
--- a/salt/common/tools/sbin_jinja/so-salt-minion-check
+++ b/salt/common/tools/sbin_jinja/so-salt-minion-check
--- a/salt/desktop/files/00-background
+++ b/salt/desktop/files/00-background
@@ -0,0 +1,8 @@
+# Specify the dconf path
+[org/gnome/desktop/background]
+
+# Specify the path to the desktop background image file
+picture-uri='file:///usr/local/share/backgrounds/so-wallpaper.jpg'
+
+# Specify one of the rendering options for the background image:
+picture-options='zoom'
--- a/salt/desktop/files/session.jinja
+++ b/salt/desktop/files/session.jinja
@@ -0,0 +1,7 @@
+# This file is managed by Salt in the desktop.xwindows state
+# It will not be overwritten if it already exists
+
+[User]
+Session=gnome-classic
+Icon=/home/{{USERNAME}}/.face
+SystemAccount=false
--- a/salt/desktop/packages.sls
+++ b/salt/desktop/packages.sls
@@ -1,170 +1,278 @@
-{% from 'vars/globals.map.jinja' import GLOBALS %}
-
 {# we only want this state to run it is CentOS #}
-{% if GLOBALS.os == 'Rocky' %}
-
+{% if grains.os == 'OEL' %}

 desktop_packages:
  pkg.installed:
    - pkgs:
+      - ModemManager
+      - ModemManager-glib
      - NetworkManager
      - NetworkManager-adsl
      - NetworkManager-bluetooth
-      - NetworkManager-l2tp-gnome
-      - NetworkManager-libreswan-gnome
-      - NetworkManager-openconnect-gnome
-      - NetworkManager-openvpn-gnome
-      - NetworkManager-ppp
-      - NetworkManager-pptp-gnome
+      - NetworkManager-config-server
+      - NetworkManager-libnm
      - NetworkManager-team
      - NetworkManager-tui
      - NetworkManager-wifi
      - NetworkManager-wwan
+      - PackageKit
+      - PackageKit-command-not-found
+      - PackageKit-glib
      - PackageKit-gstreamer-plugin
-      - aajohan-comfortaa-fonts
-      - abattis-cantarell-fonts
-      - acl
-      - alsa-ucm
-      - alsa-utils
-      - anaconda
-      - anaconda-install-env-deps
-      - anaconda-live
-      - at
-      - attr
+      - PackageKit-gtk3-module
      - audit
+      - audit-libs
      - authselect
+      - authselect-libs
+      - avahi
+      - avahi-glib
+      - avahi-libs
+      - baobab
      - basesystem
-      - bash
-      - bash-completion
      - bc
-      - blktrace
+      - bcache-tools
      - bluez
+      - bluez-libs
+      - bluez-obexd
      - bolt
-      - bpftool
      - bzip2
+      - bzip2-libs
+      - c-ares
+      - ca-certificates
+      - cairo
+      - cairo-gobject
+      - cairomm
+      - checkpolicy
      - chkconfig
+      - chrome-gnome-shell
      - chromium
-      - chrony
-      - cinnamon
-      - cinnamon-control-center
-      - cinnamon-screensaver
-      - cockpit
-      - coreutils
-      - cpio
-      - cronie
-      - crontabs
-      - crypto-policies
-      - crypto-policies-scripts
-      - cryptsetup
-      - curl
-      - cyrus-sasl-plain
-      - dbus
+      - clutter
+      - clutter-gst3
+      - clutter-gtk
+      - cogl
+      - color-filesystem
+      - colord
+      - colord-gtk
+      - colord-libs
+      - conmon
+      - cups
+      - cups-client
+      - cups-filesystem
+      - cups-filters
+      - cups-filters-libs
+      - cups-ipptool
+      - cups-libs
+      - cups-pk-helper
+      - dconf
      - dejavu-sans-fonts
      - dejavu-sans-mono-fonts
      - dejavu-serif-fonts
-      - dnf
-      - dnf-plugins-core
-      - dos2unix
-      - dosfstools
-      - dracut-config-rescue
-      - dracut-live
+      - desktop-file-utils
      - dsniff
-      - e2fsprogs
-      - ed
-      - efi-filesystem
-      - efibootmgr
-      - efivar-libs
-      - eom
      - ethtool
-      - f36-backgrounds-extras-gnome
-      - f36-backgrounds-gnome
-      - f37-backgrounds-extras-gnome
-      - f37-backgrounds-gnome
+      - evolution-data-server
+      - evolution-data-server-langpacks
      - file
-      - filesystem
-      - firewall-config
-      - firewalld
-      - fprintd-pam
-      - git
-      - glibc
-      - glibc-all-langpacks
+      - flac-libs
+      - flashrom
+      - flatpak
+      - flatpak-libs
+      - flatpak-selinux
+      - flatpak-session-helper
+      - fontconfig
+      - fonts-filesystem
+      - foomatic
+      - foomatic-db
+      - foomatic-db-filesystem
+      - foomatic-db-ppds
+      - freetype
+      - fuse
+      - fuse-common
+      - fuse-libs
+      - fuse-overlayfs
+      - fuse3
+      - fuse3-libs
+      - fwupd
+      - fwupd-plugin-flashrom
+      - gcr
+      - gcr-base
+      - gd
+      - gdbm-libs
+      - gdisk
+      - gdk-pixbuf2
+      - gdk-pixbuf2-modules
+      - gdm
+      - gedit
+      - geoclue2
+      - geoclue2-libs
+      - geocode-glib
+      - gettext
+      - gettext-libs
+      - ghostscript
+      - ghostscript-tools-fonts
+      - ghostscript-tools-printing
+      - giflib
+      - glx-utils
+      - gmp
+      - gnome-autoar
+      - gnome-bluetooth
+      - gnome-bluetooth-libs
      - gnome-calculator
+      - gnome-characters
+      - gnome-classic-session
+      - gnome-color-manager
+      - gnome-control-center
+      - gnome-control-center-filesystem
+      - gnome-desktop3
      - gnome-disk-utility
+      - gnome-font-viewer
+      - gnome-initial-setup
+      - gnome-keyring
+      - gnome-keyring-pam
+      - gnome-logs
+      - gnome-menus
+      - gnome-online-accounts
+      - gnome-remote-desktop
      - gnome-screenshot
+      - gnome-session
+      - gnome-session-wayland-session
+      - gnome-session-xsession
+      - gnome-settings-daemon
+      - gnome-shell
+      - gnome-shell-extension-apps-menu
+      - gnome-shell-extension-background-logo
+      - gnome-shell-extension-common
+      - gnome-shell-extension-desktop-icons
+      - gnome-shell-extension-launch-new-instance
+      - gnome-shell-extension-places-menu
+      - gnome-shell-extension-window-list
+      - gnome-software
      - gnome-system-monitor
      - gnome-terminal
-      - gnupg2
+      - gnome-terminal-nautilus
+      - gnome-tour
+      - gnome-user-docs
+      - gnome-video-effects
+      - gobject-introspection
+      - gom
+      - google-droid-sans-fonts
+      - google-noto-cjk-fonts-common
      - google-noto-emoji-color-fonts
+      - google-noto-fonts-common
      - google-noto-sans-cjk-ttc-fonts
      - google-noto-sans-gurmukhi-fonts
      - google-noto-sans-sinhala-vf-fonts
      - google-noto-serif-cjk-ttc-fonts
-      - grub2-common
-      - grub2-pc-modules
-      - grub2-tools
-      - grub2-tools-efi
-      - grub2-tools-extra
-      - grub2-tools-minimal
-      - grubby
+      - gpgme
+      - gpm-libs
+      - graphene
+      - graphite2
+      - gsettings-desktop-schemas
+      - gsm
+      - gsound
+      - gspell
+      - gstreamer1
      - gstreamer1-plugins-bad-free
+      - gstreamer1-plugins-base
      - gstreamer1-plugins-good
+      - gstreamer1-plugins-good-gtk
      - gstreamer1-plugins-ugly-free
+      - gtk-update-icon-cache
+      - gtk2
+      - gtk3
+      - gtk4
+      - gtkmm30
+      - gtksourceview4
+      - gutenprint
+      - gutenprint-cups
+      - gutenprint-doc
+      - gutenprint-libs
+      - gvfs
+      - gvfs-client
+      - gvfs-fuse
+      - gvfs-goa
      - gvfs-gphoto2
      - gvfs-mtp
      - gvfs-smb
-      - hostname
-      - hyperv-daemons
-      - ibus-anthy
-      - ibus-hangul
-      - ibus-libpinyin
-      - ibus-libzhuyin
-      - ibus-m17n
-      - ibus-typing-booster
-      - imsettings-systemd
-      - initial-setup-gui
-      - initscripts
+      - gzip
+      - harfbuzz
+      - harfbuzz-icu
+      - hdparm
+      - hicolor-icon-theme
+      - highcontrast-icon-theme
+      - hplip-common
+      - hplip-libs
+      - hunspell
+      - hunspell-en
+      - hunspell-en-GB
+      - hunspell-en-US
+      - hunspell-filesystem
+      - hyphen
+      - ibus
+      - ibus-gtk3
+      - ibus-libs
+      - ibus-setup
+      - iio-sensor-proxy
+      - ima-evm-utils
+      - inih
      - initscripts-rename-device
-      - iproute
-      - iproute-tc
-      - iprutils
-      - iputils
-      - irqbalance
-      - iwl100-firmware
-      - iwl1000-firmware
-      - iwl105-firmware
-      - iwl135-firmware
-      - iwl2000-firmware
-      - iwl2030-firmware
-      - iwl3160-firmware
-      - iwl5000-firmware
-      - iwl5150-firmware
-      - iwl6000g2a-firmware
-      - iwl6000g2b-firmware
-      - iwl6050-firmware
-      - iwl7260-firmware
+      - initscripts-service
+      - iso-codes
+      - jansson
+      - jbig2dec-libs
+      - jbigkit-libs
      - jomolhari-fonts
+      - jose
+      - jq
+      - json-c
+      - json-glib
      - julietaula-montserrat-fonts
      - kbd
-      - kernel
-      - kernel-modules
-      - kernel-modules-extra
-      - kernel-tools
-      - kexec-tools
+      - kbd-misc
      - khmer-os-system-fonts
-      - kmod-kvdo
-      - kpatch
-      - kpatch-dnf
-      - ledmon
-      - less
+      - langpacks-core-en
+      - langpacks-core-font-en
+      - langpacks-en
+      - lcms2
+      - libICE
+      - libSM
+      - libX11
+      - libX11-common
+      - libX11-xcb
+      - libXau
+      - libXcomposite
+      - libXcursor
+      - libXdamage
+      - libXdmcp
+      - libXext
+      - libXfixes
+      - libXfont2
+      - libXft
+      - libXi
+      - libXinerama
+      - libXmu
+      - libXpm
+      - libXrandr
+      - libXrender
+      - libXres
+      - libXt
+      - libXtst
+      - libXv
+      - libXxf86dga
+      - libXxf86vm
+      - libappstream-glib
+      - liberation-fonts-common
      - liberation-mono-fonts
      - liberation-sans-fonts
      - liberation-serif-fonts
      - libertas-sd8787-firmware
-      - libstoragemgmt
-      - libsysfs
-      - lightdm
-      - linux-firmware
-      - logrotate
+      - libglvnd-gles
+      - libglvnd-glx
+      - libglvnd-opengl
+      - libgnomekbd
+      - libgomp
+      - libgphoto2
+      - lockdev
      - lohit-assamese-fonts
      - lohit-bengali-fonts
      - lohit-devanagari-fonts
@@ -175,136 +283,163 @@ desktop_packages:
      - lohit-telugu-fonts
      - lshw
      - lsof
-      - lsscsi
-      - lvm2
-      - mailcap
-      - man-db
-      - man-pages
-      - mcelog
-      - mdadm
-      - memtest86+
-      - metacity
+      - mesa-dri-drivers
+      - mesa-filesystem
+      - mesa-libEGL
+      - mesa-libGL
+      - mesa-libgbm
+      - mesa-libglapi
+      - mesa-libxatracker
+      - mesa-vulkan-drivers
      - microcode_ctl
-      - mlocate
+      - mobile-broadband-provider-info
+      - mono-devel
+      - mpfr
+      - mpg123-libs
+      - mtdev
      - mtr
-      - nano
-      - ncurses
-      - nemo-fileroller
-      - nemo-image-converter
-      - nemo-preview
+      - nautilus
+      - nautilus-extensions
      - net-tools
-      - netronome-firmware
-      - ngrep
-      - nm-connection-editor
-      - nmap-ncat
      - nvme-cli
      - open-vm-tools-desktop
-      - openssh-clients
-      - openssh-server
-      - p11-kit
-      - paktype-naskh-basic-fonts
-      - parole
-      - parted
-      - passwd
+      - oracle-backgrounds
+      - oracle-indexhtml
+      - oracle-logos
+      - pcaudiolib
      - pciutils
+      - pinentry
+      - pinentry-gnome3
      - pinfo
      - pipewire
      - pipewire-alsa
      - pipewire-gstreamer
      - pipewire-jack-audio-connection-kit
+      - pipewire-libs
      - pipewire-pulseaudio
      - pipewire-utils
+      - pixman
      - plymouth
+      - plymouth-core-libs
+      - plymouth-graphics-libs
+      - plymouth-plugin-label
+      - plymouth-plugin-two-step
+      - plymouth-scripts
+      - plymouth-system-theme
+      - plymouth-theme-spinner
      - policycoreutils
-      - powerline
-      - ppp
-      - prefixdevname
-      - procps-ng
-      - psacct
+      - policycoreutils-python-utils
      - pt-sans-fonts
-      - python3-libselinux
-      - python3-scapy
-      - qemu-guest-agent
-      - quota
-      - realmd
-      - redshift-gtk
-      - rocky-backgrounds
-      - rocky-release
-      - rootfiles
-      - rpm
-      - rpm-plugin-audit
-      - rsync
-      - rsyslog
-      - rsyslog-gnutls
-      - rsyslog-gssapi
-      - rsyslog-relp
-      - salt-minion
+      - pulseaudio-libs
+      - pulseaudio-libs-glib2
+      - pulseaudio-utils
+      - sane-airscan
+      - sane-backends
+      - sane-backends-drivers-cameras
      - sane-backends-drivers-scanners
-      - selinux-policy-targeted
-      - setroubleshoot
-      - setup
-      - sg3_utils
-      - sg3_utils-libs
-      - shadow-utils
+      - sane-backends-libs
      - sil-abyssinica-fonts
      - sil-nuosu-fonts
      - sil-padauk-fonts
-      - slick-greeter
-      - slick-greeter-cinnamon
      - smartmontools
      - smc-meera-fonts
-      - sos
+      - snappy
+      - sound-theme-freedesktop
+      - soundtouch
+      - speech-dispatcher
+      - speech-dispatcher-espeak-ng
+      - speex
      - spice-vdagent
-      - ssldump
-      - sssd
-      - sssd-common
-      - sssd-kcm
-      - stix-fonts
-      - strace
-      - sudo
+      - switcheroo-control
      - symlinks
-      - syslinux
-      - systemd
-      - systemd-udev
-      - tar
+      - system-config-printer-libs
+      - system-config-printer-udev
+      - taglib
      - tcpdump
      - tcpflow
-      - teamd
+      - thai-scalable-fonts-common
      - thai-scalable-waree-fonts
-      - time
-      - tmux
-      - tmux-powerline
-      - transmission
+      - totem
+      - totem-pl-parser
+      - totem-video-thumbnailer
+      - tpm2-tools
+      - tpm2-tss
+      - tracer-common
+      - tracker
+      - tracker-miners
      - tree
      - tuned
+      - twolame-libs
+      - tzdata
+      - udisks2
+      - udisks2-iscsi
+      - udisks2-lvm2
      - unzip
+      - upower
+      - urw-base35-bookman-fonts
+      - urw-base35-c059-fonts
+      - urw-base35-d050000l-fonts
+      - urw-base35-fonts
+      - urw-base35-fonts-common
+      - urw-base35-gothic-fonts
+      - urw-base35-nimbus-mono-ps-fonts
+      - urw-base35-nimbus-roman-fonts
+      - urw-base35-nimbus-sans-fonts
+      - urw-base35-p052-fonts
+      - urw-base35-standard-symbols-ps-fonts
+      - urw-base35-z003-fonts
      - usb_modeswitch
+      - usb_modeswitch-data
      - usbutils
-      - util-linux
-      - util-linux-user
+      - usermode
+      - userspace-rcu
      - vdo
-      - vim-enhanced
-      - vim-minimal
-      - vim-powerline
-      - virt-what
-      - wget
+      - vulkan-loader
+      - wavpack
+      - webkit2gtk3
+      - webkit2gtk3-jsc
+      - webrtc-audio-processing
      - whois
-      - which
+      - wireless-regdb
      - wireplumber
+      - wireplumber-libs
      - wireshark
+      - woff2
      - words
+      - wpa_supplicant
+      - wpebackend-fdo
+      - xdg-dbus-proxy
+      - xdg-desktop-portal
+      - xdg-desktop-portal-gnome
+      - xdg-desktop-portal-gtk
+      - xdg-user-dirs
      - xdg-user-dirs-gtk
-      - xed
-      - xfsdump
-      - xfsprogs
-      - xreader
-      - yum
+      - xdg-utils
+      - xkeyboard-config
+      - xorg-x11-drv-evdev
+      - xorg-x11-drv-fbdev
+      - xorg-x11-drv-libinput
+      - xorg-x11-drv-vmware
+      - xorg-x11-drv-wacom
+      - xorg-x11-drv-wacom-serial-support
+      - xorg-x11-server-Xorg
+      - xorg-x11-server-Xwayland
+      - xorg-x11-server-common
+      - xorg-x11-server-utils
+      - xorg-x11-utils
+      - xorg-x11-xauth
+      - xorg-x11-xinit
+      - xorg-x11-xinit-session
      - zip

