update index template priorities + explicity add datastream config options

rollover datastreams to get latest index templates + remove existing ilm policies from so-case / so-detection indices
remove unused close/delete configs on datastream index templates
2026-03-23 21:12:39 +01:00 · 2026-03-17 13:50:15 -05:00 · 2026-03-17 13:49:20 -05:00 · 2026-03-16 17:26:45 -05:00 · 2026-03-16 16:53:22 -05:00 · 2026-03-16 16:52:42 -05:00
11 changed files with 131 additions and 90 deletions
--- a/.github/DISCUSSION_TEMPLATE/2-4.yml
+++ b/.github/DISCUSSION_TEMPLATE/2-4.yml
@@ -34,7 +34,6 @@ body:
        - 2.4.201
        - 2.4.210
        - 2.4.211
-        - 3.0.0
        - Other (please provide detail below)
    validations:
      required: true
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -550,6 +550,22 @@ retry() {
        return $exitcode
 }

+rollover_index() {
+  idx=$1
+  exists=$(so-elasticsearch-query $idx -o /dev/null -w "%{http_code}")
+  if [[ $exists -eq 200 ]]; then
+    rollover=$(so-elasticsearch-query $idx/_rollover -o /dev/null -w "%{http_code}" -XPOST)
+
+    if [[ $rollover -eq 200 ]]; then
+      echo "Successfully triggered rollover for $idx..."
+    else
+      echo "Could not trigger rollover for $idx..."
+    fi
+  else
+    echo "Could not find index $idx..."
+  fi
+}
+
 run_check_net_err() {
 	local cmd=$1
 	local err_msg=${2:-"Unknown error occured, please check /root/$WHATWOULDYOUSAYYAHDOHERE.log for details."} # Really need to rename that variable
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -117,7 +117,7 @@ elasticsearch:
        ignore_missing_component_templates: []
        index_patterns:
        - so-case*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -129,8 +129,6 @@ elasticsearch:
                match_mapping_type: string
          settings:
            index:
-              lifecycle:
-                name: so-case-logs
              mapping:
                total_fields:
                  limit: 1500
@@ -141,14 +139,7 @@ elasticsearch:
              sort:
                field: '@timestamp'
                order: desc
-      policy:
-        phases:
-          hot:
-            actions: {}
-            min_age: 0ms
    so-common:
-      close: 30
-      delete: 365
      index_sorting: false
      index_template:
        composed_of:
@@ -212,7 +203,9 @@ elasticsearch:
        - common-settings
        - common-dynamic-mappings
        - winlog-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
        - logs-*-so*
@@ -272,7 +265,7 @@ elasticsearch:
        ignore_missing_component_templates: []
        index_patterns:
        - so-detection*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -284,8 +277,6 @@ elasticsearch:
                match_mapping_type: string
          settings:
            index:
-              lifecycle:
-                name: so-detection-logs
              mapping:
                total_fields:
                  limit: 1500
@@ -296,11 +287,6 @@ elasticsearch:
              sort:
                field: '@timestamp'
                order: desc
-      policy:
-        phases:
-          hot:
-            actions: {}
-            min_age: 0ms
    sos-backup:
      index_sorting: false
      index_template:
@@ -460,7 +446,7 @@ elasticsearch:
        ignore_missing_component_templates: []
        index_patterns:
        - endgame*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -508,8 +494,6 @@ elasticsearch:
                priority: 50
            min_age: 30d
    so-idh:
-      close: 30
-      delete: 365
      index_sorting: false
      index_template:
        composed_of:
@@ -566,8 +550,8 @@ elasticsearch:
        - common-dynamic-mappings
        ignore_missing_component_templates: []
        index_patterns:
-        - so-idh-*
-        priority: 500
+        - logs-idh-so*
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -677,11 +661,13 @@ elasticsearch:
        - common-dynamic-mappings
        - winlog-mappings
        - hash-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
        - logs-import-so*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -736,7 +722,7 @@ elasticsearch:
        ignore_missing_component_templates: []
        index_patterns:
        - so-ip*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -751,19 +737,12 @@ elasticsearch:
              mapping:
                total_fields:
                  limit: 1500
-              lifecycle:
-                name: so-ip-mappings-logs
              number_of_replicas: 0
              number_of_shards: 1
              refresh_interval: 30s
              sort:
                field: '@timestamp'
                order: desc
-      policy:
-        phases:
-          hot:
-            actions: {}
-            min_age: 0ms
    so-items:
      index_sorting: false
      index_template:
@@ -772,7 +751,7 @@ elasticsearch:
        ignore_missing_component_templates: []
        index_patterns:
        - .items-default-**
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -851,8 +830,6 @@ elasticsearch:
                priority: 50
            min_age: 30d
