Merge pull request #11476 from Security-Onion-Solutions/2.4/dev

2.4.20
Merge pull request #11475 from Security-Onion-Solutions/2.4.20
2025-12-06 17:22:49 +01:00 · 2023-10-06 16:45:11 -04:00 · 2023-10-05 11:41:55 -04:00 · 2023-10-05 11:37:49 -04:00 · 2023-10-05 11:27:48 -04:00 · 2023-10-03 10:17:37 -04:00
148 changed files with 3158 additions and 15964 deletions
--- a/DOWNLOAD_AND_VERIFY_ISO.md
+++ b/DOWNLOAD_AND_VERIFY_ISO.md
@@ -1,18 +1,18 @@
-### 2.4.5-20230807 ISO image released on 2023/08/07
+### 2.4.20-20231006 ISO image released on 2023/10/06
 ### Download and Verify
-2.4.5-20230807 ISO image:  
+2.4.20-20231006 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.4.5-20230807.iso
+https://download.securityonion.net/file/securityonion/securityonion-2.4.20-20231006.iso
-MD5: F83FD635025A3A65B380EAFCEB61A92E  
+MD5: 269F00308C53976BF0EAE788D1DB29DB  
-SHA1: 5864D4CD520617E3328A3D956CAFCC378A8D2D08  
+SHA1: 3F7C2324AE1271112F3B752BA4724AF36688FC27  
-SHA256: D333BAE0DD198DFD80DF59375456D228A4E18A24EDCDB15852CD4CA3F92B69A7  
+SHA256: 542B8B3F4F75AD24DC78007F8FE0857E00DC4CC9F4870154DCB8D5D0C4144B65  
 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.5-20230807.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.20-20231006.iso.sig
 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS  
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.
 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.5-20230807.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.20-20231006.iso.sig
 ```
 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.4.5-20230807.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.4.20-20231006.iso
 ```
 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.4.5-20230807.iso.sig securityonion-2.4.5-20230807.iso
+gpg --verify securityonion-2.4.20-20231006.iso.sig securityonion-2.4.20-20231006.iso
 ```
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Sat 05 Aug 2023 10:12:46 AM EDT using RSA key ID FE507013
+gpg: Signature made Tue 03 Oct 2023 11:40:51 AM EDT using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
-## Security Onion 2.4 Release Candidate 2 (RC2)
+## Security Onion 2.4
-Security Onion 2.4 Release Candidate 2 (RC2) is here!
+Security Onion 2.4 is here!
 ## Screenshots
--- a/2
+++ b/2
@@ -1 +1 @@
-2.4.5
+2.4.20
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -4,14 +4,9 @@ base:
    - global.adv_global
    - docker.soc_docker
    - docker.adv_docker
    - firewall.soc_firewall
    - firewall.adv_firewall
    - influxdb.token
    - logrotate.soc_logrotate
    - logrotate.adv_logrotate
    - nginx.soc_nginx
    - nginx.adv_nginx
    - node_data.ips
    - ntp.soc_ntp
    - ntp.adv_ntp
    - patch.needs_restarting
@@ -22,6 +17,13 @@ base:
    - telegraf.soc_telegraf
    - telegraf.adv_telegraf
  '* and not *_desktop':
    - firewall.soc_firewall
    - firewall.adv_firewall
    - nginx.soc_nginx
    - nginx.adv_nginx
    - node_data.ips
  '*_manager or *_managersearch':
    - match: compound
    {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
--- a/salt/allowed_states.map.jinja
+++ b/salt/allowed_states.map.jinja
@@ -188,6 +188,9 @@
          'docker_clean'
          ],
      'so-desktop': [
          'ssl',
          'docker_clean',
          'telegraf'
          ],
  }, grain='role') %}
--- a/salt/common/packages.sls
+++ b/salt/common/packages.sls
@@ -21,7 +21,6 @@ commonpkgs:
      - python3-dateutil
      - python3-docker
      - python3-packaging
      - python3-watchdog
      - python3-lxml
      - git
      - rsync
@@ -47,10 +46,16 @@ python-rich:
 {% endif %}
 {% if GLOBALS.os_family == 'RedHat' %}
 remove_mariadb:
  pkg.removed:
    - name: mariadb-devel
 commonpkgs:
  pkg.installed:
    - skip_suggestions: True
    - pkgs:
      - python3-dnf-plugin-versionlock
      - curl
      - device-mapper-persistent-data
      - fuse
@@ -63,26 +68,19 @@ commonpkgs:
      - httpd-tools
      - jq
      - lvm2
      {% if GLOBALS.os == 'CentOS Stream' %}
      - MariaDB-devel
      {% else %}
      - mariadb-devel
      {% endif %}
      - net-tools
      - nmap-ncat
      - openssl
      - procps-ng
      - python3-dnf-plugin-versionlock
      - python3-docker
      - python3-m2crypto
      - python3-packaging
      - python3-pyyaml
      - python3-rich
      - python3-watchdog
      - rsync
      - sqlite
      - tcpdump
      - unzip
      - wget
      - yum-utils
 {% endif %}
--- a/salt/common/soup_scripts.sls
+++ b/salt/common/soup_scripts.sls
@@ -19,4 +19,5 @@ soup_manager_scripts:
    - source: salt://manager/tools/sbin
    - include_pat:
        - so-firewall
-        - soup
+        - so-repo-sync
        - soup
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -154,13 +154,11 @@ check_salt_minion_status() {
 	return $status
 }
 copy_new_files() {
  # Copy new files over to the salt dir
  cd $UPDATE_DIR
-  rsync -a salt $DEFAULT_SALT_DIR/
+  rsync -a salt $DEFAULT_SALT_DIR/ --delete
-  rsync -a pillar $DEFAULT_SALT_DIR/
+  rsync -a pillar $DEFAULT_SALT_DIR/ --delete
  chown -R socore:socore $DEFAULT_SALT_DIR/
  chmod 755 $DEFAULT_SALT_DIR/pillar/firewall/addfirewall.sh
  cd /tmp
@@ -242,7 +240,7 @@ gpg_rpm_import() {
 	    else
 	        local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/$OS/keys"
 	    fi
-		RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub' 'MariaDB-Server-GPG-KEY')
+		RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
 		for RPMKEY in "${RPMKEYS[@]}"; do
    	        rpm --import $RPMKEYSLOC/$RPMKEY
 	        echo "Imported $RPMKEY"
@@ -446,6 +444,10 @@ set_os() {
 			OS=centos
 			OSVER=9
 			is_centos=true
 		elif grep -q "Oracle Linux Server release 9" /etc/system-release; then
 			OS=oel
 			OSVER=9
 			is_oracle=true
 		fi
 		cron_service_name="crond"
 	else
--- a/salt/common/tools/sbin/so-log-check
+++ b/salt/common/tools/sbin/so-log-check
@@ -0,0 +1,233 @@
 #!/bin/bash
 #
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 . /usr/sbin/so-common
 RECENT_LOG_LINES=200
 EXCLUDE_STARTUP_ERRORS=N
 EXCLUDE_FALSE_POSITIVE_ERRORS=N
 EXCLUDE_KNOWN_ERRORS=N
 while [[ $# -gt 0 ]]; do
    case $1 in
        --exclude-connection-errors)
            EXCLUDE_STARTUP_ERRORS=Y
            ;;
        --exclude-false-positives)
            EXCLUDE_FALSE_POSITIVE_ERRORS=Y
            ;;
        --exclude-known-errors)
            EXCLUDE_KNOWN_ERRORS=Y
            ;;
        --unknown)
            EXCLUDE_STARTUP_ERRORS=Y
            EXCLUDE_FALSE_POSITIVE_ERRORS=Y
            EXCLUDE_KNOWN_ERRORS=Y
            ;;
        --recent-log-lines)
            shift
            RECENT_LOG_LINES=$1
            ;;
        *)
            echo "Usage: $0 [options]"
            echo ""
            echo "where options are:"
            echo "  --recent-log-lines N            looks at the most recent N log lines per file or container; defaults to 200"
            echo "  --exclude-connection-errors     exclude errors caused by a recent server or container restart"
            echo "  --exclude-false-positives       exclude logs that are known false positives"
            echo "  --exclude-known-errors          exclude errors that are known and non-critical issues"
            echo "  --unknown                       exclude everything mentioned above; only show unknown errors"
            echo ""
            echo "A non-zero return value indicates errors were found"
            exit 1
            ;;
    esac
    shift
 done
 echo "Security Onion Log Check - $(date)"
 echo "-------------------------------------------"
 echo ""
 echo "- RECENT_LOG_LINES:                $RECENT_LOG_LINES"
 echo "- EXCLUDE_STARTUP_ERRORS:          $EXCLUDE_STARTUP_ERRORS"
 echo "- EXCLUDE_FALSE_POSITIVE_ERRORS:   $EXCLUDE_FALSE_POSITIVE_ERRORS"
 echo "- EXCLUDE_KNOWN_ERRORS:            $EXCLUDE_KNOWN_ERRORS"
 echo ""
 function status() {
    header "$1"
 }
 function exclude_container() {
    name=$1
    exclude_id=$(docker ps | grep "$name" | awk '{print $1}')
    if [[ -n "$exclude_id" ]]; then
        CONTAINER_IDS=$(echo $CONTAINER_IDS | sed -e "s/$exclude_id//g")
        return $?
    fi
    return $?
 }
 function exclude_log() {
    name=$1
    cat /tmp/log_check_files | grep -v $name > /tmp/log_check_files.new
    mv /tmp/log_check_files.new /tmp/log_check_files
 }
 function check_for_errors() {
    if cat /tmp/log_check | grep -i error | grep -vEi "$EXCLUDED_ERRORS"; then
        RESULT=1
    fi
 }
 EXCLUDED_ERRORS="__LOG_CHECK_PLACEHOLDER_EXCLUSION__"
 if [[ $EXCLUDE_STARTUP_ERRORS == 'Y' ]]; then
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|database is locked"           # server not yet ready
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|econnreset"                   # server not yet ready
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|unreachable"                  # server not yet ready (logstash waiting on elastic)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|shutdown process"             # server not yet ready (logstash waiting on elastic)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|contain valid certificates"   # server not yet ready (logstash waiting on elastic)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|failedaction"                 # server not yet ready (logstash waiting on elastic)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|no route to host"             # server not yet ready
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|not running"                  # server not yet ready
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|unavailable"                  # server not yet ready
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|request.py"                   # server not yet ready (python stack output)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|httperror"                    # server not yet ready
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|servfail"                     # server not yet ready
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|connect"                      # server not yet ready
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|missing shards"               # server not yet ready
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|failed to send metrics"       # server not yet ready
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|broken pipe"                  # server not yet ready
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|status: 502"                  # server not yet ready (nginx waiting on upstream)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|timeout exceeded"             # server not yet ready (telegraf waiting on elasticsearch)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|influxsize kbytes"            # server not yet ready (telegraf waiting on influx)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|expected field at"            # server not yet ready (telegraf waiting on health data)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|cached the public key"        # server not yet ready (salt minion waiting on key acceptance)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|no ingest nodes"              # server not yet ready (logstash waiting on elastic)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|failed to poll"               # server not yet ready (sensoroni waiting on soc)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|minions returned with non"    # server not yet ready (salt waiting on minions)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|so_long_term"                 # server not yet ready (influxdb not yet setup)
 fi
 if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|elastalert_status_error"      # false positive
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|elastalert_error"             # false positive
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|error: '0'"                   # false positive
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|errors_index"                 # false positive
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|noerror"                      # false positive
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|outofmemoryerror"             # false positive (elastic command line)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|adding component template"    # false positive (elastic security)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|adding index template"        # false positive (elastic security)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|fs_errors"                    # false positive (suricata stats)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|error-template"               # false positive (elastic templates)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|deprecated"                   # false positive (playbook)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|windows"                      # false positive (playbook)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|could cause errors"           # false positive (playbook)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|_error.yml"                   # false positive (playbook)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|id.orig_h"                    # false positive (zeek test data)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|emerging-all.rules"           # false positive (error in rulename)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|invalid query input"          # false positive (Invalid user input in hunt query)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|example"                      # false positive (example test data)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|status 200"                   # false positive (request successful, contained error string in content)
 fi
 if [[ $EXCLUDE_KNOWN_ERRORS == 'Y' ]]; then
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|eof"
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|raise"                        # redis/python generic stack line, rely on other lines for actual error
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|fail\\(error\\)"              # redis/python generic stack line, rely on other lines for actual error
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|urlerror"                     # idstools connection timeout
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|timeouterror"                 # idstools connection timeout
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|forbidden"                    # playbook
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|_ml"                          # Elastic ML errors 
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|context canceled"             # elastic agent during shutdown
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|exited with code 128"         # soctopus errors during forced restart by highstate
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|geoip databases update"       # airgap can't update GeoIP DB
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|filenotfounderror"            # bug in 2.4.10 filecheck salt state caused duplicate cronjobs
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|salt-minion-check"            # bug in early 2.4 place Jinja script in non-jinja salt dir causing cron output errors
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|generating elastalert config" # playbook expected error
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|activerecord"                 # playbook expected error
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|monitoring.metrics"           # known issue with elastic agent casting the field incorrectly if an integer value shows up before a float
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|repodownload.conf"            # known issue with reposync on pre-2.4.20 
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|missing versions record"      # stenographer corrupt index
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|soc.field."                   # known ingest type collisions issue with earlier versions of SO
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|iteration"
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|communication packets"
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|use of closed"
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|bookkeeper"
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|noindices"
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|failed to start transient scope"
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|so-user.lock exists"
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|systemd-run"
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|retcode: 1"
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|telemetry-task"
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|redisqueue"
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|fleet_detail_query"
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|num errors=0"
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|provisioning/alerting"
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|provisioning/notifiers"
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|provisoning/plugins"
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|active-responses.log"
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|scanentropy"
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|integration policy"
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|blob unknown"
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|token required"
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|zeekcaptureloss"
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|unable to create detection"
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|error installing new prebuilt rules"
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|parent.error"
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|req.LocalMeta.host.ip"        # known issue in GH
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|sendmail"                     # zeek
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|stats.log"
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|context deadline exceeded"
 fi
 RESULT=0
 # Check Security Onion container stdout/stderr logs
 CONTAINER_IDS=$(docker ps -q)
 exclude_container so-kibana   # kibana error logs are too verbose with large varieties of errors most of which are temporary
 exclude_container so-idstools # ignore due to known issues and noisy logging
 exclude_container so-playbook # ignore due to several playbook known issues
 for container_id in $CONTAINER_IDS; do
    container_name=$(docker ps --format json | jq ". | select(.ID==\"$container_id\")|.Names")
    status "Checking container $container_name"
    docker logs -n $RECENT_LOG_LINES $container_id > /tmp/log_check 2>&1
    check_for_errors
 done
 # Check Security Onion related log files
 find /opt/so/log/ /nsm -name \*.log > /tmp/log_check_files
 if [[ -f /var/log/cron ]]; then
    echo "/var/log/cron" >> /tmp/log_check_files
 fi
 exclude_log "kibana.log"   # kibana error logs are too verbose with large varieties of errors most of which are temporary
 exclude_log "spool"        # disregard zeek analyze logs as this is data specific
 exclude_log "import"       # disregard imported test data the contains error strings
 exclude_log "update.log"   # ignore playbook updates due to several known issues
 exclude_log "playbook.log" # ignore due to several playbook known issues
 for log_file in $(cat /tmp/log_check_files); do
    status "Checking log file $log_file"
    tail -n $RECENT_LOG_LINES $log_file > /tmp/log_check
    check_for_errors
 done
 # Cleanup temp files
 rm -f /tmp/log_check_files
 rm -f /tmp/log_check
 if [[ $RESULT -eq 0 ]]; then
    echo -e "\nResult: No errors found"
 else
    echo -e "\nResult: One or more errors found"
 fi
 exit $RESULT
--- a/salt/common/tools/sbin/so-test
+++ b/salt/common/tools/sbin/so-test
@@ -5,4 +5,14 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 . /usr/sbin/so-common
 set -e
 # Playback live sample data onto monitor interface
 so-tcpreplay /opt/samples/* 2> /dev/null
 # Ingest sample pfsense log entry
 if is_sensor_node; then
    echo "<134>$(date '+%b %d %H:%M:%S') filterlog[31624]: 84,,,1567509287,igb0.244,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,64,192.168.1.1,10.10.10.10,56320,443,0,S,3333585167,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol" | nc -uv -w1 127.0.0.1 514 > /dev/null 2>&1
 fi
--- a/salt/common/tools/sbin_jinja/so-desktop-install
+++ b/salt/common/tools/sbin_jinja/so-desktop-install
@@ -5,15 +5,15 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 source /usr/sbin/so-common
 doc_desktop_url="$DOC_BASE_URL/desktop.html"
-{# we only want the script to install the desktop if it is Rocky -#}
+{# we only want the script to install the desktop if it is OEL -#}
-{% if grains.os == 'Rocky' -%}
+{% if grains.os == 'OEL' -%}
 {#   if this is a manager -#}
 {%   if grains.master == grains.id.split('_')|first -%}
-source /usr/sbin/so-common
+pillar_file="/opt/so/saltstack/local/pillar/minions/adv_{{grains.id}}.sls"
 doc_desktop_url="$DOC_BASE_URL/desktop.html"
 pillar_file="/opt/so/saltstack/local/pillar/minions/{{grains.id}}.sls"
 if [ -f "$pillar_file" ]; then
  if ! grep -q "^desktop:$" "$pillar_file"; then
@@ -65,7 +65,7 @@ if [ -f "$pillar_file" ]; then
    fi
  else # desktop is already added
    echo "The desktop pillar already exists in $pillar_file."
-    echo "To enable/disable the gui, set 'desktop:gui:enabled' to true or false in $pillar_file."
+    echo "To enable/disable the gui, set 'desktop:gui:enabled' to true or false in $pillar_file. Alternatively, this can be set in the SOC UI under advanced."
    echo "Additional documentation can be found at $doc_desktop_url."
  fi
 else # if the pillar file doesn't exist
@@ -75,17 +75,22 @@ fi
 {#-  if this is not a manager #}
 {%   else -%}
-echo "Since this is not a manager, the pillar values to enable Security Onion Desktop must be set manually. Please view the documentation at $doc_desktop_url."
+echo "Since this is not a manager, the pillar values to enable Security Onion Desktop must be set manually. This can be enabled in the SOC UI under advanced by adding the following:"
 echo "desktop:"
 echo "  gui:"
 echo "    enabled: true"
 echo ""
 echo "Please view the documentation at $doc_desktop_url."
 {#- endif if this is a manager #}
 {%   endif -%}
-{#- if not Rocky #}
+{#- if not OEL #}
 {%- else %}
-echo "The Security Onion Desktop can only be installed on Rocky Linux. Please view the documentation at $doc_desktop_url."
+echo "The Security Onion Desktop can only be installed on Oracle Linux. Please view the documentation at $doc_desktop_url."
-{#- endif grains.os == Rocky #}
+{#- endif grains.os == OEL #}
 {% endif -%}
 exit 0
--- a/salt/common/tools/sbin_jinja/so-import-evtx
+++ b/salt/common/tools/sbin_jinja/so-import-evtx
@@ -80,8 +80,8 @@ function evtx2es() {
    -e "SHIFTTS=$SHIFTDATE" \
    -v "$EVTX:/tmp/data.evtx" \
    -v "/nsm/import/$HASH/evtx/:/tmp/evtx/" \
-    -v "/nsm/import/evtx-end_newest:/tmp/newest" \
+    -v "/nsm/import/$HASH/evtx-end_newest:/tmp/newest" \
-    -v "/nsm/import/evtx-start_oldest:/tmp/oldest" \
+    -v "/nsm/import/$HASH/evtx-start_oldest:/tmp/oldest" \
    --entrypoint "/evtx_calc_timestamps.sh" \
    {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-pcaptools:{{ VERSION }} >> $LOG_FILE 2>&1
 }
@@ -111,12 +111,6 @@ INVALID_EVTXS_COUNT=0
 VALID_EVTXS_COUNT=0
 SKIPPED_EVTXS_COUNT=0
 touch /nsm/import/evtx-start_oldest
 touch /nsm/import/evtx-end_newest
 echo $START_OLDEST > /nsm/import/evtx-start_oldest
 echo $END_NEWEST > /nsm/import/evtx-end_newest
 # paths must be quoted in case they include spaces
 for EVTX in $INPUT_FILES; do
  EVTX=$(/usr/bin/realpath "$EVTX")
@@ -141,8 +135,15 @@ for EVTX in $INPUT_FILES; do
    status "- this EVTX has already been imported; skipping"
    SKIPPED_EVTXS_COUNT=$((SKIPPED_EVTXS_COUNT + 1))
  else
    # create EVTX directory
    EVTX_DIR=$HASH_DIR/evtx
    mkdir -p $EVTX_DIR
    # create import timestamp files
    for i in evtx-start_oldest evtx-end_newest; do
      if ! [ -f "$i" ]; then
        touch /nsm/import/$HASH/$i
      fi
    done
    # import evtx and write them to import ingest pipeline
    status "- importing logs to Elasticsearch..."