+install_networkminer:
+  pkg.latest:
+    - name: securityonion-networkminer
+
 {% else %}

 desktop_packages_os_fail:
  test.fail_without_changes:
-    - comment: 'SO desktop can only be installed on Rocky'
+    - comment: 'SO desktop can only be installed on Oracle Linux'

 {% endif %}
--- a/salt/desktop/remove_gui.sls
+++ b/salt/desktop/remove_gui.sls
@@ -1,7 +1,5 @@
-{% from 'vars/globals.map.jinja' import GLOBALS %}
-
 {# we only want this state to run it is CentOS #}
-{% if GLOBALS.os == 'Rocky' %}
+{% if grains.os == 'OEL' %}

 remove_graphical_target:
  file.symlink:
@@ -12,6 +10,6 @@ remove_graphical_target:
 {% else %}
 desktop_trusted-ca_os_fail:
  test.fail_without_changes:
-    - comment: 'SO Desktop can only be installed on Rocky'
+    - comment: 'SO Desktop can only be installed on Oracle Linux'

 {% endif %}
--- a/salt/desktop/trusted-ca.sls
+++ b/salt/desktop/trusted-ca.sls
@@ -1,7 +1,7 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}

 {# we only want this state to run it is CentOS #}
-{% if GLOBALS.os == 'Rocky' %}
+{% if GLOBALS.os == 'OEL' %}

  {% set global_ca_text = [] %}
  {% set global_ca_server = [] %}
@@ -31,6 +31,6 @@ update_ca_certs:

 desktop_trusted-ca_os_fail:
  test.fail_without_changes:
-    - comment: 'SO Desktop can only be installed on CentOS'
+    - comment: 'SO Desktop can only be installed on Oracle Linux'

 {% endif %}
--- a/salt/desktop/xwindows.sls
+++ b/salt/desktop/xwindows.sls
@@ -1,7 +1,5 @@
-{% from 'vars/globals.map.jinja' import GLOBALS %}
-
 {# we only want this state to run it is CentOS #}
-{% if GLOBALS.os == 'Rocky' %}
+{% if grains.os == 'OEL' %}

 include:
  - desktop.packages
@@ -14,10 +12,45 @@ graphical_target:
    - require:
      - desktop_packages

+{# set users to use gnome-classic #}
+{%   for username in salt['file.find'](path='/home/',mindepth=1,maxdepth=1,type='d') %}
+{%     set username = username.split('/')[2] %}
+{%     if username != 'zeek' %}
+{%       if not salt['file.file_exists']('/var/lib/AccountsService/users/' ~ username) %}
+
+{{username}}_session:
+  file.managed:
+    - name: /var/lib/AccountsService/users/{{username}}
+    - source: salt://desktop/files/session.jinja
+    - template: jinja
+    - defaults:
+        USERNAME: {{username}}
+
+{%       endif %}
+{%     endif %}
+{%   endfor %}
+
+desktop_wallpaper:
+  file.managed:
+    - name: /usr/local/share/backgrounds/so-wallpaper.jpg
+    - source: salt://desktop/files/so-wallpaper.jpg
+    - makedirs: True
+
+set_wallpaper:
+  file.managed:
+    - name: /etc/dconf/db/local.d/00-background
+    - source: salt://desktop/files/00-background
+
+run_dconf_update:
+  cmd.run:
+    - name: 'dconf update'
+    - onchanges:
+      - file: set_wallpaper
+
 {% else %}

 desktop_xwindows_os_fail:
  test.fail_without_changes:
-    - comment: 'SO Desktop can only be installed on Rocky'
+    - comment: 'SO Desktop can only be installed on Oracle Linux'

 {% endif %}
--- a/salt/docker/defaults.yaml
+++ b/salt/docker/defaults.yaml
@@ -1,8 +1,6 @@
 docker:
-  bip: '172.17.0.1'
-  range: '172.17.0.0/24'
-  sorange: '172.17.1.0/24'
-  sobip: '172.17.1.1'
+  range: '172.17.1.0/24'
+  gateway: '172.17.1.1'
  containers:
    'so-dockerregistry':
      final_octet: 20
@@ -180,6 +178,9 @@ docker:
      extra_env: []
    'so-elastic-agent':
      final_octet: 46
+      port_bindings:
+        - 0.0.0.0:514:514/tcp
+        - 0.0.0.0:514:514/udp
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
@@ -202,4 +203,4 @@ docker:
      final_octet: 99
      custom_bind_mounts: []
      extra_hosts: []
-      extra_env: []
+      extra_env: []
--- a/salt/docker/docker.map.jinja
+++ b/salt/docker/docker.map.jinja
@@ -1,6 +1,6 @@
 {% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %}
 {% set DOCKER = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %}
-{% set RANGESPLIT = DOCKER.sorange.split('.') %}
+{% set RANGESPLIT = DOCKER.range.split('.') %}
 {% set FIRSTTHREE = RANGESPLIT[0] ~ '.' ~ RANGESPLIT[1] ~ '.' ~ RANGESPLIT[2] ~ '.' %}

 {% for container, vals in DOCKER.containers.items() %}
--- a/salt/docker/init.sls
+++ b/salt/docker/init.sls
@@ -6,13 +6,37 @@
 {% from 'docker/docker.map.jinja' import DOCKER %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}

+# include ssl since docker service requires the intca
+include:
+  - ssl

 dockergroup:
  group.present:
    - name: docker
    - gid: 920

-{% if GLOBALS.os == 'Ubuntu' %}
+{% if GLOBALS.os_family == 'Debian' %}
+{%    if grains.oscodename == 'bookworm' %}
+dockerheldpackages:
+  pkg.installed:
+    - pkgs:
+      - containerd.io: 1.6.21-1
+      - docker-ce: 5:24.0.3-1~debian.12~bookworm
+      - docker-ce-cli: 5:24.0.3-1~debian.12~bookworm
+      - docker-ce-rootless-extras: 5:24.0.3-1~debian.12~bookworm
+    - hold: True
+    - update_holds: True
+{%    elif grains.oscodename == 'jammy' %}
+dockerheldpackages:
+  pkg.installed:
+    - pkgs:
+      - containerd.io: 1.6.21-1
+      - docker-ce: 5:24.0.2-1~ubuntu.22.04~jammy
+      - docker-ce-cli: 5:24.0.2-1~ubuntu.22.04~jammy
+      - docker-ce-rootless-extras: 5:24.0.2-1~ubuntu.22.04~jammy
+    - hold: True
+    - update_holds: True
+{%    else %}
 dockerheldpackages:
  pkg.installed:
    - pkgs:
@@ -22,14 +46,15 @@ dockerheldpackages:
      - docker-ce-rootless-extras: 5:20.10.5~3-0~ubuntu-focal
    - hold: True
    - update_holds: True
+{% endif %}
 {% else %}
 dockerheldpackages:
  pkg.installed:
    - pkgs:
      - containerd.io: 1.6.21-3.1.el9
-      - docker-ce: 24.0.2-1.el9
-      - docker-ce-cli: 24.0.2-1.el9
-      - docker-ce-rootless-extras: 24.0.2-1.el9
+      - docker-ce: 24.0.4-1.el9
+      - docker-ce-cli: 24.0.4-1.el9
+      - docker-ce-rootless-extras: 24.0.4-1.el9
    - hold: True
    - update_holds: True
 {% endif %}
@@ -64,6 +89,11 @@ docker_running:
    - enable: True
    - watch:
      - file: docker_daemon
+      - x509: trusttheca
+    - require:
+      - file: docker_daemon
+      - x509: trusttheca
+

