watch some values

engines config for valueWatch
watch files change engine
2025-12-06 09:12:45 +01:00 · 2024-04-29 17:14:00 -04:00 · 2024-04-29 14:02:10 -04:00 · 2024-04-24 13:19:39 -04:00 · 2024-04-19 09:32:32 -04:00 · 2024-04-18 13:50:37 -04:00
415 changed files with 774708 additions and 374563 deletions
--- a/.github/.gitleaks.toml
+++ b/.github/.gitleaks.toml
@@ -536,11 +536,10 @@ secretGroup = 4
 [allowlist]
 description = "global allow lists"
-regexes = ['''219-09-9999''', '''078-05-1120''', '''(9[0-9]{2}|666)-\d{2}-\d{4}''', '''RPM-GPG-KEY.*''']
+regexes = ['''219-09-9999''', '''078-05-1120''', '''(9[0-9]{2}|666)-\d{2}-\d{4}''', '''RPM-GPG-KEY.*''', '''.*:.*StrelkaHexDump.*''', '''.*:.*PLACEHOLDER.*''']
 paths = [
    '''gitleaks.toml''',
    '''(.*?)(jpg|gif|doc|pdf|bin|svg|socket)$''',
    '''(go.mod|go.sum)$''',
    '''salt/nginx/files/enterprise-attack.json'''
 ]
--- a/.github/DISCUSSION_TEMPLATE/2-4.yml
+++ b/.github/DISCUSSION_TEMPLATE/2-4.yml
@@ -0,0 +1,190 @@
 body:
  - type: markdown
    attributes:
      value: |
        ⚠️ This category is solely for conversations related to Security Onion 2.4 ⚠️
        If your organization needs more immediate, enterprise grade professional support, with one-on-one virtual meetings and screensharing, contact us via our website: https://securityonion.com/support
  - type: dropdown
    attributes:
      label: Version
      description: Which version of Security Onion 2.4.x are you asking about?
      options:
        -
        - 2.4 Pre-release (Beta, Release Candidate)
        - 2.4.10
        - 2.4.20
        - 2.4.30
        - 2.4.40
        - 2.4.50
        - 2.4.60
        - 2.4.70
        - 2.4.80
        - 2.4.90
        - 2.4.100
        - Other (please provide detail below)
    validations:
      required: true
  - type: dropdown
    attributes:
      label: Installation Method
      description: How did you install Security Onion?
      options:
        -
        - Security Onion ISO image
        - Network installation on Red Hat derivative like Oracle, Rocky, Alma, etc.
        - Network installation on Ubuntu
        - Network installation on Debian
        - Other (please provide detail below)
    validations:
      required: true
  - type: dropdown
    attributes:
      label: Description
      description: >
        Is this discussion about installation, configuration, upgrading, or other?
      options:
        -
        - installation
        - configuration
        - upgrading
        - other (please provide detail below)
    validations:
      required: true
  - type: dropdown
    attributes:
      label: Installation Type
      description: >
        When you installed, did you choose Import, Eval, Standalone, Distributed, or something else?
      options:
        -
        - Import
        - Eval
        - Standalone
        - Distributed
        - other (please provide detail below)
    validations:
      required: true
  - type: dropdown
    attributes:
      label: Location
      description: >
        Is this deployment in the cloud, on-prem with Internet access, or airgap?
      options:
        -
        - cloud
        - on-prem with Internet access
        - airgap
        - other (please provide detail below)
    validations:
      required: true
  - type: dropdown
    attributes:
      label: Hardware Specs
      description: >
        Does your hardware meet or exceed the minimum requirements for your installation type as shown at https://docs.securityonion.net/en/2.4/hardware.html?
      options:
        -
        - Meets minimum requirements
        - Exceeds minimum requirements
        - Does not meet minimum requirements
        - other (please provide detail below)
    validations:
      required: true
  - type: input
    attributes:
      label: CPU
      description: How many CPU cores do you have?
    validations:
      required: true
  - type: input
    attributes:
      label: RAM
      description: How much RAM do you have?
    validations:
      required: true
  - type: input
    attributes:
      label: Storage for /
      description: How much storage do you have for the / partition?
    validations:
      required: true
  - type: input
    attributes:
      label: Storage for /nsm
      description: How much storage do you have for the /nsm partition?
    validations:
      required: true
  - type: dropdown
    attributes:
      label: Network Traffic Collection
      description: >
        Are you collecting network traffic from a tap or span port?
      options:
        -
        - tap
        - span port
        - other (please provide detail below)
    validations:
      required: true
  - type: dropdown
    attributes:
      label: Network Traffic Speeds
      description: >
        How much network traffic are you monitoring?
      options:
        -
        - Less than 1Gbps
        - 1Gbps to 10Gbps
        - more than 10Gbps
    validations:
      required: true
  - type: dropdown
    attributes:
      label: Status
      description: >
        Does SOC Grid show all services on all nodes as running OK?
      options:
        -
        - Yes, all services on all nodes are running OK
        - No, one or more services are failed (please provide detail below)
    validations:
      required: true
  - type: dropdown
    attributes:
      label: Salt Status
      description: >
        Do you get any failures when you run "sudo salt-call state.highstate"?
      options:
        -
        - Yes, there are salt failures (please provide detail below)
        - No, there are no failures
    validations:
      required: true
  - type: dropdown
    attributes:
      label: Logs
      description: >
        Are there any additional clues in /opt/so/log/?
      options:
        -
        - Yes, there are additional clues in /opt/so/log/ (please provide detail below)
        - No, there are no additional clues
    validations:
      required: true
  - type: textarea
    attributes:
      label: Detail
      description: Please read our discussion guidelines at https://github.com/Security-Onion-Solutions/securityonion/discussions/1720 and then provide detailed information to help us help you.
      placeholder: |-
        STOP! Before typing, please read our discussion guidelines at https://github.com/Security-Onion-Solutions/securityonion/discussions/1720 in their entirety!
        If your organization needs more immediate, enterprise grade professional support, with one-on-one virtual meetings and screensharing, contact us via our website: https://securityonion.com/support
    validations:
      required: true
  - type: checkboxes
    attributes:
      label: Guidelines
      options:
        - label: I have read the discussion guidelines at https://github.com/Security-Onion-Solutions/securityonion/discussions/1720 and assert that I have followed the guidelines.
          required: true
--- a/.github/workflows/close-threads.yml
+++ b/.github/workflows/close-threads.yml
@@ -0,0 +1,32 @@
 name: 'Close Threads'
 on:
  schedule:
    - cron: '50 1 * * *'
  workflow_dispatch:
 permissions:
  issues: write
  pull-requests: write
  discussions: write
 concurrency:
  group: lock-threads
 jobs:
  close-threads:
    runs-on: ubuntu-latest
    permissions:
      issues: write
      pull-requests: write
    steps:
      - uses: actions/stale@v5
        with:
          days-before-issue-stale: -1
          days-before-issue-close: 60
          stale-issue-message: "This issue is stale because it has been inactive for an extended period. Stale issues convey that the issue, while important to someone, is not critical enough for the author, or other community members to work on, sponsor, or otherwise shepherd the issue through to a resolution."
          close-issue-message: "This issue was closed because it has been stale for an extended period. It will be automatically locked in 30 days, after which no further commenting will be available."
          days-before-pr-stale: 45
          days-before-pr-close: 60
          stale-pr-message: "This PR is stale because it has been inactive for an extended period. The longer a PR remains stale the more out of date with the main branch it becomes."
          close-pr-message: "This PR was closed because it has been stale for an extended period. It will be automatically locked in 30 days. If there is still a commitment to finishing this PR re-open it before it is locked."