@@ -154,28 +155,37 @@ for EVTX in $INPUT_FILES; do
      VALID_EVTXS_COUNT=$((VALID_EVTXS_COUNT + 1))
    fi
    # compare $START to $START_OLDEST
    START=$(cat /nsm/import/evtx-start_oldest)
    START_COMPARE=$(date -d $START +%s)
    START_OLDEST_COMPARE=$(date -d $START_OLDEST +%s)
    if [ $START_COMPARE -lt $START_OLDEST_COMPARE ]; then
      START_OLDEST=$START
    fi  
    # compare $ENDNEXT to $END_NEWEST
    END=$(cat /nsm/import/evtx-end_newest)
    ENDNEXT=`date +%Y-%m-%d --date="$END 1 day"`
    ENDNEXT_COMPARE=$(date -d $ENDNEXT +%s)
    END_NEWEST_COMPARE=$(date -d $END_NEWEST +%s)
    if [ $ENDNEXT_COMPARE -gt $END_NEWEST_COMPARE ]; then
      END_NEWEST=$ENDNEXT
    fi  
    cp -f "${EVTX}" "${EVTX_DIR}"/data.evtx
    chmod 644 "${EVTX_DIR}"/data.evtx
  fi # end of valid evtx
  # determine start and end and make sure they aren't reversed
  START=$(cat /nsm/import/$HASH/evtx-start_oldest)
  END=$(cat /nsm/import/$HASH/evtx-end_newest)
  START_EPOCH=`date -d "$START" +"%s"`
  END_EPOCH=`date -d "$END" +"%s"`
  if [ "$START_EPOCH" -gt "$END_EPOCH" ]; then
    TEMP=$START
    START=$END
    END=$TEMP
  fi
  # compare $START to $START_OLDEST
  START_COMPARE=$(date -d $START +%s)
  START_OLDEST_COMPARE=$(date -d $START_OLDEST +%s)
  if [ $START_COMPARE -lt $START_OLDEST_COMPARE ]; then
    START_OLDEST=$START
  fi
  # compare $ENDNEXT to $END_NEWEST
  ENDNEXT=`date +%Y-%m-%d --date="$END 1 day"`
  ENDNEXT_COMPARE=$(date -d $ENDNEXT +%s)
  END_NEWEST_COMPARE=$(date -d $END_NEWEST +%s)
  if [ $ENDNEXT_COMPARE -gt $END_NEWEST_COMPARE ]; then
    END_NEWEST=$ENDNEXT
  fi
  status
 done # end of for-loop processing evtx files
--- a/salt/common/tools/sbin_jinja/so-salt-minion-check
+++ b/salt/common/tools/sbin_jinja/so-salt-minion-check
--- a/salt/desktop/files/00-background
+++ b/salt/desktop/files/00-background
@@ -0,0 +1,8 @@
 # Specify the dconf path
 [org/gnome/desktop/background]
 # Specify the path to the desktop background image file
 picture-uri='file:///usr/local/share/backgrounds/so-wallpaper.jpg'
 # Specify one of the rendering options for the background image:
 picture-options='zoom'
--- a/salt/desktop/packages.sls
+++ b/salt/desktop/packages.sls
@@ -1,8 +1,5 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {# we only want this state to run it is CentOS #}
-{% if GLOBALS.os == 'OEL' %}
+{% if grains.os == 'OEL' %}
 desktop_packages:
  pkg.installed:
--- a/salt/desktop/remove_gui.sls
+++ b/salt/desktop/remove_gui.sls
@@ -1,7 +1,5 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {# we only want this state to run it is CentOS #}
-{% if GLOBALS.os == 'OEL' %}
+{% if grains.os == 'OEL' %}
 remove_graphical_target:
  file.symlink:
--- a/salt/desktop/scripts/convert-gnome-classic.sh
+++ b/salt/desktop/scripts/convert-gnome-classic.sh
@@ -1,4 +0,0 @@
 #!/bin/bash
 echo "Setting default session to gnome-classic"
 cp /usr/share/accountsservice/user-templates/standard /etc/accountsservice/user-templates/
 sed -i 's|Session=gnome|Session=gnome-classic|g' /etc/accountsservice/user-templates/standard
--- a/salt/desktop/trusted-ca.sls
+++ b/salt/desktop/trusted-ca.sls
@@ -31,6 +31,6 @@ update_ca_certs:
 desktop_trusted-ca_os_fail:
  test.fail_without_changes:
-    - comment: 'SO Desktop can only be installed on CentOS'
+    - comment: 'SO Desktop can only be installed on Oracle Linux'
 {% endif %}
--- a/salt/desktop/xwindows.sls
+++ b/salt/desktop/xwindows.sls
@@ -1,7 +1,5 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {# we only want this state to run it is CentOS #}
-{% if GLOBALS.os == 'OEL' %}
+{% if grains.os == 'OEL' %}
 include:
  - desktop.packages
@@ -14,10 +12,7 @@ graphical_target:
    - require:
      - desktop_packages
-convert_gnome_classic:
+{# set users to use gnome-classic #}
  cmd.script:
    - name: salt://desktop/scripts/convert-gnome-classic.sh
 {%   for username in salt['file.find'](path='/home/',mindepth=1,maxdepth=1,type='d') %}
 {%     set username = username.split('/')[2] %}
 {%     if username != 'zeek' %}
@@ -35,6 +30,23 @@ convert_gnome_classic:
 {%     endif %}
 {%   endfor %}
 desktop_wallpaper:
  file.managed:
    - name: /usr/local/share/backgrounds/so-wallpaper.jpg
    - source: salt://desktop/files/so-wallpaper.jpg
    - makedirs: True
 set_wallpaper:
  file.managed:
    - name: /etc/dconf/db/local.d/00-background
    - source: salt://desktop/files/00-background
 run_dconf_update:
  cmd.run:
    - name: 'dconf update'
    - onchanges:
      - file: set_wallpaper
 {% else %}
 desktop_xwindows_os_fail:
--- a/salt/docker/defaults.yaml
+++ b/salt/docker/defaults.yaml
@@ -178,6 +178,9 @@ docker:
      extra_env: []
    'so-elastic-agent':
      final_octet: 46
      port_bindings:
        - 0.0.0.0:514:514/tcp
        - 0.0.0.0:514:514/udp
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
--- a/salt/docker/soc_docker.yaml
+++ b/salt/docker/soc_docker.yaml
@@ -8,7 +8,7 @@ docker:
    helpLink: docker.html
    advanced: True
  containers:
-    so-curator: &dockerOptions
+    so-dockerregistry: &dockerOptions
      final_octet:
        description: Last octet of the container IP address.
        helpLink: docker.html
@@ -20,6 +20,7 @@ docker:
        helpLink: docker.html
        advanced: True
        multiline: True
        forcedType: "[]string"
      custom_bind_mounts:
        description: List of custom local volume bindings.
        advanced: True
@@ -38,12 +39,8 @@ docker:
        helpLink: docker.html
        multiline: True
        forcedType: "[]string"
    so-dockerregistry: *dockerOptions
    so-elastalert: *dockerOptions
    so-elastic-fleet-package-registry: *dockerOptions
    so-elastic-fleet: *dockerOptions
    so-elasticsearch: *dockerOptions
    so-idh: *dockerOptions
    so-idstools: *dockerOptions
    so-influxdb: *dockerOptions
    so-kibana: *dockerOptions
@@ -53,11 +50,21 @@ docker:
    so-nginx: *dockerOptions
    so-playbook: *dockerOptions
    so-redis: *dockerOptions
    so-sensoroni: *dockerOptions
    so-soc: *dockerOptions
    so-soctopus: *dockerOptions
    so-strelka-backend: *dockerOptions
    so-strelka-coordinator: *dockerOptions
    so-strelka-filestream: *dockerOptions
    so-strelka-frontend: *dockerOptions
    so-strelka-gatekeeper: *dockerOptions
    so-strelka-manager: *dockerOptions
    so-strelka-gatekeeper: *dockerOptions
    so-strelka-coordinator: *dockerOptions
    so-elastalert: *dockerOptions
    so-curator: *dockerOptions
    so-elastic-fleet-package-registry: *dockerOptions
    so-idh: *dockerOptions
    so-elastic-agent: *dockerOptions
    so-telegraf: *dockerOptions
    so-steno: *dockerOptions
    so-suricata: *dockerOptions
    so-zeek: *dockerOptions
--- a/salt/docker_clean/init.sls
+++ b/salt/docker_clean/init.sls
@@ -9,6 +9,7 @@
 prune_images:
  cmd.run:
    - name: so-docker-prune
    - order: last
 {% else %}
--- a/salt/elasticagent/enabled.sls
+++ b/salt/elasticagent/enabled.sls
@@ -31,6 +31,10 @@ so-elastic-agent:
        - {{ XTRAHOST }}
          {% endfor %}
        {% endif %}
    - port_bindings:
      {% for BINDING in DOCKER.containers['so-elastic-agent'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - binds:
      - /opt/so/conf/elastic-agent/elastic-agent.yml:/usr/share/elastic-agent/elastic-agent.yml:ro
      - /opt/so/log/elasticagent:/usr/share/elastic-agent/logs
--- a/salt/elasticagent/files/elastic-agent.yml.jinja
+++ b/salt/elasticagent/files/elastic-agent.yml.jinja
@@ -430,3 +430,54 @@ inputs:
        exclude_files:
          - >-
            broker|capture_loss|cluster|ecat_arp_info|known_hosts|known_services|loaded_scripts|ntp|ocsp|packet_filter|reporter|stats|stderr|stdout.log$
  - id: udp-udp-35051de0-46a5-11ee-8d5d-9f98c8182f60
    name: syslog-udp-514
    revision: 3
    type: udp
    use_output: default
    meta:
      package:
        name: udp
        version: 1.10.0
    data_stream:
      namespace: so
    package_policy_id: 35051de0-46a5-11ee-8d5d-9f98c8182f60
    streams:
      - id: udp-udp.generic-35051de0-46a5-11ee-8d5d-9f98c8182f60
        data_stream:
          dataset: syslog
        pipeline: syslog
        host: '0.0.0.0:514'
        max_message_size: 10KiB
        processors:
          - add_fields:
              fields:
                module: syslog
              target: event
        tags:
          - syslog
  - id: tcp-tcp-33d37bb0-46a5-11ee-8d5d-9f98c8182f60
    name: syslog-tcp-514
    revision: 3
    type: tcp
    use_output: default
    meta:
      package:
        name: tcp
        version: 1.10.0
    data_stream:
      namespace: so
    package_policy_id: 33d37bb0-46a5-11ee-8d5d-9f98c8182f60
    streams:
      - id: tcp-tcp.generic-33d37bb0-46a5-11ee-8d5d-9f98c8182f60
        data_stream:
          dataset: syslog
        pipeline: syslog
        host: '0.0.0.0:514'
        processors:
          - add_fields:
              fields:
                module: syslog
              target: event
        tags:
          - syslog
--- a/salt/elasticfleet/config.sls
+++ b/salt/elasticfleet/config.sls
@@ -37,6 +37,8 @@ elasticfleet_sbin_jinja:
    - group: 939 
    - file_mode: 755
    - template: jinja
    - exclude_pat:
      - so-elastic-fleet-package-upgrade # exclude this because we need to watch it for changes
 eaconfdir:
  file.directory:
@@ -59,6 +61,14 @@ eastatedir:
    - group: 939
    - makedirs: True
 eapackageupgrade:
  file.managed:
    - name: /usr/sbin/so-elastic-fleet-package-upgrade
    - source: salt://elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-upgrade
    - user: 947
    - group: 939
    - template: jinja
 {%   if GLOBALS.role != "so-fleet" %}
 eaintegrationsdir:
  file.directory:
@@ -88,6 +98,7 @@ ea-integrations-load:
    - onchanges:
      - file: eaintegration
      - file: eadynamicintegration
      - file: eapackageupgrade
 {% endif %}
 {% else %}
--- a/salt/elasticfleet/defaults.yaml
+++ b/salt/elasticfleet/defaults.yaml
@@ -13,7 +13,10 @@ elasticfleet:
        - broker
        - capture_loss
        - cluster
        - conn-summary
        - console
        - ecat_arp_info
        - known_certs
        - known_hosts
        - known_services
        - loaded_scripts
@@ -25,12 +28,53 @@ elasticfleet:
        - stderr
        - stdout
  packages:
    - apache
    - auditd
    - aws
    - azure
    - barracuda
    - cisco_asa
    - cloudflare
    - crowdstrike
    - darktrace
    - elasticsearch
    - endpoint
    - f5_bigip
    - fleet_server
    - fim
    - fortinet
    - fortinet_fortigate
    - gcp
    - github
    - google_workspace
    - http_endpoint
    - httpjson
    - juniper
    - juniper_srx
    - kafka_log
    - lastpass
    - log
    - m365_defender
    - microsoft_defender_endpoint
    - microsoft_dhcp
    - netflow
    - o365
    - okta
    - osquery_manager
    - panw
    - pfsense
    - redis
    - sentinel_one
    - sonicwall_firewall
    - symantec_endpoint
    - system
    - tcp
    - ti_abusech
    - ti_misp
    - ti_otx
    - ti_recordedfuture
    - udp
    - windows
    - zscaler_zia
    - zscaler_zpa
    - 1password
--- a/salt/elasticfleet/enabled.sls
+++ b/salt/elasticfleet/enabled.sls
@@ -22,6 +22,7 @@ include:
 so-elastic-fleet-auto-configure-logstash-outputs:
  cmd.run:
    - name: /usr/sbin/so-elastic-fleet-outputs-update
    - retry: True
 {% endif %}
 # If enabled, automatically update Fleet Server URLs & ES Connection
@@ -29,6 +30,7 @@ so-elastic-fleet-auto-configure-logstash-outputs:
 so-elastic-fleet-auto-configure-server-urls:
  cmd.run:
    - name: /usr/sbin/so-elastic-fleet-urls-update
    - retry: True
 {% endif %}
 # Automatically update Fleet Server Elasticsearch URLs
@@ -36,6 +38,7 @@ so-elastic-fleet-auto-configure-server-urls:
 so-elastic-fleet-auto-configure-elasticsearch-urls:
  cmd.run:
    - name: /usr/sbin/so-elastic-fleet-es-url-update
    - retry: True
 {% endif %}
 {%   if SERVICETOKEN != '' %}
@@ -65,11 +68,6 @@ so-elastic-fleet:
      - /etc/pki/elasticfleet-server.crt:/etc/pki/elasticfleet-server.crt:ro
      - /etc/pki/elasticfleet-server.key:/etc/pki/elasticfleet-server.key:ro
      - /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro
      {% if GLOBALS.os_family == 'Debian' %}
      - /etc/ssl/elasticfleet-server.crt:/etc/ssl/elasticfleet-server.crt:ro
      - /etc/ssl/elasticfleet-server.key:/etc/ssl/elasticfleet-server.key:ro
      - /etc/ssl/tls/certs/intca.crt:/etc/ssl/tls/certs/intca.crt:ro
      {% endif %}
      - /opt/so/log/elasticfleet:/usr/share/elastic-agent/logs 
     {% if DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
        {% for BIND in DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
@@ -84,13 +82,8 @@ so-elastic-fleet:
      - FLEET_SERVER_POLICY_ID=FleetServer_{{ GLOBALS.hostname }}
      - FLEET_SERVER_CERT=/etc/pki/elasticfleet-server.crt
      - FLEET_SERVER_CERT_KEY=/etc/pki/elasticfleet-server.key
-      {% if GLOBALS.os_family == 'Debian' %}
+      - FLEET_CA=/etc/pki/tls/certs/intca.crt     
      - FLEET_CA=/etc/ssl/certs/intca.crt     
      - FLEET_SERVER_ELASTICSEARCH_CA=/etc/ssl/certs/intca.crt
      {% else %}
      - FLEET_CA=/etc/pki/tls/certs/intca.crt
      - FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt
      {% endif %}
      - LOGS_PATH=logs
      {% if DOCKER.containers['so-elastic-fleet'].extra_env %}
        {% for XTRAENV in DOCKER.containers['so-elastic-fleet'].extra_env %}
@@ -106,6 +99,11 @@ so-elastic-fleet:
 so-elastic-fleet-integrations:
  cmd.run:
    - name: /usr/sbin/so-elastic-fleet-integration-policy-load
 so-elastic-agent-grid-upgrade:
  cmd.run:
    - name: /usr/sbin/so-elastic-agent-grid-upgrade
    - retry: True
 {%  endif %}
 delete_so-elastic-fleet_so-status.disabled:
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json
@@ -20,8 +20,8 @@
            ],
            "data_stream.dataset": "import",
            "custom": "",
-            "processors": "- dissect:\n    tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n    field: \"log.file.path\"\n    target_prefix: \"\"\n- decode_json_fields:\n    fields: [\"message\"]\n    target: \"\"\n- drop_fields:\n    fields: [\"host\"]\n    ignore_missing: true\n- add_fields:\n    target: data_stream\n    fields:\n      namespace: default\n      type: logs\n      dataset: system.security\n- add_fields:\n    target: event\n    fields:\n      dataset: system.security\n      module: system\n      imported: true  \n- if:\n    equals:\n      winlog.channel: 'Microsoft-Windows-Sysmon/Operational'\n  then: \n    - add_fields:\n        target: data_stream\n        fields:\n          dataset: windows.sysmon_operational\n    - add_fields:\n        target: event\n        fields:\n          dataset: windows.sysmon_operational\n          module: windows\n          imported: true\n- if:\n    equals:\n      winlog.channel: 'Application'\n  then: \n    - add_fields:\n        target: data_stream\n        fields:\n          dataset: system.application\n    - add_fields:\n        target: event\n        fields:\n          dataset: system.application\n- if:\n    equals:\n      winlog.channel: 'System'\n  then: \n    - add_fields:\n        target: data_stream\n        fields:\n          dataset: system.system\n    - add_fields:\n        target: event\n        fields:\n          dataset: system.system\n- if:\n    equals:\n      winlog.channel: 'Microsoft-Windows-PowerShell/Operational'\n  then: \n    - add_fields:\n        target: data_stream\n        fields:\n          dataset: windows.powershell_operational\n    - add_fields:\n        target: event\n        fields:\n          dataset: windows.powershell_operational\n          module: windows",
+	    "processors": "- dissect:\n    tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n    field: \"log.file.path\"\n    target_prefix: \"\"\n- decode_json_fields:\n    fields: [\"message\"]\n    target: \"\"\n- drop_fields:\n    fields: [\"host\"]\n    ignore_missing: true\n- add_fields:\n    target: data_stream\n    fields:\n      type: logs\n      dataset: system.security\n- add_fields:\n    target: event\n    fields:\n      dataset: system.security\n      module: system\n      imported: true\n- add_fields:\n    target: \"@metadata\"\n    fields:\n        pipeline: logs-system.security-1.34.0\n- if:\n    equals:\n      winlog.channel: 'Microsoft-Windows-Sysmon/Operational'\n  then: \n    - add_fields:\n        target: data_stream\n        fields:\n          dataset: windows.sysmon_operational\n    - add_fields:\n        target: event\n        fields:\n          dataset: windows.sysmon_operational\n          module: windows\n          imported: true\n    - add_fields:\n        target: \"@metadata\"\n        fields:\n            pipeline: logs-windows.sysmon_operational-1.24.0\n- if:\n    equals:\n      winlog.channel: 'Application'\n  then: \n    - add_fields:\n        target: data_stream\n        fields:\n          dataset: system.application\n    - add_fields:\n        target: event\n        fields:\n          dataset: system.application\n    - add_fields:\n        target: \"@metadata\"\n        fields:\n            pipeline: logs-system.application-1.34.0\n- if:\n    equals:\n      winlog.channel: 'System'\n  then: \n    - add_fields:\n        target: data_stream\n        fields:\n          dataset: system.system\n    - add_fields:\n        target: event\n        fields:\n          dataset: system.system\n    - add_fields:\n        target: \"@metadata\"\n        fields:\n            pipeline: logs-system.system-1.34.0\n    \n- if:\n    equals:\n      winlog.channel: 'Microsoft-Windows-PowerShell/Operational'\n  then: \n    - add_fields:\n        target: data_stream\n        fields:\n          dataset: windows.powershell_operational\n    - add_fields:\n        target: event\n        fields:\n          dataset: windows.powershell_operational\n          module: windows\n    - add_fields:\n        target: \"@metadata\"\n        fields:\n            pipeline: logs-windows.powershell_operational-1.24.0\n- add_fields:\n    target: data_stream\n    fields:\n        dataset: import",
-            "tags": [
+	    "tags": [
              "import"
            ]
          }
--- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-common
+++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-common
@@ -56,9 +56,15 @@ elastic_fleet_package_version_check() {
    curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/epm/packages/$PACKAGE" | jq -r '.item.version'
 }
 elastic_fleet_package_latest_version_check() {
    PACKAGE=$1
    curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/epm/packages/$PACKAGE" | jq -r '.item.latestVersion'
 }
 elastic_fleet_package_install() {
-    PKGKEY=$1
+    PKG=$1
-    curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST -H 'kbn-xsrf: true' "localhost:5601/api/fleet/epm/packages/$PKGKEY"
+    VERSION=$2
    curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST -H 'kbn-xsrf: true' -H 'Content-Type: application/json'  -d '{"force":true}' "localhost:5601/api/fleet/epm/packages/$PKG/$VERSION"
 }
 elastic_fleet_package_is_installed() {
--- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load
+++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load
@@ -9,6 +9,9 @@
 RETURN_CODE=0
 if [ ! -f /opt/so/state/eaintegrations.txt ]; then
  # First, check for any package upgrades
  /usr/sbin/so-elastic-fleet-package-upgrade
  # Initial Endpoints
  for INTEGRATION in /opt/so/conf/elastic-fleet/integrations/endpoints-initial/*.json
  do
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers
@@ -46,7 +46,7 @@ do
 done 
 printf "\n### Stripping out unused components"
-find /nsm/elastic-agent-workspace/elastic-agent-*/data/elastic-agent-*/components -regex '.*fleet.*\|.*packet.*\|.*apm*.*\|.*audit.*\|.*heart.*\|.*cloud.*' -delete 
+find /nsm/elastic-agent-workspace/elastic-agent-*/data/elastic-agent-*/components -maxdepth 1 -regex '.*fleet.*\|.*packet.*\|.*apm.*\|.*audit.*\|.*heart.*\|.*cloud.*' -delete 
 printf "\n### Tarring everything up again"
 for OS in "${OSARCH[@]}"
@@ -65,7 +65,7 @@ do
    if [[ $GOOS == 'darwin/arm64' ]]; then GOOS="darwin" && GOARCH="arm64"; fi
    printf "\n\n### Generating $GOOS/$GOARCH Installer...\n"
    docker run -e CGO_ENABLED=0 -e GOOS=$GOOS -e GOARCH=$GOARCH \
-    --mount type=bind,source=/etc/ssl/certs/,target=/workspace/files/cert/ \
+    --mount type=bind,source=/etc/pki/tls/certs/,target=/workspace/files/cert/ \
    --mount type=bind,source=/nsm/elastic-agent-workspace/,target=/workspace/files/elastic-agent/ \
    --mount type=bind,source=/opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/,target=/output/ \
    {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent-builder:{{ GLOBALS.so_version }} go build -ldflags "-X main.fleetHostURLsList=$FLEETHOST -X main.enrollmentToken=$ENROLLMENTOKEN"  -o /output/so-elastic-agent_${GOOS}_${GOARCH}