 # Reserve OS ports for Docker proxy in case boot settings are not already applied/present
 # 57314 = Strelka, 47760-47860 = Zeek
@@ -80,8 +110,8 @@ dockerreserveports:
 sos_docker_net:
  docker_network.present:
    - name: sobridge
-    - subnet: {{ DOCKER.sorange }}
-    - gateway: {{ DOCKER.sobip }}
+    - subnet: {{ DOCKER.range }}
+    - gateway: {{ DOCKER.gateway }}
    - options:
        com.docker.network.bridge.name: 'sobridge'
        com.docker.network.driver.mtu: '1500'
--- a/salt/docker/soc_docker.yaml
+++ b/salt/docker/soc_docker.yaml
@@ -1,22 +1,14 @@
 docker:
-  bip:
-    description: Bind IP for the default docker interface.
+  gateway:
+    description: Gateway for the default docker interface.
    helpLink: docker.html
    advanced: True
  range:
    description: Default docker IP range for containers.
    helpLink: docker.html
    advanced: True
-  sobip:
-    description: Bind IP for the SO docker interface.
-    helpLink: docker.html
-    advanced: True
-  sorange:
-    description: IP range for the SO docker containers.
-    helpLink: docker.html
-    advanced: True
  containers:
-    so-curator: &dockerOptions
+    so-dockerregistry: &dockerOptions
      final_octet:
        description: Last octet of the container IP address.
        helpLink: docker.html
@@ -28,6 +20,7 @@ docker:
        helpLink: docker.html
        advanced: True
        multiline: True
+        forcedType: "[]string"
      custom_bind_mounts:
        description: List of custom local volume bindings.
        advanced: True
@@ -46,12 +39,8 @@ docker:
        helpLink: docker.html
        multiline: True
        forcedType: "[]string"
-    so-dockerregistry: *dockerOptions
-    so-elastalert: *dockerOptions
-    so-elastic-fleet-package-registry: *dockerOptions
    so-elastic-fleet: *dockerOptions
    so-elasticsearch: *dockerOptions
-    so-idh: *dockerOptions
    so-idstools: *dockerOptions
    so-influxdb: *dockerOptions
    so-kibana: *dockerOptions
@@ -61,11 +50,21 @@ docker:
    so-nginx: *dockerOptions
    so-playbook: *dockerOptions
    so-redis: *dockerOptions
+    so-sensoroni: *dockerOptions
    so-soc: *dockerOptions
    so-soctopus: *dockerOptions
    so-strelka-backend: *dockerOptions
-    so-strelka-coordinator: *dockerOptions
    so-strelka-filestream: *dockerOptions
    so-strelka-frontend: *dockerOptions
+    so-strelka-manager: *dockerOptions
    so-strelka-gatekeeper: *dockerOptions
-    so-strelka-manager: *dockerOptions
+    so-strelka-coordinator: *dockerOptions
+    so-elastalert: *dockerOptions
+    so-curator: *dockerOptions
+    so-elastic-fleet-package-registry: *dockerOptions
+    so-idh: *dockerOptions
+    so-elastic-agent: *dockerOptions
+    so-telegraf: *dockerOptions
+    so-steno: *dockerOptions
+    so-suricata: *dockerOptions
+    so-zeek: *dockerOptions
--- a/salt/docker_clean/init.sls
+++ b/salt/docker_clean/init.sls
@@ -9,6 +9,7 @@
 prune_images:
  cmd.run:
    - name: so-docker-prune
+    - order: last

 {% else %}

--- a/salt/elasticagent/config.sls
+++ b/salt/elasticagent/config.sls
@@ -28,6 +28,22 @@ elasticagentconfdir:
    - group: 939
    - makedirs: True

+elasticagentlogdir:
+   file.directory:
+     - name: /opt/so/log/elasticagent
+     - user: 949
+     - group: 939
+     - makedirs: True
+
+elasticagent_sbin_jinja:
+  file.recurse:
+    - name: /usr/sbin
+    - source: salt://elasticagent/tools/sbin_jinja
+    - user: 949
+    - group: 939
+    - file_mode: 755
+    - template: jinja
+
 # Create config
 create-elastic-agent-config:
  file.managed:
@@ -37,7 +53,6 @@ create-elastic-agent-config:
    - group: 939
    - template: jinja

-
 {% else %}

 {{sls}}_state_not_allowed:
--- a/salt/elasticagent/enabled.sls
+++ b/salt/elasticagent/enabled.sls
@@ -31,21 +31,33 @@ so-elastic-agent:
        - {{ XTRAHOST }}
          {% endfor %}
        {% endif %}
+    - port_bindings:
+      {% for BINDING in DOCKER.containers['so-elastic-agent'].port_bindings %}
+      - {{ BINDING }}
+      {% endfor %}
    - binds:
      - /opt/so/conf/elastic-agent/elastic-agent.yml:/usr/share/elastic-agent/elastic-agent.yml:ro
+      - /opt/so/log/elasticagent:/usr/share/elastic-agent/logs
+      - /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro 
      - /nsm:/nsm:ro
+      - /opt/so/log:/opt/so/log:ro
     {% if DOCKER.containers['so-elastic-agent'].custom_bind_mounts %}
        {% for BIND in DOCKER.containers['so-elastic-agent'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
-      {% endif %}      
-      {% if DOCKER.containers['so-elastic-agent'].extra_env %}
+      {% endif %}
    - environment:
+      - FLEET_CA=/etc/pki/tls/certs/intca.crt
+      - LOGS_PATH=logs
+      {% if DOCKER.containers['so-elastic-agent'].extra_env %}
        {% for XTRAENV in DOCKER.containers['so-elastic-agent'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
-
+    - require:
+      - file: create-elastic-agent-config
+    - watch:
+      - file: create-elastic-agent-config

 delete_so-elastic-agent_so-status.disabled:
  file.uncomment:
--- a/salt/elasticagent/files/elastic-agent.yml.jinja
+++ b/salt/elasticagent/files/elastic-agent.yml.jinja
@@ -3,7 +3,7 @@
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}

 id: aea1ba80-1065-11ee-a369-97538913b6a9
-revision: 2
+revision: 1
 outputs:
  default:
    type: elasticsearch
@@ -11,7 +11,7 @@ outputs:
      - 'https://{{ GLOBALS.hostname }}:9200'
    username: '{{ ES_USER }}'
    password: '{{ ES_PASS }}'
-    ssl.verification_mode: none
+    ssl.verification_mode: full
 output_permissions: {}
 agent:
  download:
@@ -22,56 +22,369 @@ agent:
    metrics: false
  features: {}
 inputs:
-  - id: logfile-logs-80ffa884-2cfc-459a-964a-34df25714d85
-    name: suricata-logs
-    revision: 1
+  - id: logfile-logs-fefef78c-422f-4cfa-8abf-4cd1b9428f62
+    name: import-evtx-logs
+    revision: 2
    type: logfile
    use_output: default
    meta:
      package:
        name: log
-        version: 
+        version:
    data_stream:
      namespace: so
-    package_policy_id: 80ffa884-2cfc-459a-964a-34df25714d85
+    package_policy_id: fefef78c-422f-4cfa-8abf-4cd1b9428f62
    streams:
-      - id: logfile-log.log-80ffa884-2cfc-459a-964a-34df25714d85
+      - id: logfile-log.log-fefef78c-422f-4cfa-8abf-4cd1b9428f62
+        data_stream:
+          dataset: import
+        paths:
+          - /nsm/import/*/evtx/*.json
+        processors:
+          - dissect:
+              field: log.file.path
+              tokenizer: '/nsm/import/%{import.id}/evtx/%{import.file}'
+              target_prefix: ''
+          - decode_json_fields:
+              fields:
+                - message
+              target: ''
+          - drop_fields:
+              ignore_missing: true
+              fields:
+                - host
+          - add_fields:
+              fields:
+                dataset: system.security
+                type: logs
+                namespace: default
+              target: data_stream
+          - add_fields:
+              fields:
+                dataset: system.security
+                module: system
+                imported: true
+              target: event
+          - then:
+              - add_fields:
+                  fields:
+                    dataset: windows.sysmon_operational
+                  target: data_stream
+              - add_fields:
+                  fields:
+                    dataset: windows.sysmon_operational
+                    module: windows
+                    imported: true
+                  target: event
+            if:
+              equals:
+                winlog.channel: Microsoft-Windows-Sysmon/Operational
+          - then:
+              - add_fields:
+                  fields:
+                    dataset: system.application
+                  target: data_stream
+              - add_fields:
+                  fields:
+                    dataset: system.application
+                  target: event
+            if:
+              equals:
+                winlog.channel: Application
+          - then:
+              - add_fields:
+                  fields:
+                    dataset: system.system
+                  target: data_stream
+              - add_fields:
+                  fields:
+                    dataset: system.system
+                  target: event
+            if:
+              equals:
+                winlog.channel: System
+          - then:
+              - add_fields:
+                  fields:
+                    dataset: windows.powershell_operational
+                  target: data_stream
+              - add_fields:
+                  fields:
+                    dataset: windows.powershell_operational
+                    module: windows
+                  target: event
+            if:
+              equals:
+                winlog.channel: Microsoft-Windows-PowerShell/Operational
+        tags:
+          - import
+  - id: logfile-redis-fc98c947-7d17-4861-a318-7ad075f6d1b0
+    name: redis-logs
+    revision: 2
+    type: logfile
+    use_output: default
+    meta:
+      package:
+        name: redis
+        version:
+    data_stream:
+      namespace: default
+    package_policy_id: fc98c947-7d17-4861-a318-7ad075f6d1b0
+    streams:
+      - id: logfile-redis.log-fc98c947-7d17-4861-a318-7ad075f6d1b0
+        data_stream:
+          dataset: redis.log
+          type: logs
+        exclude_files:
+          - .gz$
+        paths:
+          - /opt/so/log/redis/redis.log
+        tags:
+          - redis-log
+        exclude_lines:
+          - '^\s+[\-`(''.|_]'
+  - id: logfile-logs-3b56803d-5ade-4c93-b25e-9b37182f66b8
+    name: import-suricata-logs
+    revision: 2
+    type: logfile
+    use_output: default
+    meta:
+      package:
+        name: log
+        version:
+    data_stream:
+      namespace: so
+    package_policy_id: 3b56803d-5ade-4c93-b25e-9b37182f66b8
+    streams:
+      - id: logfile-log.log-3b56803d-5ade-4c93-b25e-9b37182f66b8
+        data_stream:
+          dataset: import
+        pipeline: suricata.common
+        paths:
+          - /nsm/import/*/suricata/eve*.json
+        processors:
+          - add_fields:
+              fields:
+                module: suricata
+                imported: true
+                category: network
+              target: event
+          - dissect:
+              field: log.file.path
+              tokenizer: '/nsm/import/%{import.id}/suricata/%{import.file}'
+              target_prefix: ''
+  - id: logfile-logs-c327e1a3-1ebe-449c-a8eb-f6f35032e69d
+    name: soc-server-logs
+    revision: 2
+    type: logfile
+    use_output: default
+    meta:
+      package:
+        name: log
+        version:
+    data_stream:
+      namespace: so
+    package_policy_id: c327e1a3-1ebe-449c-a8eb-f6f35032e69d
+    streams:
+      - id: logfile-log.log-c327e1a3-1ebe-449c-a8eb-f6f35032e69d
+        data_stream:
+          dataset: soc
+        pipeline: common
+        paths:
+          - /opt/so/log/soc/sensoroni-server.log
+        processors:
+          - decode_json_fields:
+              add_error_key: true
+              process_array: true
+              max_depth: 2
+              fields:
+                - message
+              target: soc
+          - add_fields:
+              fields:
+                module: soc
+                dataset_temp: server
+                category: host
+              target: event
+          - rename:
+              ignore_missing: true
+              fields:
+                - from: soc.fields.sourceIp
+                  to: source.ip
+                - from: soc.fields.status
+                  to: http.response.status_code
+                - from: soc.fields.method
+                  to: http.request.method
+                - from: soc.fields.path
+                  to: url.path
+                - from: soc.message
+                  to: event.action
+                - from: soc.level
+                  to: log.level
+        tags:
+          - so-soc
+  - id: logfile-logs-906e0d4c-9ec3-4c6a-bef6-e347ec9fd073
+    name: soc-sensoroni-logs
+    revision: 2
+    type: logfile
+    use_output: default
+    meta:
+      package:
+        name: log
+        version:
+    data_stream:
+      namespace: so
+    package_policy_id: 906e0d4c-9ec3-4c6a-bef6-e347ec9fd073
+    streams:
+      - id: logfile-log.log-906e0d4c-9ec3-4c6a-bef6-e347ec9fd073
+        data_stream:
+          dataset: soc
+        pipeline: common
+        paths:
+          - /opt/so/log/sensoroni/sensoroni.log
+        processors:
+          - decode_json_fields:
+              add_error_key: true
+              process_array: true
+              max_depth: 2
+              fields:
+                - message
+              target: sensoroni
+          - add_fields:
+              fields:
+                module: soc
+                dataset_temp: sensoroni
+                category: host
+              target: event
+          - rename:
+              ignore_missing: true
+              fields:
+                - from: sensoroni.fields.sourceIp
+                  to: source.ip
+                - from: sensoroni.fields.status
+                  to: http.response.status_code
+                - from: sensoroni.fields.method
+                  to: http.request.method
+                - from: sensoroni.fields.path
+                  to: url.path
+                - from: sensoroni.message
+                  to: event.action
+                - from: sensoroni.level
+                  to: log.level
+  - id: logfile-logs-df0d7f2c-221f-433b-b18b-d1cf83250515
+    name: soc-salt-relay-logs
+    revision: 2
+    type: logfile
+    use_output: default
+    meta:
+      package:
+        name: log
+        version:
+    data_stream:
+      namespace: so
+    package_policy_id: df0d7f2c-221f-433b-b18b-d1cf83250515
+    streams:
+      - id: logfile-log.log-df0d7f2c-221f-433b-b18b-d1cf83250515
+        data_stream:
+          dataset: soc
+        pipeline: common
+        paths:
+          - /opt/so/log/soc/salt-relay.log
+        processors:
+          - dissect:
+              field: message
+              tokenizer: '%{soc.ts} | %{event.action}'
+              target_prefix: ''
+          - add_fields:
+              fields:
+                module: soc
+                dataset_temp: salt_relay
+                category: host
+              target: event
+        tags:
+          - so-soc
+  - id: logfile-logs-74bd2366-fe52-493c-bddc-843a017fc4d0
+    name: soc-auth-sync-logs
+    revision: 2
+    type: logfile
+    use_output: default
+    meta:
+      package:
+        name: log
+        version:
+    data_stream:
+      namespace: so
+    package_policy_id: 74bd2366-fe52-493c-bddc-843a017fc4d0
+    streams:
+      - id: logfile-log.log-74bd2366-fe52-493c-bddc-843a017fc4d0
+        data_stream:
+          dataset: soc
+        pipeline: common
+        paths:
+          - /opt/so/log/soc/sync.log
+        processors:
+          - dissect:
+              field: message
+              tokenizer: '%{event.action}'
+              target_prefix: ''
+          - add_fields:
+              fields:
+                module: soc
+                dataset_temp: auth_sync
+                category: host
+              target: event
+        tags:
+          - so-soc
+  - id: logfile-logs-d151d9bf-ff2a-4529-9520-c99244bc0253
+    name: suricata-logs
+    revision: 2
+    type: logfile
+    use_output: default
+    meta:
+      package:
+        name: log
+        version:
+    data_stream:
+      namespace: so
+    package_policy_id: d151d9bf-ff2a-4529-9520-c99244bc0253
+    streams:
+      - id: logfile-log.log-d151d9bf-ff2a-4529-9520-c99244bc0253
        data_stream:
          dataset: suricata
+        pipeline: suricata.common
        paths:
          - /nsm/suricata/eve*.json
        processors:
          - add_fields:
-              target: event
              fields:
-                category: network
                module: suricata
-        pipeline: suricata.common
-  - id: logfile-logs-90103ac4-f6bd-4a4a-b596-952c332390fc
+                category: network
+              target: event
+  - id: logfile-logs-31f94d05-ae75-40ee-b9c5-0e0356eff327
    name: strelka-logs
-    revision: 1
+    revision: 2
    type: logfile
    use_output: default
    meta:
      package:
        name: log
-        version: 
+        version:
    data_stream:
      namespace: so
-    package_policy_id: 90103ac4-f6bd-4a4a-b596-952c332390fc
+    package_policy_id: 31f94d05-ae75-40ee-b9c5-0e0356eff327
    streams:
-      - id: logfile-log.log-90103ac4-f6bd-4a4a-b596-952c332390fc
+      - id: logfile-log.log-31f94d05-ae75-40ee-b9c5-0e0356eff327
        data_stream:
          dataset: strelka
+        pipeline: strelka.file
        paths:
          - /nsm/strelka/log/strelka.log
        processors:
          - add_fields:
-              target: event
              fields:
-                category: file
                module: strelka
-        pipeline: strelka.file
+                category: file
+              target: event
  - id: logfile-logs-6197fe84-9b58-4d9b-8464-3d517f28808d
    name: zeek-logs
    revision: 1
@@ -117,3 +430,54 @@ inputs:
        exclude_files:
          - >-
            broker|capture_loss|cluster|ecat_arp_info|known_hosts|known_services|loaded_scripts|ntp|ocsp|packet_filter|reporter|stats|stderr|stdout.log$
+  - id: udp-udp-35051de0-46a5-11ee-8d5d-9f98c8182f60
+    name: syslog-udp-514
+    revision: 3
+    type: udp
+    use_output: default
+    meta:
+      package:
+        name: udp
+        version: 1.10.0
+    data_stream:
+      namespace: so
+    package_policy_id: 35051de0-46a5-11ee-8d5d-9f98c8182f60
+    streams:
+      - id: udp-udp.generic-35051de0-46a5-11ee-8d5d-9f98c8182f60
+        data_stream:
+          dataset: syslog
+        pipeline: syslog
+        host: '0.0.0.0:514'
+        max_message_size: 10KiB
+        processors:
+          - add_fields:
+              fields:
+                module: syslog
+              target: event
+        tags:
+          - syslog
+  - id: tcp-tcp-33d37bb0-46a5-11ee-8d5d-9f98c8182f60
+    name: syslog-tcp-514
+    revision: 3
+    type: tcp
+    use_output: default
+    meta:
+      package:
+        name: tcp
+        version: 1.10.0
+    data_stream:
+      namespace: so
+    package_policy_id: 33d37bb0-46a5-11ee-8d5d-9f98c8182f60
+    streams:
+      - id: tcp-tcp.generic-33d37bb0-46a5-11ee-8d5d-9f98c8182f60
+        data_stream:
+          dataset: syslog
+        pipeline: syslog
+        host: '0.0.0.0:514'
+        processors:
+          - add_fields:
+              fields:
+                module: syslog
+              target: event
+        tags:
+          - syslog
--- a/salt/elasticagent/tools/sbin_jinja/so-elastic-agent-inspect
+++ b/salt/elasticagent/tools/sbin_jinja/so-elastic-agent-inspect
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
+
+. /usr/sbin/so-common
+
+{% if grains.role == 'so-heavynode' %}
+docker exec so-elastic-agent /usr/share/elastic-agent/elastic-agent inspect
+{% else %}
+/bin/elastic-agent inspect
+{% endif %}
--- a/salt/elasticagent/tools/sbin_jinja/so-elastic-agent-restart
+++ b/salt/elasticagent/tools/sbin_jinja/so-elastic-agent-restart
@@ -5,6 +5,13 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.