--- a/.github/workflows/contrib.yml
+++ b/.github/workflows/contrib.yml
@@ -11,7 +11,7 @@ jobs:
    steps:
      - name: "Contributor Check"
        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
-        uses: cla-assistant/github-action@v2.1.3-beta
+        uses: cla-assistant/github-action@v2.3.1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PERSONAL_ACCESS_TOKEN : ${{ secrets.PERSONAL_ACCESS_TOKEN }}
--- a/.github/workflows/lock-threads.yml
+++ b/.github/workflows/lock-threads.yml
@@ -0,0 +1,25 @@
 name: 'Lock Threads'
 on:
  schedule:
    - cron: '50 2 * * *'
  workflow_dispatch:
 permissions:
  issues: write
  pull-requests: write
  discussions: write
 concurrency:
  group: lock-threads
 jobs:
  lock-threads:
    runs-on: ubuntu-latest
    steps:
      - uses: jertel/lock-threads@main
        with:
          include-discussion-currently-open: true
          discussion-inactive-days: 90
          issue-inactive-days: 30
          pr-inactive-days: 30
--- a/DOWNLOAD_AND_VERIFY_ISO.md
+++ b/DOWNLOAD_AND_VERIFY_ISO.md
@@ -1,17 +1,17 @@
-### 2.4.30-20231228 ISO image released on 2024/01/02
+### 2.4.60-20240320 ISO image released on 2024/03/20
 ### Download and Verify
-2.4.30-20231228 ISO image:  
+2.4.60-20240320 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.4.30-20231228.iso
+https://download.securityonion.net/file/securityonion/securityonion-2.4.60-20240320.iso
-MD5: DBD47645CD6FA8358C51D8753046FB54  
+MD5: 178DD42D06B2F32F3870E0C27219821E  
-SHA1: 2494091065434ACB028F71444A5D16E8F8A11EDF  
+SHA1: 73EDCD50817A7F6003FE405CF1808A30D034F89D  
-SHA256: 3345AE1DC58AC7F29D82E60D9A36CDF8DE19B7DFF999D8C4F89C7BD36AEE7F1D  
+SHA256: DD334B8D7088A7B78160C253B680D645E25984BA5CCAB5CC5C327CA72137FC06  
 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.30-20231228.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.60-20240320.iso.sig
 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS  
@@ -25,22 +25,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.
 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.30-20231228.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.60-20240320.iso.sig
 ```
 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.4.30-20231228.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.4.60-20240320.iso
 ```
 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.4.30-20231228.iso.sig securityonion-2.4.30-20231228.iso
+gpg --verify securityonion-2.4.60-20240320.iso.sig securityonion-2.4.60-20240320.iso
 ```
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Thu 28 Dec 2023 10:08:31 AM EST using RSA key ID FE507013
+gpg: Signature made Tue 19 Mar 2024 03:17:58 PM EDT using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.
--- a/1
+++ b/1
@@ -1 +0,0 @@
 20231204
--- a/2
+++ b/2
@@ -1 +1 @@
-2.4.30
+2.4.70
--- a/assets/images/screenshots/analyzers/echotrail.png
+++ b/assets/images/screenshots/analyzers/echotrail.png
--- a/assets/images/screenshots/analyzers/elasticsearch.png
+++ b/assets/images/screenshots/analyzers/elasticsearch.png
--- a/assets/images/screenshots/analyzers/sublime.png
+++ b/assets/images/screenshots/analyzers/sublime.png
--- a/files/firewall/assigned_hostgroups.local.map.yaml
+++ b/files/firewall/assigned_hostgroups.local.map.yaml
@@ -19,4 +19,4 @@ role:
  receiver:
  standalone:
  searchnode:
-  sensor:
+  sensor:
--- a/files/salt/master/master
+++ b/files/salt/master/master
@@ -41,7 +41,8 @@ file_roots:
  base:
    - /opt/so/saltstack/local/salt
    - /opt/so/saltstack/default/salt
-
+    - /nsm/elastic-fleet/artifacts
    - /opt/so/rules/nids
 # The master_roots setting configures a master-only copy of the file_roots dictionary,
 # used by the state compiler.
--- a/pillar/kafka/nodes.sls
+++ b/pillar/kafka/nodes.sls
@@ -0,0 +1,30 @@
 {% set current_kafkanodes = salt.saltutil.runner('mine.get', tgt='G@role:so-manager or G@role:so-managersearch or G@role:so-standalone or G@role:so-receiver', fun='network.ip_addrs', tgt_type='compound') %}
 {% set pillar_kafkanodes = salt['pillar.get']('kafka:nodes', default={}, merge=True) %}
 {% set existing_ids = [] %}
 {% for node in pillar_kafkanodes.values() %}
  {% if node.get('id') %}
    {% do existing_ids.append(node['nodeid']) %}
  {% endif %}
 {% endfor %}
 {% set all_possible_ids = range(1, 256)|list %}
 {% set available_ids = [] %}
 {% for id in all_possible_ids %}
  {% if id not in existing_ids %}
    {% do available_ids.append(id) %}
  {% endif %}
 {% endfor %}
 {% set final_nodes = pillar_kafkanodes.copy() %}
 {% for minionid, ip in current_kafkanodes.items() %}
    {% set hostname = minionid.split('_')[0] %}
    {% if hostname not in final_nodes %}
        {% set new_id = available_ids.pop(0) %}
        {% do final_nodes.update({hostname: {'nodeid': new_id, 'ip': ip[0]}}) %}
    {% endif %}
 {% endfor %}
 kafka:
  nodes: {{ final_nodes|tojson }}
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -43,8 +43,6 @@ base:
    - soc.soc_soc
    - soc.adv_soc
    - soc.license
    - soctopus.soc_soctopus
    - soctopus.adv_soctopus
    - kibana.soc_kibana
    - kibana.adv_kibana
    - kratos.soc_kratos
@@ -61,12 +59,12 @@ base:
    - elastalert.adv_elastalert
    - backup.soc_backup
    - backup.adv_backup
    - curator.soc_curator
    - curator.adv_curator
    - soctopus.soc_soctopus
    - soctopus.adv_soctopus
    - minions.{{ grains.id }}
    - minions.adv_{{ grains.id }}
    - kafka.nodes
    - kafka.soc_kafka
    - kafka.adv_kafka
    - stig.soc_stig
  '*_sensor':
    - healthcheck.sensor
@@ -82,6 +80,8 @@ base:
    - suricata.adv_suricata
    - minions.{{ grains.id }}
    - minions.adv_{{ grains.id }}
    - stig.soc_stig
    - soc.license
  '*_eval':
    - secrets
@@ -107,14 +107,10 @@ base:
    - soc.soc_soc
    - soc.adv_soc
    - soc.license
    - soctopus.soc_soctopus
    - soctopus.adv_soctopus
    - kibana.soc_kibana
    - kibana.adv_kibana
    - strelka.soc_strelka
    - strelka.adv_strelka
    - curator.soc_curator
    - curator.adv_curator
    - kratos.soc_kratos
    - kratos.adv_kratos
    - redis.soc_redis
@@ -166,14 +162,10 @@ base:
    - soc.soc_soc
    - soc.adv_soc
    - soc.license
    - soctopus.soc_soctopus
    - soctopus.adv_soctopus
    - kibana.soc_kibana
    - kibana.adv_kibana
    - strelka.soc_strelka
    - strelka.adv_strelka
    - curator.soc_curator
    - curator.adv_curator
    - backup.soc_backup
    - backup.adv_backup
    - zeek.soc_zeek
@@ -186,6 +178,10 @@ base:
    - suricata.adv_suricata
    - minions.{{ grains.id }}
    - minions.adv_{{ grains.id }}
    - stig.soc_stig
    - kafka.nodes
    - kafka.soc_kafka
    - kafka.adv_kafka
  '*_heavynode':
    - elasticsearch.auth
@@ -194,8 +190,6 @@ base:
    - logstash.adv_logstash
    - elasticsearch.soc_elasticsearch
    - elasticsearch.adv_elasticsearch
    - curator.soc_curator
    - curator.adv_curator
    - redis.soc_redis
    - redis.adv_redis
    - zeek.soc_zeek
@@ -230,6 +224,8 @@ base:
    - redis.adv_redis
    - minions.{{ grains.id }}
    - minions.adv_{{ grains.id }}
    - stig.soc_stig
    - soc.license
  '*_receiver':
    - logstash.nodes
@@ -242,6 +238,9 @@ base:
    - redis.adv_redis
    - minions.{{ grains.id }}
    - minions.adv_{{ grains.id }}
    - kafka.nodes
    - kafka.soc_kafka
    - kafka.adv_kafka
  '*_import':
    - secrets
@@ -264,12 +263,8 @@ base:
    - soc.soc_soc
    - soc.adv_soc
    - soc.license
    - soctopus.soc_soctopus
    - soctopus.adv_soctopus
    - kibana.soc_kibana
    - kibana.adv_kibana
    - curator.soc_curator
    - curator.adv_curator
    - backup.soc_backup
    - backup.adv_backup
    - kratos.soc_kratos
--- a/salt/allowed_states.map.jinja
+++ b/salt/allowed_states.map.jinja
@@ -34,7 +34,6 @@
          'suricata',
          'utility',
          'schedule',
          'soctopus',
          'tcpreplay',