    so-kratos:
-      close: 30
-      delete: 365
      index_sorting: false
      index_template:
        composed_of:
@@ -873,7 +850,7 @@ elasticsearch:
        ignore_missing_component_templates: []
        index_patterns:
        - logs-kratos-so*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -921,8 +898,6 @@ elasticsearch:
                priority: 50
            min_age: 30d
    so-hydra:
-      close: 30
-      delete: 365
      index_sorting: false
      index_template:
        composed_of:
@@ -983,7 +958,7 @@ elasticsearch:
        ignore_missing_component_templates: []
        index_patterns:
        - logs-hydra-so*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -1038,7 +1013,7 @@ elasticsearch:
        ignore_missing_component_templates: []
        index_patterns:
        - .lists-default-**
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -1524,6 +1499,9 @@ elasticsearch:
        - so-fleet_integrations.ip_mappings-1
        - so-fleet_globals-1
        - so-fleet_agent_id_verification-1
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
        ignore_missing_component_templates:
        - logs-elastic_agent.cloudbeat@custom
        index_patterns:
@@ -1759,6 +1737,9 @@ elasticsearch:
        - so-fleet_integrations.ip_mappings-1
        - so-fleet_globals-1
        - so-fleet_agent_id_verification-1
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
        ignore_missing_component_templates:
        - logs-elastic_agent.heartbeat@custom
        index_patterns:
@@ -3018,8 +2999,6 @@ elasticsearch:
                priority: 50
            min_age: 30d
    so-logs-soc:
-      close: 30
-      delete: 365
      index_sorting: false
      index_template:
        composed_of:
@@ -3074,11 +3053,13 @@ elasticsearch:
        - dtc-user_agent-mappings
        - common-settings
        - common-dynamic-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
        - logs-soc-so*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -3668,10 +3649,13 @@ elasticsearch:
        - vulnerability-mappings
        - common-settings
        - common-dynamic-mappings
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
        - logs-logstash-default*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -3971,8 +3955,8 @@ elasticsearch:
        - common-dynamic-mappings
        ignore_missing_component_templates: []
        index_patterns:
-        - logs-redis-default*
-        priority: 500
+        - logs-redis.log*
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -4083,11 +4067,13 @@ elasticsearch:
        - common-settings
        - common-dynamic-mappings
        - hash-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
        - logs-strelka-so*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -4197,11 +4183,13 @@ elasticsearch:
        - common-settings
        - common-dynamic-mappings
        - hash-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
        - logs-suricata-so*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -4311,11 +4299,13 @@ elasticsearch:
        - common-settings
        - common-dynamic-mappings
        - hash-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
        - logs-suricata.alerts-*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -4425,11 +4415,13 @@ elasticsearch:
        - vulnerability-mappings
        - common-settings
        - common-dynamic-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
        - logs-syslog-so*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -4541,11 +4533,13 @@ elasticsearch:
        - common-settings
        - common-dynamic-mappings
        - hash-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
        - logs-zeek-so*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
--- a/salt/manager/tools/sbin/so-minion
+++ b/salt/manager/tools/sbin/so-minion
@@ -462,19 +462,14 @@ function add_sensor_to_minion() {
        echo "      lb_procs: '$CORECOUNT'"
        echo "suricata:"
        echo "  enabled: True "
+        echo "  pcap:"
+        echo "    enabled: True"
        if [[ $is_pcaplimit ]]; then
-            echo "  pcap:"
            echo "    maxsize: $MAX_PCAP_SPACE"
        fi
        echo "  config:"
        echo "    af-packet:"
        echo "      threads: '$CORECOUNT'"
-        echo "pcap:"
-        echo "  enabled: True"
-        if [[ $is_pcaplimit ]]; then
-            echo "  config:"
-            echo "    diskfreepercentage: $DFREEPERCENT"
-        fi
        echo "  "
    } >> $PILLARFILE
    if [ $? -ne 0 ]; then
--- a/salt/manager/tools/sbin/so-yaml.py
+++ b/salt/manager/tools/sbin/so-yaml.py
@@ -256,7 +256,7 @@ def replacelistobject(args):
 def addKey(content, key, value):
    pieces = key.split(".", 1)
    if len(pieces) > 1:
-        if not pieces[0] in content:
+        if pieces[0] not in content or content[pieces[0]] is None:
            content[pieces[0]] = {}
        addKey(content[pieces[0]], pieces[1], value)
    elif key in content:
@@ -346,7 +346,12 @@ def get(args):
        print(f"Key '{key}' not found by so-yaml.py", file=sys.stderr)
        return 2