+
+
 . /usr/sbin/so-common

-/usr/sbin/so-restart elastic-agent $1
+{% if grains.role == 'so-heavynode' %}
+/usr/sbin/so-stop elastic-agent $1
+/usr/sbin/so-start elasticagent $1
+{% else %}
+service elastic-agent restart
+{% endif %}
--- a/salt/elasticagent/tools/sbin_jinja/so-elastic-agent-start
+++ b/salt/elasticagent/tools/sbin_jinja/so-elastic-agent-start
@@ -9,7 +9,9 @@

 . /usr/sbin/so-common

-echo ""
-echo "Hosts/Networks that have access to login to the Security Onion Console:"
+{% if grains.role == 'so-heavynode' %}
+/usr/sbin/so-start elasticagent $1
+{% else %}
+service elastic-agent start
+{% endif %}

-so-firewall includedhosts analyst
--- a/salt/elasticagent/tools/sbin_jinja/so-elastic-agent-status
+++ b/salt/elasticagent/tools/sbin_jinja/so-elastic-agent-status
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
+
+. /usr/sbin/so-common
+
+{% if grains.role == 'so-heavynode' %}
+docker exec so-elastic-agent /usr/share/elastic-agent/elastic-agent status
+{% else %}
+/bin/elastic-agent status
+{% endif %}
+
--- a/salt/elasticagent/tools/sbin_jinja/so-elastic-agent-stop
+++ b/salt/elasticagent/tools/sbin_jinja/so-elastic-agent-stop
@@ -9,4 +9,9 @@

 . /usr/sbin/so-common

+{% if grains.role == 'so-heavynode' %}
 /usr/sbin/so-stop elastic-agent $1
+{% else %}
+service elastic-agent stop
+{% endif %}
+
--- a/salt/elasticagent/tools/sbin_jinja/so-elastic-agent-version
+++ b/salt/elasticagent/tools/sbin_jinja/so-elastic-agent-version
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
+
+. /usr/sbin/so-common
+
+{% if grains.role == 'so-heavynode' %}
+docker exec so-elastic-agent /usr/share/elastic-agent/elastic-agent version
+{% else %}
+/bin/elastic-agent version
+{% endif %}
+
--- a/salt/elasticfleet/config.sls
+++ b/salt/elasticfleet/config.sls
@@ -6,6 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% if sls.split('.')[0] in allowed_states %}
+{% set node_data = salt['pillar.get']('node_data') %}

 # Add EA Group
 elasticfleetgroup:
@@ -37,6 +38,8 @@ elasticfleet_sbin_jinja:
    - group: 939 
    - file_mode: 755
    - template: jinja
+    - exclude_pat:
+      - so-elastic-fleet-package-upgrade # exclude this because we need to watch it for changes

 eaconfdir:
  file.directory:
@@ -45,6 +48,13 @@ eaconfdir:
    - group: 939
    - makedirs: True

+ealogdir:
+  file.directory:
+    - name: /opt/so/log/elasticfleet
+    - user: 947
+    - group: 939
+    - makedirs: True
+
 eastatedir:
  file.directory:
    - name: /opt/so/conf/elastic-fleet/state
@@ -52,6 +62,15 @@ eastatedir:
    - group: 939
    - makedirs: True

+eapackageupgrade:
+  file.managed:
+    - name: /usr/sbin/so-elastic-fleet-package-upgrade
+    - source: salt://elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-upgrade
+    - user: 947
+    - group: 939
+    - mode: 755
+    - template: jinja
+
 {%   if GLOBALS.role != "so-fleet" %}
 eaintegrationsdir:
  file.directory:
@@ -75,12 +94,53 @@ eaintegration:
    - user: 947
    - group: 939

+eaoptionalintegrationsdir:
+  file.directory:
+    - name: /opt/so/conf/elastic-fleet/integrations-optional
+    - user: 947
+    - group: 939
+    - makedirs: True
+
+{% for minion in node_data %}
+{% set role = node_data[minion]["role"] %}
+{% if role in [ "eval","fleet","heavynode","import","manager","managersearch","standalone" ] %}
+{% set optional_integrations = salt['pillar.get']('elasticfleet:optional_integrations', {}) %}
+{% set integration_keys = salt['pillar.get']('elasticfleet:optional_integrations', {}).keys() %}
+fleet_server_integrations_{{ minion }}:
+  file.directory:
+    - name: /opt/so/conf/elastic-fleet/integrations-optional/FleetServer_{{ minion }}
+    - user: 947
+    - group: 939
+    - makedirs: True
+{% for integration in integration_keys %}
+{% if 'enabled_nodes' in optional_integrations[integration]%}
+{% set enabled_nodes = optional_integrations[integration]["enabled_nodes"] %}
+{% if minion in enabled_nodes %}
+optional_integrations_dynamic_{{ minion }}_{{ integration }}:
+  file.managed:
+    - name: /opt/so/conf/elastic-fleet/integrations-optional/FleetServer_{{ minion }}/{{ integration }}.json
+    - source: salt://elasticfleet/files/integrations-optional/{{ integration }}.json
+    - user: 947
+    - group: 939
+    - template: jinja
+    - defaults:
+        NAME: {{ minion }}
+{% else %}
+optional_integrations_dynamic_{{ minion }}_{{ integration }}_delete:
+  file.absent:
+    - name: /opt/so/conf/elastic-fleet/integrations-optional/FleetServer_{{ minion }}/{{ integration }}.json
+{% endif %}
+{% endif %}
+{% endfor %}
+{% endif %}
+{% endfor %}
 ea-integrations-load:
  file.absent:
    - name: /opt/so/state/eaintegrations.txt
    - onchanges:
      - file: eaintegration
      - file: eadynamicintegration
+      - file: /opt/so/conf/elastic-fleet/integrations-optional/*
 {% endif %}
 {% else %}