          'docker_clean'
          ],
@@ -101,8 +100,9 @@
          'suricata.manager',
          'utility',
          'schedule',
-          'soctopus',
+          'docker_clean',
-          'docker_clean'
+          'stig',
          'kafka'
          ],
      'so-managersearch': [
          'salt.master',
@@ -122,8 +122,9 @@
          'suricata.manager',
          'utility',
          'schedule',
-          'soctopus',
+          'docker_clean',
-          'docker_clean'
+          'stig',
          'kafka'
          ],
      'so-searchnode': [
          'ssl',
@@ -131,7 +132,8 @@
          'telegraf',
          'firewall',
          'schedule',
-          'docker_clean'
+          'docker_clean',
          'stig'
          ],
      'so-standalone': [
          'salt.master',
@@ -154,9 +156,10 @@
          'healthcheck',
          'utility',
          'schedule',
          'soctopus',
          'tcpreplay',
-          'docker_clean'
+          'docker_clean',
          'stig',
          'kafka'
          ],
      'so-sensor': [
          'ssl',
@@ -168,13 +171,15 @@
          'healthcheck',
          'schedule',
          'tcpreplay',
-          'docker_clean'
+          'docker_clean',
          'stig'
          ],
      'so-fleet': [
          'ssl',
          'telegraf',
          'firewall',
          'logstash',
          'nginx',
          'healthcheck',
          'schedule',
          'elasticfleet',
@@ -185,7 +190,9 @@
          'telegraf',
          'firewall',
          'schedule',
-          'docker_clean'
+          'docker_clean',
          'kafka',
          'elasticsearch.ca'
          ],
      'so-desktop': [
          'ssl',
@@ -194,10 +201,6 @@
          ],
  }, grain='role') %}
  {% if grains.role in ['so-eval', 'so-manager', 'so-managersearch', 'so-standalone'] %}
    {% do allowed_states.append('mysql') %}
  {% endif %}
  {%- if grains.role in ['so-sensor', 'so-eval', 'so-standalone', 'so-heavynode'] %}
    {% do allowed_states.append('zeek') %}
  {%- endif %}
@@ -219,18 +222,10 @@
    {% do allowed_states.append('kibana.secrets') %}
  {% endif %}
  {% if grains.role in ['so-eval', 'so-standalone', 'so-managersearch', 'so-heavynode', 'so-manager'] %}
    {% do allowed_states.append('curator') %}
  {% endif %}
  {% if grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %}
    {% do allowed_states.append('elastalert') %}
  {% endif %}
  {% if grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %}
    {% do allowed_states.append('playbook') %}
  {% endif %}
  {% if grains.role in ['so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-receiver'] %}
    {% do allowed_states.append('logstash') %}
  {% endif %}
--- a/salt/bpf/pcap.map.jinja
+++ b/salt/bpf/pcap.map.jinja
@@ -1,7 +1,10 @@
-{% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
+{% from 'vars/globals.map.jinja' import GLOBALS %}
-{% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
+{% if GLOBALS.pcap_engine == "TRANSITION" %}
-{% import 'bpf/macros.jinja' as MACROS %}
+{%   set PCAPBPF = ["ip and host 255.255.255.1 and port 1"] %}
-
+{% else %}
-{{ MACROS.remove_comments(BPFMERGED, 'pcap') }}
+{%   import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
-
+{%   set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
-{% set PCAPBPF = BPFMERGED.pcap %}
+{%   import 'bpf/macros.jinja' as MACROS %}
 {{   MACROS.remove_comments(BPFMERGED, 'pcap') }}
 {%   set PCAPBPF = BPFMERGED.pcap %}
 {% endif %}
--- a/salt/bpf/soc_bpf.yaml
+++ b/salt/bpf/soc_bpf.yaml
@@ -1,6 +1,6 @@
 bpf:
  pcap:
-    description: List of BPF filters to apply to PCAP.
+    description: List of BPF filters to apply to Stenographer.
    multiline: True
    forcedType: "[]string"
    helpLink: bpf.html
--- a/salt/ca/files/signing_policies.conf
+++ b/salt/ca/files/signing_policies.conf
@@ -70,3 +70,17 @@ x509_signing_policies:
    - authorityKeyIdentifier: keyid,issuer:always
    - days_valid: 820
    - copypath: /etc/pki/issued_certs/
  kafka:
    - minions: '*'
    - signing_private_key: /etc/pki/ca.key
    - signing_cert: /etc/pki/ca.crt
    - C: US
    - ST: Utah
    - L: Salt Lake City
    - basicConstraints: "critical CA:false"
    - keyUsage: "digitalSignature, keyEncipherment"
    - subjectKeyIdentifier: hash
    - authorityKeyIdentifier: keyid,issuer:always
    - extendedKeyUsage: "serverAuth, clientAuth"
    - days_valid: 820
    - copypath: /etc/pki/issued_certs/
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -4,7 +4,6 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 include:
  - common.soup_scripts
  - common.packages
 {% if GLOBALS.role in GLOBALS.manager_roles %}
  - manager.elasticsearch # needed for elastic_curl_config state
@@ -134,6 +133,18 @@ common_sbin_jinja:
    - file_mode: 755
    - template: jinja
 {% if not GLOBALS.is_manager%}
 # prior to 2.4.50 these scripts were in common/tools/sbin on the manager because of soup and distributed to non managers
 # these two states remove the scripts from non manager nodes
 remove_soup:
  file.absent:
    - name: /usr/sbin/soup
 remove_so-firewall:
  file.absent:
    - name: /usr/sbin/so-firewall
 {% endif %}
 so-status_script:
  file.managed:
    - name: /usr/sbin/so-status
@@ -179,6 +190,14 @@ so-status_check_cron:
    - month: '*'
    - dayweek: '*'
 # This cronjob/script runs a check if the node needs restarted, but should be used for future status checks as well
 common_status_check_cron:
  cron.present:
    - name: '/usr/sbin/so-common-status-check > /dev/null 2>&1'
    - identifier: common_status_check
    - user: root
    - minute: '*/10'
 remove_post_setup_cron:
  cron.absent:
    - name: 'PATH=$PATH:/usr/sbin salt-call state.highstate'
--- a/salt/common/soup_scripts.sls
+++ b/salt/common/soup_scripts.sls
@@ -1,23 +1,88 @@
-# Sync some Utilities
+{% if '2.4' in salt['cp.get_file_str']('/etc/soversion') %}
 soup_scripts:
  file.recurse:
    - name: /usr/sbin
    - user: root
    - group: root
    - file_mode: 755
    - source: salt://common/tools/sbin
    - include_pat:
        - so-common
        - so-image-common
-soup_manager_scripts:
+{%   import_yaml '/opt/so/saltstack/local/pillar/global/soc_global.sls' as SOC_GLOBAL %}
-  file.recurse:
+{%   if SOC_GLOBAL.global.airgap %}
-    - name: /usr/sbin
+{%     set UPDATE_DIR='/tmp/soagupdate/SecurityOnion' %}
-    - user: root
+{%   else %}
-    - group: root
+{%     set UPDATE_DIR='/tmp/sogh/securityonion' %}
-    - file_mode: 755
+{%   endif %}
-    - source: salt://manager/tools/sbin
+
-    - include_pat:
+remove_common_soup:
-        - so-firewall
+  file.absent:
-        - so-repo-sync
+    - name: /opt/so/saltstack/default/salt/common/tools/sbin/soup
-        - soup
+
 remove_common_so-firewall:
  file.absent:
    - name: /opt/so/saltstack/default/salt/common/tools/sbin/so-firewall
 copy_so-common_common_tools_sbin:
  file.copy:
    - name: /opt/so/saltstack/default/salt/common/tools/sbin/so-common
    - source: {{UPDATE_DIR}}/salt/common/tools/sbin/so-common
    - force: True
    - preserve: True
 copy_so-image-common_common_tools_sbin:
  file.copy:
    - name: /opt/so/saltstack/default/salt/common/tools/sbin/so-image-common
    - source: {{UPDATE_DIR}}/salt/common/tools/sbin/so-image-common
    - force: True
    - preserve: True
 copy_soup_manager_tools_sbin:
  file.copy:
    - name: /opt/so/saltstack/default/salt/manager/tools/sbin/soup
    - source: {{UPDATE_DIR}}/salt/manager/tools/sbin/soup
    - force: True
    - preserve: True
 copy_so-firewall_manager_tools_sbin:
  file.copy:
    - name: /opt/so/saltstack/default/salt/manager/tools/sbin/so-firewall
    - source: {{UPDATE_DIR}}/salt/manager/tools/sbin/so-firewall
    - force: True
    - preserve: True
 copy_so-common_sbin:
  file.copy:
    - name: /usr/sbin/so-common