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-grid-upgrade
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-grid-upgrade
@@ -0,0 +1,38 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
 # this file except in compliance with the Elastic License 2.0.
 . /usr/sbin/so-common
 # Only run on Managers
 if ! is_manager_node; then
    printf "Not a Manager Node... Exiting"
    exit 0
 fi
 # Get current list of Grid Node Agents that need to be upgraded
 RAW_JSON=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "http://localhost:5601/api/fleet/agents?perPage=20&page=1&kuery=policy_id%20%3A%20so-grid-nodes_%2A&showInactive=false&showUpgradeable=true&getStatusSummary=true")
 # Check to make sure that the server responded with good data - else, bail from script
 CHECKSUM=$(jq -r '.page' <<< "$RAW_JSON")
 if [ "$CHECKSUM" -ne 1 ]; then
 printf "Failed to query for current Grid Agents...\n"
 exit 1
 fi
 # Generate list of Node Agents that need updates
 OUTDATED_LIST=$(jq -r '.items | map(.id) | (tojson)'  <<<  "$RAW_JSON")
 if [ "$OUTDATED_LIST" != '[]' ]; then
   AGENTNUMBERS=$(jq -r '.total' <<< "$RAW_JSON")
   printf "Initiating upgrades for $AGENTNUMBERS Agents to Elastic $ELASTIC_AGENT_TARBALL_VERSION...\n\n"
   # Generate updated JSON payload
   JSON_STRING=$(jq -n --arg ELASTICVERSION $ELASTIC_AGENT_TARBALL_VERSION --arg UPDATELIST $OUTDATED_LIST '{"version": $ELASTICVERSION,"agents": $UPDATELIST }')
   # Update Node Agents
   curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "http://localhost:5601/api/fleet/agents/bulk_upgrade" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
 else
    printf "No Agents need updates... Exiting\n\n"
    exit 0
 fi
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-es-url-update
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-es-url-update
@@ -12,9 +12,13 @@ if ! is_manager_node; then
 fi
 function update_es_urls() {
-	# Generate updated JSON payload
+	
-    JSON_STRING=$(jq -n --arg UPDATEDLIST $NEW_LIST_JSON '{"name":"so-manager_elasticsearch","type":"elasticsearch","hosts": $UPDATEDLIST,"is_default":false,"is_default_monitoring":false,"config_yaml":""}')
+    # Generate updated JSON payload
-
+{% if grains.role not in ['so-import', 'so-eval'] %}
    JSON_STRING=$(jq -n --arg UPDATEDLIST $NEW_LIST_JSON '{"name":"so-manager_elasticsearch","type":"elasticsearch","hosts": $UPDATEDLIST,"config_yaml":""}')
 {%- else %}
    JSON_STRING=$(jq -n --arg UPDATEDLIST $NEW_LIST_JSON '{"name":"so-manager_elasticsearch","type":"elasticsearch","hosts": $UPDATEDLIST,"is_default":true,"is_default_monitoring":true,"config_yaml":""}')
 {%- endif %}
    # Update Fleet Elasticsearch URLs
    curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/outputs/so-manager_elasticsearch" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
 }
@@ -42,6 +46,13 @@ NEW_LIST_JSON=$(jq --compact-output --null-input '$ARGS.positional' --args -- "$
 NEW_HASH=$(sha1sum <<< "$NEW_LIST_JSON" | awk '{print $1}')
 # Compare the current & new list of URLs - if different, update the Fleet Elasticsearch URLs
 if [ "$1" = "--force" ]; then
    printf "\nUpdating List, since --force was specified.\n"
    printf "Current List: $CURRENT_LIST\nNew List: $NEW_LIST_JSON\n"
    update_es_urls
    exit 0
 fi
 if [ "$NEW_HASH" = "$CURRENT_HASH" ]; then
    printf "\nHashes match - no update needed.\n"
    printf "Current List: $CURRENT_LIST\nNew List: $NEW_LIST_JSON\n"
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-load
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-load
@@ -11,7 +11,7 @@
 {%- for PACKAGE in SUPPORTED_PACKAGES %}
 echo "Setting up {{ PACKAGE }} package..."
 VERSION=$(elastic_fleet_package_version_check "{{ PACKAGE }}")
-elastic_fleet_package_install "{{ PACKAGE }}-$VERSION"
+elastic_fleet_package_install "{{ PACKAGE }}" "$VERSION"
 echo
 {%- endfor %}
 echo
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-upgrade
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-upgrade
@@ -0,0 +1,18 @@
 #!/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
 # this file except in compliance with the Elastic License 2.0.
 {%- import_yaml 'elasticfleet/defaults.yaml' as ELASTICFLEETDEFAULTS %}
 {%- set SUPPORTED_PACKAGES = salt['pillar.get']('elasticfleet:packages', default=ELASTICFLEETDEFAULTS.elasticfleet.packages, merge=True) %}
 . /usr/sbin/so-elastic-fleet-common
 {%- for PACKAGE in SUPPORTED_PACKAGES %}
 echo "Upgrading {{ PACKAGE }} package..."
 VERSION=$(elastic_fleet_package_latest_version_check "{{ PACKAGE }}")
 elastic_fleet_package_install "{{ PACKAGE }}" "$VERSION"
 echo
 {%- endfor %}
 echo
 /usr/sbin/so-elasticsearch-templates-load
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup
@@ -6,11 +6,7 @@
 # this file except in compliance with the Elastic License 2.0.
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% if GLOBALS.os_family == 'Debian' %}
 INTCA=/etc/ssl/certs/intca.crt
 {% else %}
 INTCA=/etc/pki/tls/certs/intca.crt
 {% endif %}
 . /usr/sbin/so-elastic-fleet-common
--- a/salt/elasticsearch/config.map.jinja
+++ b/salt/elasticsearch/config.map.jinja
@@ -21,7 +21,7 @@
        {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.discovery.seed_hosts.append(NODE.keys()|first) %}
      {% endfor %}
      {% if grains.id.split('_') | last == 'manager' %}
-        {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.update({'roles': ['master','data','remote_cluster_client']}) %}
+        {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.update({'roles': ['master','data','remote_cluster_client','transform']}) %}
      {% else %}
        {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.update({'roles': ['master', 'data_hot', 'remote_cluster_client']}) %}
      {% endif %}
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
--- a/salt/elasticsearch/enabled.sls
+++ b/salt/elasticsearch/enabled.sls
@@ -59,7 +59,7 @@ so-elasticsearch:
      {% if GLOBALS.is_manager %}
      - /etc/pki/ca.crt:/usr/share/elasticsearch/config/ca.crt:ro
      {% else %}
-      - /etc/ssl/certs/intca.crt:/usr/share/elasticsearch/config/ca.crt:ro
+      - /etc/pki/tls/certs/intca.crt:/usr/share/elasticsearch/config/ca.crt:ro
      {% endif %}
      - /etc/pki/elasticsearch.crt:/usr/share/elasticsearch/config/elasticsearch.crt:ro
      - /etc/pki/elasticsearch.key:/usr/share/elasticsearch/config/elasticsearch.key:ro
@@ -108,6 +108,7 @@ escomponenttemplates:
    - source: salt://elasticsearch/templates/component
    - user: 930
    - group: 939
    - clean: True
    - onchanges_in:
      - cmd: so-elasticsearch-templates
--- a/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1
+++ b/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1
@@ -78,7 +78,10 @@
    { "set":        { "if": "ctx.network?.direction == 'ingress'", "override": true, "field": "network.initiated", "value": "false" } },
    { "set":        { "if": "ctx.network?.type == 'ipv4'", "override": true, "field": "destination.ipv6", "value": "false" } },
    { "set":        { "if": "ctx.network?.type == 'ipv6'", "override": true, "field": "destination.ipv6", "value": "true" } },
-    {"community_id":{ "if": "ctx.event?.dataset == 'endpoint.events.network'", "ignore_failure":true }  },
+    { "set":        { "if": "ctx.tags.0 == 'import'", "override": true, "field": "data_stream.dataset", "value": "import" } },
    { "set":        { "if": "ctx.tags.0 == 'import'", "override": true, "field": "data_stream.namespace", "value": "so" } },
    { "date":       { "if": "ctx.event?.module == 'system'", "field": "event.created", "target_field": "@timestamp", "formats": ["yyyy-MM-dd'T'HH:mm:ss.SSSSSS'Z'"] } },
    { "community_id":{ "if": "ctx.event?.dataset == 'endpoint.events.network'", "ignore_failure":true }  },
    { "remove":     { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp", "dataset_tag_temp", "module_temp" ], "ignore_missing": true, "ignore_failure": true } } 
  ],
  "on_failure": [
--- a/salt/elasticsearch/files/ingest/strelka.file
+++ b/salt/elasticsearch/files/ingest/strelka.file
@@ -63,8 +63,8 @@
    { "set":         { "if": "ctx.rule?.score != null && ctx.rule?.score >= 50 && ctx.rule?.score <=69",   "field": "event.severity", "value": 2, "override": true }  },
    { "set":         { "if": "ctx.rule?.score != null && ctx.rule?.score >= 70 && ctx.rule?.score <=89",   "field": "event.severity", "value": 3, "override": true }  },
    { "set":         { "if": "ctx.rule?.score != null && ctx.rule?.score >= 90",   "field": "event.severity", "value": 4, "override": true }  },
-    { "set":         { "if": "ctx.scan?.entropy?.entropy == 0",   "field": "scan.entropy.entropy", "value": "0.0", "override": true }  },
+    { "set":         { "if": "ctx.scan?.entropy?.entropy == '0'",   "field": "scan.entropy.entropy", "value": "0.0", "override": true }  },
-    { "set":         { "if": "ctx.scan?.pe?.image_version == 0",   "field": "scan.pe.image_version", "value": "0.0", "override": true }  },
+    { "set":         { "if": "ctx.scan?.pe?.image_version == '0'",   "field": "scan.pe.image_version", "value": "0.0", "override": true }  },
    { "set":         { "field": "observer.name",        "value": "{{agent.name}}" }},
    { "convert" :    { "field" : "scan.exiftool","type": "string", "ignore_missing":true }},
    { "remove":         { "field": ["host", "path", "message", "exiftool", "scan.yara.meta"],                                         "ignore_missing": true  } },
--- a/salt/elasticsearch/soc_elasticsearch.yaml
+++ b/salt/elasticsearch/soc_elasticsearch.yaml
@@ -46,28 +46,37 @@ elasticsearch:
            description: Max number of boolean clauses per query.
            global: True
            helpLink: elasticsearch.html
-  index_settings: 
+  index_settings:
-    so-elasticsearch: &indexSettings
+    global_overrides:
-      warm: 
+      index_template:
-        description: Age (in days) of this index before it will move to warm storage, if warm nodes are present. Once moved, events on this index can take longer to fetch.
+        template:
-        global: True
+          settings:
-        helpLink: elasticsearch.html
+            index:
-      close: 
+              number_of_replicas:
-        description: Age (in days) of this index before it will be closed. Once closed, events on this index cannot be retrieved without first re-opening the index.
+                description: Number of replicas required for all indices. Multiple replicas protects against data loss, but also increases storage costs. This setting will be applied to all indices.
-        global: True
+                forcedType: int
-        helpLink: elasticsearch.html
+                global: True
-      delete: 
+                helpLink: elasticsearch.html
-        description: Age (in days) of this index before it will be deleted. Once deleted, events are permanently unrecoverable.
+    so-logs: &indexSettings
        global: True
        helpLink: elasticsearch.html
      index_sorting: 
        description: Sorts the index by event time, at the cost of additional processing resource consumption.
        global: True
        helpLink: elasticsearch.html
      index_template:
        index_patterns:
          description: Patterns for matching multiple indices or tables.
          forceType: "[]string"
          multiline: True
          global: True
          helpLink: elasticsearch.html
        template:
          settings:
            index:
              number_of_replicas: 
                description: Number of replicas required for this index. Multiple replicas protects against data loss, but also increases storage costs.
                forcedType: int
                global: True
                helpLink: elasticsearch.html
              mapping:
                total_fields:
                  limit:
@@ -75,17 +84,59 @@ elasticsearch:
                    global: True
                    helpLink: elasticsearch.html
              refresh_interval: 
-                  description: Seconds between index refreshes. Shorter intervals can cause query performance to suffer since this is a synchronous and resource-intensive operation.
+                description: Seconds between index refreshes. Shorter intervals can cause query performance to suffer since this is a synchronous and resource-intensive operation.
-                  global: True
+                global: True
-                  helpLink: elasticsearch.html
+                helpLink: elasticsearch.html
              number_of_shards: 
-                  description: Number of shards required for this index. Using multiple shards increases fault tolerance, but also increases storage and network costs.
+                description: Number of shards required for this index. Using multiple shards increases fault tolerance, but also increases storage and network costs.
                global: True
                helpLink: elasticsearch.html
              sort:
                field:
                  description: The field to sort by. Must set index_sorting to True.
                  global: True
                  helpLink: elasticsearch.html
-              number_of_replicas: 
+                order:
-                  description: Number of replicas required for this index. Multiple replicas protects against data loss, but also increases storage costs.
+                  description: The order to sort by. Must set index_sorting to True.
                  global: True
                  helpLink: elasticsearch.html
          mappings:
            _meta:
              package:
                name:
                  description: Meta settings for the mapping.
                  global: True
                  helpLink: elasticsearch.html
              managed_by:
                  description: Meta settings for the mapping.
                  global: True
                  helpLink: elasticsearch.html
              managed:
                  description: Meta settings for the mapping.
                  forcedType: bool
                  global: True
                  helpLink: elasticsearch.html
        composed_of:
          description: The index template is composed of these component templates.
          forcedType: "[]string"
          global: True
          helpLink: elasticsearch.html
        priority:
          description: The priority of the index template.
          forcedType: int
          global: True
          helpLink: elasticsearch.html
        data_stream:
          hidden:
            description: Hide the data stream.
            forcedType: bool
            global: True
            helpLink: elasticsearch.html
          allow_custom_routing:
            description: Allow custom routing for the data stream.
            forcedType: bool
            global: True
            helpLink: elasticsearch.html
      policy:
        phases:
          hot:
@@ -97,6 +148,7 @@ elasticsearch:
              set_priority:
                priority:
                  description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
                  forcedType: int
                  global: True
                  helpLink: elasticsearch.html
              rollover:
@@ -117,19 +169,178 @@ elasticsearch:
              set_priority:
                priority:
                  description: Used for index recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
                  forcedType: int
                  global: True
                  helpLink: elasticsearch.html
          delete:
            min_age:
              description: Minimum age of index. This determines when the index should be deleted.
              global: True
-              helpLink: elastic
+              helpLink: elasticsearch.html
        _meta:
          package:
            name:
              description: Meta settings for the mapping.
              global: True
              helpLink: elasticsearch.html
          managed_by:
            description: Meta settings for the mapping.
            global: True
            helpLink: elasticsearch.html
          managed:
            description: Meta settings for the mapping.