--- a/salt/elasticfleet/defaults.yaml
+++ b/salt/elasticfleet/defaults.yaml
@@ -2,7 +2,7 @@ elasticfleet:
  enabled: False
  config:
    server:
-      custom_fqdn: ''
+      custom_fqdn: []
      enable_auto_configuration: True
      endpoints_enrollment: ''
      es_token: ''
@@ -13,7 +13,10 @@ elasticfleet:
        - broker
        - capture_loss
        - cluster
+        - conn-summary
+        - console
        - ecat_arp_info
+        - known_certs
        - known_hosts
        - known_services
        - loaded_scripts
@@ -25,10 +28,75 @@ elasticfleet:
        - stderr
        - stdout
  packages:
+    - apache
+    - auditd
+    - auth0
    - aws
    - azure
+    - barracuda
+    - carbonblack_edr
+    - checkpoint
+    - cisco_asa
+    - cisco_duo
+    - cisco_meraki
+    - cisco_umbrella
    - cloudflare
+    - crowdstrike
+    - darktrace
+    - elastic_agent
+    - elasticsearch
+    - endpoint
+    - f5_bigip
    - fim
+    - fireeye
+    - fleet_server
+    - fortinet
+    - fortinet_fortigate
+    - gcp
    - github
    - google_workspace
+    - http_endpoint
+    - httpjson
+    - juniper
+    - juniper_srx
+    - kafka_log
+    - lastpass
+    - log
+    - m365_defender
+    - microsoft_defender_endpoint
+    - microsoft_dhcp
+    - mimecast
+    - netflow
+    - o365
+    - okta
+    - osquery_manager
+    - panw
+    - pfsense
+    - pulse_connect_secure
+    - redis
+    - sentinel_one
+    - snyk
+    - sonicwall_firewall
+    - sophos
+    - sophos_central
+    - symantec_endpoint
+    - system
+    - tcp
+    - tenable_sc
+    - ti_abusech
+    - ti_misp
+    - ti_otx
+    - ti_recordedfuture
+    - udp
+    - vsphere
+    - windows
+    - zscaler_zia
+    - zscaler_zpa
    - 1password
+  optional_integrations:
+    sublime_platform:
+      enabled_nodes: []
+      api_key:
+      base_url: https://api.platform.sublimesecurity.com
+      poll_interval: 5m
+      limit: 100
--- a/salt/elasticfleet/enabled.sls
+++ b/salt/elasticfleet/enabled.sls
@@ -15,15 +15,30 @@
 include:
  - elasticfleet.config
  - elasticfleet.sostatus
+  - ssl

-{% if ELASTICFLEETMERGED.config.server.enable_auto_configuration and grains.role not in ['so-import', 'so-eval'] %}
+# If enabled, automatically update Fleet Logstash Outputs
+{% if ELASTICFLEETMERGED.config.server.enable_auto_configuration and grains.role not in ['so-import', 'so-eval', 'so-fleet'] %}
 so-elastic-fleet-auto-configure-logstash-outputs:
  cmd.run:
    - name: /usr/sbin/so-elastic-fleet-outputs-update
+    - retry: True
+{% endif %}

-#so-elastic-fleet-auto-configure-server-urls:
-#  cmd.run:
-#    - name: /usr/sbin/so-elastic-fleet-urls-update
+# If enabled, automatically update Fleet Server URLs & ES Connection
+{% if ELASTICFLEETMERGED.config.server.enable_auto_configuration and grains.role not in ['so-fleet'] %}
+so-elastic-fleet-auto-configure-server-urls:
+  cmd.run:
+    - name: /usr/sbin/so-elastic-fleet-urls-update
+    - retry: True
+{% endif %}
+
+# Automatically update Fleet Server Elasticsearch URLs
+{% if grains.role not in ['so-fleet'] %}
+so-elastic-fleet-auto-configure-elasticsearch-urls:
+  cmd.run:
+    - name: /usr/sbin/so-elastic-fleet-es-url-update
+    - retry: True
 {% endif %}

 {%   if SERVICETOKEN != '' %}
@@ -50,8 +65,10 @@ so-elastic-fleet:
      - {{ BINDING }}
      {% endfor %}
    - binds:
-      - /etc/pki:/etc/pki:ro
-      #- /opt/so/conf/elastic-fleet/state:/usr/share/elastic-agent/state:rw
+      - /etc/pki/elasticfleet-server.crt:/etc/pki/elasticfleet-server.crt:ro
+      - /etc/pki/elasticfleet-server.key:/etc/pki/elasticfleet-server.key:ro
+      - /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro
+      - /opt/so/log/elasticfleet:/usr/share/elastic-agent/logs 
     {% if DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
        {% for BIND in DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
      - {{ BIND }}
@@ -59,25 +76,45 @@ so-elastic-fleet:
      {% endif %}      
    - environment:
      - FLEET_SERVER_ENABLE=true
-      - FLEET_URL=https://{{ GLOBALS.node_ip }}:8220
+      - FLEET_URL=https://{{ GLOBALS.hostname }}:8220
      - FLEET_SERVER_ELASTICSEARCH_HOST=https://{{ GLOBALS.manager }}:9200
      - FLEET_SERVER_SERVICE_TOKEN={{ SERVICETOKEN }}
      - FLEET_SERVER_POLICY_ID=FleetServer_{{ GLOBALS.hostname }}
-      - FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt
      - FLEET_SERVER_CERT=/etc/pki/elasticfleet-server.crt
      - FLEET_SERVER_CERT_KEY=/etc/pki/elasticfleet-server.key
-      - FLEET_CA=/etc/pki/tls/certs/intca.crt
+      - FLEET_CA=/etc/pki/tls/certs/intca.crt     
+      - FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt
+      - LOGS_PATH=logs
      {% if DOCKER.containers['so-elastic-fleet'].extra_env %}
        {% for XTRAENV in DOCKER.containers['so-elastic-fleet'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
+    - watch:
+      - x509: etc_elasticfleet_key
+      - x509: etc_elasticfleet_crt
 {%   endif %}

 {%  if GLOBALS.role != "so-fleet" %}
+so-elastic-fleet-package-statefile:
+  file.managed:
+    - name: /opt/so/state/elastic_fleet_packages.txt
+    - contents: {{ELASTICFLEETMERGED.packages}}
+
+so-elastic-fleet-package-upgrade:
+  cmd.run:
+    - name: /usr/sbin/so-elastic-fleet-package-upgrade
+    - onchanges:
+      - file: /opt/so/state/elastic_fleet_packages.txt
+
 so-elastic-fleet-integrations:
  cmd.run:
    - name: /usr/sbin/so-elastic-fleet-integration-policy-load
+
+so-elastic-agent-grid-upgrade:
+  cmd.run:
+    - name: /usr/sbin/so-elastic-agent-grid-upgrade
+    - retry: True
 {%  endif %}