    - source: {{UPDATE_DIR}}/salt/common/tools/sbin/so-common
    - force: True
    - preserve: True
 copy_so-image-common_sbin:
  file.copy:
    - name: /usr/sbin/so-image-common
    - source: {{UPDATE_DIR}}/salt/common/tools/sbin/so-image-common
    - force: True
    - preserve: True
 copy_soup_sbin:
  file.copy:
    - name: /usr/sbin/soup
    - source: {{UPDATE_DIR}}/salt/manager/tools/sbin/soup
    - force: True
    - preserve: True
 copy_so-firewall_sbin:
  file.copy:
    - name: /usr/sbin/so-firewall
    - source: {{UPDATE_DIR}}/salt/manager/tools/sbin/so-firewall
    - force: True
    - preserve: True
 copy_so-yaml_sbin:
  file.copy:
    - name: /usr/sbin/so-yaml.py
    - source: {{UPDATE_DIR}}/salt/manager/tools/sbin/so-yaml.py
    - force: True
    - preserve: True
 {% else %}
 fix_23_soup_sbin:
  cmd.run:
    - name: curl -s -f -o /usr/sbin/soup https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.3/main/salt/common/tools/sbin/soup
 fix_23_soup_salt:
  cmd.run:
    - name: curl -s -f -o /opt/so/saltstack/defalt/salt/common/tools/sbin/soup https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.3/main/salt/common/tools/sbin/soup
 {% endif %}
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -248,6 +248,14 @@ get_random_value() {
 	head -c 5000 /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w $length | head -n 1
 }
 get_agent_count() {
 	if [ -f /opt/so/log/agents/agentstatus.log ]; then
 		AGENTCOUNT=$(cat /opt/so/log/agents/agentstatus.log | grep -wF active | awk '{print $2}')
 	else
 		AGENTCOUNT=0
 	fi
 }
 gpg_rpm_import() {
 	if [[ $is_oracle ]]; then
 	    if [[ "$WHATWOULDYOUSAYYAHDOHERE" == "setup" ]]; then
@@ -329,7 +337,7 @@ lookup_salt_value() {
 		local=""
 	fi
-	salt-call --no-color  ${kind}.get ${group}${key} --out=${output} ${local}
+	salt-call -lerror --no-color  ${kind}.get ${group}${key} --out=${output} ${local}
 }
 lookup_pillar() {
@@ -366,6 +374,13 @@ is_feature_enabled() {
 	return 1
 }
 read_feat() {
 	if [ -f /opt/so/log/sostatus/lks_enabled ]; then
 		lic_id=$(cat /opt/so/saltstack/local/pillar/soc/license.sls | grep license_id: | awk '{print $2}')
 		echo "$lic_id/$(cat /opt/so/log/sostatus/lks_enabled)/$(cat /opt/so/log/sostatus/fps_enabled)"
 	fi
 }
 require_manager() {
 	if is_manager_node; then
 		echo "This is a manager, so we can proceed."
@@ -559,6 +574,15 @@ status () {
    printf "\n=========================================================================\n$(date) | $1\n=========================================================================\n"
 }
 sync_options() {
 	set_version
 	set_os
 	salt_minion_count
 	get_agent_count
 	echo "$VERSION/$OS/$(uname -r)/$MINIONCOUNT:$AGENTCOUNT/$(read_feat)"
 }
 systemctl_func() {
 	local action=$1
 	local echo_action=$1
--- a/salt/common/tools/sbin/so-common-status-check
+++ b/salt/common/tools/sbin/so-common-status-check
@@ -0,0 +1,103 @@
 #!/usr/bin/env python3
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 import sys
 import subprocess
 import os
 import json
 sys.path.append('/opt/saltstack/salt/lib/python3.10/site-packages/')
 import salt.config
 import salt.loader
 __opts__ = salt.config.minion_config('/etc/salt/minion')
 __grains__ = salt.loader.grains(__opts__)
 def check_needs_restarted():
  osfam = __grains__['os_family']
  val = '0'
  outfile = "/opt/so/log/sostatus/needs_restarted"
  if osfam == 'Debian':
    if os.path.exists('/var/run/reboot-required'):
      val = '1'
  elif osfam == 'RedHat':
    cmd = 'needs-restarting -r > /dev/null 2>&1'
    try:
      needs_restarting = subprocess.check_call(cmd, shell=True)
    except subprocess.CalledProcessError:
      val = '1'
  else:
    fail("Unsupported OS")
  with open(outfile, 'w') as f:
    f.write(val)
 def check_for_fps():
    feat = 'fps'
    feat_full = feat.replace('ps', 'ips')
    fps = 0
    try:
        result = subprocess.run([feat_full + '-mode-setup', '--is-enabled'], stdout=subprocess.PIPE)
        if result.returncode == 0:
            fps = 1
    except FileNotFoundError:
        fn = '/proc/sys/crypto/' + feat_full + '_enabled'
        try:
          with open(fn, 'r') as f:
              contents = f.read()
              if '1' in contents:
                  fps = 1
        except:
          # Unknown, so assume 0
          fps = 0
    with open('/opt/so/log/sostatus/fps_enabled', 'w') as f:
       f.write(str(fps))
 def check_for_lks():
    feat = 'Lks'
    feat_full = feat.replace('ks', 'uks')
    lks = 0
    result = subprocess.run(['lsblk', '-p', '-J'], check=True, stdout=subprocess.PIPE)
    data = json.loads(result.stdout)
    for device in data['blockdevices']:
        if 'children' in device:
            for gc in device['children']:
                if 'children' in gc:
                    try:
                        arg = 'is' + feat_full
                        result = subprocess.run(['cryptsetup', arg, gc['name']], stdout=subprocess.PIPE)
                        if result.returncode == 0:
                           lks = 1
                    except FileNotFoundError:
                        for ggc in gc['children']:
                            if 'crypt' in ggc['type']:
                                lks = 1
        if lks:
            break
    with open('/opt/so/log/sostatus/lks_enabled', 'w') as f:
       f.write(str(lks))
 def fail(msg):
  print(msg, file=sys.stderr)
  sys.exit(1)
 def main():
  proc = subprocess.run(['id', '-u'], stdout=subprocess.PIPE, encoding="utf-8")
  if proc.stdout.strip() != "0":
    fail("This program must be run as root")
  # Ensure that umask is 0022 so that files created by this script have rw-r-r permissions
  org_umask = os.umask(0o022)
  check_needs_restarted()
  check_for_fps()
  check_for_lks()
  # Restore umask to whatever value was set before this script was run. SXIG sets to 0077 rw---
  os.umask(org_umask)
 if __name__ == "__main__":
  main()
--- a/salt/common/tools/sbin/so-image-common
+++ b/salt/common/tools/sbin/so-image-common
@@ -42,7 +42,6 @@ container_list() {
    )
  elif [ $MANAGERCHECK != 'so-helix' ]; then
    TRUSTED_CONTAINERS=(
      "so-curator"
      "so-elastalert"
      "so-elastic-agent"
      "so-elastic-agent-builder"
@@ -51,16 +50,14 @@ container_list() {
      "so-idh"
      "so-idstools"
      "so-influxdb"
      "so-kafka"
      "so-kibana"
      "so-kratos"
      "so-logstash"
      "so-mysql"
      "so-nginx"
      "so-pcaptools"
      "so-playbook"
      "so-redis"
      "so-soc"
      "so-soctopus"
      "so-steno"
      "so-strelka-backend"
      "so-strelka-filestream"
@@ -68,7 +65,7 @@ container_list() {
      "so-strelka-manager"
      "so-suricata"
      "so-telegraf"
-      "so-zeek" 
+      "so-zeek"
    )
  else
    TRUSTED_CONTAINERS=(
--- a/salt/common/tools/sbin/so-ip-update
+++ b/salt/common/tools/sbin/so-ip-update
@@ -49,10 +49,6 @@ if [ "$CONTINUE" == "y" ]; then
 		sed -i "s|$OLD_IP|$NEW_IP|g" $file
 	done
 	echo "Granting MySQL root user permissions on $NEW_IP"
 	docker exec -i so-mysql mysql --user=root --password=$(lookup_pillar_secret 'mysql') -e "GRANT ALL PRIVILEGES ON *.* TO 'root'@'$NEW_IP' IDENTIFIED BY '$(lookup_pillar_secret 'mysql')' WITH GRANT OPTION;" &> /dev/null
 	echo "Removing MySQL root user from $OLD_IP"
 	docker exec -i so-mysql mysql --user=root --password=$(lookup_pillar_secret 'mysql') -e "DROP USER 'root'@'$OLD_IP';" &> /dev/null
 	echo "Updating Kibana dashboards"
 	salt-call state.apply kibana.so_savedobjects_defaults -l info queue=True
--- a/salt/common/tools/sbin/so-log-check
+++ b/salt/common/tools/sbin/so-log-check
@@ -109,6 +109,8 @@ if [[ $EXCLUDE_STARTUP_ERRORS == 'Y' ]]; then