-    print(yaml.safe_dump(output))
+    if isinstance(output, bool):
+        print(str(output).lower())
+    elif isinstance(output, (dict, list)):
+        print(yaml.safe_dump(output).strip())
+    else:
+        print(output)
    return 0


--- a/salt/manager/tools/sbin/so-yaml_test.py
+++ b/salt/manager/tools/sbin/so-yaml_test.py
@@ -393,7 +393,7 @@ class TestRemove(unittest.TestCase):

            result = soyaml.get([filename, "key1.child2.deep1"])
            self.assertEqual(result, 0)
-            self.assertIn("45\n...", mock_stdout.getvalue())
+            self.assertEqual("45\n", mock_stdout.getvalue())

    def test_get_str(self):
        with patch('sys.stdout', new=StringIO()) as mock_stdout:
@@ -404,7 +404,18 @@ class TestRemove(unittest.TestCase):

            result = soyaml.get([filename, "key1.child2.deep1"])
            self.assertEqual(result, 0)
-            self.assertIn("hello\n...", mock_stdout.getvalue())
+            self.assertEqual("hello\n", mock_stdout.getvalue())
+
+    def test_get_bool(self):
+        with patch('sys.stdout', new=StringIO()) as mock_stdout:
+            filename = "/tmp/so-yaml_test-get.yaml"
+            file = open(filename, "w")
+            file.write("{key1: { child1: 123, child2: { deep1: 45 } }, key2: false, key3: [e,f,g]}")
+            file.close()
+
+            result = soyaml.get([filename, "key2"])
+            self.assertEqual(result, 0)
+            self.assertEqual("false\n", mock_stdout.getvalue())

    def test_get_list(self):
        with patch('sys.stdout', new=StringIO()) as mock_stdout:
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -88,7 +88,7 @@ check_err() {
        echo 'No route to host'
      ;;
      160)
-        echo 'Incompatiable Elasticsearch upgrade'
+        echo 'Incompatible Elasticsearch upgrade'
      ;;
      161)
        echo 'Required intermediate Elasticsearch upgrade not complete'
@@ -362,7 +362,7 @@ preupgrade_changes() {
    # This function is to add any new pillar items if needed.
    echo "Checking to see if changes are needed."

-    [[ "$INSTALLEDVERSION" == 2.4.210 ]] && up_to_3.0.0   
+    [[ "$INSTALLEDVERSION" =~ ^2\.4\.21[0-9]+$ ]] && up_to_3.0.0   
    true
 }

@@ -370,12 +370,12 @@ postupgrade_changes() {
    # This function is to add any new pillar items if needed.
    echo "Running post upgrade processes."

-    [[ "$POSTVERSION" == 2.4.210 ]] && post_to_3.0.0
+    [[ "$POSTVERSION" =~ ^2\.4\.21[0-9]+$ ]] && post_to_3.0.0
    true
 }

 check_minimum_version() {
-  if [[ "$INSTALLEDVERSION" != "2.4.210" ]] && [[ ! "$INSTALLEDVERSION" =~ ^3\. ]]; then
+  if [[ ! "$INSTALLEDVERSION" =~ ^(2\.4\.21[0-9]+|3\.) ]]; then
    echo "You must be on at least Security Onion 2.4.210 to upgrade. Currently installed version: $INSTALLEDVERSION"
    exit 1
  fi
@@ -385,12 +385,33 @@ check_minimum_version() {

 up_to_3.0.0() {
  determine_elastic_agent_upgrade
+  migrate_pcap_to_suricata

  INSTALLEDVERSION=3.0.0
 }

+migrate_pcap_to_suricata() {
+  local MINIONDIR=/opt/so/saltstack/local/pillar/minions
+  local PCAPFILE=/opt/so/saltstack/local/pillar/pcap/soc_pcap.sls
+
+  for pillar_file in "$PCAPFILE" "$MINIONDIR"/*.sls; do
+    [[ -f "$pillar_file" ]] || continue
+    pcap_enabled=$(so-yaml.py get "$pillar_file" pcap.enabled 2>/dev/null) || continue
+    so-yaml.py add "$pillar_file" suricata.pcap.enabled "$pcap_enabled"
+    so-yaml.py remove "$pillar_file" pcap
+  done
+}
+
 post_to_3.0.0() {
-  echo "Nothing to apply"
+  for idx in "logs-idh-so" "logs-redis.log-default"; do
+    rollover_index "$idx"
+  done
+
+  # Remove ILM for so-case and so-detection indices
+  for idx in "so-case" "so-casehistory" "so-detection" "so-detectionhistory"; do
+    so-elasticsearch-query $idx/_ilm/remove -XPOST
+  done
+
  POSTVERSION=3.0.0
 }