 delete_so-elastic-fleet_so-status.disabled:
--- a/salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/import-zeek-logs.json
+++ b/salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/import-zeek-logs.json
@@ -13,7 +13,7 @@
    "logs-logfile": {
      "enabled": true,
      "streams": {
-        "log.log": {
+        "log.logs": {
          "enabled": true,
          "vars": {
            "paths": [
--- a/salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/zeek-logs.json
+++ b/salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/zeek-logs.json
@@ -14,7 +14,7 @@
    "logs-logfile": {
      "enabled": true,
      "streams": {
-        "log.log": {
+        "log.logs": {
          "enabled": true,
          "vars": {
            "paths": [
--- a/salt/elasticfleet/files/integrations-optional/sublime_platform.json
+++ b/salt/elasticfleet/files/integrations-optional/sublime_platform.json
@@ -0,0 +1,44 @@
+{%- from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED -%}
+{%- from 'sensoroni/map.jinja' import SENSORONIMERGED -%}
+{%- from 'vars/globals.map.jinja' import GLOBALS -%}
+{%- raw -%}
+{
+  "package": {
+    "name": "httpjson",
+    "version": ""
+  },
+  "name": "sublime-platform",
+  "namespace": "default",
+  "description": "",
+  "policy_id": "FleetServer_{%- endraw -%}{{ NAME }}{%- raw -%}",
+  "vars": {},
+  "inputs": {
+    "generic-httpjson": {
+      "enabled": true,
+      "streams": {
+        "httpjson.generic": {
+          "enabled": true,
+          "vars": {
+            "request_method": "GET",
+            "processors": "- drop_event:\n    when:\n        not:\n            contains: \n                message: \"flagged_rules\"\n- decode_json_fields:\n    fields: [\"message\"]\n    document_id: id\n    target: \"\"",
+            "enable_request_tracer": false,
+            "oauth_scopes": [],
+            "request_transforms": "- set:\n    target: header.Authorization\n    value: 'Bearer {% endraw -%}{{ ELASTICFLEETMERGED.optional_integrations.sublime_platform.api_key }}{%- raw -%}'\n- set:\n    target: header.accept\n    value: application/json\n- set:\n    target: url.params.last_message_created_at[gte]\n    value: '[[formatDate (now (parseDuration \"-{%- endraw -%}{{ ELASTICFLEETMERGED.optional_integrations.sublime_platform.poll_interval }}{%- raw -%}\")) \"2006-01-02T15:04:05Z\"]]'\n- set:\n    target: url.params.reviewed\n    value: false\n- set:\n    target: url.params.flagged\n    value: true\n- set:\n    target: url.params.limit\n    value: {% endraw %}{{ ELASTICFLEETMERGED.optional_integrations.sublime_platform.limit }}{%- raw -%}",
+            "response_transforms": "",
+            "request_redirect_headers_ban_list": [],
+            "request_encode_as": "application/x-www-form-urlencoded",
+            "request_url": "{%- endraw -%}{{ ELASTICFLEETMERGED.optional_integrations.sublime_platform.base_url }}{%- raw -%}/v0/message-groups",
+            "response_split": "target: body.message_groups\ntype: array\nkeep_parent: false\ntransforms:\n    - set:\n        target: body.sublime.request_url\n        value : '[[ .last_response.url.value ]]'",
+            "tags": [
+              "forwarded"
+            ],
+            "pipeline": "sublime",
+            "data_stream.dataset": "sublime",
+            "request_interval": "1m"
+          }
+        }
+      }
+    }
+  }
+}
+{%- endraw -%}
--- a/salt/elasticfleet/files/integrations/endpoints-initial/elastic-defend-endpoints.json
+++ b/salt/elasticfleet/files/integrations/endpoints-initial/elastic-defend-endpoints.json
@@ -5,17 +5,16 @@
 	"package": {
 		"name": "endpoint",
 		"title": "Elastic Defend",
-		"version": ""
+		"version": "8.10.2"
 	},
 	"enabled": true,
 	"policy_id": "endpoints-initial",
-	"vars": {},
 	"inputs": [{
-		"type": "endpoint",
+		"type": "ENDPOINT_INTEGRATION_CONFIG",
 		"enabled": true,
 		"streams": [],
 		"config": {
-			"integration_config": {
+			"_config": {
 				"value": {
 					"type": "endpoint",
 					"endpointConfig": {
@@ -25,4 +24,4 @@
 			}
 		}
 	}]
-}
+}
--- a/salt/elasticfleet/files/integrations/endpoints-initial/system-endpoints.json
+++ b/salt/elasticfleet/files/integrations/endpoints-initial/system-endpoints.json
@@ -13,9 +13,14 @@
        "system.auth": {
          "enabled": true,
          "vars": {
+            "ignore_older": "72h",
            "paths": [
              "/var/log/auth.log*",
              "/var/log/secure*"
+            ],
+            "preserve_original_event": false,
+            "tags": [
+              "system-auth"
            ]
          }
        },
@@ -24,34 +29,49 @@
          "vars": {
            "paths": [
              "/var/log/messages*",
-              "/var/log/syslog*"
-            ]
+              "/var/log/syslog*",
+              "/var/log/system*"
+            ],
+            "tags": [],
+            "ignore_older": "72h"
          }
        }
      }
    },
    "system-winlog": {
      "enabled": true,
-      "vars": {
-        "preserve_original_event": false
-      },
      "streams": {
        "system.application": {
          "enabled": true,
          "vars": {
+            "preserve_original_event": false,
+            "ignore_older": "72h",
+            "language": 0,
            "tags": []
          }
        },
        "system.security": {
          "enabled": true,
          "vars": {
+            "preserve_original_event": false,
+            "ignore_older": "72h",
+            "language": 0,
+            "tags": []
+          }
+        },
+        "system.system": {
+          "enabled": true,
+          "vars": {
+            "preserve_original_event": false,
+            "ignore_older": "72h",
+            "language": 0,
            "tags": []
          }
        }
-        }
-      },
-      "system-system/metrics": {
-        "enabled": false
+      }
+    },
+    "system-system/metrics": {
+      "enabled": false
    }
  }
 }
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/idh-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/idh-logs.json
@@ -11,7 +11,7 @@
    "logs-logfile": {
      "enabled": true,
      "streams": {
-        "log.log": {
+        "log.logs": {
          "enabled": true,
          "vars": {
            "paths": [
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json
@@ -12,7 +12,7 @@
    "logs-logfile": {
      "enabled": true,
      "streams": {
-        "log.log": {
+        "log.logs": {
          "enabled": true,
          "vars": {
            "paths": [
@@ -20,7 +20,7 @@
            ],
            "data_stream.dataset": "import",
            "custom": "",
-            "processors": "- dissect:\n    tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n    field: \"log.file.path\"\n    target_prefix: \"\"\n- decode_json_fields:\n    fields: [\"message\"]\n    target: \"\"\n- drop_fields:\n    fields: [\"host\"]\n    ignore_missing: true\n- add_fields:\n    target: data_stream\n    fields:\n      namespace: default\n      type: logs\n      dataset: system.security\n- add_fields:\n    target: event\n    fields:\n      dataset: system.security\n      module: system\n      imported: true  \n- if:\n    equals:\n      winlog.channel: 'Microsoft-Windows-Sysmon/Operational'\n  then: \n    - add_fields:\n        target: data_stream\n        fields:\n          dataset: windows.sysmon_operational\n    - add_fields:\n        target: event\n        fields:\n          dataset: windows.sysmon_operational\n          module: windows\n          imported: true\n- if:\n    equals:\n      winlog.channel: 'Application'\n  then: \n    - add_fields:\n        target: data_stream\n        fields:\n          dataset: system.application\n    - add_fields:\n        target: event\n        fields:\n          dataset: system.application\n- if:\n    equals:\n      winlog.channel: 'System'\n  then: \n    - add_fields:\n        target: data_stream\n        fields:\n          dataset: system.system\n    - add_fields:\n        target: event\n        fields:\n          dataset: system.system\n- if:\n    equals:\n      winlog.channel: 'Microsoft-Windows-PowerShell/Operational'\n  then: \n    - add_fields:\n        target: data_stream\n        fields:\n          dataset: windows.powershell_operational\n    - add_fields:\n        target: event\n        fields:\n          dataset: windows.powershell_operational\n          module: windows",
+            "processors": "- dissect:\n    tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n    field: \"log.file.path\"\n    target_prefix: \"\"\n- decode_json_fields:\n    fields: [\"message\"]\n    target: \"\"\n- drop_fields:\n    fields: [\"host\"]\n    ignore_missing: true\n- add_fields:\n    target: data_stream\n    fields:\n      type: logs\n      dataset: system.security\n- add_fields:\n    target: event\n    fields:\n      dataset: system.security\n      module: system\n      imported: true\n- add_fields:\n    target: \"@metadata\"\n    fields:\n        pipeline: logs-system.security-1.43.0\n- if:\n    equals:\n      winlog.channel: 'Microsoft-Windows-Sysmon/Operational'\n  then: \n    - add_fields:\n        target: data_stream\n        fields:\n          dataset: windows.sysmon_operational\n    - add_fields:\n        target: event\n        fields:\n          dataset: windows.sysmon_operational\n          module: windows\n          imported: true\n    - add_fields:\n        target: \"@metadata\"\n        fields:\n            pipeline: logs-windows.sysmon_operational-1.38.0\n- if:\n    equals:\n      winlog.channel: 'Application'\n  then: \n    - add_fields:\n        target: data_stream\n        fields:\n          dataset: system.application\n    - add_fields:\n        target: event\n        fields:\n          dataset: system.application\n    - add_fields:\n        target: \"@metadata\"\n        fields:\n            pipeline: logs-system.application-1.43.0\n- if:\n    equals:\n      winlog.channel: 'System'\n  then: \n    - add_fields:\n        target: data_stream\n        fields:\n          dataset: system.system\n    - add_fields:\n        target: event\n        fields:\n          dataset: system.system\n    - add_fields:\n        target: \"@metadata\"\n        fields:\n            pipeline: logs-system.system-1.43.0\n    \n- if:\n    equals:\n      winlog.channel: 'Microsoft-Windows-PowerShell/Operational'\n  then: \n    - add_fields:\n        target: data_stream\n        fields:\n          dataset: windows.powershell_operational\n    - add_fields:\n        target: event\n        fields:\n          dataset: windows.powershell_operational\n          module: windows\n    - add_fields:\n        target: \"@metadata\"\n        fields:\n            pipeline: logs-windows.powershell_operational-1.38.0\n- add_fields:\n    target: data_stream\n    fields:\n        dataset: import",
            "tags": [
              "import"
            ]
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/import-suricata-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/import-suricata-logs.json
@@ -11,7 +11,7 @@
    "logs-logfile": {
      "enabled": true,
      "streams": {
-        "log.log": {
+        "log.logs": {
          "enabled": true,
          "vars": {
            "paths": [
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/kratos-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/kratos-logs.json
@@ -11,7 +11,7 @@
    "logs-logfile": {
      "enabled": true,
      "streams": {
-        "log.log": {
+        "log.logs": {
          "enabled": true,
          "vars": {
            "paths": [
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/soc-auth-sync-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-auth-sync-logs.json
@@ -11,7 +11,7 @@
    "logs-logfile": {
      "enabled": true,
      "streams": {
-        "log.log": {
+        "log.logs": {
          "enabled": true,
          "vars": {
            "paths": [
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/soc-salt-relay-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-salt-relay-logs.json
@@ -11,7 +11,7 @@
    "logs-logfile": {
      "enabled": true,
      "streams": {
-        "log.log": {
+        "log.logs": {
          "enabled": true,
          "vars": {
            "paths": [
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/soc-sensoroni-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-sensoroni-logs.json
@@ -11,7 +11,7 @@
    "logs-logfile": {
      "enabled": true,
      "streams": {
-        "log.log": {
+        "log.logs": {
          "enabled": true,
          "vars": {
            "paths": [
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/soc-server-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-server-logs.json
@@ -11,7 +11,7 @@
    "logs-logfile": {
      "enabled": true,
      "streams": {
-        "log.log": {
+        "log.logs": {
          "enabled": true,
          "vars": {
            "paths": [
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/strelka-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/strelka-logs.json
@@ -11,7 +11,7 @@
    "logs-logfile": {
      "enabled": true,
      "streams": {
-        "log.log": {
+        "log.logs": {
          "enabled": true,
          "vars": {
            "paths": [
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/suricata-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/suricata-logs.json
@@ -11,7 +11,7 @@
    "logs-logfile": {
      "enabled": true,
      "streams": {
-        "log.log": {
+        "log.logs": {
          "enabled": true,
          "vars": {
            "paths": [
--- a/salt/elasticfleet/files/integrations/grid-nodes_heavy/elasticsearch-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_heavy/elasticsearch-logs.json
@@ -1,106 +0,0 @@
-{
-  "package": {
-    "name": "elasticsearch",
-    "version": ""
-  },
-  "name": "elasticsearch-logs",
-  "namespace": "default",
-  "description": "Elasticsearch Logs",
-  "policy_id": "so-grid-nodes_heavy",
-  "inputs": {
-    "elasticsearch-logfile": {
-      "enabled": true,
-      "streams": {
-        "elasticsearch.audit": {
-          "enabled": false,
-          "vars": {
-            "paths": [
-              "/var/log/elasticsearch/*_audit.json"
-            ]
-          }
-        },
-        "elasticsearch.deprecation": {
-          "enabled": false,
-          "vars": {
-            "paths": [
-              "/var/log/elasticsearch/*_deprecation.json"
-            ]
-          }
-        },
-        "elasticsearch.gc": {
-          "enabled": false,
-          "vars": {
-            "paths": [
-              "/var/log/elasticsearch/gc.log.[0-9]*",
-              "/var/log/elasticsearch/gc.log"
-            ]
-          }
-        },
-        "elasticsearch.server": {
-          "enabled": true,
-          "vars": {
-            "paths": [
-              "/opt/so/log/elasticsearch/*.log"
-            ]
-          }
-        },
-        "elasticsearch.slowlog": {
-          "enabled": false,
-          "vars": {
-            "paths": [
-              "/var/log/elasticsearch/*_index_search_slowlog.json",
-              "/var/log/elasticsearch/*_index_indexing_slowlog.json"
-            ]
-          }
-        }
-      }
-    },
-    "elasticsearch-elasticsearch/metrics": {
-      "enabled": false,
-      "vars": {
-        "hosts": [
-          "http://localhost:9200"
-        ],
-        "scope": "node"
-      },
-      "streams": {
-        "elasticsearch.stack_monitoring.ccr": {
-          "enabled": false
-        },
-        "elasticsearch.stack_monitoring.cluster_stats": {
-          "enabled": false
-        },
-        "elasticsearch.stack_monitoring.enrich": {
-          "enabled": false
-        },
-        "elasticsearch.stack_monitoring.index": {
-          "enabled": false
-        },
-        "elasticsearch.stack_monitoring.index_recovery": {
-          "enabled": false,
-          "vars": {
-            "active.only": true
-          }
-        },
-        "elasticsearch.stack_monitoring.index_summary": {
-          "enabled": false
-        },
-        "elasticsearch.stack_monitoring.ml_job": {
-          "enabled": false
-        },
-        "elasticsearch.stack_monitoring.node": {
-          "enabled": false
-        },
-        "elasticsearch.stack_monitoring.node_stats": {
-          "enabled": false
-        },
-        "elasticsearch.stack_monitoring.pending_tasks": {
-          "enabled": false
-        },
-        "elasticsearch.stack_monitoring.shard": {
-          "enabled": false
-        }
-      }
-    }
-  }
-}
--- a/salt/elasticfleet/files/integrations/grid-nodes_heavy/kratos-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_heavy/kratos-logs.json
@@ -1,29 +0,0 @@
-{
-  "package": {
-    "name": "log",
-    "version": ""
-  },
-  "name": "kratos-logs",
-  "namespace": "so",
-  "description": "Kratos logs",
-  "policy_id": "so-grid-nodes_heavy",
-  "inputs": {
-    "logs-logfile": {
-      "enabled": true,
-      "streams": {
-        "log.log": {
-          "enabled": true,
-          "vars": {
-            "paths": [
-              "/opt/so/log/kratos/kratos.log"
-            ],
-            "data_stream.dataset": "kratos",
-            "tags": ["so-kratos"],
-            "processors": "- decode_json_fields:\n    fields: [\"message\"]\n    target: \"\"\n    add_error_key: true      \n- add_fields:\n    target: event\n    fields:\n      category: iam\n      module: kratos",
-            "custom": "pipeline: kratos"
-          }
-        }
-      }
-    }
-  }
-}
--- a/salt/elasticfleet/files/integrations/grid-nodes_heavy/osquery-grid-nodes.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_heavy/osquery-grid-nodes.json
@@ -3,7 +3,7 @@
    "name": "osquery_manager",
    "version": ""
  },
-  "name": "osquery-grid-nodes",
+  "name": "osquery-grid-nodes_heavy",
  "namespace": "default",
  "policy_id": "so-grid-nodes_heavy",
  "inputs": {
--- a/salt/elasticfleet/files/integrations/grid-nodes_heavy/redis-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_heavy/redis-logs.json
@@ -1,76 +0,0 @@
-{
-  "package": {
-    "name": "redis",
-    "version": ""
-  },
-  "name": "redis-logs",
-  "namespace": "default",
-  "description": "Redis logs",
-  "policy_id": "so-grid-nodes_heavy",
-  "inputs": {
-    "redis-logfile": {
-      "enabled": true,
-      "streams": {
-        "redis.log": {
-          "enabled": true,
-          "vars": {
-            "paths": [
-              "/opt/so/log/redis/redis.log"
-            ],
-            "tags": [
-              "redis-log"
-            ],
-            "preserve_original_event": false
-          }
-        }
-      }
-    },
-    "redis-redis": {
-      "enabled": false,
-      "streams": {
-        "redis.slowlog": {
-          "enabled": false,
-          "vars": {
-            "hosts": [
-              "127.0.0.1:6379"
-            ],
-            "password": ""
-          }
-        }
-      }
-    },
-    "redis-redis/metrics": {
-      "enabled": false,
-      "vars": {
-        "hosts": [
-          "127.0.0.1:6379"
-        ],
-        "idle_timeout": "20s",
-        "maxconn": 10,
-        "network": "tcp",
-        "password": ""
-      },
-      "streams": {
-        "redis.info": {
-          "enabled": false,
-          "vars": {
-            "period": "10s"
-          }
-        },
-        "redis.key": {
-          "enabled": false,
-          "vars": {
-            "key.patterns": "- limit: 20\n  pattern: *\n",
-            "period": "10s"
-          }
-        },
-        "redis.keyspace": {
-          "enabled": false,
-          "vars": {
-            "period": "10s"
-          }
-        }
-      }
-    }
-  }
-}
--- a/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-auth-sync-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-auth-sync-logs.json
@@ -1,29 +0,0 @@
-{
-  "package": {
-    "name": "log",
-    "version": ""
-  },
-  "name": "soc-auth-sync-logs",
-  "namespace": "so",
-  "description": "Security Onion - Elastic Auth Sync - Logs",
-  "policy_id": "so-grid-nodes_heavy",
-  "inputs": {
-    "logs-logfile": {
-      "enabled": true,
-      "streams": {
-        "log.log": {
-          "enabled": true,
-          "vars": {
-            "paths": [
-              "/opt/so/log/soc/sync.log"
-            ],
-            "data_stream.dataset": "soc",
-            "tags": ["so-soc"],
-            "processors": "- dissect:\n    tokenizer: \"%{event.action}\"\n    field: \"message\"\n    target_prefix: \"\"\n- add_fields:\n    target: event\n    fields:\n      category: host\n      module: soc\n      dataset_temp: auth_sync",
-            "custom": "pipeline: common"
-          }
-        }
-      }
-    }
-  }
-}
--- a/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-salt-relay-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-salt-relay-logs.json
@@ -1,29 +0,0 @@
-{
-  "package": {
-    "name": "log",
-    "version": ""
-  },
-  "name": "soc-salt-relay-logs",
-  "namespace": "so",
-  "description": "Security Onion - Salt Relay - Logs",
-  "policy_id": "so-grid-nodes_heavy",
-  "inputs": {
-    "logs-logfile": {
-      "enabled": true,
-      "streams": {
-        "log.log": {
-          "enabled": true,
-          "vars": {
-            "paths": [
-              "/opt/so/log/soc/salt-relay.log"
-            ],
-            "data_stream.dataset": "soc",
-            "tags": ["so-soc"],
-            "processors": "- dissect:\n    tokenizer: \"%{soc.ts} | %{event.action}\"\n    field: \"message\"\n    target_prefix: \"\"\n- add_fields:\n    target: event\n    fields:\n      category: host\n      module: soc\n      dataset_temp: salt_relay",
-            "custom": "pipeline: common"
-          }
-        }
-      }
-    }
-  }
-}
--- a/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-sensoroni-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-sensoroni-logs.json
@@ -1,29 +0,0 @@
-{
-  "package": {
-    "name": "log",
-    "version": ""
-  },
-  "name": "soc-sensoroni-logs",
-  "namespace": "so",
-  "description": "Security Onion - Sensoroni - Logs",
-  "policy_id": "so-grid-nodes_heavy",
-  "inputs": {
-    "logs-logfile": {
-      "enabled": true,
-      "streams": {
-        "log.log": {
-          "enabled": true,
-          "vars": {
-            "paths": [
-              "/opt/so/log/sensoroni/sensoroni.log"
-            ],
-            "data_stream.dataset": "soc",
-            "tags": [],
-            "processors": "- decode_json_fields:\n    fields: [\"message\"]\n    target: \"sensoroni\"\n    process_array: true\n    max_depth: 2\n    add_error_key: true      \n- add_fields:\n    target: event\n    fields:\n      category: host\n      module: soc\n      dataset_temp: sensoroni\n- rename:\n    fields:\n      - from: \"sensoroni.fields.sourceIp\"\n        to: \"source.ip\"\n      - from: \"sensoroni.fields.status\"\n        to: \"http.response.status_code\"\n      - from: \"sensoroni.fields.method\"\n        to: \"http.request.method\"\n      - from: \"sensoroni.fields.path\"\n        to: \"url.path\"\n      - from: \"sensoroni.message\"\n        to: \"event.action\"\n      - from: \"sensoroni.level\"\n        to: \"log.level\"\n    ignore_missing: true",
-            "custom": "pipeline: common"
-          }
-        }
-      }
-    }
-  }
-}
--- a/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-server-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-server-logs.json
@@ -1,29 +0,0 @@
-{
-  "package": {
-    "name": "log",
-    "version": ""
-  },
-  "name": "soc-server-logs",
-  "namespace": "so",
-  "description": "Security Onion Console Logs",
-  "policy_id": "so-grid-nodes_heavy",
-  "inputs": {
-    "logs-logfile": {
-      "enabled": true,
-      "streams": {
-        "log.log": {
-          "enabled": true,
-          "vars": {
-            "paths": [
-              "/opt/so/log/soc/sensoroni-server.log"
-            ],
-            "data_stream.dataset": "soc",
-            "tags": ["so-soc"],
-            "processors": "- decode_json_fields:\n    fields: [\"message\"]\n    target: \"soc\"\n    process_array: true\n    max_depth: 2\n    add_error_key: true      \n- add_fields:\n    target: event\n    fields:\n      category: host\n      module: soc\n      dataset_temp: server\n- rename:\n    fields:\n      - from: \"soc.fields.sourceIp\"\n        to: \"source.ip\"\n      - from: \"soc.fields.status\"\n        to: \"http.response.status_code\"\n      - from: \"soc.fields.method\"\n        to: \"http.request.method\"\n      - from: \"soc.fields.path\"\n        to: \"url.path\"\n      - from: \"soc.message\"\n        to: \"event.action\"\n      - from: \"soc.level\"\n        to: \"log.level\"\n    ignore_missing: true",
-            "custom": "pipeline: common"
-          }
-        }
-      }
-    }
-  }
-}
--- a/salt/elasticfleet/files/integrations/grid-nodes_heavy/system-grid-nodes.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_heavy/system-grid-nodes.json
@@ -4,7 +4,7 @@
    "name": "system",
    "version": ""
  },
-  "name": "system-grid-nodes",
+  "name": "system-grid-nodes_heavy",
  "namespace": "default",
  "inputs": {
    "system-logfile": {
--- a/salt/elasticfleet/install_agent_grid.sls
+++ b/salt/elasticfleet/install_agent_grid.sls
@@ -14,12 +14,14 @@ run_installer:
    - name: salt://elasticfleet/files/so_agent-installers/so-elastic-agent_linux_amd64
    - cwd: /opt/so
    - args: -token={{ GRIDNODETOKENGENERAL }}
+    - retry: True
 {% else %} 
 run_installer:
  cmd.script:
    - name: salt://elasticfleet/files/so_agent-installers/so-elastic-agent_linux_amd64
    - cwd: /opt/so
    - args: -token={{ GRIDNODETOKENHEAVY }}
+    - retry: True
 {% endif %}  