            forcedType: bool
            global: True
            helpLink: elasticsearch.html
    so-logs-system_x_auth: *indexSettings
    so-logs-system_x_syslog: *indexSettings
    so-logs-system_x_system: *indexSettings
    so-logs-system_x_application: *indexSettings
    so-logs-system_x_security: *indexSettings
    so-logs-windows_x_forwarded: *indexSettings
    so-logs-windows_x_powershell: *indexSettings
    so-logs-windows_x_powershell_operational: *indexSettings
    so-logs-windows_x_sysmon_operational: *indexSettings
    so-logs-apache_x_access: *indexSettings
    so-logs-apache_x_error: *indexSettings
    so-logs-auditd_x_log: *indexSettings
    so-logs-aws_x_cloudtrail: *indexSettings
    so-logs-aws_x_cloudwatch_logs: *indexSettings
    so-logs-aws_x_ec2_logs: *indexSettings
    so-logs-aws_x_elb_logs: *indexSettings
    so-logs-aws_x_firewall_logs: *indexSettings
    so-logs-aws_x_route53_public_logs: *indexSettings
    so-logs-aws_x_route53_resolver_logs: *indexSettings
    so-logs-aws_x_s3access: *indexSettings
    so-logs-aws_x_vpcflow: *indexSettings
    so-logs-aws_x_waf: *indexSettings
    so-logs-azure_x_activitylogs: *indexSettings
    so-logs-azure_x_application_gateway: *indexSettings
    so-logs-azure_x_auditlogs: *indexSettings
    so-logs-azure_x_eventhub: *indexSettings
    so-logs-azure_x_firewall_logs: *indexSettings
    so-logs-azure_x_identity_protection: *indexSettings
    so-logs-azure_x_platformlogs: *indexSettings
    so-logs-azure_x_provisioning: *indexSettings
    so-logs-azure_x_signinlogs: *indexSettings
    so-logs-azure_x_springcloudlogs: *indexSettings
    so-logs-barracuda_x_waf: *indexSettings
    so-logs-cisco_asa_x_log: *indexSettings
    so-logs-cloudflare_x_audit: *indexSettings
    so-logs-cloudflare_x_logpull: *indexSettings
    so-logs-crowdstrike_x_falcon: *indexSettings
    so-logs-crowdstrike_x_fdr: *indexSettings
    so-logs-darktrace_x_ai_analyst_alert: *indexSettings
    so-logs-darktrace_x_model_breach_alert: *indexSettings
    so-logs-darktrace_x_system_status_alert: *indexSettings
    so-logs-f5_bigip_x_log: *indexSettings
    so-logs-fim_x_event: *indexSettings
    so-logs-fortinet_x_clientendpoint: *indexSettings
    so-logs-fortinet_x_firewall: *indexSettings
    so-logs-fortinet_x_fortimail: *indexSettings
    so-logs-fortinet_x_fortimanager: *indexSettings
    so-logs-fortinet_x_fortigate: *indexSettings
    so-logs-gcp_x_audit: *indexSettings
    so-logs-gcp_x_dns: *indexSettings
    so-logs-gcp_x_firewall: *indexSettings
    so-logs-gcp_x_loadbalancing_logs: *indexSettings
    so-logs-gcp_x_vpcflow: *indexSettings
    so-logs-github_x_audit: *indexSettings
    so-logs-github_x_code_scanning: *indexSettings
    so-logs-github_x_dependabot: *indexSettings
    so-logs-github_x_issues: *indexSettings
    so-logs-github_x_secret_scanning: *indexSettings
    so-logs-google_workspace_x_access_transparency: *indexSettings
    so-logs-google_workspace_x_admin: *indexSettings
    so-logs-google_workspace_x_alert: *indexSettings
    so-logs-google_workspace_x_context_aware_access: *indexSettings
    so-logs-google_workspace_x_device: *indexSettings
    so-logs-google_workspace_x_drive: *indexSettings
    so-logs-google_workspace_x_gcp: *indexSettings
    so-logs-google_workspace_x_group_enterprise: *indexSettings
    so-logs-google_workspace_x_groups: *indexSettings
    so-logs-google_workspace_x_login: *indexSettings
    so-logs-google_workspace_x_rules: *indexSettings
    so-logs-google_workspace_x_saml: *indexSettings
    so-logs-google_workspace_x_token: *indexSettings
    so-logs-google_workspace_x_user_accounts: *indexSettings
    so-logs-http_endpoint_x_generic: *indexSettings
    so-logs-httpjson_x_generic: *indexSettings
    so-logs-juniper_x_junos: *indexSettings
    so-logs-juniper_x_netscreen: *indexSettings
    so-logs-juniper_x_srx: *indexSettings
    so-logs-juniper_srx_x_log: *indexSettings
    so-logs-kafka_log_x_generic: *indexSettings
    so-logs-lastpass_x_detailed_shared_folder: *indexSettings
    so-logs-lastpass_x_event_report: *indexSettings
    so-logs-lastpass_x_user: *indexSettings
    so-logs-m365_defender_x_event: *indexSettings
    so-logs-m365_defender_x_incident: *indexSettings
    so-logs-m365_defender_x_log: *indexSettings
    so-logs-microsoft_defender_endpoint_x_log: *indexSettings
    so-logs-microsoft_dhcp_x_log: *indexSettings
    so-logs-netflow_x_log: *indexSettings
    so-logs-o365_x_audit: *indexSettings
    so-logs-okta_x_system: *indexSettings
    so-logs-panw_x_panos: *indexSettings
    so-logs-pfsense_x_log: *indexSettings
    so-logs-sentinel_one_x_activity: *indexSettings
    so-logs-sentinel_one_x_agent: *indexSettings
    so-logs-sentinel_one_x_alert: *indexSettings
    so-logs-sentinel_one_x_group: *indexSettings
    so-logs-sentinel_one_x_threat: *indexSettings
    so-logs-sonicwall_firewall_x_log: *indexSettings
    so-logs-symantec_endpoint_x_log: *indexSettings
    so-logs-ti_abusech_x_malware: *indexSettings
    so-logs-ti_abusech_x_malwarebazaar: *indexSettings
    so-logs-ti_abusech_x_threatfox: *indexSettings
    so-logs-ti_abusech_x_url: *indexSettings
    so-logs-ti_misp_x_threat: *indexSettings
    so-logs-ti_misp_x_threat_attributes: *indexSettings
    so-logs-ti_otx_x_threat: *indexSettings
    so-logs-ti_recordedfuture_x_latest_ioc-template: *indexSettings
    so-logs-ti_recordedfuture_x_threat: *indexSettings
    so-logs-zscaler_zia_x_alerts: *indexSettings
    so-logs-zscaler_zia_x_dns: *indexSettings
    so-logs-zscaler_zia_x_firewall: *indexSettings
    so-logs-zscaler_zia_x_tunnel: *indexSettings
    so-logs-zscaler_zia_x_web: *indexSettings
    so-logs-zscaler_zpa_x_app_connector_status: *indexSettings
    so-logs-zscaler_zpa_x_audit: *indexSettings
    so-logs-zscaler_zpa_x_browser_access: *indexSettings
    so-logs-zscaler_zpa_x_user_activity: *indexSettings
    so-logs-zscaler_zpa_x_user_status: *indexSettings
    so-logs-1password_x_item_usages: *indexSettings
    so-logs-1password_x_signin_attempts: *indexSettings
    so-logs-osquery-manager-actions: *indexSettings
    so-logs-osquery-manager-action_x_responses: *indexSettings
    so-logs-elastic_agent_x_apm_server: *indexSettings
    so-logs-elastic_agent_x_auditbeat: *indexSettings
    so-logs-elastic_agent_x_cloudbeat: *indexSettings
    so-logs-elastic_agent_x_endpoint_security: *indexSettings
    so-logs-endpoint_x_alerts: *indexSettings
    so-logs-endpoint_x_events_x_api: *indexSettings
    so-logs-endpoint_x_events_x_file: *indexSettings
    so-logs-endpoint_x_events_x_library: *indexSettings
    so-logs-endpoint_x_events_x_network: *indexSettings
    so-logs-endpoint_x_events_x_process: *indexSettings
    so-logs-endpoint_x_events_x_registry: *indexSettings
    so-logs-endpoint_x_events_x_security: *indexSettings
    so-logs-elastic_agent_x_filebeat: *indexSettings
    so-logs-elastic_agent_x_fleet_server: *indexSettings
    so-logs-elastic_agent_x_heartbeat: *indexSettings
    so-logs-elastic_agent: *indexSettings
    so-logs-elastic_agent_x_metricbeat: *indexSettings
    so-logs-elastic_agent_x_osquerybeat: *indexSettings
    so-logs-elastic_agent_x_packetbeat: *indexSettings
    so-case: *indexSettings
    so-common: *indexSettings
    so-endgame: *indexSettings
-    so-firewall: *indexSettings
+    so-idh: *indexSettings
    so-suricata: *indexSettings
    so-import: *indexSettings
-    so-kibana: *indexSettings
+    so-kratos: *indexSettings
    so-logstash: *indexSettings
    so-osquery: *indexSettings
    so-redis: *indexSettings
    so-strelka: *indexSettings
    so-syslog: *indexSettings
--- a/salt/elasticsearch/template.map.jinja
+++ b/salt/elasticsearch/template.map.jinja
@@ -1,9 +1,28 @@
-{% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS with context %}
+{% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS %}
-{%- set ES_INDEX_SETTINGS = salt['pillar.get']('elasticsearch:index_settings', default=ELASTICSEARCHDEFAULTS.elasticsearch.index_settings, merge=True) %}
+{% set DEFAULT_GLOBAL_OVERRIDES = ELASTICSEARCHDEFAULTS.elasticsearch.index_settings.pop('global_overrides') %}
-{% for index, settings in ES_INDEX_SETTINGS.items() %}
+
-  {% if settings.index_template is defined %}
+{% set PILLAR_GLOBAL_OVERRIDES = {} %}
-    {% if not settings.get('index_sorting', False) | to_bool and settings.index_template.template.settings.index.sort is defined %}
+{% if salt['pillar.get']('elasticsearch:index_settings') is defined %}
-      {% do settings.index_template.template.settings.index.pop('sort') %}
+{%   set ES_INDEX_PILLAR = salt['pillar.get']('elasticsearch:index_settings') %}
-    {% endif %}
+{%   if ES_INDEX_PILLAR.global_overrides is defined %}
-  {% endif %}
+{%     set PILLAR_GLOBAL_OVERRIDES = ES_INDEX_PILLAR.pop('global_overrides') %}
 {%   endif %}
 {% endif %}
 {% set ES_INDEX_SETTINGS_ORIG = ELASTICSEARCHDEFAULTS.elasticsearch.index_settings %}
 {% set ES_INDEX_SETTINGS_GLOBAL_OVERRIDES = {} %}
 {% for index in ES_INDEX_SETTINGS_ORIG.keys() %}
 {%   do ES_INDEX_SETTINGS_GLOBAL_OVERRIDES.update({index: salt['defaults.merge'](ELASTICSEARCHDEFAULTS.elasticsearch.index_settings[index], PILLAR_GLOBAL_OVERRIDES, in_place=False)}) %}
 {% endfor %}
 {% set ES_INDEX_SETTINGS = {} %}
 {% do ES_INDEX_SETTINGS_GLOBAL_OVERRIDES.update(salt['defaults.merge'](ES_INDEX_SETTINGS_GLOBAL_OVERRIDES, ES_INDEX_PILLAR, in_place=False)) %}
 {% for index, settings in ES_INDEX_SETTINGS_GLOBAL_OVERRIDES.items() %}
 {%   if settings.index_template is defined %}
 {%     if not settings.get('index_sorting', False) | to_bool and settings.index_template.template.settings.index.sort is defined %}
 {%       do settings.index_template.template.settings.index.pop('sort') %}
 {%     endif %}
 {%   endif %}
 {%   do ES_INDEX_SETTINGS.update({index | replace("_x_", "."): ES_INDEX_SETTINGS_GLOBAL_OVERRIDES[index]}) %}
 {% endfor %}
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@custom.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@custom.json
@@ -1,12 +0,0 @@
 {
  "template": {
    "settings": {}
  },
  "_meta": {
    "package": {
      "name": "elastic_agent"
    },
    "managed_by": "fleet",
    "managed": true
  }
 }
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json
@@ -1,329 +0,0 @@
        {"template": {
          "settings": {
            "index": {
              "lifecycle": {
                "name": "logs"
              },
              "codec": "best_compression",
              "default_pipeline": "logs-elastic_agent.apm_server-1.7.0",
              "mapping": {
                "total_fields": {
                  "limit": "10000"
                }
              },
              "query": {
                "default_field": [
                  "cloud.account.id",
                  "cloud.availability_zone",
                  "cloud.instance.id",
                  "cloud.instance.name",
                  "cloud.machine.type",
                  "cloud.provider",
                  "cloud.region",
                  "cloud.project.id",
                  "cloud.image.id",
                  "container.id",
                  "container.image.name",
                  "container.name",
                  "host.architecture",
                  "host.hostname",
                  "host.id",
                  "host.mac",
                  "host.name",
                  "host.os.family",
                  "host.os.kernel",
                  "host.os.name",
                  "host.os.platform",
                  "host.os.version",
                  "host.os.build",
                  "host.os.codename",
                  "host.type",
                  "ecs.version",
                  "agent.build.original",
                  "agent.ephemeral_id",
                  "agent.id",
                  "agent.name",
                  "agent.type",
                  "agent.version",
                  "log.level",
                  "message",
                  "elastic_agent.id",
                  "elastic_agent.process",
                  "elastic_agent.version"
                ]
              }
            }
          },
          "mappings": {
            "dynamic": false,
            "dynamic_templates": [
              {
                "container.labels": {
                  "path_match": "container.labels.*",
                  "mapping": {
                    "type": "keyword"
                  },
                  "match_mapping_type": "string"
                }
              }
            ],
            "properties": {
              "cloud": {
                "properties": {
                  "availability_zone": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "image": {
                    "properties": {
                      "id": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "instance": {
                    "properties": {
                      "name": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "id": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "provider": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "machine": {
                    "properties": {
                      "type": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "project": {
                    "properties": {
                      "id": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "region": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "account": {
                    "properties": {
                      "id": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  }
                }
              },
              "container": {
                "properties": {
                  "image": {
                    "properties": {
                      "name": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "name": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "agent": {
                "properties": {
                  "build": {
                    "properties": {
                      "original": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "name": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "ephemeral_id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "type": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "version": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "@timestamp": {
                "type": "date"
              },
              "ecs": {
                "properties": {
                  "version": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "log": {
                "properties": {
                  "level": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "data_stream": {
                "properties": {
                  "namespace": {
                    "type": "constant_keyword"
                  },
                  "type": {
                    "type": "constant_keyword"
                  },
                  "dataset": {
                    "type": "constant_keyword"
                  }
                }
              },
              "host": {
                "properties": {
                  "hostname": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "os": {
                    "properties": {
                      "build": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "kernel": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "codename": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "name": {
                        "ignore_above": 1024,
                        "type": "keyword",
                        "fields": {
                          "text": {
                            "type": "text"
                          }
                        }
                      },
                      "family": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "version": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "platform": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "domain": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "ip": {
                    "type": "ip"
                  },
                  "containerized": {
                    "type": "boolean"
                  },
                  "name": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "type": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "mac": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "architecture": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "elastic_agent": {
                "properties": {
                  "process": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "version": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "snapshot": {
                    "type": "boolean"
                  }
                }
              },
              "event": {
                "properties": {
                  "dataset": {
                    "type": "constant_keyword"
                  }
                }
              },
              "message": {
                "type": "text"
              }
            }
          }
        },
        "_meta": {
          "package": {
            "name": "elastic_agent"
          },
          "managed_by": "fleet",
          "managed": true
        }
      }
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@custom.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@custom.json
@@ -1,12 +0,0 @@
 {
  "template": {
    "settings": {}
  },
  "_meta": {
    "package": {
      "name": "elastic_agent"
    },
    "managed_by": "fleet",
    "managed": true
  }
 }
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json
@@ -1,329 +0,0 @@
        {"template": {
          "settings": {
            "index": {
              "lifecycle": {
                "name": "logs"
              },
              "codec": "best_compression",
              "default_pipeline": "logs-elastic_agent.auditbeat-1.7.0",
              "mapping": {
                "total_fields": {
                  "limit": "10000"
                }
              },
              "query": {
                "default_field": [
                  "cloud.account.id",
                  "cloud.availability_zone",
                  "cloud.instance.id",
                  "cloud.instance.name",
                  "cloud.machine.type",
                  "cloud.provider",
                  "cloud.region",
                  "cloud.project.id",
                  "cloud.image.id",
                  "container.id",
                  "container.image.name",
                  "container.name",
                  "host.architecture",
                  "host.hostname",
                  "host.id",
                  "host.mac",
                  "host.name",
                  "host.os.family",
                  "host.os.kernel",
                  "host.os.name",
                  "host.os.platform",
                  "host.os.version",
                  "host.os.build",
                  "host.os.codename",
                  "host.type",
                  "ecs.version",
                  "agent.build.original",
                  "agent.ephemeral_id",
                  "agent.id",
                  "agent.name",
                  "agent.type",
                  "agent.version",
                  "log.level",
                  "message",
                  "elastic_agent.id",
                  "elastic_agent.process",
                  "elastic_agent.version"
                ]
              }
            }
          },
          "mappings": {
            "dynamic": false,
            "dynamic_templates": [
              {
                "container.labels": {
                  "path_match": "container.labels.*",
                  "mapping": {
                    "type": "keyword"
                  },
                  "match_mapping_type": "string"
                }
              }
            ],
            "properties": {
              "cloud": {
                "properties": {
                  "availability_zone": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "image": {
                    "properties": {
                      "id": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "instance": {
                    "properties": {
                      "name": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "id": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "provider": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "machine": {
                    "properties": {
                      "type": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "project": {
                    "properties": {
                      "id": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "region": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "account": {
                    "properties": {
                      "id": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  }
                }
              },
              "container": {
                "properties": {
                  "image": {
                    "properties": {
                      "name": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "name": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "agent": {
                "properties": {
                  "build": {
                    "properties": {
                      "original": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "name": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "ephemeral_id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "type": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "version": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "@timestamp": {
                "type": "date"
              },
              "ecs": {
                "properties": {
                  "version": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "log": {
                "properties": {
                  "level": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "data_stream": {
                "properties": {
                  "namespace": {
                    "type": "constant_keyword"
                  },
                  "type": {
                    "type": "constant_keyword"
                  },
                  "dataset": {
                    "type": "constant_keyword"
                  }
                }
              },
              "host": {
                "properties": {
                  "hostname": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "os": {
                    "properties": {
                      "build": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "kernel": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "codename": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "name": {
                        "ignore_above": 1024,
                        "type": "keyword",
                        "fields": {
                          "text": {
                            "type": "text"
                          }
                        }
                      },
                      "family": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "version": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "platform": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "domain": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "ip": {
                    "type": "ip"
                  },
                  "containerized": {
                    "type": "boolean"
                  },
                  "name": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "type": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "mac": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "architecture": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "elastic_agent": {
                "properties": {
                  "process": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "version": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "snapshot": {
                    "type": "boolean"
                  }
                }
              },
              "event": {
                "properties": {
                  "dataset": {
                    "type": "constant_keyword"
                  }
                }
              },
              "message": {
                "type": "text"
              }
            }
          }
        },
        "_meta": {
          "package": {
            "name": "elastic_agent"
          },
          "managed_by": "fleet",
          "managed": true
        }
      }
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@custom.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@custom.json
@@ -1,12 +0,0 @@
 {
  "template": {
    "settings": {}
  },
  "_meta": {
    "package": {
      "name": "elastic_agent"
    },
    "managed_by": "fleet",
    "managed": true
  }
 }
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json
@@ -1,339 +0,0 @@
        {"template": {
          "settings": {
            "index": {
              "lifecycle": {
                "name": "logs"
              },
              "codec": "best_compression",
              "default_pipeline": "logs-elastic_agent.cloudbeat-1.7.0",
              "mapping": {
                "total_fields": {
                  "limit": "10000"
                }
              },
              "query": {
                "default_field": [
                  "cloud.account.id",
                  "cloud.availability_zone",
                  "cloud.instance.id",
                  "cloud.instance.name",
                  "cloud.machine.type",
                  "cloud.provider",
                  "cloud.region",
                  "cloud.project.id",
                  "cloud.image.id",
                  "container.id",
                  "container.image.name",
                  "container.name",
                  "host.architecture",
                  "host.hostname",
                  "host.id",
                  "host.mac",
                  "host.name",
                  "host.os.family",
                  "host.os.kernel",
                  "host.os.name",
                  "host.os.platform",
                  "host.os.version",
                  "host.os.build",
                  "host.os.codename",
                  "host.type",
                  "ecs.version",
                  "agent.build.original",
                  "agent.ephemeral_id",
                  "agent.id",
                  "agent.name",
                  "agent.type",
                  "agent.version",
                  "log.level",
                  "message",
                  "decision_id",
                  "elastic_agent.id",
                  "elastic_agent.process",
                  "elastic_agent.version"
                ]
              }
            }
          },
          "mappings": {
            "dynamic": false,
            "dynamic_templates": [
              {
                "container.labels": {
                  "path_match": "container.labels.*",
                  "mapping": {
                    "type": "keyword"
                  },
                  "match_mapping_type": "string"
                }
              }
            ],
            "properties": {
              "container": {
                "properties": {
                  "image": {
                    "properties": {
                      "name": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "name": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "agent": {
                "properties": {
                  "build": {
                    "properties": {
                      "original": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "name": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "ephemeral_id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "type": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "version": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "log": {
                "properties": {
                  "level": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "elastic_agent": {
                "properties": {
                  "process": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "version": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "snapshot": {
                    "type": "boolean"
                  }
                }
              },
              "message": {
                "type": "match_only_text"
              },
              "cloud": {
                "properties": {
                  "availability_zone": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "image": {
                    "properties": {
                      "id": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "instance": {
                    "properties": {
                      "name": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "id": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "provider": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "machine": {
                    "properties": {
                      "type": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "project": {
                    "properties": {
                      "id": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "region": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "account": {
                    "properties": {
                      "id": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  }
                }
              },
              "result": {
                "type": "object"
              },
              "input": {
                "type": "object"
              },
              "@timestamp": {
                "type": "date"
              },
              "ecs": {
                "properties": {
                  "version": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "decision_id": {
                "type": "text"
              },
              "data_stream": {
                "properties": {
                  "namespace": {
                    "type": "constant_keyword"
                  },
                  "type": {
                    "type": "constant_keyword"
                  },
                  "dataset": {
                    "type": "constant_keyword"
                  }
                }
              },
              "host": {
                "properties": {
                  "hostname": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "os": {
                    "properties": {
                      "build": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "kernel": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "codename": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "name": {
                        "ignore_above": 1024,
                        "type": "keyword",
                        "fields": {
                          "text": {
                            "type": "text"
                          }
                        }
                      },
                      "family": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "version": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "platform": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "domain": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "ip": {
                    "type": "ip"
                  },
                  "containerized": {
                    "type": "boolean"
                  },
                  "name": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "type": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "mac": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "architecture": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "event": {
                "properties": {
                  "dataset": {
                    "type": "constant_keyword"
                  }
                }
              }
            }
          }
        },
        "_meta": {
          "package": {
            "name": "elastic_agent"
          },
          "managed_by": "fleet",
          "managed": true
        }
      }
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@custom.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@custom.json
@@ -1,12 +0,0 @@
 {
  "template": {
    "settings": {}
  },
  "_meta": {
    "package": {
      "name": "elastic_agent"
    },
    "managed_by": "fleet",
    "managed": true
  }
 }
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json
@@ -1,329 +0,0 @@
        {"template": {
          "settings": {
            "index": {
              "lifecycle": {
                "name": "logs"
              },
              "codec": "best_compression",
              "default_pipeline": "logs-elastic_agent.endpoint_security-1.7.0",
              "mapping": {
                "total_fields": {
                  "limit": "10000"
                }
              },
              "query": {
                "default_field": [
                  "cloud.account.id",
                  "cloud.availability_zone",
                  "cloud.instance.id",
                  "cloud.instance.name",
                  "cloud.machine.type",
                  "cloud.provider",
                  "cloud.region",
                  "cloud.project.id",
                  "cloud.image.id",
                  "container.id",
                  "container.image.name",
                  "container.name",
                  "host.architecture",
                  "host.hostname",
                  "host.id",
                  "host.mac",
                  "host.name",
                  "host.os.family",
                  "host.os.kernel",
                  "host.os.name",
                  "host.os.platform",
                  "host.os.version",
                  "host.os.build",
                  "host.os.codename",
                  "host.type",
                  "ecs.version",
                  "agent.build.original",
                  "agent.ephemeral_id",
                  "agent.id",
                  "agent.name",
                  "agent.type",
                  "agent.version",
                  "log.level",
                  "message",
                  "elastic_agent.id",
                  "elastic_agent.process",
                  "elastic_agent.version"
                ]
              }
            }
          },
          "mappings": {
            "dynamic": false,
            "dynamic_templates": [
              {
                "container.labels": {
                  "path_match": "container.labels.*",
                  "mapping": {
                    "type": "keyword"
                  },
                  "match_mapping_type": "string"
                }
              }
            ],
            "properties": {
              "cloud": {
                "properties": {
                  "availability_zone": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "image": {
                    "properties": {
                      "id": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "instance": {
                    "properties": {
                      "name": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "id": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "provider": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "machine": {
                    "properties": {
                      "type": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "project": {
                    "properties": {
                      "id": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "region": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "account": {
                    "properties": {
                      "id": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  }
                }
              },
              "container": {
                "properties": {
                  "image": {
                    "properties": {
                      "name": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "name": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "agent": {
                "properties": {
                  "build": {
                    "properties": {
                      "original": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "name": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "ephemeral_id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "type": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "version": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "@timestamp": {
                "type": "date"
              },
              "ecs": {
                "properties": {
                  "version": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "log": {
                "properties": {
                  "level": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "data_stream": {
                "properties": {
                  "namespace": {
                    "type": "constant_keyword"
                  },
                  "type": {
                    "type": "constant_keyword"
                  },
                  "dataset": {
                    "type": "constant_keyword"
                  }
                }
              },
              "host": {
                "properties": {
                  "hostname": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "os": {
                    "properties": {
                      "build": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "kernel": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "codename": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "name": {
                        "ignore_above": 1024,
                        "type": "keyword",
                        "fields": {
                          "text": {
                            "type": "text"
                          }
                        }
                      },
                      "family": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "version": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "platform": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "domain": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "ip": {
                    "type": "ip"
                  },
                  "containerized": {
                    "type": "boolean"
                  },
                  "name": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "type": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "mac": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "architecture": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "elastic_agent": {
                "properties": {
                  "process": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "version": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "snapshot": {
                    "type": "boolean"
                  }
                }
              },
              "event": {
                "properties": {
                  "dataset": {
                    "type": "constant_keyword"
                  }
                }
              },
              "message": {
                "type": "text"
              }
            }
          }
        },
        "_meta": {
          "package": {