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|timeout exceeded"             # server not yet ready (telegraf waiting on elasticsearch)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|influxsize kbytes"            # server not yet ready (telegraf waiting on influx)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|expected field at"            # server not yet ready (telegraf waiting on health data)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|connection timed out"         # server not yet ready (telegraf plugin unable to connect)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|command timed out"            # server not yet ready (telegraf plugin waiting for script to finish)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|cached the public key"        # server not yet ready (salt minion waiting on key acceptance)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|no ingest nodes"              # server not yet ready (logstash waiting on elastic)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|failed to poll"               # server not yet ready (sensoroni waiting on soc)
@@ -119,6 +121,8 @@ if [[ $EXCLUDE_STARTUP_ERRORS == 'Y' ]]; then
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|timeout retrieving container" # Telegraf unable to reach Docker engine, rare
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|error while communicating"    # Elasticsearch MS -> HN "sensor" temporarily unavailable
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|tls handshake error"          # Docker registry container when new node comes onlines
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Unable to get license information" # Logstash trying to contact ES before it's ready
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|process already finished"     # Telegraf script finished just as the auto kill timeout kicked in
 fi
 if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then
@@ -151,15 +155,11 @@ if [[ $EXCLUDE_KNOWN_ERRORS == 'Y' ]]; then
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|fail\\(error\\)"              # redis/python generic stack line, rely on other lines for actual error
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|urlerror"                     # idstools connection timeout
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|timeouterror"                 # idstools connection timeout
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|forbidden"                    # playbook
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|_ml"                          # Elastic ML errors 
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|context canceled"             # elastic agent during shutdown
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|exited with code 128"         # soctopus errors during forced restart by highstate
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|geoip databases update"       # airgap can't update GeoIP DB
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|filenotfounderror"            # bug in 2.4.10 filecheck salt state caused duplicate cronjobs
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|salt-minion-check"            # bug in early 2.4 place Jinja script in non-jinja salt dir causing cron output errors
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|generating elastalert config" # playbook expected error
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|activerecord"                 # playbook expected error
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|monitoring.metrics"           # known issue with elastic agent casting the field incorrectly if an integer value shows up before a float
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|repodownload.conf"            # known issue with reposync on pre-2.4.20 
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|missing versions record"      # stenographer corrupt index
@@ -167,6 +167,9 @@ if [[ $EXCLUDE_KNOWN_ERRORS == 'Y' ]]; then
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|error parsing signature"      # Malformed Suricata rule, from upstream provider
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|sticky buffer has no matches" # Non-critical Suricata error
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Unable to determine destination index stats"  # Elastic transform temporary error
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|cannot join on an empty table" # InfluxDB flux query, import nodes
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|exhausting result iterator"   # InfluxDB flux query mismatched table results (temporary data issue)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|failed to finish run"         # InfluxDB rare error, self-recoverable
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|iteration"
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|communication packets"
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|use of closed"
@@ -195,6 +198,8 @@ if [[ $EXCLUDE_KNOWN_ERRORS == 'Y' ]]; then
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|req.LocalMeta.host.ip"        # known issue in GH
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|sendmail"                     # zeek
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|stats.log"
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Unknown column"               # Elastalert errors from running EQL queries
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|parsing_exception"            # Elastalert EQL parsing issue. Temp.
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|context deadline exceeded"
 fi
@@ -204,7 +209,9 @@ RESULT=0
 CONTAINER_IDS=$(docker ps -q)
 exclude_container so-kibana   # kibana error logs are too verbose with large varieties of errors most of which are temporary
 exclude_container so-idstools # ignore due to known issues and noisy logging
-exclude_container so-playbook # ignore due to several playbook known issues
+exclude_container so-playbook # Playbook is removed as of 2.4.70, disregard output in stopped containers
 exclude_container so-mysql    # MySQL is removed as of 2.4.70, disregard output in stopped containers
 exclude_container so-soctopus # Soctopus is removed as of 2.4.70, disregard output in stopped containers
 for container_id in $CONTAINER_IDS; do
    container_name=$(docker ps --format json | jq ". | select(.ID==\"$container_id\")|.Names")
@@ -222,7 +229,13 @@ exclude_log "kibana.log"   # kibana error logs are too verbose with large variet
 exclude_log "spool"        # disregard zeek analyze logs as this is data specific
 exclude_log "import"       # disregard imported test data the contains error strings
 exclude_log "update.log"   # ignore playbook updates due to several known issues
-exclude_log "playbook.log" # ignore due to several playbook known issues
+exclude_log "cron-cluster-delete.log" # ignore since Curator has been removed
 exclude_log "cron-close.log" # ignore since Curator has been removed
 exclude_log "curator.log"  # ignore since Curator has been removed
 exclude_log "playbook.log" # Playbook is removed as of 2.4.70, logs may still be on disk
 exclude_log "mysqld.log"   # MySQL is removed as of 2.4.70, logs may still be on disk
 exclude_log "soctopus.log" # Soctopus is removed as of 2.4.70, logs may still be on disk
 exclude_log "agentstatus.log" # ignore this log since it tracks agents in error state
 for log_file in $(cat /tmp/log_check_files); do
    status "Checking log file $log_file"
--- a/salt/common/tools/sbin/so-nsm-clear
+++ b/salt/common/tools/sbin/so-nsm-clear
@@ -41,8 +41,13 @@ done
 if [ $SKIP -ne 1 ]; then
        # Inform user we are about to delete all data
        echo
-        echo "This script will delete all NIDS data (PCAP, Suricata, Zeek)" 
+        echo "This script will delete all NSM data from /nsm."
-        echo "If you would like to proceed, please type "AGREE" and hit ENTER."