--- a/salt/nginx/etc/nginx.conf
+++ b/salt/nginx/etc/nginx.conf
@@ -387,15 +387,13 @@ http {
 		error_page 429 = @error429;

 		location @error401 {
-			if ($request_uri ~* (^/connect/.*|^/oauth2/.*)) {
+			if ($request_uri ~* (^/api/.*|^/connect/.*|^/oauth2/.*)) {
 				return    401;
 			}

-			if ($request_uri ~* ^/(?!(^/api/.*))) {
-				add_header    Strict-Transport-Security   "max-age=31536000; includeSubDomains";
-			}
+			add_header    Strict-Transport-Security   "max-age=31536000; includeSubDomains";

-			if ($request_uri ~* ^/(?!(api/|login|auth|oauth2|$))) {
+			if ($request_uri ~* ^/(?!(login|auth|oauth2|$))) {
 				add_header    Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400";
 			}
 			return        302 /auth/self-service/login/browser;
--- a/salt/suricata/defaults.yaml
+++ b/salt/suricata/defaults.yaml
@@ -1,6 +1,7 @@
 suricata:
  enabled: False
  pcap:
+    enabled: "no"
    filesize: 1000mb
    maxsize: 25
    compression: "none"
@@ -141,8 +142,6 @@ suricata:
        enabled: "no"
      tls-store:
        enabled: "no"
-      pcap-log:
-        enabled: "no"
      alert-debug:
        enabled: "no"
      alert-prelude:
--- a/salt/suricata/map.jinja
+++ b/salt/suricata/map.jinja
@@ -11,13 +11,18 @@
 {# before we change outputs back to list, enable pcap-log if suricata is the pcapengine #}
 {% if GLOBALS.pcap_engine in ["SURICATA"] %}

+{# initialize pcap-log in config.outputs since we dont put it in defaults #}
+{%   if 'pcap-log' not in SURICATAMERGED.config.outputs %}
+{%     do SURICATAMERGED.config.outputs.update({'pcap-log': {}}) %}
+{%   endif %}
+
 {%   from 'bpf/pcap.map.jinja' import PCAPBPF, PCAP_BPF_STATUS %}
 {%   if PCAPBPF and PCAP_BPF_STATUS %}
 {%     do SURICATAMERGED.config.outputs['pcap-log'].update({'bpf-filter': PCAPBPF|join(" ")}) %}
 {%   endif %}