 {% endif %}
--- a/salt/elasticfleet/soc_elasticfleet.yaml
+++ b/salt/elasticfleet/soc_elasticfleet.yaml
@@ -12,10 +12,11 @@ elasticfleet:
  config:
    server:
      custom_fqdn:
-        description: Custom FQDN for Agents to connect to.
+        description: Custom FQDN for Agents to connect to. One per line.
        global: True
        helpLink: elastic-fleet.html
        advanced: True
+        forcedType: "[]string"
      enable_auto_configuration:
        description: Enable auto-configuration of Logstash Outputs & Fleet Host URLs.
        global: True
@@ -39,3 +40,36 @@ elasticfleet:
        helpLink: elastic-fleet.html
        sensitive: True
        advanced: True
+  optional_integrations:
+    sublime_platform:
+      enabled_nodes:
+        description: Fleet nodes with the Sublime Platform integration enabled. Enter one per line.
+        global: True
+        helpLink: elastic-fleet.html
+        advanced: True
+        forcedType: "[]string"
+      api_key:
+        description: API key for Sublime Platform.
+        global: True
+        helpLink: elastic-fleet.html
+        advanced: True
+        forcedType: string
+        sensitive: True
+      base_url:
+        description: Base URL for Sublime Platform.
+        global: True
+        helpLink: elastic-fleet.html
+        advanced: True
+        forcedType: string
+      poll_interval:
+        description: Poll interval for alerts from Sublime Platform.
+        global: True
+        helpLink: elastic-fleet.html
+        advanced: True
+        forcedType: string
+      limit:
+        description: The maximum number of message groups to return from Sublime Platform.
+        global: True
+        helpLink: elastic-fleet.html
+        advanced: True
+        forcedType: int
--- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-common
+++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-common
@@ -42,6 +42,23 @@ elastic_fleet_integration_create() {
    curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
 }

+
+elastic_fleet_integration_remove() {
+
+    AGENT_POLICY=$1
+
+    NAME=$2
+
+    INTEGRATION_ID=$(/usr/sbin/so-elastic-fleet-agent-policy-view "$AGENT_POLICY" | jq -r '.item.package_policies[] | select(.name=="'"$NAME"'") | .id')
+
+    JSON_STRING=$( jq -n \
+                    --arg INTEGRATIONID "$INTEGRATION_ID" \
+                    '{"packagePolicyIds":[$INTEGRATIONID]}'
+                    )
+
+    curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/package_policies/delete" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
+}
+
 elastic_fleet_integration_update() {

    UPDATE_ID=$1
@@ -51,14 +68,33 @@ elastic_fleet_integration_update() {
    curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/package_policies/$UPDATE_ID" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
 }

+elastic_fleet_integration_policy_upgrade() {
+
+    INTEGRATION_ID=$1
+
+    JSON_STRING=$( jq -n \
+                    --arg INTEGRATIONID "$INTEGRATION_ID" \
+                    '{"packagePolicyIds":[$INTEGRATIONID]}'
+                    )
+
+    curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/package_policies/upgrade" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
+}
+
+
 elastic_fleet_package_version_check() {
    PACKAGE=$1
    curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/epm/packages/$PACKAGE" | jq -r '.item.version'
 }

+elastic_fleet_package_latest_version_check() {
+    PACKAGE=$1
+    curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/epm/packages/$PACKAGE" | jq -r '.item.latestVersion'
+}
+
 elastic_fleet_package_install() {
-    PKGKEY=$1
-    curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST -H 'kbn-xsrf: true' "localhost:5601/api/fleet/epm/packages/$PKGKEY"
+    PKG=$1
+    VERSION=$2
+    curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST -H 'kbn-xsrf: true' -H 'Content-Type: application/json'  -d '{"force":true}' "localhost:5601/api/fleet/epm/packages/$PKG/$VERSION"
 }

 elastic_fleet_package_is_installed() {
@@ -92,3 +128,4 @@ elastic_fleet_policy_update() {

    curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/agent_policies/$POLICYID" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
 }
+
--- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-elastic-defend
+++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-elastic-defend
@@ -0,0 +1,23 @@
+#!/bin/bash
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+# Usage: Run with --force to update the Elastic Defend integration policy
+
+. /usr/sbin/so-elastic-fleet-common
+
+# Manage Elastic Defend Integration for Initial Endpoints Policy
+for INTEGRATION in /opt/so/conf/elastic-fleet/integrations/elastic-defend/*.json
+do
+  printf "\n\nInitial Endpoints Policy - Loading $INTEGRATION\n"
+  elastic_fleet_integration_check "endpoints-initial" "$INTEGRATION"
+  if [ -n "$INTEGRATION_ID" ]; then
+      printf "\n\nIntegration $NAME exists - Upgrading integration policy\n"
+      elastic_fleet_integration_policy_upgrade "$INTEGRATION_ID"
+  else
+    printf "\n\nIntegration does not exist - Creating integration\n"
+    elastic_fleet_integration_create "@$INTEGRATION"
+  fi
+done
--- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load
+++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load
@@ -9,16 +9,20 @@
 RETURN_CODE=0

 if [ ! -f /opt/so/state/eaintegrations.txt ]; then
+  # First, check for any package upgrades
+  /usr/sbin/so-elastic-fleet-package-upgrade
+
+  # Second, configure Elastic Defend Integration seperately
+  /usr/sbin/so-elastic-fleet-integration-policy-elastic-defend
+
  # Initial Endpoints
  for INTEGRATION in /opt/so/conf/elastic-fleet/integrations/endpoints-initial/*.json
  do
    printf "\n\nInitial Endpoints Policy - Loading $INTEGRATION\n"
    elastic_fleet_integration_check "endpoints-initial" "$INTEGRATION"
    if [ -n "$INTEGRATION_ID" ]; then
-      if [ "$NAME" != "elastic-defend-endpoints" ]; then
-        printf "\n\nIntegration $NAME exists - Updating integration\n"
-        elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION"
-      fi
+      printf "\n\nIntegration $NAME exists - Updating integration\n"
+      elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION"
    else
      printf "\n\nIntegration does not exist - Creating integration\n"
      elastic_fleet_integration_create "@$INTEGRATION"
@@ -35,9 +39,7 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then
      elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION"
    else
      printf "\n\nIntegration does not exist - Creating integration\n"
-      if [ "$NAME" != "elasticsearch-logs" ]; then
-        elastic_fleet_integration_create "@$INTEGRATION"
-      fi
+      elastic_fleet_integration_create "@$INTEGRATION"
    fi
  done
  if [[ "$RETURN_CODE" != "1" ]]; then
@@ -62,7 +64,28 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then
  if [[ "$RETURN_CODE" != "1" ]]; then
    touch /opt/so/state/eaintegrations.txt
  fi
+
+  # Fleet Server - Optional integrations
+  for INTEGRATION in /opt/so/conf/elastic-fleet/integrations-optional/FleetServer*/*.json
+  do
+    if ! [ "$INTEGRATION" == "/opt/so/conf/elastic-fleet/integrations-optional/FleetServer*/*.json" ]; then
+      FLEET_POLICY=`echo "$INTEGRATION"| cut -d'/' -f7`
+      printf "\n\nFleet Server Policy - Loading $INTEGRATION\n"
+      elastic_fleet_integration_check "$FLEET_POLICY" "$INTEGRATION"
+      if [ -n "$INTEGRATION_ID" ]; then
+        printf "\n\nIntegration $NAME exists - Updating integration\n"
+        elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION"
+      else
+        printf "\n\nIntegration does not exist - Creating integration\n"
+        if [ "$NAME" != "elasticsearch-logs" ]; then
+          elastic_fleet_integration_create "@$INTEGRATION"
+        fi
+      fi
+    fi
+  done
+  if [[ "$RETURN_CODE" != "1" ]]; then
+    touch /opt/so/state/eaintegrations.txt
+  fi
 else
  exit $RETURN_CODE
 fi
-
--- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-package-list
+++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-package-list
@@ -0,0 +1,15 @@
+#!/bin/bash
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+. /usr/sbin/so-elastic-fleet-common
+
+# Let's snag a cookie from Kibana
+SESSIONCOOKIE=$(curl -s -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}')
+
+# List configured package policies
+curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/epm/packages" -H 'kbn-xsrf: true' | jq
+
+echo
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers
@@ -11,6 +11,12 @@
 . /usr/sbin/so-common
 . /usr/sbin/so-elastic-fleet-common