+        echo
        echo "This includes Suricata data, Zeek data, and full packet capture (PCAP)."
        echo
        echo "This will NOT delete any Suricata or Zeek logs that have already been ingested into Elasticsearch."
        echo
        echo "If you would like to proceed, then type AGREE and press ENTER."
        echo
        # Read user input
        read INPUT
@@ -54,8 +59,8 @@ delete_pcap() {
  [ -d $PCAP_DATA ] && so-pcap-stop && rm -rf $PCAP_DATA/* && so-pcap-start
 }
 delete_suricata() {
-  SURI_LOG="/opt/so/log/suricata/eve.json"
+  SURI_LOG="/nsm/suricata/"
-  [ -f $SURI_LOG ] && so-suricata-stop && rm -f $SURI_LOG && so-suricata-start
+  [ -d $SURI_LOG ] && so-suricata-stop && rm -rf $SURI_LOG/* && so-suricata-start
 }
 delete_zeek() {
  ZEEK_LOG="/nsm/zeek/logs/"
--- a/salt/common/tools/sbin_jinja/so-raid-status
+++ b/salt/common/tools/sbin_jinja/so-raid-status
@@ -49,11 +49,18 @@ check_nsm_raid() {
 check_boss_raid() {
  MVCLI=$(/usr/local/bin/mvcli info -o vd |grep status |grep functional)
  MVTEST=$(/usr/local/bin/mvcli info -o vd | grep "No adapter")
-  if [[ -n $MVCLI ]]; then
+  # Check to see if this is a SM based system
-    BOSSRAID=0
+  if [[ -z $MVTEST ]]; then
    if [[ -n $MVCLI ]]; then
      BOSSRAID=0
    else
      BOSSRAID=1
    fi
  else
-    BOSSRAID=1
+    # This doesn't have boss raid so lets make it 0
    BOSSRAID=0
  fi
 }
@@ -90,4 +97,4 @@ else
  RAIDSTATUS=1
 fi
-echo "nsmraid=$RAIDSTATUS" > /opt/so/log/raid/status.log
+echo "nsmraid=$RAIDSTATUS" > /opt/so/log/raid/status.log
--- a/salt/curator/config.sls
+++ b/salt/curator/config.sls
@@ -1,81 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from "curator/map.jinja" import CURATORMERGED %}
 # Create the group
 curatorgroup:
  group.present:
    - name: curator
    - gid: 934
 # Add user
 curator:
  user.present:
    - uid: 934
    - gid: 934
    - home: /opt/so/conf/curator
    - createhome: False
 # Create the log directory
 curlogdir:
  file.directory:
    - name: /opt/so/log/curator
    - user: 934
    - group: 939
 curactiondir:
  file.directory:
    - name: /opt/so/conf/curator/action
    - user: 934
    - group: 939
    - makedirs: True
 actionconfs:
  file.recurse:
    - name: /opt/so/conf/curator/action
    - source: salt://curator/files/action
    - user: 934
    - group: 939
    - template: jinja
    - defaults:
        CURATORMERGED: {{ CURATORMERGED.elasticsearch.index_settings }}
 curconf:
  file.managed:
    - name: /opt/so/conf/curator/curator.yml
    - source: salt://curator/files/curator.yml
    - user: 934
    - group: 939
    - mode: 660
    - template: jinja
    - show_changes: False
 curator_sbin:
  file.recurse:
    - name: /usr/sbin
    - source: salt://curator/tools/sbin
    - user: 934
    - group: 939
    - file_mode: 755
 curator_sbin_jinja:
  file.recurse:
    - name: /usr/sbin
    - source: salt://curator/tools/sbin_jinja
    - user: 934
    - group: 939 
    - file_mode: 755
    - template: jinja
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/curator/defaults.yaml
+++ b/salt/curator/defaults.yaml
@@ -1,100 +0,0 @@
 curator:
  enabled: False
  elasticsearch:
    index_settings:
      logs-import-so:
        close: 73000
        delete: 73001
      logs-strelka-so:
        close: 30
        delete: 365
      logs-suricata-so:
        close: 30
        delete: 365
      logs-syslog-so:
        close: 30
        delete: 365
      logs-zeek-so:
        close: 30
        delete: 365
      logs-elastic_agent-metricbeat-default:
        close: 30
        delete: 365
      logs-elastic_agent-osquerybeat-default:
        close: 30
        delete: 365
      logs-elastic_agent-fleet_server-default:
        close: 30
        delete: 365
      logs-elastic_agent-filebeat-default:
        close: 30
        delete: 365
      logs-elastic_agent-default:
        close: 30
        delete: 365
      logs-system-auth-default:
        close: 30
        delete: 365
      logs-system-application-default:
        close: 30
        delete: 365
      logs-system-security-default:
        close: 30
        delete: 365
      logs-system-system-default:
        close: 30
        delete: 365
      logs-system-syslog-default:
        close: 30
        delete: 365
      logs-windows-powershell-default:
        close: 30
        delete: 365
      logs-windows-sysmon_operational-default:
        close: 30
        delete: 365
      so-beats:
        close: 30
        delete: 365
      so-elasticsearch:
        close: 30
        delete: 365
      so-firewall:
        close: 30
        delete: 365
      so-ids:
        close: 30
        delete: 365
      so-import:
        close: 73000
        delete: 73001
      so-kratos:
        close: 30
        delete: 365
      so-kibana:
        close: 30
        delete: 365
      so-logstash:
        close: 30
        delete: 365
      so-netflow:
        close: 30
        delete: 365
      so-osquery:
        close: 30
        delete: 365
      so-ossec:
        close: 30
        delete: 365
      so-redis:
        close: 30
        delete: 365
      so-strelka:
        close: 30
        delete: 365
      so-syslog:
        close: 30
        delete: 365
      so-zeek:
        close: 30
        delete: 365
--- a/salt/curator/disabled.sls
+++ b/salt/curator/disabled.sls
@@ -1,22 +1,17 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 include:
  - curator.sostatus
 so-curator:
  docker_container.absent:
    - force: True
 so-curator_so-status.disabled:
-  file.comment:
+  file.line:
    - name: /opt/so/conf/so-status/so-status.conf
-    - regex: ^so-curator$
+    - match: ^so-curator$
    - mode: delete
 so-curator-cluster-close:
  cron.absent:
@@ -26,10 +21,14 @@ so-curator-cluster-delete:
  cron.absent:
    - identifier: so-curator-cluster-delete
-{% else %}
+delete_curator_configuration:
  file.absent:
    - name: /opt/so/conf/curator
    - recurse: True
-{{sls}}_state_not_allowed:
+{% set files = salt.file.find(path='/usr/sbin', name='so-curator*') %}
-  test.fail_without_changes:
+{% if files|length > 0 %}
-    - name: {{sls}}_state_not_allowed
+delete_curator_scripts:
-
+  file.absent:
-{% endif %}
+    - names: {{files|yaml}}
 {% endif %}
--- a/salt/curator/enabled.sls
+++ b/salt/curator/enabled.sls
@@ -1,88 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 {%   from 'docker/docker.map.jinja' import DOCKER %}
 include:
  - curator.config
  - curator.sostatus
 so-curator:
  docker_container.running:
    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-curator:{{ GLOBALS.so_version }}
    - start: True
    - hostname: curator
    - name: so-curator
    - user: curator
    - networks:
      - sobridge:
        - ipv4_address: {{ DOCKER.containers['so-curator'].ip }}
    - interactive: True
    - tty: True
    - binds:
      - /opt/so/conf/curator/curator.yml:/etc/curator/config/curator.yml:ro
      - /opt/so/conf/curator/action/:/etc/curator/action:ro
      - /opt/so/log/curator:/var/log/curator:rw
      {% if DOCKER.containers['so-curator'].custom_bind_mounts %}
        {% for BIND in DOCKER.containers['so-curator'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
      {% if DOCKER.containers['so-curator'].extra_hosts %}
    - extra_hosts:
        {% for XTRAHOST in DOCKER.containers['so-curator'].extra_hosts %}
      - {{ XTRAHOST }}
        {% endfor %}
      {% endif %}
      {% if DOCKER.containers['so-curator'].extra_env %}
    - environment:
        {% for XTRAENV in DOCKER.containers['so-curator'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
    - require:
      - file: actionconfs
      - file: curconf
      - file: curlogdir
    - watch:
      - file: curconf
 delete_so-curator_so-status.disabled:
  file.uncomment:
    - name: /opt/so/conf/so-status/so-status.conf
    - regex: ^so-curator$
 so-curator-cluster-close:
  cron.present:
    - name: /usr/sbin/so-curator-cluster-close > /opt/so/log/curator/cron-close.log 2>&1
    - identifier: so-curator-cluster-close
    - user: root
    - minute: '2'
    - hour: '*/1'
    - daymonth: '*'
    - month: '*'
    - dayweek: '*'
 so-curator-cluster-delete:
  cron.present:
    - name: /usr/sbin/so-curator-cluster-delete > /opt/so/log/curator/cron-cluster-delete.log 2>&1
    - identifier: so-curator-cluster-delete
    - user: root
    - minute: '*/5'
    - hour: '*'
    - daymonth: '*'
    - month: '*'
    - dayweek: '*'
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
--- a/salt/curator/files/action/delete.yml
+++ b/salt/curator/files/action/delete.yml
@@ -1,31 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% import_yaml 'elasticsearch/defaults.yaml' as ELASTICDEFAULTS %}
 {% set ELASTICMERGED = salt['pillar.get']('elasticsearch:retention', ELASTICDEFAULTS.elasticsearch.retention, merge=true) %}
 {{ ELASTICMERGED.retention_pct }}
 {%- set log_size_limit = salt['pillar.get']('elasticsearch:log_size_limit') %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete indices when {{log_size_limit}}(GB) is exceeded.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-.*|so-.*|.ds-logs-.*-so.*)$'
    - filtertype: pattern
      kind: regex
      value: '^(so-case.*)$'
      exclude: True
    - filtertype: space
      source: creation_date
      use_age: True
      disk_space: {{log_size_limit}}
--- a/salt/curator/files/action/logs-elastic_agent-default-close.yaml
+++ b/salt/curator/files/action/logs-elastic_agent-default-close.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-elastic_agent-default'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Elastic Agent default indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-elastic_agent-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-elastic_agent-default-delete.yaml
+++ b/salt/curator/files/action/logs-elastic_agent-default-delete.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-default'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Elastic Agent default indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-elastic_agent-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-elastic_agent-filebeat-default-close.yaml
+++ b/salt/curator/files/action/logs-elastic_agent-filebeat-default-close.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-elastic_agent-filebeat-default'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Elastic Agent Filebeat indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-elastic_agent.filebeat-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-elastic_agent-filebeat-default-delete.yaml
+++ b/salt/curator/files/action/logs-elastic_agent-filebeat-default-delete.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-filebeat-default'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Elastic Agent Filebeat indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-elastic_agent.filebeat-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-elastic_agent-fleet_server-default-close.yaml
+++ b/salt/curator/files/action/logs-elastic_agent-fleet_server-default-close.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-elastic_agent-fleet_server-default'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Elastic Agent Fleet Server indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-elastic_agent.fleet_server-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-elastic_agent-fleet_server-default-delete.yaml