            "name": "elastic_agent"
          },
          "managed_by": "fleet",
          "managed": true
        }
      }
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@custom.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@custom.json
@@ -1,12 +0,0 @@
 {
  "template": {
    "settings": {}
  },
  "_meta": {
    "package": {
      "name": "elastic_agent"
    },
    "managed_by": "fleet",
    "managed": true
  }
 }
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json
@@ -1,329 +0,0 @@
        {"template": {
          "settings": {
            "index": {
              "lifecycle": {
                "name": "logs"
              },
              "codec": "best_compression",
              "default_pipeline": "logs-elastic_agent.filebeat-1.7.0",
              "mapping": {
                "total_fields": {
                  "limit": "10000"
                }
              },
              "query": {
                "default_field": [
                  "cloud.account.id",
                  "cloud.availability_zone",
                  "cloud.instance.id",
                  "cloud.instance.name",
                  "cloud.machine.type",
                  "cloud.provider",
                  "cloud.region",
                  "cloud.project.id",
                  "cloud.image.id",
                  "container.id",
                  "container.image.name",
                  "container.name",
                  "host.architecture",
                  "host.hostname",
                  "host.id",
                  "host.mac",
                  "host.name",
                  "host.os.family",
                  "host.os.kernel",
                  "host.os.name",
                  "host.os.platform",
                  "host.os.version",
                  "host.os.build",
                  "host.os.codename",
                  "host.type",
                  "ecs.version",
                  "agent.build.original",
                  "agent.ephemeral_id",
                  "agent.id",
                  "agent.name",
                  "agent.type",
                  "agent.version",
                  "log.level",
                  "message",
                  "elastic_agent.id",
                  "elastic_agent.process",
                  "elastic_agent.version"
                ]
              }
            }
          },
          "mappings": {
            "dynamic": false,
            "dynamic_templates": [
              {
                "container.labels": {
                  "path_match": "container.labels.*",
                  "mapping": {
                    "type": "keyword"
                  },
                  "match_mapping_type": "string"
                }
              }
            ],
            "properties": {
              "cloud": {
                "properties": {
                  "availability_zone": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "image": {
                    "properties": {
                      "id": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "instance": {
                    "properties": {
                      "name": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "id": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "provider": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "machine": {
                    "properties": {
                      "type": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "project": {
                    "properties": {
                      "id": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "region": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "account": {
                    "properties": {
                      "id": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  }
                }
              },
              "container": {
                "properties": {
                  "image": {
                    "properties": {
                      "name": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "name": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "agent": {
                "properties": {
                  "build": {
                    "properties": {
                      "original": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "name": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "ephemeral_id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "type": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "version": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "@timestamp": {
                "type": "date"
              },
              "ecs": {
                "properties": {
                  "version": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "log": {
                "properties": {
                  "level": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "data_stream": {
                "properties": {
                  "namespace": {
                    "type": "constant_keyword"
                  },
                  "type": {
                    "type": "constant_keyword"
                  },
                  "dataset": {
                    "type": "constant_keyword"
                  }
                }
              },
              "host": {
                "properties": {
                  "hostname": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "os": {
                    "properties": {
                      "build": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "kernel": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "codename": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "name": {
                        "ignore_above": 1024,
                        "type": "keyword",
                        "fields": {
                          "text": {
                            "type": "text"
                          }
                        }
                      },
                      "family": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "version": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "platform": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "domain": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "ip": {
                    "type": "ip"
                  },
                  "containerized": {
                    "type": "boolean"
                  },
                  "name": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "type": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "mac": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "architecture": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "elastic_agent": {
                "properties": {
                  "process": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "version": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "snapshot": {
                    "type": "boolean"
                  }
                }
              },
              "event": {
                "properties": {
                  "dataset": {
                    "type": "constant_keyword"
                  }
                }
              },
              "message": {
                "type": "text"
              }
            }
          }
        },
        "_meta": {
          "package": {
            "name": "elastic_agent"
          },
          "managed_by": "fleet",
          "managed": true
        }
      }
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@custom.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@custom.json
@@ -1,12 +0,0 @@
 {
  "template": {
    "settings": {}
  },
  "_meta": {
    "package": {
      "name": "elastic_agent"
    },
    "managed_by": "fleet",
    "managed": true
  }
 }
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json
@@ -1,329 +0,0 @@
        {"template": {
          "settings": {
            "index": {
              "lifecycle": {
                "name": "logs"
              },
              "codec": "best_compression",
              "default_pipeline": "logs-elastic_agent.fleet_server-1.7.0",
              "mapping": {
                "total_fields": {
                  "limit": "10000"
                }
              },
              "query": {
                "default_field": [
                  "cloud.account.id",
                  "cloud.availability_zone",
                  "cloud.instance.id",
                  "cloud.instance.name",
                  "cloud.machine.type",
                  "cloud.provider",
                  "cloud.region",
                  "cloud.project.id",
                  "cloud.image.id",
                  "container.id",
                  "container.image.name",
                  "container.name",
                  "host.architecture",
                  "host.hostname",
                  "host.id",
                  "host.mac",
                  "host.name",
                  "host.os.family",
                  "host.os.kernel",
                  "host.os.name",
                  "host.os.platform",
                  "host.os.version",
                  "host.os.build",
                  "host.os.codename",
                  "host.type",
                  "ecs.version",
                  "agent.build.original",
                  "agent.ephemeral_id",
                  "agent.id",
                  "agent.name",
                  "agent.type",
                  "agent.version",
                  "log.level",
                  "message",
                  "elastic_agent.id",
                  "elastic_agent.process",
                  "elastic_agent.version"
                ]
              }
            }
          },
          "mappings": {
            "dynamic": false,
            "dynamic_templates": [
              {
                "container.labels": {
                  "path_match": "container.labels.*",
                  "mapping": {
                    "type": "keyword"
                  },
                  "match_mapping_type": "string"
                }
              }
            ],
            "properties": {
              "cloud": {
                "properties": {
                  "availability_zone": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "image": {
                    "properties": {
                      "id": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "instance": {
                    "properties": {
                      "name": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "id": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "provider": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "machine": {
                    "properties": {
                      "type": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "project": {
                    "properties": {
                      "id": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "region": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "account": {
                    "properties": {
                      "id": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  }
                }
              },
              "container": {
                "properties": {
                  "image": {
                    "properties": {
                      "name": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "name": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "agent": {
                "properties": {
                  "build": {
                    "properties": {
                      "original": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "name": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "ephemeral_id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "type": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "version": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "@timestamp": {
                "type": "date"
              },
              "ecs": {
                "properties": {
                  "version": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "log": {
                "properties": {
                  "level": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "data_stream": {
                "properties": {
                  "namespace": {
                    "type": "constant_keyword"
                  },
                  "type": {
                    "type": "constant_keyword"
                  },
                  "dataset": {
                    "type": "constant_keyword"
                  }
                }
              },
              "host": {
                "properties": {
                  "hostname": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "os": {
                    "properties": {
                      "build": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "kernel": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "codename": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "name": {
                        "ignore_above": 1024,
                        "type": "keyword",
                        "fields": {
                          "text": {
                            "type": "text"
                          }
                        }
                      },
                      "family": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "version": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "platform": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "domain": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "ip": {
                    "type": "ip"
                  },
                  "containerized": {
                    "type": "boolean"
                  },
                  "name": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "type": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "mac": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "architecture": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "elastic_agent": {
                "properties": {
                  "process": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "version": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "snapshot": {
                    "type": "boolean"
                  }
                }
              },
              "event": {
                "properties": {
                  "dataset": {
                    "type": "constant_keyword"
                  }
                }
              },
              "message": {
                "type": "text"
              }
            }
          }
        },
        "_meta": {
          "package": {
            "name": "elastic_agent"
          },
          "managed_by": "fleet",
          "managed": true
        }
      }
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@custom.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@custom.json
@@ -1,12 +0,0 @@
 {
  "template": {
    "settings": {}
  },
  "_meta": {
    "package": {
      "name": "elastic_agent"
    },
    "managed_by": "fleet",
    "managed": true
  }
 }
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json
@@ -1,329 +0,0 @@
        {"template": {
          "settings": {
            "index": {
              "lifecycle": {
                "name": "logs"
              },
              "codec": "best_compression",
              "default_pipeline": "logs-elastic_agent.heartbeat-1.7.0",
              "mapping": {
                "total_fields": {
                  "limit": "10000"
                }
              },
              "query": {
                "default_field": [
                  "cloud.account.id",
                  "cloud.availability_zone",
                  "cloud.instance.id",
                  "cloud.instance.name",
                  "cloud.machine.type",
                  "cloud.provider",
                  "cloud.region",
                  "cloud.project.id",
                  "cloud.image.id",
                  "container.id",
                  "container.image.name",
                  "container.name",
                  "host.architecture",
                  "host.hostname",
                  "host.id",
                  "host.mac",
                  "host.name",
                  "host.os.family",
                  "host.os.kernel",
                  "host.os.name",
                  "host.os.platform",
                  "host.os.version",
                  "host.os.build",
                  "host.os.codename",
                  "host.type",
                  "ecs.version",
                  "agent.build.original",
                  "agent.ephemeral_id",
                  "agent.id",
                  "agent.name",
                  "agent.type",
                  "agent.version",
                  "log.level",
                  "message",
                  "elastic_agent.id",
                  "elastic_agent.process",
                  "elastic_agent.version"
                ]
              }
            }
          },
          "mappings": {
            "dynamic": false,
            "dynamic_templates": [
              {
                "container.labels": {
                  "path_match": "container.labels.*",
                  "mapping": {
                    "type": "keyword"
                  },
                  "match_mapping_type": "string"
                }
              }
            ],
            "properties": {
              "cloud": {
                "properties": {
                  "availability_zone": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "image": {
                    "properties": {
                      "id": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "instance": {
                    "properties": {
                      "name": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "id": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "provider": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "machine": {
                    "properties": {
                      "type": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "project": {
                    "properties": {
                      "id": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "region": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "account": {
                    "properties": {
                      "id": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  }
                }
              },
              "container": {
                "properties": {
                  "image": {
                    "properties": {
                      "name": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "name": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "agent": {
                "properties": {
                  "build": {
                    "properties": {
                      "original": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "name": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "ephemeral_id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "type": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "version": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "@timestamp": {
                "type": "date"
              },
              "ecs": {
                "properties": {
                  "version": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "log": {
                "properties": {
                  "level": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "data_stream": {
                "properties": {
                  "namespace": {
                    "type": "constant_keyword"
                  },
                  "type": {
                    "type": "constant_keyword"
                  },
                  "dataset": {
                    "type": "constant_keyword"
                  }
                }
              },
              "host": {
                "properties": {
                  "hostname": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "os": {
                    "properties": {
                      "build": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "kernel": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "codename": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "name": {
                        "ignore_above": 1024,
                        "type": "keyword",
                        "fields": {
                          "text": {
                            "type": "text"
                          }
                        }
                      },
                      "family": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "version": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "platform": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "domain": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "ip": {
                    "type": "ip"
                  },
                  "containerized": {
                    "type": "boolean"
                  },
                  "name": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "type": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "mac": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "architecture": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "elastic_agent": {
                "properties": {
                  "process": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "version": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "snapshot": {
                    "type": "boolean"
                  }
                }
              },
              "message": {
                "type": "text"
              },
              "event": {
                "properties": {
                  "dataset": {
                    "type": "constant_keyword"
                  }
                }
              }
            }
          }
        },
        "_meta": {
          "package": {
            "name": "elastic_agent"
          },
          "managed_by": "fleet",
          "managed": true
        }
      }
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@custom.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@custom.json
@@ -1,12 +0,0 @@
 {
  "template": {
    "settings": {}
  },
  "_meta": {
    "package": {
      "name": "elastic_agent"
    },
    "managed_by": "fleet",
    "managed": true
  }
 }
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json
@@ -1,329 +0,0 @@
        {"template": {
          "settings": {
            "index": {
              "lifecycle": {
                "name": "logs"
              },
              "codec": "best_compression",
              "default_pipeline": "logs-elastic_agent.metricbeat-1.7.0",
              "mapping": {
                "total_fields": {
                  "limit": "10000"
                }
              },
              "query": {
                "default_field": [
                  "cloud.account.id",
                  "cloud.availability_zone",
                  "cloud.instance.id",
                  "cloud.instance.name",
                  "cloud.machine.type",
                  "cloud.provider",
                  "cloud.region",
                  "cloud.project.id",
                  "cloud.image.id",
                  "container.id",
                  "container.image.name",
                  "container.name",
                  "host.architecture",
                  "host.hostname",
                  "host.id",
                  "host.mac",
                  "host.name",
                  "host.os.family",
                  "host.os.kernel",
                  "host.os.name",
                  "host.os.platform",
                  "host.os.version",
                  "host.os.build",
                  "host.os.codename",
                  "host.type",
                  "ecs.version",
                  "agent.build.original",
                  "agent.ephemeral_id",
                  "agent.id",
                  "agent.name",
                  "agent.type",
                  "agent.version",
                  "log.level",
                  "message",
                  "elastic_agent.id",
                  "elastic_agent.process",
                  "elastic_agent.version"
                ]
              }
            }
          },
          "mappings": {
            "dynamic": false,
            "dynamic_templates": [
              {
                "container.labels": {
                  "path_match": "container.labels.*",
                  "mapping": {
                    "type": "keyword"
                  },
                  "match_mapping_type": "string"
                }
              }
            ],
            "properties": {
              "cloud": {
                "properties": {
                  "availability_zone": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "image": {
                    "properties": {
                      "id": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "instance": {
                    "properties": {
                      "name": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "id": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "provider": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "machine": {
                    "properties": {
                      "type": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "project": {
                    "properties": {
                      "id": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "region": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "account": {
                    "properties": {
                      "id": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  }
                }
              },
              "container": {
                "properties": {
                  "image": {
                    "properties": {
                      "name": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "name": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "agent": {
                "properties": {
                  "build": {
                    "properties": {
                      "original": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "name": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "ephemeral_id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "type": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "version": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "@timestamp": {
                "type": "date"
              },
              "ecs": {
                "properties": {
                  "version": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "log": {
                "properties": {
                  "level": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "data_stream": {
                "properties": {
                  "namespace": {
                    "type": "constant_keyword"
                  },
                  "type": {
                    "type": "constant_keyword"
                  },
                  "dataset": {
                    "type": "constant_keyword"
                  }
                }
              },
              "host": {
                "properties": {
                  "hostname": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "os": {
                    "properties": {
                      "build": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "kernel": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "codename": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "name": {
                        "ignore_above": 1024,
                        "type": "keyword",
                        "fields": {
                          "text": {
                            "type": "text"
                          }
                        }
                      },
                      "family": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "version": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "platform": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "domain": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "ip": {
                    "type": "ip"
                  },
                  "containerized": {
                    "type": "boolean"
                  },
                  "name": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "type": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "mac": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "architecture": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "elastic_agent": {
                "properties": {
                  "process": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "version": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "snapshot": {
                    "type": "boolean"
                  }
                }
              },
              "event": {
                "properties": {
                  "dataset": {
                    "type": "constant_keyword"
                  }
                }
              },
              "message": {
                "type": "text"
              }
            }
          }
        },
        "_meta": {
          "package": {
            "name": "elastic_agent"
          },
          "managed_by": "fleet",
          "managed": true
        }
      }
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@custom.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@custom.json
@@ -1,12 +0,0 @@
 {
  "template": {
    "settings": {}
  },
  "_meta": {
    "package": {
      "name": "elastic_agent"
    },
    "managed_by": "fleet",
    "managed": true
  }
 }
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json
@@ -1,329 +0,0 @@
        {"template": {
          "settings": {
            "index": {
              "lifecycle": {
                "name": "logs"
              },
              "codec": "best_compression",
              "default_pipeline": "logs-elastic_agent.osquerybeat-1.7.0",
              "mapping": {
                "total_fields": {
                  "limit": "10000"
                }
              },
              "query": {
                "default_field": [
                  "cloud.account.id",
                  "cloud.availability_zone",
                  "cloud.instance.id",
                  "cloud.instance.name",
                  "cloud.machine.type",
                  "cloud.provider",
                  "cloud.region",
                  "cloud.project.id",
                  "cloud.image.id",
                  "container.id",
                  "container.image.name",
                  "container.name",
                  "host.architecture",
                  "host.hostname",
                  "host.id",
                  "host.mac",
                  "host.name",
                  "host.os.family",
                  "host.os.kernel",
                  "host.os.name",
                  "host.os.platform",
                  "host.os.version",
                  "host.os.build",
                  "host.os.codename",
                  "host.type",
                  "ecs.version",
                  "agent.build.original",
                  "agent.ephemeral_id",
                  "agent.id",
                  "agent.name",
                  "agent.type",
                  "agent.version",
                  "log.level",
                  "message",
                  "elastic_agent.id",
                  "elastic_agent.process",
                  "elastic_agent.version"
                ]
              }
            }
          },
          "mappings": {
            "dynamic": false,
            "dynamic_templates": [
              {
                "container.labels": {
                  "path_match": "container.labels.*",
                  "mapping": {
                    "type": "keyword"
                  },
                  "match_mapping_type": "string"
                }
              }
            ],
            "properties": {
              "cloud": {
                "properties": {
                  "availability_zone": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "image": {
                    "properties": {
                      "id": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "instance": {
                    "properties": {
                      "name": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "id": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "provider": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "machine": {
                    "properties": {
                      "type": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "project": {
                    "properties": {
                      "id": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "region": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "account": {
                    "properties": {
                      "id": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  }
                }
              },
              "container": {
                "properties": {
                  "image": {
                    "properties": {
                      "name": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "name": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "agent": {
                "properties": {
                  "build": {
                    "properties": {
                      "original": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "name": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "ephemeral_id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "type": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "version": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "@timestamp": {
                "type": "date"
              },
              "ecs": {
                "properties": {
                  "version": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "log": {
                "properties": {
                  "level": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "data_stream": {
                "properties": {
                  "namespace": {
                    "type": "constant_keyword"
                  },
                  "type": {
                    "type": "constant_keyword"
                  },
                  "dataset": {
                    "type": "constant_keyword"
                  }
                }
              },
              "host": {
                "properties": {
                  "hostname": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "os": {
                    "properties": {
                      "build": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "kernel": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "codename": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "name": {
                        "ignore_above": 1024,
                        "type": "keyword",
                        "fields": {
                          "text": {
                            "type": "text"
                          }
                        }
                      },
                      "family": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "version": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "platform": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "domain": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "ip": {
                    "type": "ip"
                  },
                  "containerized": {
                    "type": "boolean"
                  },
                  "name": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "type": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "mac": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "architecture": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "elastic_agent": {
                "properties": {
                  "process": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "version": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "snapshot": {
                    "type": "boolean"
                  }
                }
              },
              "event": {
                "properties": {
                  "dataset": {
                    "type": "constant_keyword"
                  }
                }
              },
              "message": {
                "type": "text"
              }
            }
          }
        },
        "_meta": {
          "package": {
            "name": "elastic_agent"
          },
          "managed_by": "fleet",
          "managed": true
        }
      }
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@custom.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@custom.json
@@ -1,12 +0,0 @@
 {
  "template": {
    "settings": {}
  },
  "_meta": {
    "package": {
      "name": "elastic_agent"
    },
    "managed_by": "fleet",
    "managed": true
  }
 }
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json
@@ -1,322 +0,0 @@
        {"template": {
          "settings": {
            "index": {
              "lifecycle": {
                "name": "logs"
              },
              "codec": "best_compression",
              "default_pipeline": "logs-elastic_agent.packetbeat-1.7.0",
              "mapping": {
                "total_fields": {
                  "limit": "10000"
                }
              },
              "query": {
                "default_field": [
                  "cloud.account.id",
                  "cloud.availability_zone",
                  "cloud.instance.id",
                  "cloud.instance.name",
                  "cloud.machine.type",
                  "cloud.provider",
                  "cloud.region",
                  "cloud.project.id",
                  "cloud.image.id",
                  "container.id",
                  "container.image.name",
                  "container.name",
                  "host.architecture",
                  "host.hostname",
                  "host.id",
                  "host.mac",
                  "host.name",
                  "host.os.family",
                  "host.os.kernel",
                  "host.os.name",
                  "host.os.platform",
                  "host.os.version",
                  "host.os.build",
                  "host.os.codename",
                  "host.type",
                  "ecs.version",
                  "agent.build.original",
                  "agent.ephemeral_id",
                  "agent.id",
                  "agent.name",
                  "agent.type",
                  "agent.version",
                  "log.level",
                  "message",
                  "elastic_agent.id",
                  "elastic_agent.process",
                  "elastic_agent.version"
                ]
              }
            }
          },
          "mappings": {
            "dynamic": false,
            "dynamic_templates": [
              {
                "container.labels": {
                  "path_match": "container.labels.*",
                  "mapping": {
                    "type": "keyword"
                  },
                  "match_mapping_type": "string"
                }
              }
            ],
            "properties": {
              "cloud": {