+LOG="/opt/so/log/elasticfleet/so-elastic-agent-gen-installers.log"
+
+# Check to see if we are already running
+NUM_RUNNING=$(pgrep -cf "/bin/bash /sbin/so-elastic-agent-gen-installers")
+[ "$NUM_RUNNING" -gt 1 ] && echo "$(date) - $NUM_RUNNING gen installers script processes running...exiting." >>$LOG && exit 0
+
 for i in {1..30}
 do
   ENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json'  | jq .list | jq -r -c '.[] | select(.policy_id | contains("endpoints-initial")) | .api_key')
@@ -40,7 +46,7 @@ do
 done 

 printf "\n### Stripping out unused components"
-find /nsm/elastic-agent-workspace/elastic-agent-*/data/elastic-agent-*/components -regex '.*fleet.*\|.*packet.*\|.*apm*.*\|.*audit.*\|.*heart.*\|.*cloud.*' -delete 
+find /nsm/elastic-agent-workspace/elastic-agent-*/data/elastic-agent-*/components -maxdepth 1 -regex '.*fleet.*\|.*packet.*\|.*apm.*\|.*audit.*\|.*heart.*\|.*cloud.*' -delete 

 printf "\n### Tarring everything up again"
 for OS in "${OSARCH[@]}"
@@ -59,7 +65,7 @@ do
    if [[ $GOOS == 'darwin/arm64' ]]; then GOOS="darwin" && GOARCH="arm64"; fi
    printf "\n\n### Generating $GOOS/$GOARCH Installer...\n"
    docker run -e CGO_ENABLED=0 -e GOOS=$GOOS -e GOARCH=$GOARCH \
-    --mount type=bind,source=/etc/ssl/certs/,target=/workspace/files/cert/ \
+    --mount type=bind,source=/etc/pki/tls/certs/,target=/workspace/files/cert/ \
    --mount type=bind,source=/nsm/elastic-agent-workspace/,target=/workspace/files/elastic-agent/ \
    --mount type=bind,source=/opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/,target=/output/ \
    {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent-builder:{{ GLOBALS.so_version }} go build -ldflags "-X main.fleetHostURLsList=$FLEETHOST -X main.enrollmentToken=$ENROLLMENTOKEN"  -o /output/so-elastic-agent_${GOOS}_${GOARCH}
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-grid-upgrade
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-grid-upgrade
@@ -0,0 +1,38 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
+# this file except in compliance with the Elastic License 2.0.
+
+. /usr/sbin/so-common
+
+# Only run on Managers
+if ! is_manager_node; then
+    printf "Not a Manager Node... Exiting"
+    exit 0
+fi
+
+# Get current list of Grid Node Agents that need to be upgraded
+RAW_JSON=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "http://localhost:5601/api/fleet/agents?perPage=20&page=1&kuery=policy_id%20%3A%20so-grid-nodes_%2A&showInactive=false&showUpgradeable=true&getStatusSummary=true")
+
+# Check to make sure that the server responded with good data - else, bail from script
+CHECKSUM=$(jq -r '.page' <<< "$RAW_JSON")
+if [ "$CHECKSUM" -ne 1 ]; then
+ printf "Failed to query for current Grid Agents...\n"
+ exit 1
+fi
+
+# Generate list of Node Agents that need updates
+OUTDATED_LIST=$(jq -r '.items | map(.id) | (tojson)'  <<<  "$RAW_JSON")
+
+if [ "$OUTDATED_LIST" != '[]' ]; then
+   AGENTNUMBERS=$(jq -r '.total' <<< "$RAW_JSON")
+   printf "Initiating upgrades for $AGENTNUMBERS Agents to Elastic $ELASTIC_AGENT_TARBALL_VERSION...\n\n"
+
+   # Generate updated JSON payload
+   JSON_STRING=$(jq -n --arg ELASTICVERSION $ELASTIC_AGENT_TARBALL_VERSION --arg UPDATELIST $OUTDATED_LIST '{"version": $ELASTICVERSION,"agents": $UPDATELIST }')
+
+   # Update Node Agents
+   curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "http://localhost:5601/api/fleet/agents/bulk_upgrade" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
+else
+    printf "No Agents need updates... Exiting\n\n"
+    exit 0
+fi
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-inspect
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-inspect
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
+
+. /usr/sbin/so-elastic-fleet-common
+
+{% if grains.role == 'so-heavynode' %}
+docker exec so-elastic-agent /usr/share/elastic-agent/elastic-agent inspect
+{% else %}
+/bin/elastic-agent inspect
+{% endif %}
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-restart
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-restart
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
+
+. /usr/sbin/so-elastic-fleet-common
+
+{% if grains.role == 'so-heavynode' %}
+docker exec so-elastic-agent service elastic-agent restart
+{% else %}
+service elastic-agent restart
+{% endif %}
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-start
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-start
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
+
+. /usr/sbin/so-elastic-fleet-common
+
+{% if grains.role == 'so-heavynode' %}
+docker exec so-elastic-agent service elastic-agent start
+{% else %}
+service elastic-agent start
+{% endif %}
+
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-status
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-status
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
+
+. /usr/sbin/so-elastic-fleet-common
+
+{% if grains.role == 'so-heavynode' %}
+docker exec so-elastic-agent /usr/share/elastic-agent/elastic-agent status
+{% else %}
+/bin/elastic-agent status
+{% endif %}
+
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-stop
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-stop
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
+
+. /usr/sbin/so-elastic-fleet-common
+
+{% if grains.role == 'so-heavynode' %}
+docker exec so-elastic-agent service elastic-agent stop
+{% else %}
+service elastic-agent stop
+{% endif %}
+
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-version
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-version
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
+
+. /usr/sbin/so-elastic-fleet-common
+
+{% if grains.role == 'so-heavynode' %}
+docker exec so-elastic-agent /usr/share/elastic-agent/elastic-agent version
+{% else %}
+/bin/elastic-agent version
+{% endif %}
+
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-es-url-update
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-es-url-update
@@ -0,0 +1,64 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
+# this file except in compliance with the Elastic License 2.0.
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+
+. /usr/sbin/so-common
+
+# Only run on Managers
+if ! is_manager_node; then
+    printf "Not a Manager Node... Exiting"
+    exit 0
+fi
+
+function update_es_urls() {
+	
+    # Generate updated JSON payload
+{% if grains.role not in ['so-import', 'so-eval'] %}
+    JSON_STRING=$(jq -n --arg UPDATEDLIST $NEW_LIST_JSON '{"name":"so-manager_elasticsearch","type":"elasticsearch","hosts": $UPDATEDLIST,"config_yaml":""}')
+{%- else %}
+    JSON_STRING=$(jq -n --arg UPDATEDLIST $NEW_LIST_JSON '{"name":"so-manager_elasticsearch","type":"elasticsearch","hosts": $UPDATEDLIST,"is_default":true,"is_default_monitoring":true,"config_yaml":""}')
+{%- endif %}
+    # Update Fleet Elasticsearch URLs
+    curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/outputs/so-manager_elasticsearch" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
+}
+
+# Get current list of Fleet Elasticsearch URLs
+RAW_JSON=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/outputs/so-manager_elasticsearch')
+
+# Check to make sure that the server responded with good data - else, bail from script
+CHECKSUM=$(jq -r '.item.id' <<< "$RAW_JSON")
+if [ "$CHECKSUM" != "so-manager_elasticsearch" ]; then
+ printf "Failed to query for current Fleet Server Elasticsearch URLs..."
+ exit 1
+fi
+
+# Get the current list of Fleet Server Elasticsearch & hash them
+CURRENT_LIST=$(jq -c -r '.item.hosts' <<<  "$RAW_JSON")
+CURRENT_HASH=$(sha1sum <<< "$CURRENT_LIST" | awk '{print $1}')
+
+# Create array & add initial elements
+NEW_LIST=("https://{{ GLOBALS.hostname }}:9200")
+
+
+# Sort & hash the new list of Fleet Elasticsearch URLs
+NEW_LIST_JSON=$(jq --compact-output --null-input '$ARGS.positional' --args -- "${NEW_LIST[@]}")
+NEW_HASH=$(sha1sum <<< "$NEW_LIST_JSON" | awk '{print $1}')
+
+# Compare the current & new list of URLs - if different, update the Fleet Elasticsearch URLs
+if [ "$1" = "--force" ]; then
+    printf "\nUpdating List, since --force was specified.\n"
+    printf "Current List: $CURRENT_LIST\nNew List: $NEW_LIST_JSON\n"
+    update_es_urls
+    exit 0
+fi
+
+if [ "$NEW_HASH" = "$CURRENT_HASH" ]; then
+    printf "\nHashes match - no update needed.\n"
+    printf "Current List: $CURRENT_LIST\nNew List: $NEW_LIST_JSON\n"
+    exit 0
+else
+    printf "\nHashes don't match - update needed.\n"
+    printf "Current List: $CURRENT_LIST\nNew List: $NEW_LIST_JSON\n"
+    update_es_urls
+fi
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-outputs-update
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-outputs-update
@@ -2,7 +2,15 @@
 # or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
 # this file except in compliance with the Elastic License 2.0.
 {% from 'vars/globals.map.jinja' import GLOBALS %}
-{% set CUSTOMFQDN = salt['pillar.get']('elasticfleet:config:server:custom_fqdn') %}
+{% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
+
+. /usr/sbin/so-common
+
+# Only run on Managers
+if ! is_manager_node; then
+    printf "Not a Manager Node... Exiting"
+    exit 0
+fi

 function update_logstash_outputs() {
 	# Generate updated JSON payload
@@ -27,15 +35,20 @@ CURRENT_LIST=$(jq -c -r '.item.hosts' <<<  "$RAW_JSON")
 CURRENT_HASH=$(sha1sum <<< "$CURRENT_LIST" | awk '{print $1}')

 # Create array & add initial elements
-if [ "{{ GLOBALS.manager_ip }}" = "{{ GLOBALS.url_base }}" ]; then
+if [ "{{ GLOBALS.hostname }}" = "{{ GLOBALS.url_base }}" ]; then
    NEW_LIST=("{{ GLOBALS.url_base }}:5055")
 else
-    NEW_LIST=("{{ GLOBALS.url_base }}:5055" "{{ GLOBALS.manager_ip }}:5055")
+    NEW_LIST=("{{ GLOBALS.url_base }}:5055" "{{ GLOBALS.hostname }}:5055")
 fi

-{% if CUSTOMFQDN != "" %}
-# Add Custom Hostname to list
-NEW_LIST+=("{{ CUSTOMFQDN }}:5055")
+# Query for FQDN entries & add them to the list
+{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %}
+CUSTOMFQDNLIST=('{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(' ') }}')
+readarray -t -d ' ' CUSTOMFQDN < <(printf '%s' "$CUSTOMFQDNLIST")
+for CUSTOMNAME in "${CUSTOMFQDN[@]}"
+do
+ NEW_LIST+=("$CUSTOMNAME:5055")
+done
 {% endif %}

 # Query for the current Grid Nodes that are running Logstash
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-load
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-load
@@ -11,7 +11,7 @@
 {%- for PACKAGE in SUPPORTED_PACKAGES %}
 echo "Setting up {{ PACKAGE }} package..."
 VERSION=$(elastic_fleet_package_version_check "{{ PACKAGE }}")
-elastic_fleet_package_install "{{ PACKAGE }}-$VERSION"
+elastic_fleet_package_install "{{ PACKAGE }}" "$VERSION"
 echo
 {%- endfor %}
 echo
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-upgrade
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-upgrade
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
+# this file except in compliance with the Elastic License 2.0.
+{%- import_yaml 'elasticfleet/defaults.yaml' as ELASTICFLEETDEFAULTS %}
+{%- set SUPPORTED_PACKAGES = salt['pillar.get']('elasticfleet:packages', default=ELASTICFLEETDEFAULTS.elasticfleet.packages, merge=True) %}
+
+. /usr/sbin/so-elastic-fleet-common
+
+{%- for PACKAGE in SUPPORTED_PACKAGES %}
+echo "Upgrading {{ PACKAGE }} package..."
+VERSION=$(elastic_fleet_package_latest_version_check "{{ PACKAGE }}")
+elastic_fleet_package_install "{{ PACKAGE }}" "$VERSION"
+echo
+{%- endfor %}
+echo
+/usr/sbin/so-elasticsearch-templates-load
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .4.3
 .4.30