+++ b/salt/curator/files/action/logs-elastic_agent-fleet_server-default-delete.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-fleet_server-default'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete import indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-elastic_agent.fleet_server-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-elastic_agent-metricbeat-default-close.yaml
+++ b/salt/curator/files/action/logs-elastic_agent-metricbeat-default-close.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-elastic_agent-metricbeat-default'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Elastic Agent Metricbeat indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-elastic_agent.metricbeat-default-.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-elastic_agent-metricbeat-default-delete.yaml
+++ b/salt/curator/files/action/logs-elastic_agent-metricbeat-default-delete.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-metricbeat-default'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Elastic Agent Metricbeat indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-elastic_agent.metricbeat-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-elastic_agent-osquerybeat-default-close.yaml
+++ b/salt/curator/files/action/logs-elastic_agent-osquerybeat-default-close.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-elastic_agent-osquerybeat-default'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Elastic Agent Osquerybeat indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-elastic_agent.osquerybeat-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-elastic_agent-osquerybeat-default-delete.yaml
+++ b/salt/curator/files/action/logs-elastic_agent-osquerybeat-default-delete.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-osquerybeat-default'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Elastic Agent Osquerybeat indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-elastic_agent.osquerybeat-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-elastic_agent-osquerybeat-delete.yaml
+++ b/salt/curator/files/action/logs-elastic_agent-osquerybeat-delete.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-import-so'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete import indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-import-so.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-import-so-close.yml
+++ b/salt/curator/files/action/logs-import-so-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-import-so'].close %}
 actions:
  1:
    action: close
    description: >-
      Close import indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-import-so.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-import-so-delete.yml
+++ b/salt/curator/files/action/logs-import-so-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-import-so'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete import indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-import-so.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-strelka-so-close.yml
+++ b/salt/curator/files/action/logs-strelka-so-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-strelka-so'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Strelka indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-strelka-so.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-strelka-so-delete.yml
+++ b/salt/curator/files/action/logs-strelka-so-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-strelka-so'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Strelka indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-strelka-so.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-suricata-so-close.yml
+++ b/salt/curator/files/action/logs-suricata-so-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-suricata-so'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Suricata indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-suricata-so.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-suricata-so-delete.yml
+++ b/salt/curator/files/action/logs-suricata-so-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-suricata-so'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Suricata indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-suricata-so.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-syslog-so-close.yml
+++ b/salt/curator/files/action/logs-syslog-so-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-syslog-so'].close %}
 actions:
  1:
    action: close
    description: >-
      Close syslog indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-syslog-so.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-syslog-so-delete.yml
+++ b/salt/curator/files/action/logs-syslog-so-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-syslog-so'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete syslog indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-syslog-so.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-system-application-default-close.yaml
+++ b/salt/curator/files/action/logs-system-application-default-close.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-system-application-default'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Elastic Agent system application indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-system.application-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-system-application-default-delete.yaml
+++ b/salt/curator/files/action/logs-system-application-default-delete.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-system-application-default'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Elastic Agent system application indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-system.application-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-system-auth-default-close.yaml
+++ b/salt/curator/files/action/logs-system-auth-default-close.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-system-auth-default'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Elastic Agent system auth indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-system.auth-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-system-auth-default-delete.yaml
+++ b/salt/curator/files/action/logs-system-auth-default-delete.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-system-auth-default'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Elastic Agent system auth indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-system.auth-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-system-security-default-close.yaml
+++ b/salt/curator/files/action/logs-system-security-default-close.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-system-security-default'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Elastic Agent system security indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-system.security-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-system-security-default-delete.yaml
+++ b/salt/curator/files/action/logs-system-security-default-delete.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-system-security-default'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Elastic Agent system security indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-system.security-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-system-syslog-default-close.yaml
+++ b/salt/curator/files/action/logs-system-syslog-default-close.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-system-syslog-default'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Elastic Agent system syslog indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-system.syslog-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-system-syslog-default-delete.yaml
+++ b/salt/curator/files/action/logs-system-syslog-default-delete.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-system-syslog-default'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Elastic Agent system syslog indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-system.syslog-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-system-system-default-close.yaml
+++ b/salt/curator/files/action/logs-system-system-default-close.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-system-system-default'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Elastic Agent system system indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-system.system-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-system-system-default-delete.yaml
+++ b/salt/curator/files/action/logs-system-system-default-delete.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-system-system-default'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Elastic Agent system system indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-system.system-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-windows-powershell-default-close.yaml
+++ b/salt/curator/files/action/logs-windows-powershell-default-close.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-windows-powershell-default'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Elastic Agent Windows Powershell indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-windows.powershell-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-windows-powershell-default-delete.yaml
+++ b/salt/curator/files/action/logs-windows-powershell-default-delete.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-windows-powershell-default'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Elastic Agent Windows Powershell indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-windows.powershell-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-windows-sysmon_operational-default-close.yaml
+++ b/salt/curator/files/action/logs-windows-sysmon_operational-default-close.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-windows-sysmon_operational-default'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Elastic Agent Windows Sysmon operational indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-windows.sysmon_operational-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-windows-sysmon_operational-default-delete.yaml
+++ b/salt/curator/files/action/logs-windows-sysmon_operational-default-delete.yaml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-windows-sysmon_operational-default'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Elastic Agent Windows Sysmon operational indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-windows.sysmon_operational-default.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/logs-zeek-so-close.yml
+++ b/salt/curator/files/action/logs-zeek-so-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['logs-zeek-so'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Zeek indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(.ds-logs-zeek-so.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/logs-zeek-so-delete.yml
+++ b/salt/curator/files/action/logs-zeek-so-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['logs-zeek-so'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Zeek indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(.ds-logs-zeek-so.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/so-beats-close.yml
+++ b/salt/curator/files/action/so-beats-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['so-beats'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Beats indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(logstash-beats.*|so-beats.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/so-beats-delete.yml