                "properties": {
                  "availability_zone": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "image": {
                    "properties": {
                      "id": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "instance": {
                    "properties": {
                      "name": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "id": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "provider": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "machine": {
                    "properties": {
                      "type": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "project": {
                    "properties": {
                      "id": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "region": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "account": {
                    "properties": {
                      "id": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  }
                }
              },
              "container": {
                "properties": {
                  "image": {
                    "properties": {
                      "name": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "name": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "agent": {
                "properties": {
                  "build": {
                    "properties": {
                      "original": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "name": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "ephemeral_id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "type": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "version": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "@timestamp": {
                "type": "date"
              },
              "ecs": {
                "properties": {
                  "version": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "log": {
                "properties": {
                  "level": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "data_stream": {
                "properties": {
                  "namespace": {
                    "type": "constant_keyword"
                  },
                  "type": {
                    "type": "constant_keyword"
                  },
                  "dataset": {
                    "type": "constant_keyword"
                  }
                }
              },
              "host": {
                "properties": {
                  "hostname": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "os": {
                    "properties": {
                      "build": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "kernel": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "codename": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "name": {
                        "ignore_above": 1024,
                        "type": "keyword",
                        "fields": {
                          "text": {
                            "type": "text"
                          }
                        }
                      },
                      "family": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "version": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "platform": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "domain": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "ip": {
                    "type": "ip"
                  },
                  "containerized": {
                    "type": "boolean"
                  },
                  "name": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "type": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "mac": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "architecture": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "elastic_agent": {
                "properties": {
                  "process": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "version": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "snapshot": {
                    "type": "boolean"
                  }
                }
              },
              "message": {
                "type": "text"
              }
            }
          }
        },
        "_meta": {
          "package": {
            "name": "elastic_agent"
          },
          "managed_by": "fleet",
          "managed": true
        }
      }
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@custom.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@custom.json
@@ -1,12 +0,0 @@
 {
  "template": {
    "settings": {}
  },
  "_meta": {
    "package": {
      "name": "elastic_agent"
    },
    "managed_by": "fleet",
    "managed": true
  }
 }
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@package.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@package.json
@@ -1,952 +0,0 @@
        {"template": {
          "settings": {
            "index": {
              "lifecycle": {
                "name": "logs"
              },
              "codec": "best_compression",
              "default_pipeline": "logs-system.application-1.6.4",
              "mapping": {
                "total_fields": {
                  "limit": "10000"
                }
              },
              "query": {
                "default_field": [
                  "cloud.account.id",
                  "cloud.availability_zone",
                  "cloud.instance.id",
                  "cloud.instance.name",
                  "cloud.machine.type",
                  "cloud.provider",
                  "cloud.region",
                  "cloud.project.id",
                  "cloud.image.id",
                  "container.id",
                  "container.image.name",
                  "container.name",
                  "host.architecture",
                  "host.hostname",
                  "host.id",
                  "host.mac",
                  "host.name",
                  "host.os.family",
                  "host.os.kernel",
                  "host.os.name",
                  "host.os.platform",
                  "host.os.version",
                  "host.os.build",
                  "host.os.codename",
                  "host.type",
                  "event.code",
                  "event.original",
                  "error.message",
                  "message",
                  "winlog.api",
                  "winlog.activity_id",
                  "winlog.computer_name",
                  "winlog.event_data.AuthenticationPackageName",
                  "winlog.event_data.Binary",
                  "winlog.event_data.BitlockerUserInputTime",
                  "winlog.event_data.BootMode",
                  "winlog.event_data.BootType",
                  "winlog.event_data.BuildVersion",
                  "winlog.event_data.Company",
                  "winlog.event_data.CorruptionActionState",
                  "winlog.event_data.CreationUtcTime",
                  "winlog.event_data.Description",
                  "winlog.event_data.Detail",
                  "winlog.event_data.DeviceName",
                  "winlog.event_data.DeviceNameLength",
                  "winlog.event_data.DeviceTime",
                  "winlog.event_data.DeviceVersionMajor",
                  "winlog.event_data.DeviceVersionMinor",
                  "winlog.event_data.DriveName",
                  "winlog.event_data.DriverName",
                  "winlog.event_data.DriverNameLength",
                  "winlog.event_data.DwordVal",
                  "winlog.event_data.EntryCount",
                  "winlog.event_data.ExtraInfo",
                  "winlog.event_data.FailureName",
                  "winlog.event_data.FailureNameLength",
                  "winlog.event_data.FileVersion",
                  "winlog.event_data.FinalStatus",
                  "winlog.event_data.Group",
                  "winlog.event_data.IdleImplementation",
                  "winlog.event_data.IdleStateCount",
                  "winlog.event_data.ImpersonationLevel",
                  "winlog.event_data.IntegrityLevel",
                  "winlog.event_data.IpAddress",
                  "winlog.event_data.IpPort",
                  "winlog.event_data.KeyLength",
                  "winlog.event_data.LastBootGood",
                  "winlog.event_data.LastShutdownGood",
                  "winlog.event_data.LmPackageName",
                  "winlog.event_data.LogonGuid",
                  "winlog.event_data.LogonId",
                  "winlog.event_data.LogonProcessName",
                  "winlog.event_data.LogonType",
                  "winlog.event_data.MajorVersion",
                  "winlog.event_data.MaximumPerformancePercent",
                  "winlog.event_data.MemberName",
                  "winlog.event_data.MemberSid",
                  "winlog.event_data.MinimumPerformancePercent",
                  "winlog.event_data.MinimumThrottlePercent",
                  "winlog.event_data.MinorVersion",
                  "winlog.event_data.NewProcessId",
                  "winlog.event_data.NewProcessName",
                  "winlog.event_data.NewSchemeGuid",
                  "winlog.event_data.NewTime",
                  "winlog.event_data.NominalFrequency",
                  "winlog.event_data.Number",
                  "winlog.event_data.OldSchemeGuid",
                  "winlog.event_data.OldTime",
                  "winlog.event_data.OriginalFileName",
                  "winlog.event_data.Path",
                  "winlog.event_data.PerformanceImplementation",
                  "winlog.event_data.PreviousCreationUtcTime",
                  "winlog.event_data.PreviousTime",
                  "winlog.event_data.PrivilegeList",
                  "winlog.event_data.ProcessId",
                  "winlog.event_data.ProcessName",
                  "winlog.event_data.ProcessPath",
                  "winlog.event_data.ProcessPid",
                  "winlog.event_data.Product",
                  "winlog.event_data.PuaCount",
                  "winlog.event_data.PuaPolicyId",
                  "winlog.event_data.QfeVersion",
                  "winlog.event_data.Reason",
                  "winlog.event_data.SchemaVersion",
                  "winlog.event_data.ScriptBlockText",
                  "winlog.event_data.ServiceName",
                  "winlog.event_data.ServiceVersion",
                  "winlog.event_data.ShutdownActionType",
                  "winlog.event_data.ShutdownEventCode",
                  "winlog.event_data.ShutdownReason",
                  "winlog.event_data.Signature",
                  "winlog.event_data.SignatureStatus",
                  "winlog.event_data.Signed",
                  "winlog.event_data.StartTime",
                  "winlog.event_data.State",
                  "winlog.event_data.Status",
                  "winlog.event_data.StopTime",
                  "winlog.event_data.SubjectDomainName",
                  "winlog.event_data.SubjectLogonId",
                  "winlog.event_data.SubjectUserName",
                  "winlog.event_data.SubjectUserSid",
                  "winlog.event_data.TSId",
                  "winlog.event_data.TargetDomainName",
                  "winlog.event_data.TargetInfo",
                  "winlog.event_data.TargetLogonGuid",
                  "winlog.event_data.TargetLogonId",
                  "winlog.event_data.TargetServerName",
                  "winlog.event_data.TargetUserName",
                  "winlog.event_data.TargetUserSid",
                  "winlog.event_data.TerminalSessionId",
                  "winlog.event_data.TokenElevationType",
                  "winlog.event_data.TransmittedServices",
                  "winlog.event_data.UserSid",
                  "winlog.event_data.Version",
                  "winlog.event_data.Workstation",
                  "winlog.event_data.param1",
                  "winlog.event_data.param2",
                  "winlog.event_data.param3",
                  "winlog.event_data.param4",
                  "winlog.event_data.param5",
                  "winlog.event_data.param6",
                  "winlog.event_data.param7",
                  "winlog.event_data.param8",
                  "winlog.event_id",
                  "winlog.keywords",
                  "winlog.channel",
                  "winlog.record_id",
                  "winlog.related_activity_id",
                  "winlog.opcode",
                  "winlog.provider_guid",
                  "winlog.provider_name",
                  "winlog.task",
                  "winlog.user.identifier",
                  "winlog.user.name",
                  "winlog.user.domain",
                  "winlog.user.type"
                ]
              }
            }
          },
          "mappings": {
            "dynamic_templates": [
              {
                "container.labels": {
                  "path_match": "container.labels.*",
                  "mapping": {
                    "type": "keyword"
                  },
                  "match_mapping_type": "string"
                }
              },
              {
                "winlog.user_data": {
                  "path_match": "winlog.user_data.*",
                  "mapping": {
                    "type": "keyword"
                  },
                  "match_mapping_type": "string"
                }
              }
            ],
            "properties": {
              "cloud": {
                "properties": {
                  "availability_zone": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "image": {
                    "properties": {
                      "id": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "instance": {
                    "properties": {
                      "name": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "id": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "provider": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "machine": {
                    "properties": {
                      "type": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "project": {
                    "properties": {
                      "id": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "region": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "account": {
                    "properties": {
                      "id": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  }
                }
              },
              "container": {
                "properties": {
                  "image": {
                    "properties": {
                      "name": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "name": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "@timestamp": {
                "type": "date"
              },
              "winlog": {
                "properties": {
                  "related_activity_id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "computer_name": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "process": {
                    "properties": {
                      "pid": {
                        "type": "long"
                      },
                      "thread": {
                        "properties": {
                          "id": {
                            "type": "long"
                          }
                        }
                      }
                    }
                  },
                  "keywords": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "channel": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "event_data": {
                    "properties": {
                      "SignatureStatus": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "DeviceTime": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "ProcessName": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "LogonGuid": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "OriginalFileName": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "BootMode": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "Product": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "TargetLogonGuid": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "FileVersion": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "StopTime": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "Status": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "CorruptionActionState": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "KeyLength": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "PreviousCreationUtcTime": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "TargetInfo": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "ServiceVersion": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "SubjectUserSid": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "PerformanceImplementation": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "TargetUserSid": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "Group": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "Description": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "ShutdownActionType": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "DwordVal": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "ProcessPid": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "DeviceVersionMajor": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "ScriptBlockText": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "TransmittedServices": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "MaximumPerformancePercent": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "NewTime": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "FinalStatus": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "IdleStateCount": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "MajorVersion": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "Path": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "SchemaVersion": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "TokenElevationType": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "MinorVersion": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "SubjectLogonId": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "IdleImplementation": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "ProcessPath": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "QfeVersion": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "DeviceVersionMinor": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "OldTime": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "IpAddress": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "DeviceName": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "Company": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "PuaPolicyId": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "IntegrityLevel": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "LastShutdownGood": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "IpPort": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "DriverNameLength": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "LmPackageName": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "UserSid": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "LastBootGood": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "PuaCount": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "Version": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "Signed": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "StartTime": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "ShutdownEventCode": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "NewProcessName": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "FailureNameLength": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "ServiceName": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "PreviousTime": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "State": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "BootType": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "Binary": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "ImpersonationLevel": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "MemberName": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "TargetUserName": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "Detail": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "TerminalSessionId": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "MemberSid": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "DriverName": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "DeviceNameLength": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "OldSchemeGuid": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "CreationUtcTime": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "Reason": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "ShutdownReason": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "TargetServerName": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "Number": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "BuildVersion": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "SubjectDomainName": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "MinimumPerformancePercent": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "LogonId": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "LogonProcessName": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "TSId": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "TargetDomainName": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "PrivilegeList": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "param7": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "param8": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "param5": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "param6": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "DriveName": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "NewProcessId": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "LogonType": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "ExtraInfo": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "param3": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "param4": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "param1": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "param2": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "TargetLogonId": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "Workstation": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "SubjectUserName": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "FailureName": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "NewSchemeGuid": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "Signature": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "MinimumThrottlePercent": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "ProcessId": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "EntryCount": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "BitlockerUserInputTime": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "AuthenticationPackageName": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "NominalFrequency": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "opcode": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "version": {
                    "type": "long"
                  },
                  "record_id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "event_id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "task": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "provider_guid": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "activity_id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "api": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "provider_name": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "user": {
                    "properties": {
                      "identifier": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "domain": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "name": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "type": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  }
                }
              },
              "data_stream": {
                "properties": {
                  "namespace": {
                    "type": "constant_keyword"
                  },
                  "type": {
                    "type": "constant_keyword"
                  },
                  "dataset": {
                    "type": "constant_keyword"
                  }
                }
              },
              "host": {
                "properties": {
                  "hostname": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "os": {
                    "properties": {
                      "build": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "kernel": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "codename": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "name": {
                        "ignore_above": 1024,
                        "type": "keyword",
                        "fields": {
                          "text": {
                            "type": "text"
                          }
                        }
                      },
                      "family": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "version": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      },
                      "platform": {
                        "ignore_above": 1024,
                        "type": "keyword"
                      }
                    }
                  },
                  "domain": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "ip": {
                    "type": "ip"
                  },
                  "containerized": {
                    "type": "boolean"
                  },
                  "name": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "id": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "type": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "mac": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "architecture": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  }
                }
              },
              "event": {
                "properties": {
                  "ingested": {
                    "type": "date"
                  },
                  "code": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "original": {
                    "ignore_above": 1024,
                    "type": "keyword"
                  },
                  "created": {
                    "type": "date"
                  },
                  "module": {
                    "type": "constant_keyword",
                    "value": "system"
                  },
                  "dataset": {
                    "type": "constant_keyword",
                    "value": "system.application"
                  }
                }
              },
              "error": {
                "properties": {
                  "message": {
                    "type": "match_only_text"
                  }
                }
              },
              "message": {
                "type": "match_only_text"
              }
            }
          }
        },
        "_meta": {
          "package": {
            "name": "system"
          },
          "managed_by": "fleet",
          "managed": true
        }
      }
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@custom.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@custom.json
@@ -1,12 +0,0 @@
 {
  "template": {
    "settings": {}
  },
  "_meta": {
    "package": {
      "name": "elastic_agent"
    },
    "managed_by": "fleet",
    "managed": true
  }
 }
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@package.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@package.json
@@ -1,530 +0,0 @@
 {
  "template": {
    "settings": {
      "index": {
        "lifecycle": {
          "name": "logs"
        },
        "codec": "best_compression",
        "default_pipeline": "logs-system.auth-1.6.4",
        "mapping": {
          "total_fields": {
            "limit": "10000"
          }
        },
        "query": {
          "default_field": [
            "cloud.account.id",
            "cloud.availability_zone",
            "cloud.instance.id",
            "cloud.instance.name",
            "cloud.machine.type",
            "cloud.provider",
            "cloud.region",
            "cloud.project.id",
            "cloud.image.id",
            "container.id",
            "container.image.name",
            "container.name",
            "host.architecture",
            "host.hostname",
            "host.id",
            "host.mac",
            "host.name",
            "host.os.family",
            "host.os.kernel",
            "host.os.name",
            "host.os.platform",
            "host.os.version",
            "host.os.build",
            "host.os.codename",
            "host.os.full",
            "host.type",
            "event.action",
            "event.category",
            "event.code",
            "event.kind",
            "event.outcome",
            "event.provider",
            "event.type",
            "ecs.version",
            "error.message",
            "group.id",
            "group.name",
            "message",
            "process.name",
            "related.hosts",
            "related.user",
            "source.as.organization.name",
            "source.geo.city_name",
            "source.geo.continent_name",
            "source.geo.country_iso_code",
            "source.geo.country_name",
            "source.geo.region_iso_code",
            "source.geo.region_name",
            "user.effective.name",
            "user.id",
            "user.name",
            "system.auth.ssh.method",
            "system.auth.ssh.signature",
            "system.auth.ssh.event",
            "system.auth.sudo.error",
            "system.auth.sudo.tty",
            "system.auth.sudo.pwd",
            "system.auth.sudo.user",
            "system.auth.sudo.command",
            "system.auth.useradd.home",
            "system.auth.useradd.shell",
            "version"
          ]
        }
      }
    },
    "mappings": {
      "dynamic_templates": [
        {
          "container.labels": {
            "path_match": "container.labels.*",
            "mapping": {
              "type": "keyword"
            },
            "match_mapping_type": "string"
          }
        }
      ],
      "properties": {
        "container": {
          "properties": {
            "image": {
              "properties": {
                "name": {
                  "ignore_above": 1024,
                  "type": "keyword"
                }
              }
            },
            "name": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "id": {
              "ignore_above": 1024,
              "type": "keyword"
            }
          }
        },
        "process": {
          "properties": {
            "name": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "pid": {
              "type": "long"
            }
          }
        },
        "source": {
          "properties": {
            "geo": {
              "properties": {
                "continent_name": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "region_iso_code": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "city_name": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "country_iso_code": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "country_name": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "location": {
                  "type": "geo_point"
                },
                "region_name": {
                  "ignore_above": 1024,
                  "type": "keyword"
                }
              }
            },
            "as": {
              "properties": {
                "number": {
                  "type": "long"
                },
                "organization": {
                  "properties": {
                    "name": {
                      "ignore_above": 1024,
                      "type": "keyword"
                    }
                  }
                }
              }
            },
            "port": {
              "type": "long"
            },
            "ip": {
              "type": "ip"
            }
          }
        },
        "error": {
          "properties": {
            "message": {
              "type": "match_only_text"
            }
          }
        },
        "message": {
          "type": "match_only_text"
        },
        "version": {
          "ignore_above": 1024,
          "type": "keyword"
        },
        "cloud": {
          "properties": {
            "availability_zone": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "image": {
              "properties": {
                "id": {
                  "ignore_above": 1024,
                  "type": "keyword"
                }
              }
            },
            "instance": {
              "properties": {
                "name": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "id": {
                  "ignore_above": 1024,
                  "type": "keyword"
                }
              }
            },
            "provider": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "machine": {
              "properties": {
                "type": {
                  "ignore_above": 1024,
                  "type": "keyword"
                }
              }
            },
            "project": {
              "properties": {
                "id": {
                  "ignore_above": 1024,
                  "type": "keyword"
                }
              }
            },
            "region": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "account": {
              "properties": {
                "id": {
                  "ignore_above": 1024,
                  "type": "keyword"
                }
              }
            }
          }
        },
        "@timestamp": {
          "type": "date"
        },
        "system": {
          "properties": {
            "auth": {
              "properties": {
                "ssh": {
                  "properties": {
                    "method": {
                      "ignore_above": 1024,
                      "type": "keyword"
                    },
                    "dropped_ip": {
                      "type": "ip"
                    },
                    "signature": {
                      "ignore_above": 1024,
                      "type": "keyword"
                    },
                    "event": {
                      "ignore_above": 1024,
                      "type": "keyword"
                    }
                  }
                },
                "sudo": {
                  "properties": {
                    "tty": {
                      "ignore_above": 1024,
                      "type": "keyword"
                    },
                    "error": {
                      "ignore_above": 1024,
                      "type": "keyword"
                    },
                    "pwd": {
                      "ignore_above": 1024,
                      "type": "keyword"
                    },
                    "user": {
                      "ignore_above": 1024,
                      "type": "keyword"
                    },
                    "command": {
                      "ignore_above": 1024,
                      "type": "keyword"
                    }
                  }
                },
                "useradd": {
                  "properties": {
                    "shell": {
                      "ignore_above": 1024,
                      "type": "keyword"
                    },
                    "home": {
                      "ignore_above": 1024,
                      "type": "keyword"
                    }
                  }
                }
              }
            }
          }
        },
        "ecs": {
          "properties": {
            "version": {
              "ignore_above": 1024,
              "type": "keyword"
            }
          }
        },
        "related": {
          "properties": {
            "hosts": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "ip": {
              "type": "ip"
            },
            "user": {
              "ignore_above": 1024,
              "type": "keyword"
            }
          }
        },
        "data_stream": {
          "properties": {
            "namespace": {
              "type": "constant_keyword"
            },
            "type": {
              "type": "constant_keyword",
              "value": "logs"
            },
            "dataset": {
              "type": "constant_keyword"
            }
          }
        },
        "host": {
          "properties": {
            "hostname": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "os": {
              "properties": {
                "build": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "kernel": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "codename": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "name": {
                  "ignore_above": 1024,
                  "type": "keyword",
                  "fields": {
                    "text": {
                      "type": "text"
                    }
                  }
                },
                "family": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "version": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "platform": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "full": {
                  "ignore_above": 1024,
                  "type": "keyword"
                }
              }
            },
            "domain": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "ip": {
              "type": "ip"
            },
            "containerized": {
              "type": "boolean"
            },
            "name": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "id": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "type": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "mac": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "architecture": {
              "ignore_above": 1024,
              "type": "keyword"
            }
          }
        },
        "event": {
          "properties": {
            "sequence": {
              "type": "long"
            },
            "ingested": {
              "type": "date"
            },
            "code": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "provider": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "created": {
              "type": "date"
            },
            "kind": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "module": {
              "type": "constant_keyword",
              "value": "system"
            },