+++ b/salt/curator/files/action/so-beats-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['so-beats'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete beats indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-beats.*|so-beats.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/so-elasticsearch-close.yml
+++ b/salt/curator/files/action/so-elasticsearch-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['so-elasticsearch'].close %}
 actions:
  1:
    action: close
    description: >-
      Close elasticsearch indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(logstash-elasticsearch.*|so-elasticsearch.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/so-elasticsearch-delete.yml
+++ b/salt/curator/files/action/so-elasticsearch-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['so-elasticsearch'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete elasticsearch indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-elasticsearch.*|so-elasticsearch.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/so-firewall-close.yml
+++ b/salt/curator/files/action/so-firewall-close.yml
@@ -1,28 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['so-firewall'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Firewall indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(logstash-firewall.*|so-firewall.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/so-firewall-delete.yml
+++ b/salt/curator/files/action/so-firewall-delete.yml
@@ -1,28 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['so-firewall'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete firewall indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-firewall.*|so-firewall.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/so-ids-close.yml
+++ b/salt/curator/files/action/so-ids-close.yml
@@ -1,28 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['so-ids'].close %}
 actions:
  1:
    action: close
    description: >-
      Close IDS indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(logstash-ids.*|so-ids.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/so-ids-delete.yml
+++ b/salt/curator/files/action/so-ids-delete.yml
@@ -1,28 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['so-ids'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete IDS indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-ids.*|so-ids.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/so-import-close.yml
+++ b/salt/curator/files/action/so-import-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['so-import'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Import indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(logstash-import.*|so-import.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/so-import-delete.yml
+++ b/salt/curator/files/action/so-import-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['so-import'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete import indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-import.*|so-import.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/so-kibana-close.yml
+++ b/salt/curator/files/action/so-kibana-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['so-kibana'].close %}
 actions:
  1:
    action: close
    description: >-
      Close kibana indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(logstash-kibana.*|so-kibana.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/so-kibana-delete.yml
+++ b/salt/curator/files/action/so-kibana-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['so-kibana'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete kibana indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-kibana.*|so-kibana.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/so-kratos-close.yml
+++ b/salt/curator/files/action/so-kratos-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['so-kratos'].close %}
 actions:
  1:
    action: close
    description: >-
      Close kratos indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-kratos.*|so-kratos.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/so-kratos-delete.yml
+++ b/salt/curator/files/action/so-kratos-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['so-kratos'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete kratos indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-kratos.*|so-kratos.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/so-logstash-close.yml
+++ b/salt/curator/files/action/so-logstash-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['so-logstash'].close %}
 actions:
  1:
    action: close
    description: >-
      Close logstash indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(logstash-logstash.*|so-logstash.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/so-logstash-delete.yml
+++ b/salt/curator/files/action/so-logstash-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['so-logstash'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete logstash indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-logstash.*|so-logstash.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/so-netflow-close.yml
+++ b/salt/curator/files/action/so-netflow-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['so-netflow'].close %}
 actions:
  1:
    action: close
    description: >-
      Close netflow indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(logstash-netflow.*|so-netflow.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/so-netflow-delete.yml
+++ b/salt/curator/files/action/so-netflow-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['so-netflow'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete netflow indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-netflow.*|so-netflow.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/so-osquery-close.yml
+++ b/salt/curator/files/action/so-osquery-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['so-osquery'].close %}
 actions:
  1:
    action: close
    description: >-
      Close osquery indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(logstash-osquery.*|so-osquery.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/so-osquery-delete.yml
+++ b/salt/curator/files/action/so-osquery-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['so-osquery'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete import indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-osquery.*|so-osquery.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/so-ossec-close.yml
+++ b/salt/curator/files/action/so-ossec-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['so-ossec'].close %}
 actions:
  1:
    action: close
    description: >-
      Close ossec indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(logstash-ossec.*|so-ossec.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/so-ossec-delete.yml
+++ b/salt/curator/files/action/so-ossec-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['so-ossec'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete ossec indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-ossec.*|so-ossec.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/so-redis-close.yml
+++ b/salt/curator/files/action/so-redis-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['so-redis'].close %}
 actions:
  1:
    action: close
    description: >-
      Close redis indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(logstash-redis.*|so-redis.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/so-redis-delete.yml
+++ b/salt/curator/files/action/so-redis-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['so-redis'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete redis indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-redis.*|so-redis.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/so-strelka-close.yml
+++ b/salt/curator/files/action/so-strelka-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['so-strelka'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Strelka indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(logstash-strelka.*|so-strelka.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/so-strelka-delete.yml
+++ b/salt/curator/files/action/so-strelka-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['so-strelka'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Strelka indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-strelka.*|so-strelka.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/so-syslog-close.yml
+++ b/salt/curator/files/action/so-syslog-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['so-syslog'].close %}
 actions:
  1:
    action: close
    description: >-
      Close syslog indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(logstash-syslog.*|so-syslog.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/so-syslog-delete.yml
+++ b/salt/curator/files/action/so-syslog-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['so-syslog'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete syslog indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-syslog.*|so-syslog.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/action/so-zeek-close.yml
+++ b/salt/curator/files/action/so-zeek-close.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set cur_close_days = CURATORMERGED['so-zeek'].close %}
 actions:
  1:
    action: close
    description: >-
      Close Zeek indices older than {{cur_close_days}} days.
    options:
      delete_aliases: False
      timeout_override:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex 
      value: '^(logstash-zeek.*|so-zeek.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{cur_close_days}}
      exclude:
--- a/salt/curator/files/action/so-zeek-delete.yml
+++ b/salt/curator/files/action/so-zeek-delete.yml
@@ -1,27 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {%- set DELETE_DAYS = CURATORMERGED['so-zeek'].delete %}
 actions:
  1:
    action: delete_indices
    description: >-
      Delete Zeek indices when older than {{ DELETE_DAYS }} days.
    options:
      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
      kind: regex
      value: '^(logstash-zeek.*|so-zeek.*)$'
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: {{ DELETE_DAYS }}
      exclude:
--- a/salt/curator/files/curator.yml
+++ b/salt/curator/files/curator.yml
@@ -1,40 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% if GLOBALS.role in ['so-searchnode', 'so-heavynode'] %}
  {%- set elasticsearch = GLOBALS.node_ip -%}
 {% elif GLOBALS.role in ['so-eval', 'so-managersearch', 'so-standalone', 'so-manager'] %}
  {%- set elasticsearch = GLOBALS.manager_ip -%}
 {%- endif %}
 {%-   set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%-   set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 ---
 # Remember, leave a key empty if there is no value.  None will be a string,
 # not a Python "NoneType"
 elasticsearch:
  client:
    hosts:
      - https://{{elasticsearch}}:9200
    cloud_id:
    ca_certs:
    client_cert:
    client_key:
    verify_certs: False
    request_timeout: 30
  other_settings:
    api_key:
      id:
      api_key:
    master_only: False
    username: "{{ ES_USER }}"
    password: "{{ ES_PASS }}"
 logging:
  loglevel: INFO
  logfile: '/var/log/curator/curator.log'
  logformat: default
  blacklist: ['elasticsearch', 'urllib3']
--- a/salt/curator/init.sls
+++ b/salt/curator/init.sls
@@ -1,13 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'curator/map.jinja' import CURATORMERGED %}
 include:
 {% if CURATORMERGED.enabled %}
  - curator.enabled
 {% else %}
  - curator.disabled
 {% endif %}
--- a/Show More
+++ b/Show More