            "action": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "category": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "type": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "dataset": {
              "type": "constant_keyword",
              "value": "system.auth"
            },
            "outcome": {
              "ignore_above": 1024,
              "type": "keyword"
            }
          }
        },
        "user": {
          "properties": {
            "effective": {
              "properties": {
                "name": {
                  "ignore_above": 1024,
                  "type": "keyword"
                }
              }
            },
            "name": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "id": {
              "ignore_above": 1024,
              "type": "keyword"
            }
          }
        },
        "group": {
          "properties": {
            "name": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "id": {
              "ignore_above": 1024,
              "type": "keyword"
            }
          }
        }
      }
    }
  },
  "_meta": {
    "package": {
      "name": "system"
    },
    "managed_by": "fleet",
    "managed": true
  }
 }
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@custom.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@custom.json
@@ -1,12 +0,0 @@
 {
  "template": {
    "settings": {}
  },
  "_meta": {
    "package": {
      "name": "elastic_agent"
    },
    "managed_by": "fleet",
    "managed": true
  }
 }
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@package.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@package.json
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@custom.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@custom.json
@@ -1,12 +0,0 @@
 {
  "template": {
    "settings": {}
  },
  "_meta": {
    "package": {
      "name": "elastic_agent"
    },
    "managed_by": "fleet",
    "managed": true
  }
 }
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@package.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@package.json
@@ -1,327 +0,0 @@
 {
  "template": {
    "settings": {
      "index": {
        "lifecycle": {
          "name": "logs"
        },
        "codec": "best_compression",
        "default_pipeline": "logs-system.syslog-1.6.4",
        "mapping": {
          "total_fields": {
            "limit": "10000"
          }
        },
        "query": {
          "default_field": [
            "cloud.account.id",
            "cloud.availability_zone",
            "cloud.instance.id",
            "cloud.instance.name",
            "cloud.machine.type",
            "cloud.provider",
            "cloud.region",
            "cloud.project.id",
            "cloud.image.id",
            "container.id",
            "container.image.name",
            "container.name",
            "host.architecture",
            "host.hostname",
            "host.id",
            "host.mac",
            "host.name",
            "host.os.family",
            "host.os.kernel",
            "host.os.name",
            "host.os.platform",
            "host.os.version",
            "host.os.build",
            "host.os.codename",
            "host.os.full",
            "host.type",
            "event.action",
            "event.category",
            "event.code",
            "event.kind",
            "event.outcome",
            "event.provider",
            "event.type",
            "ecs.version",
            "message",
            "process.name"
          ]
        }
      }
    },
    "mappings": {
      "dynamic_templates": [
        {
          "container.labels": {
            "path_match": "container.labels.*",
            "mapping": {
              "type": "keyword"
            },
            "match_mapping_type": "string"
          }
        }
      ],
      "properties": {
        "cloud": {
          "properties": {
            "availability_zone": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "image": {
              "properties": {
                "id": {
                  "ignore_above": 1024,
                  "type": "keyword"
                }
              }
            },
            "instance": {
              "properties": {
                "name": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "id": {
                  "ignore_above": 1024,
                  "type": "keyword"
                }
              }
            },
            "provider": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "machine": {
              "properties": {
                "type": {
                  "ignore_above": 1024,
                  "type": "keyword"
                }
              }
            },
            "project": {
              "properties": {
                "id": {
                  "ignore_above": 1024,
                  "type": "keyword"
                }
              }
            },
            "region": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "account": {
              "properties": {
                "id": {
                  "ignore_above": 1024,
                  "type": "keyword"
                }
              }
            }
          }
        },
        "container": {
          "properties": {
            "image": {
              "properties": {
                "name": {
                  "ignore_above": 1024,
                  "type": "keyword"
                }
              }
            },
            "name": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "id": {
              "ignore_above": 1024,
              "type": "keyword"
            }
          }
        },
        "process": {
          "properties": {
            "name": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "pid": {
              "type": "long"
            }
          }
        },
        "@timestamp": {
          "type": "date"
        },
        "ecs": {
          "properties": {
            "version": {
              "ignore_above": 1024,
              "type": "keyword"
            }
          }
        },
        "data_stream": {
          "properties": {
            "namespace": {
              "type": "constant_keyword"
            },
            "type": {
              "type": "constant_keyword",
              "value": "logs"
            },
            "dataset": {
              "type": "constant_keyword"
            }
          }
        },
        "host": {
          "properties": {
            "hostname": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "os": {
              "properties": {
                "build": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "kernel": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "codename": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "name": {
                  "ignore_above": 1024,
                  "type": "keyword",
                  "fields": {
                    "text": {
                      "type": "text"
                    }
                  }
                },
                "family": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "version": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "platform": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "full": {
                  "ignore_above": 1024,
                  "type": "keyword"
                }
              }
            },
            "domain": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "ip": {
              "type": "ip"
            },
            "containerized": {
              "type": "boolean"
            },
            "name": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "id": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "type": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "mac": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "architecture": {
              "ignore_above": 1024,
              "type": "keyword"
            }
          }
        },
        "event": {
          "properties": {
            "sequence": {
              "type": "long"
            },
            "ingested": {
              "type": "date"
            },
            "code": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "provider": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "created": {
              "type": "date"
            },
            "kind": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "module": {
              "type": "constant_keyword",
              "value": "system"
            },
            "action": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "category": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "type": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "dataset": {
              "type": "constant_keyword",
              "value": "system.syslog"
            },
            "outcome": {
              "ignore_above": 1024,
              "type": "keyword"
            }
          }
        },
        "message": {
          "type": "match_only_text"
        }
      }
    }
  },
  "_meta": {
    "package": {
      "name": "system"
    },
    "managed_by": "fleet",
    "managed": true
  }
 }
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@custom.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@custom.json
@@ -1,12 +0,0 @@
 {
  "template": {
    "settings": {}
  },
  "_meta": {
    "package": {
      "name": "elastic_agent"
    },
    "managed_by": "fleet",
    "managed": true
  }
 }
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@package.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@package.json
@@ -1,986 +0,0 @@
 {
  "template": {
    "settings": {
      "index": {
        "lifecycle": {
          "name": "logs"
        },
        "codec": "best_compression",
        "default_pipeline": "logs-system.system-1.6.4",
        "mapping": {
          "total_fields": {
            "limit": "10000"
          }
        },
        "query": {
          "default_field": [
            "cloud.account.id",
            "cloud.availability_zone",
            "cloud.instance.id",
            "cloud.instance.name",
            "cloud.machine.type",
            "cloud.provider",
            "cloud.region",
            "cloud.project.id",
            "cloud.image.id",
            "container.id",
            "container.image.name",
            "container.name",
            "host.architecture",
            "host.hostname",
            "host.id",
            "host.mac",
            "host.name",
            "host.os.family",
            "host.os.kernel",
            "host.os.name",
            "host.os.platform",
            "host.os.version",
            "host.os.build",
            "host.os.codename",
            "host.type",
            "event.action",
            "event.category",
            "event.code",
            "event.kind",
            "event.original",
            "event.outcome",
            "event.provider",
            "event.type",
            "error.message",
            "message",
            "winlog.api",
            "winlog.activity_id",
            "winlog.computer_name",
            "winlog.event_data.AuthenticationPackageName",
            "winlog.event_data.Binary",
            "winlog.event_data.BitlockerUserInputTime",
            "winlog.event_data.BootMode",
            "winlog.event_data.BootType",
            "winlog.event_data.BuildVersion",
            "winlog.event_data.Company",
            "winlog.event_data.CorruptionActionState",
            "winlog.event_data.CreationUtcTime",
            "winlog.event_data.Description",
            "winlog.event_data.Detail",
            "winlog.event_data.DeviceName",
            "winlog.event_data.DeviceNameLength",
            "winlog.event_data.DeviceTime",
            "winlog.event_data.DeviceVersionMajor",
            "winlog.event_data.DeviceVersionMinor",
            "winlog.event_data.DriveName",
            "winlog.event_data.DriverName",
            "winlog.event_data.DriverNameLength",
            "winlog.event_data.DwordVal",
            "winlog.event_data.EntryCount",
            "winlog.event_data.ExtraInfo",
            "winlog.event_data.FailureName",
            "winlog.event_data.FailureNameLength",
            "winlog.event_data.FileVersion",
            "winlog.event_data.FinalStatus",
            "winlog.event_data.Group",
            "winlog.event_data.IdleImplementation",
            "winlog.event_data.IdleStateCount",
            "winlog.event_data.ImpersonationLevel",
            "winlog.event_data.IntegrityLevel",
            "winlog.event_data.IpAddress",
            "winlog.event_data.IpPort",
            "winlog.event_data.KeyLength",
            "winlog.event_data.LastBootGood",
            "winlog.event_data.LastShutdownGood",
            "winlog.event_data.LmPackageName",
            "winlog.event_data.LogonGuid",
            "winlog.event_data.LogonId",
            "winlog.event_data.LogonProcessName",
            "winlog.event_data.LogonType",
            "winlog.event_data.MajorVersion",
            "winlog.event_data.MaximumPerformancePercent",
            "winlog.event_data.MemberName",
            "winlog.event_data.MemberSid",
            "winlog.event_data.MinimumPerformancePercent",
            "winlog.event_data.MinimumThrottlePercent",
            "winlog.event_data.MinorVersion",
            "winlog.event_data.NewProcessId",
            "winlog.event_data.NewProcessName",
            "winlog.event_data.NewSchemeGuid",
            "winlog.event_data.NewTime",
            "winlog.event_data.NominalFrequency",
            "winlog.event_data.Number",
            "winlog.event_data.OldSchemeGuid",
            "winlog.event_data.OldTime",
            "winlog.event_data.OriginalFileName",
            "winlog.event_data.Path",
            "winlog.event_data.PerformanceImplementation",
            "winlog.event_data.PreviousCreationUtcTime",
            "winlog.event_data.PreviousTime",
            "winlog.event_data.PrivilegeList",
            "winlog.event_data.ProcessId",
            "winlog.event_data.ProcessName",
            "winlog.event_data.ProcessPath",
            "winlog.event_data.ProcessPid",
            "winlog.event_data.Product",
            "winlog.event_data.PuaCount",
            "winlog.event_data.PuaPolicyId",
            "winlog.event_data.QfeVersion",
            "winlog.event_data.Reason",
            "winlog.event_data.SchemaVersion",
            "winlog.event_data.ScriptBlockText",
            "winlog.event_data.ServiceName",
            "winlog.event_data.ServiceVersion",
            "winlog.event_data.ShutdownActionType",
            "winlog.event_data.ShutdownEventCode",
            "winlog.event_data.ShutdownReason",
            "winlog.event_data.Signature",
            "winlog.event_data.SignatureStatus",
            "winlog.event_data.Signed",
            "winlog.event_data.StartTime",
            "winlog.event_data.State",
            "winlog.event_data.Status",
            "winlog.event_data.StopTime",
            "winlog.event_data.SubjectDomainName",
            "winlog.event_data.SubjectLogonId",
            "winlog.event_data.SubjectUserName",
            "winlog.event_data.SubjectUserSid",
            "winlog.event_data.TSId",
            "winlog.event_data.TargetDomainName",
            "winlog.event_data.TargetInfo",
            "winlog.event_data.TargetLogonGuid",
            "winlog.event_data.TargetLogonId",
            "winlog.event_data.TargetServerName",
            "winlog.event_data.TargetUserName",
            "winlog.event_data.TargetUserSid",
            "winlog.event_data.TerminalSessionId",
            "winlog.event_data.TokenElevationType",
            "winlog.event_data.TransmittedServices",
            "winlog.event_data.UserSid",
            "winlog.event_data.Version",
            "winlog.event_data.Workstation",
            "winlog.event_data.param1",
            "winlog.event_data.param2",
            "winlog.event_data.param3",
            "winlog.event_data.param4",
            "winlog.event_data.param5",
            "winlog.event_data.param6",
            "winlog.event_data.param7",
            "winlog.event_data.param8",
            "winlog.event_id",
            "winlog.keywords",
            "winlog.channel",
            "winlog.record_id",
            "winlog.related_activity_id",
            "winlog.opcode",
            "winlog.provider_guid",
            "winlog.provider_name",
            "winlog.task",
            "winlog.user.identifier",
            "winlog.user.name",
            "winlog.user.domain",
            "winlog.user.type"
          ]
        }
      }
    },
    "mappings": {
      "dynamic_templates": [
        {
          "container.labels": {
            "path_match": "container.labels.*",
            "mapping": {
              "type": "keyword"
            },
            "match_mapping_type": "string"
          }
        },
        {
          "winlog.user_data": {
            "path_match": "winlog.user_data.*",
            "mapping": {
              "type": "keyword"
            },
            "match_mapping_type": "string"
          }
        }
      ],
      "properties": {
        "cloud": {
          "properties": {
            "availability_zone": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "image": {
              "properties": {
                "id": {
                  "ignore_above": 1024,
                  "type": "keyword"
                }
              }
            },
            "instance": {
              "properties": {
                "name": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "id": {
                  "ignore_above": 1024,
                  "type": "keyword"
                }
              }
            },
            "provider": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "machine": {
              "properties": {
                "type": {
                  "ignore_above": 1024,
                  "type": "keyword"
                }
              }
            },
            "project": {
              "properties": {
                "id": {
                  "ignore_above": 1024,
                  "type": "keyword"
                }
              }
            },
            "region": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "account": {
              "properties": {
                "id": {
                  "ignore_above": 1024,
                  "type": "keyword"
                }
              }
            }
          }
        },
        "container": {
          "properties": {
            "image": {
              "properties": {
                "name": {
                  "ignore_above": 1024,
                  "type": "keyword"
                }
              }
            },
            "name": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "id": {
              "ignore_above": 1024,
              "type": "keyword"
            }
          }
        },
        "@timestamp": {
          "type": "date"
        },
        "winlog": {
          "properties": {
            "related_activity_id": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "computer_name": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "process": {
              "properties": {
                "pid": {
                  "type": "long"
                },
                "thread": {
                  "properties": {
                    "id": {
                      "type": "long"
                    }
                  }
                }
              }
            },
            "keywords": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "channel": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "event_data": {
              "properties": {
                "SignatureStatus": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "DeviceTime": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "ProcessName": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "LogonGuid": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "OriginalFileName": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "BootMode": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "Product": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "TargetLogonGuid": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "FileVersion": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "StopTime": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "Status": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "CorruptionActionState": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "KeyLength": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "PreviousCreationUtcTime": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "TargetInfo": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "ServiceVersion": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "SubjectUserSid": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "PerformanceImplementation": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "TargetUserSid": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "Group": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "Description": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "ShutdownActionType": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "DwordVal": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "ProcessPid": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "DeviceVersionMajor": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "ScriptBlockText": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "TransmittedServices": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "MaximumPerformancePercent": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "NewTime": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "FinalStatus": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "IdleStateCount": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "MajorVersion": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "Path": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "SchemaVersion": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "TokenElevationType": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "MinorVersion": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "SubjectLogonId": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "IdleImplementation": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "ProcessPath": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "QfeVersion": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "DeviceVersionMinor": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "OldTime": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "IpAddress": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "DeviceName": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "Company": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "PuaPolicyId": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "IntegrityLevel": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "LastShutdownGood": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "IpPort": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "DriverNameLength": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "LmPackageName": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "UserSid": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "LastBootGood": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "PuaCount": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "Version": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "Signed": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "StartTime": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "ShutdownEventCode": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "NewProcessName": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "FailureNameLength": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "ServiceName": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "PreviousTime": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "State": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "BootType": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "Binary": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "ImpersonationLevel": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "MemberName": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "TargetUserName": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "Detail": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "TerminalSessionId": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "MemberSid": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "DriverName": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "DeviceNameLength": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "OldSchemeGuid": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "CreationUtcTime": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "Reason": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "ShutdownReason": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "TargetServerName": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "Number": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "BuildVersion": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "SubjectDomainName": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "MinimumPerformancePercent": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "LogonId": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "LogonProcessName": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "TSId": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "TargetDomainName": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "PrivilegeList": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "param7": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "param8": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "param5": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "param6": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "DriveName": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "NewProcessId": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "LogonType": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "ExtraInfo": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "param3": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "param4": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "param1": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "param2": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "TargetLogonId": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "Workstation": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "SubjectUserName": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "FailureName": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "NewSchemeGuid": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "Signature": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "MinimumThrottlePercent": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "ProcessId": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "EntryCount": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "BitlockerUserInputTime": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "AuthenticationPackageName": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "NominalFrequency": {
                  "ignore_above": 1024,
                  "type": "keyword"
                }
              }
            },
            "opcode": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "version": {
              "type": "long"
            },
            "record_id": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "event_id": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "task": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "provider_guid": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "activity_id": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "api": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "provider_name": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "user": {
              "properties": {
                "identifier": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "domain": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "name": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "type": {
                  "ignore_above": 1024,
                  "type": "keyword"
                }
              }
            }
          }
        },
        "data_stream": {
          "properties": {
            "namespace": {
              "type": "constant_keyword"
            },
            "type": {
              "type": "constant_keyword"
            },
            "dataset": {
              "type": "constant_keyword"
            }
          }
        },
        "host": {
          "properties": {
            "hostname": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "os": {
              "properties": {
                "build": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "kernel": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "codename": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "name": {
                  "ignore_above": 1024,
                  "type": "keyword",
                  "fields": {
                    "text": {
                      "type": "text"
                    }
                  }
                },
                "family": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "version": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "platform": {
                  "ignore_above": 1024,
                  "type": "keyword"
                }
              }
            },
            "domain": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "ip": {
              "type": "ip"
            },
            "containerized": {
              "type": "boolean"
            },
            "name": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "id": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "type": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "mac": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "architecture": {
              "ignore_above": 1024,
              "type": "keyword"
            }
          }
        },
        "event": {
          "properties": {
            "code": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "original": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "created": {
              "type": "date"
            },
            "kind": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "module": {
              "type": "constant_keyword",
              "value": "system"
            },
            "type": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "sequence": {
              "type": "long"
            },
            "ingested": {
              "type": "date"
            },
            "provider": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "action": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "category": {
              "ignore_above": 1024,
              "type": "keyword"
            },
            "dataset": {
              "type": "constant_keyword",
              "value": "system.system"
            },
            "outcome": {
              "ignore_above": 1024,
              "type": "keyword"
            }
          }
        },
        "error": {
          "properties": {
            "message": {
              "type": "match_only_text"
            }
          }
        },
        "message": {
          "type": "match_only_text"
        }
      }
    }
  },
  "_meta": {
    "package": {
      "name": "system"
    },
    "managed_by": "fleet",
    "managed": true
  }
 }
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@custom.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@custom.json
@@ -1,12 +0,0 @@
 {
  "template": {
    "settings": {}
  },
  "_meta": {
    "package": {
      "name": "elastic_agent"
    },
    "managed_by": "fleet",
    "managed": true
  }
 }
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@package.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@package.json
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@custom.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@custom.json
@@ -1,12 +0,0 @@
 {
  "template": {
    "settings": {}
  },
  "_meta": {
    "package": {
      "name": "elastic_agent"
    },
    "managed_by": "fleet",
    "managed": true
  }
 }
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@package.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@package.json
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@custom.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@custom.json
@@ -1,12 +0,0 @@
 {
  "template": {
    "settings": {}
  },
  "_meta": {
    "package": {
      "name": "elastic_agent"
    },
    "managed_by": "fleet",
    "managed": true
  }
 }
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@package.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@package.json
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@custom.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@custom.json
@@ -1,12 +0,0 @@
 {
  "template": {
    "settings": {}
  },
  "_meta": {
    "package": {
      "name": "elastic_agent"
    },
    "managed_by": "fleet",
    "managed": true
  }
 }
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@package.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@package.json
--- a/salt/elasticsearch/templates/component/so/so-scan-mappings.json
+++ b/salt/elasticsearch/templates/component/so/so-scan-mappings.json
@@ -20,7 +20,10 @@
                      "type": "float"
                    }
                  }
-                }
+                },
 		"image_version": {
 	          "type": "float"
 		}
              }
            },
            "elf": {
@@ -33,10 +36,17 @@
                  }
                }
              }
-            }
+            },
 	    "entropy": {
              "properties": {
                "entropy": {
 	          "type": "float"
 		}
 	      }
 	    }
          }
        }
      }
    }
  }
-}
+}
--- a/salt/elasticsearch/tools/sbin_jinja/so-elasticsearch-ilm-policy-load
+++ b/salt/elasticsearch/tools/sbin_jinja/so-elasticsearch-ilm-policy-load
@@ -6,8 +6,7 @@
 . /usr/sbin/so-common
-{%- import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS %}
+{%- from 'elasticsearch/template.map.jinja' import ES_INDEX_SETTINGS %}
 {%- set ES_INDEX_SETTINGS = salt['pillar.get']('elasticsearch:index_settings', default=ELASTICSEARCHDEFAULTS.elasticsearch.index_settings, merge=True) %}
 {%- for index, settings in ES_INDEX_SETTINGS.items() %}
 {%-   if settings.policy is defined %}
--- a/salt/firewall/containers.map.jinja
+++ b/salt/firewall/containers.map.jinja
@@ -58,6 +58,7 @@
 {% set NODE_CONTAINERS = [
     'so-curator',
     'so-elasticsearch',
     'so-elastic-agent',
     'so-logstash',
     'so-nginx',
     'so-redis',
--- a/salt/firewall/defaults.yaml
+++ b/salt/firewall/defaults.yaml
@@ -20,13 +20,12 @@ firewall:
    managersearch: []
    receiver: []
    searchnode: []
    securityonion_desktop: []
    self: []
    sensor: []
    standalone: []
    strelka_frontend: []
    syslog: []
-    workstation: []
+    desktop: []
    customhostgroup0: []
    customhostgroup1: []
    customhostgroup2: []
@@ -290,6 +289,11 @@ firewall:
                - elastic_agent_control
                - elastic_agent_data
                - elastic_agent_update
            desktop:
              portgroups:
                - elastic_agent_control
                - elastic_agent_data
                - elastic_agent_update
            customhostgroup0:
              portgroups: []
            customhostgroup1:
@@ -462,9 +466,15 @@ firewall:
            endgame:
              portgroups:
                - endgame
-            workstation:
+            desktop:
              portgroups:
                - docker_registry
                - influxdb
                - sensoroni
                - yum
                - elastic_agent_control
                - elastic_agent_data
                - elastic_agent_update
            customhostgroup0:
              portgroups: []
            customhostgroup1:
@@ -514,7 +524,7 @@ firewall:
            receiver:
              portgroups:
                - salt_manager
-            workstation:
+            desktop:
              portgroups:
                - salt_manager
            self:
@@ -650,9 +660,15 @@ firewall:
            endgame:
              portgroups:
                - endgame
-            workstation:
+            desktop:
              portgroups:
                - docker_registry
                - influxdb
                - sensoroni
                - yum
                - elastic_agent_control
                - elastic_agent_data
                - elastic_agent_update
            customhostgroup0:
              portgroups: []
            customhostgroup1:
@@ -702,7 +718,7 @@ firewall:
            receiver:
              portgroups:
                - salt_manager
-            workstation:
+            desktop:
              portgroups:
                - salt_manager
            self:
@@ -846,9 +862,15 @@ firewall:
            strelka_frontend:
              portgroups:
                - strelka_frontend
-            workstation:
+            desktop:
              portgroups:
                - docker_registry
                - influxdb
                - sensoroni
                - yum
                - elastic_agent_control
                - elastic_agent_data
                - elastic_agent_update
            customhostgroup0:
              portgroups: []
            customhostgroup1:
@@ -901,7 +923,7 @@ firewall:
            receiver:
              portgroups:
                - salt_manager
-            workstation:
+            desktop:
              portgroups:
                - salt_manager
            self:
@@ -1142,6 +1164,12 @@ firewall:
            localhost:
              portgroups:
                - all
            self:
              portgroups:
                - syslog
            syslog:
              portgroups:
                - syslog
            customhostgroup0:
              portgroups: []
            customhostgroup1:
@@ -1200,9 +1228,6 @@ firewall:
            analyst:
              portgroups:
                - nginx
            workstation:
              portgroups:
                - yum
            customhostgroup0:
              portgroups: []
            customhostgroup1:
--- a/salt/firewall/soc_firewall.yaml
+++ b/salt/firewall/soc_firewall.yaml
@@ -39,13 +39,12 @@ firewall:
    managersearch: *hostgroupsettings
    receiver: *hostgroupsettings
    searchnode: *hostgroupsettings
    securityonion_desktop: *hostgroupsettings
    self: *ROhostgroupsettingsadv
    sensor: *hostgroupsettings
    standalone: *hostgroupsettings
    strelka_frontend: *hostgroupsettings
    syslog: *hostgroupsettings
-    workstation: *hostgroupsettings
+    desktop: *hostgroupsettings
    customhostgroup0: &customhostgroupsettings
      description: List of IP or CIDR blocks to allow to this hostgroup.
      forcedType: "[]string"
@@ -216,7 +215,7 @@ firewall:
              portgroups: *portgroupsdocker
            analyst:
              portgroups: *portgroupsdocker
-            workstation:
+            desktop:
              portgroups: *portgroupsdocker
            customhostgroup0:
              portgroups: *portgroupsdocker
@@ -366,7 +365,7 @@ firewall:
              portgroups: *portgroupsdocker
            analyst:
              portgroups: *portgroupsdocker
-            workstation:
+            desktop:
              portgroups: *portgroupsdocker
            customhostgroup0:
              portgroups: *portgroupsdocker
@@ -404,7 +403,7 @@ firewall:
              portgroups: *portgroupshost
            heavynode:
              portgroups: *portgroupshost
-            workstation:
+            desktop:
              portgroups: *portgroupshost
            customhostgroup0:
              portgroups: *portgroupshost
@@ -457,7 +456,7 @@ firewall:
              portgroups: *portgroupsdocker
            analyst:
              portgroups: *portgroupsdocker
-            workstation:
+            desktop:
              portgroups: *portgroupsdocker
            customhostgroup0:
              portgroups: *portgroupsdocker
@@ -495,7 +494,7 @@ firewall:
              portgroups: *portgroupshost
            heavynode:
              portgroups: *portgroupshost
-            workstation:
+            desktop:
              portgroups: *portgroupshost
            customhostgroup0:
              portgroups: *portgroupshost
@@ -554,7 +553,7 @@ firewall:
              portgroups: *portgroupsdocker
            analyst:
              portgroups: *portgroupsdocker
-            workstation:
+            desktop:
              portgroups: *portgroupsdocker
            customhostgroup0:
              portgroups: *portgroupsdocker
@@ -596,7 +595,7 @@ firewall:
              portgroups: *portgroupshost
            heavynode:
              portgroups: *portgroupshost
-            workstation:
+            desktop:
              portgroups: *portgroupshost
            customhostgroup0:
              portgroups: *portgroupshost
@@ -822,7 +821,7 @@ firewall:
              portgroups: *portgroupsdocker
            analyst:
              portgroups: *portgroupsdocker
-            workstation:
+            desktop:
              portgroups: *portgroupsdocker
            customhostgroup0:
              portgroups: *portgroupsdocker
--- a/salt/idh/soc_idh.yaml
+++ b/salt/idh/soc_idh.yaml
@@ -23,7 +23,7 @@ idh:
                  class: *loggingOptions
                  filename: *loggingOptions
      portscan_x_enabled: &serviceOptions
-        description: To enable this opencanary module, set this value to true. To disable set to false.
+        description: To enable this opencanary module, set this value to true. To disable set to false. This option only applies to IDH nodes within your grid.
        helpLink: idh.html
      portscan_x_logfile: *loggingOptions
      portscan_x_synrate:
--- a/salt/idstools/enabled.sls
+++ b/salt/idstools/enabled.sls
@@ -26,8 +26,8 @@ so-idstools:
      - http_proxy={{ proxy }}
      - https_proxy={{ proxy }}
      - no_proxy={{ salt['pillar.get']('manager:no_proxy') }}
-      {% if DOCKER.containers['so-elastalert'].extra_env %}
+      {% if DOCKER.containers['so-idstools'].extra_env %}
-        {% for XTRAENV in DOCKER.containers['so-elastalert'].extra_env %}
+        {% for XTRAENV in DOCKER.containers['so-idstools'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
@@ -63,12 +63,23 @@ delete_so-idstools_so-status.disabled:
 so-rule-update:
  cron.present:
-    - name: /usr/sbin/so-rule-update > /opt/so/log/idstools/download.log 2>&1
+    - name: /usr/sbin/so-rule-update > /opt/so/log/idstools/download_cron.log 2>&1
    - identifier: so-rule-update
    - user: root
    - minute: '1'
    - hour: '7'
 # order this last to give so-idstools container time to be ready
 run_so-rule-update:
  cmd.run:
    - name: '/usr/sbin/so-rule-update > /opt/so/log/idstools/download_idstools_state.log 2>&1'
    - require:
      - docker_container: so-idstools
    - onchanges:
      - file: idstoolsetcsync
      - file: synclocalnidsrules
    - order: last
 {% else %}
 {{sls}}_state_not_allowed:
--- a/salt/idstools/etc/rulecat.conf
+++ b/salt/idstools/etc/rulecat.conf
@@ -3,8 +3,8 @@
 --merged=/opt/so/rules/nids/all.rules
 --local=/opt/so/rules/nids/local.rules
 {%-   if GLOBALS.md_engine == "SURICATA" %}
--local=/opt/so/rules/nids/sorules/extraction.rules
+--local=/opt/so/rules/nids/extraction.rules
--local=/opt/so/rules/nids/sorules/filters.rules
+--local=/opt/so/rules/nids/filters.rules
 {%-   endif %}
 --url=http://{{ GLOBALS.manager }}:7788/suricata/emerging-all.rules
 --disable=/opt/so/idstools/etc/disable.conf
--- a/salt/idstools/sorules/extraction.rules
+++ b/salt/idstools/sorules/extraction.rules
@@ -1,26 +0,0 @@
 # Extract all PDF mime type
 alert http any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; sid:1100000; rev:1;)
 alert smtp any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; sid:1100001; rev:1;)
 alert nfs any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; sid:1100002; rev:1;)
 alert smb any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; sid:1100003; rev:1;)
 # Extract EXE/DLL file types
 alert http any any -> any any (msg:"FILE EXE detected"; filemagic:"PE32 executable"; filestore; sid:1100004; rev:1;)
 alert smtp any any -> any any (msg:"FILE EXE detected"; filemagic:"PE32 executable"; filestore; sid:1100005; rev:1;)
 alert nfs any any -> any any (msg:"FILE EXE detected"; filemagic:"PE32 executable"; filestore; sid:1100006; rev:1;)
 alert smb any any -> any any (msg:"FILE EXE detected"; filemagic:"PE32 executable"; filestore; sid:1100007; rev:1;)
 alert http any any -> any any (msg:"FILE EXE detected"; filemagic:"MS-DOS executable"; filestore; sid:1100008; rev:1;)
 alert smtp any any -> any any (msg:"FILE EXE detected"; filemagic:"MS-DOS executable"; filestore; sid:1100009; rev:1;)
 alert nfs any any -> any any (msg:"FILE EXE detected"; filemagic:"MS-DOS executable"; filestore; sid:1100010; rev:1;)
 alert smb any any -> any any (msg:"FILE EXE detected"; filemagic:"MS-DOS executable"; filestore; sid:1100011; rev:1;)
 # Extract all Zip files
 alert http any any -> any any (msg:"FILE ZIP detected"; filemagic:"Zip"; filestore; sid:1100012; rev:1;)
 alert smtp any any -> any any (msg:"FILE ZIP detected"; filemagic:"Zip"; filestore; sid:1100013; rev:1;)
 alert nfs any any -> any any (msg:"FILE ZIP detected"; filemagic:"Zip"; filestore; sid:1100014; rev:1;)
 alert smb any any -> any any (msg:"FILE ZIP detected"; filemagic:"Zip"; filestore; sid:1100015; rev:1;)
 # Extract Word Docs
 alert http any any -> any any (msg:"FILE WORDDOC detected"; filemagic:"Composite Document File V2 Document"; filestore; sid:1100016; rev:1;)
 alert smtp any any -> any any (msg:"FILE WORDDOC detected"; filemagic:"Composite Document File V2 Document"; filestore; sid:1100017; rev:1;)
 alert nfs any any -> any any (msg:"FILE WORDDOC detected"; filemagic:"Composite Document File V2 Document"; filestore; sid:1100018; rev:1;)
 alert smb any any -> any any (msg:"FILE WORDDOC detected"; filemagic:"Composite Document File V2 Document"; filestore; sid:1100019; rev:1;)
--- a/salt/idstools/sorules/filters.rules
+++ b/salt/idstools/sorules/filters.rules
@@ -1,11 +0,0 @@
 # Start the filters at sid 1200000
 # Example of filtering out *google.com from being in the dns log.
 #config dns any any -> any any (dns.query; content:"google.com"; config: logging disable, type tx, scope tx; sid:1200000;)
 # Example of filtering out  *google.com from being in the http log.
 #config http any any -> any any (http.host; content:"google.com"; config: logging disable, type tx, scope tx; sid:1200001;)
 # Example of filtering out  someuseragent from being in the http log.
 #config http any any -> any any (http.user_agent; content:"someuseragent"; config: logging disable, type tx, scope tx; sid:1200002;)
 # Example of filtering out  Google's certificate from being in the ssl log.
 #config tls any any -> any any (tls.fingerprint; content:"4f:a4:5e:58:7e:d9:db:20:09:d7:b6:c7:ff:58:c4:7b:dc:3f:55:b4"; config: logging disable, type tx, scope tx; sid:1200003;)
 # Example of filtering out a md5 of a file from being in the files log.
 #config fileinfo any any -> any any (fileinfo.filemd5; content:"7a125dc69c82d5caf94d3913eecde4b5"; config: logging disable, type tx, scope tx; sid:1200004;)
--- a/salt/idstools/tools/sbin_jinja/so-rule-update
+++ b/salt/idstools/tools/sbin_jinja/so-rule-update
@@ -1,5 +1,9 @@
 #!/bin/bash
-. /usr/sbin/so-common
+
 # if this script isn't already running
 if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
    . /usr/sbin/so-common
 {%- from 'vars/globals.map.jinja' import GLOBALS %}
 {%- from 'idstools/map.jinja' import IDSTOOLSMERGED %}
@@ -9,28 +13,30 @@
 # Download the rules from the internet
 {%- if proxy %}
-export http_proxy={{ proxy }} 
+    export http_proxy={{ proxy }}
-export https_proxy={{ proxy }} 
+    export https_proxy={{ proxy }}
-export no_proxy="{{ noproxy }}" 
+    export no_proxy="{{ noproxy }}"
 {%- endif %}
-mkdir -p /nsm/rules/suricata
+    mkdir -p /nsm/rules/suricata
-chown -R socore:socore /nsm/rules/suricata
+    chown -R socore:socore /nsm/rules/suricata
 # Download the rules from the internet
 {%- if GLOBALS.airgap != 'True' %}
 {%-   if IDSTOOLSMERGED.config.ruleset == 'ETOPEN' %}
-docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force
+    docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force
 {%-   elif IDSTOOLSMERGED.config.ruleset == 'ETPRO' %}
-docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force --etpro={{ IDSTOOLSMERGED.config.oinkcode }}
+    docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force --etpro={{ IDSTOOLSMERGED.config.oinkcode }}
 {%-   elif IDSTOOLSMERGED.config.ruleset == 'TALOS' %}
-docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force --url=https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode={{ IDSTOOLSMERGED.config.oinkcode }}
+    docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force --url=https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode={{ IDSTOOLSMERGED.config.oinkcode }}
 {%-   endif %}
 {%- endif %}
-argstr=""
+    argstr=""
-for arg in "$@"; do
+    for arg in "$@"; do
-    argstr="${argstr} \"${arg}\""
+        argstr="${argstr} \"${arg}\""
-done
+    done
-docker exec so-idstools /bin/bash -c "cd /opt/so/idstools/etc && idstools-rulecat --force ${argstr}"
+    docker exec so-idstools /bin/bash -c "cd /opt/so/idstools/etc && idstools-rulecat --force ${argstr}"
 fi
--- a/salt/influxdb/config.sls
+++ b/salt/influxdb/config.sls
@@ -25,6 +25,14 @@ influxlogdir:
    - group: 939
    - makedirs: True
 influxetcdir:
  file.directory:
    - name: /opt/so/conf/influxdb/etc
    - dir_mode: 750
    - user: 939
    - group: 939
    - makedirs: True
 influxdbdir:
  file.directory:
    - name: /nsm/influxdb
--- a/salt/influxdb/enabled.sls
+++ b/salt/influxdb/enabled.sls
@@ -38,6 +38,7 @@ so-influxdb:
    - binds:
      - /opt/so/log/influxdb/:/log:rw
      - /opt/so/conf/influxdb/config.yaml:/conf/config.yaml:ro
      - /opt/so/conf/influxdb/etc:/etc/influxdb2:rw
      - /nsm/influxdb:/var/lib/influxdb2:rw
      - /etc/pki/influxdb.crt:/conf/influxdb.crt:ro
      - /etc/pki/influxdb.key:/conf/influxdb.key:ro
--- a/salt/logrotate/init.sls
+++ b/salt/logrotate/init.sls
@@ -3,6 +3,7 @@
 logrotateconfdir:
  file.directory:
    - name: /opt/so/conf/logrotate
    - makedirs: True
 commonlogrotatescript:
  file.managed:
--- a/salt/logstash/enabled.sls
+++ b/salt/logstash/enabled.sls
@@ -73,7 +73,7 @@ so-logstash:
      {% if GLOBALS.role in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import'] %}
      - /etc/pki/ca.crt:/usr/share/filebeat/ca.crt:ro
      {% else %}
-      - /etc/ssl/certs/intca.crt:/usr/share/filebeat/ca.crt:ro
+      - /etc/pki/tls/certs/intca.crt:/usr/share/filebeat/ca.crt:ro
      {% endif %}
      {% if GLOBALS.role in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-searchnode'] %}
      - /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro
--- a/salt/manager/init.sls
+++ b/salt/manager/init.sls
@@ -26,6 +26,15 @@ repo_log_dir:
      - user
      - group
 yara_log_dir:
  file.directory:
    - name: /opt/so/log/yarasync
    - user: socore
    - group: socore
    - recurse:
      - user
      - group
 repo_conf_dir:
  file.directory:
    - name: /opt/so/conf/reposync
@@ -52,21 +61,23 @@ manager_sbin:
    - group: 939
    - file_mode: 755
-#manager_sbin_jinja:
+yara_update_scripts:
-#  file.recurse:
+  file.recurse:
-#    - name: /usr/sbin
+    - name: /usr/sbin/
-#    - source: salt://manager/tools/sbin_jinja
+    - source: salt://manager/tools/sbin_jinja/
-#    - user: 939
+    - user: socore
-#    - group: 939 
+    - group: socore
-#    - file_mode: 755
+    - file_mode: 755
-#    - template: jinja
+    - template: jinja
    - defaults:
        EXCLUDEDRULES: {{ STRELKAMERGED.rules.excluded }}
 so-repo-sync:
-  {% if MANAGERMERGED.reposync.enabled %}
+  {%     if MANAGERMERGED.reposync.enabled %}
  cron.present:
-  {% else %}
+  {%     else %}
  cron.absent:
-  {% endif %}
+  {%     endif %}
    - user: socore
    - name: '/usr/sbin/so-repo-sync >> /opt/so/log/reposync/reposync.log 2>&1'
    - identifier: so-repo-sync
@@ -82,7 +93,15 @@ socore_own_saltstack:
      - user
      - group
-{%   if STRELKAMERGED.rules.enabled %}
+rules_dir:
  file.directory:
    - name: /nsm/rules/yara
    - user: socore
    - group: socore
    - makedirs: True
 {%    if STRELKAMERGED.rules.enabled %}
 strelkarepos:
  file.managed:
    - name: /opt/so/conf/strelka/repos.txt
@@ -91,67 +110,45 @@ strelkarepos:
    - defaults:
        STRELKAREPOS: {{ STRELKAMERGED.rules.repos }}
    - makedirs: True
 {%   endif %}
 yara_update_scripts:
  file.recurse:
    - name: /usr/sbin/
    - source: salt://manager/tools/sbin_jinja/
    - user: socore
    - group: socore
    - file_mode: 755
    - template: jinja
    - defaults:
        EXCLUDEDRULES: {{ STRELKAMERGED.rules.excluded }}
 rules_dir:
  file.directory:
    - name: /nsm/rules/yara
    - user: socore
    - group: socore
    - makedirs: True
 {%   if GLOBALS.airgap %}
 remove_strelka-yara-download:
  cron.absent:
    - user: socore
    - identifier: strelka-yara-download
 strelka-yara-update:
  {%       if MANAGERMERGED.reposync.enabled and not GLOBALS.airgap %} 
  cron.present:
  {%       else %}
  cron.absent:
  {%       endif %}
    - user: socore
-    - name: '/usr/sbin/so-yara-update >> /nsm/strelka/log/yara-update.log 2>&1'
+    - name: '/usr/sbin/so-yara-update >> /opt/so/log/yarasync/yara-update.log 2>&1'
    - identifier: strelka-yara-update
    - hour: '7'
    - minute: '1'
 strelka-yara-download:
  {%       if MANAGERMERGED.reposync.enabled and not GLOBALS.airgap %}
  cron.present:
  {%       else %}
  cron.absent:
  {%       endif %}
    - user: socore
    - name: '/usr/sbin/so-yara-download >> /opt/so/log/yarasync/yara-download.log 2>&1'
    - identifier: strelka-yara-download
    - hour: '7'
    - minute: '1'
 {%      if not GLOBALS.airgap %}
 update_yara_rules:
  cmd.run:
    - name: /usr/sbin/so-yara-update
    - onchanges:
      - file: yara_update_scripts
 {%   else %}
 remove_strelka-yara-update:
  cron.absent:
    - user: socore
    - identifier: strelka-yara-update
 strelka-yara-download:
  cron.present:
    - user: socore
    - name: '/usr/sbin/so-yara-download >> /nsm/strelka/log/yara-download.log 2>&1'
    - identifier: strelka-yara-download
    - hour: '7'
    - minute: '1'
 download_yara_rules:
  cmd.run:
    - name: /usr/sbin/so-yara-download
    - onchanges:
      - file: yara_update_scripts
-{%   endif %}
+{%      endif %}
-
+{%     endif %}
 {% else %}
 {{sls}}_state_not_allowed:
--- a/salt/manager/tools/sbin/so-firewall-minion
+++ b/salt/manager/tools/sbin/so-firewall-minion
@@ -79,7 +79,7 @@ fi
 		'RECEIVER')
 			so-firewall includehost receiver "$IP" --apply
 			;;
-		'WORKSTATION')
+		'DESKTOP')
-			so-firewall includehost workstation "$IP" --apply
+			so-firewall includehost desktop "$IP" --apply
 			;;
    esac
--- a/salt/manager/tools/sbin/so-minion
+++ b/salt/manager/tools/sbin/so-minion
@@ -187,15 +187,9 @@ function add_logstash_to_minion() {
 # Security Onion Desktop
 function add_desktop_to_minion() {
    printf '%s\n'\
 		"host:"\
 		"  mainint: '$MNIC'"\
 		"desktop:"\
 		"  gui:"\
-		"    enabled: true"\
+		"    enabled: true"\ >> $PILLARFILE
 		"sensoroni:"\
 		"  enabled: True"\
 		"  config:"\		
 		"    node_description: '${NODE_DESCRIPTION//\'/''}'" >> $PILLARFILE
 }
 # Add basic host info to the minion file
@@ -245,6 +239,10 @@ function add_sensor_to_minion() {
 	echo "      threads: '$CORECOUNT'" >> $PILLARFILE
 	echo "pcap:" >> $PILLARFILE
 	echo "  enabled: True" >> $PILLARFILE
 	if [[ $is_pcaplimit ]]; then
 		echo "  config:" >> $PILLARFILE
 		echo "    diskfreepercentage: 60" >> $PILLARFILE
 	fi
 	echo "  " >> $PILLARFILE
 }
@@ -415,6 +413,7 @@ function apply_ES_state() {
 	salt-call state.apply elasticsearch concurrent=True
 }
 function createEVAL() {
 	is_pcaplimit=true
 	add_elasticsearch_to_minion
 	add_sensor_to_minion
 	add_strelka_to_minion
@@ -435,6 +434,7 @@ function createEVAL() {
 }
 function createSTANDALONE() {
 	is_pcaplimit=true
 	add_elasticsearch_to_minion
 	add_logstash_to_minion
 	add_sensor_to_minion
@@ -526,8 +526,9 @@ function createIDH() {
 }
 function createHEAVYNODE() {
 	is_pcaplimit=true
 	add_elasticsearch_to_minion
-    add_elastic_agent_to_minion
+	add_elastic_agent_to_minion
 	add_logstash_to_minion
 	add_sensor_to_minion
 	add_strelka_to_minion
@@ -556,6 +557,10 @@ function createRECEIVER() {
 	add_telegraf_to_minion
 }
 function createDESKTOP() {
 	add_desktop_to_minion
 	add_telegraf_to_minion
 }
 function testConnection() {
 	retry 15 3 "salt '$MINION_ID' test.ping" True
--- a/salt/manager/tools/sbin/so-repo-sync
+++ b/salt/manager/tools/sbin/so-repo-sync
@@ -11,6 +11,8 @@ set_version
 set_os
 salt_minion_count
 set -e
 curl --retry 5 --retry-delay 60 -A "reposync/$VERSION/$OS/$(uname -r)/$MINIONCOUNT" https://sigs.securityonion.net/checkup --output /tmp/checkup
 dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/
-createrepo /nsm/repo	
+createrepo /nsm/repo
--- a/Show More
+++ b/Show More