-{%   do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': 'yes'}) %}
 {#   move the items in suricata.pcap into suricata.config.outputs.pcap-log. these items were placed under suricata.config for ease of access in SOC #}
+{%   do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': SURICATAMERGED.pcap.enabled}) %}
 {%   do SURICATAMERGED.config.outputs['pcap-log'].update({'compression': SURICATAMERGED.pcap.compression}) %}
 {%   do SURICATAMERGED.config.outputs['pcap-log'].update({'lz4-checksum': SURICATAMERGED.pcap['lz4-checksum']}) %}
 {%   do SURICATAMERGED.config.outputs['pcap-log'].update({'lz4-level': SURICATAMERGED.pcap['lz4-level']}) %}
--- a/salt/suricata/soc_suricata.yaml
+++ b/salt/suricata/soc_suricata.yaml
@@ -22,6 +22,10 @@ suricata:
      title: Classifications
      helpLink: suricata.html
  pcap:
+    enabled:
+      description: Enables or disables the Suricata packet recording process.
+      forcedType: bool
+      helpLink: suricata.html
    filesize: 
      description: Maximum file size for individual PCAP files written by Suricata. Increasing this number could improve write performance at the expense of pcap retrieval time.
      advanced: True
@@ -209,12 +213,6 @@ suricata:
              header:
                description: Header name where the actual IP address will be reported.
                helpLink: suricata.html
-      pcap-log:
-        enabled:
-          description: This value is ignored by SO. pcapengine in globals takes precedence.
-          readonly: True
-          helpLink: suricata.html
-          advanced: True        
    asn1-max-frames:
      description: Maximum nuber of asn1 frames to decode.
      helpLink: suricata.html
Author	SHA1	Message	Date
reyesj2	a52e5d0474	update index template priorities + explicity add datastream config options	2026-03-17 13:50:15 -05:00
reyesj2	1a943aefc5	rollover datastreams to get latest index templates + remove existing ilm policies from so-case / so-detection indices	2026-03-17 13:49:20 -05:00
reyesj2	eaf3f10adc	remove unused close/delete configs on datastream index templates	2026-03-16 17:26:45 -05:00
reyesj2	84f4e460f6	update index patterns	2026-03-16 16:53:22 -05:00
reyesj2	88841c9814	remove ilm configs from non-datastream indices	2026-03-16 16:52:42 -05:00
Josh Patterson	5b2def6fdd	Merge pull request #15618 from Security-Onion-Solutions/delta forcedType bool	2026-03-16 12:50:06 -04:00
Josh Patterson	9b6d29212d	forcedType bool	2026-03-16 12:46:25 -04:00
Josh Patterson	c1bff03b1c	Merge pull request #15615 from Security-Onion-Solutions/delta initialize pcap-log	2026-03-14 20:33:28 -04:00
Josh Patterson	b00f113658	initialize pcap-log	2026-03-14 19:45:50 -04:00
Jason Ertel	7dcd923ebf	Merge pull request #15612 from Security-Onion-Solutions/jertel/wip API errors will no longer redirect	2026-03-13 17:04:51 -04:00
Jason Ertel	1fcd8a7c1a	API errors will no longer redirect	2026-03-13 16:53:38 -04:00
Mike Reeves	a9196348ab	Merge pull request #15609 from Security-Onion-Solutions/moresoup Moresoup	2026-03-13 16:16:35 -04:00
Mike Reeves	12dec366e0	Fix so-yaml get to output booleans in YAML format and add bool test	2026-03-13 15:58:47 -04:00
Mike Reeves	1713f6af76	Fix so-yaml tests to match scalar output without document end marker	2026-03-13 15:53:53 -04:00
Mike Reeves	7f4adb70bd	Fix so-yaml get to print scalar values without YAML document end marker	2026-03-13 15:34:04 -04:00
Mike Reeves	e2483e4be0	Fix so-yaml addKey crash when intermediate key has None value	2026-03-13 15:22:29 -04:00
Mike Reeves	322c0b8d56	Move pcap.enabled under suricata.pcap.enabled in so-minion	2026-03-13 15:14:19 -04:00
Mike Reeves	81c1d8362d	Fix pcap migration to strip yaml document end marker from so-yaml output	2026-03-13 15:09:37 -04:00
Mike Reeves	d1156ee3fd	Merge pull request #15608 from Security-Onion-Solutions/moresoup Improve soup version checks and migrate pcap to suricata	2026-03-13 14:59:57 -04:00
Mike Reeves	18f971954b	Improve soup version checks and migrate pcap pillar to suricata Consolidate version checks to use regex patterns for 2.4.21X and 3.x versions. Add migrate_pcap_to_suricata to move pcap.enabled to suricata.pcap.enabled in minion and pcap pillar files during upgrade.	2026-03-13 14:54:23 -04:00
Josh Patterson	e55ac7062c	Merge pull request #15574 from Security-Onion-Solutions/delta pcap cleanup state. enable/disable pcap for suricata in soc	2026-03-13 14:54:06 -04:00
Josh Patterson	c178eada22	Merge pull request #15595 from Security-Onion-Solutions/TOoSmOotH-patch-5 Update version check to include 2.4.211	2026-03-13 14:32:59 -04:00
Doug Burks	92213e302f	Merge pull request #15603 from Security-Onion-Solutions/dougburks-patch-1 Remove version 3.0.0 from 2.4 discussion template	2026-03-13 10:53:24 -04:00
Doug Burks	72193b0249	Remove version 3.0.0 from 2.4 discussion template	2026-03-13 10:51:25 -04:00
Mike Reeves	066d7106b0	Merge pull request #15599 from Security-Onion-Solutions/TOoSmOotH-patch-6 Add version 2.4.211 to discussion template	2026-03-13 10:49:12 -04:00
Mike Reeves	89f144df75	Remove upgrade instructions for 2.4 branch Removed outdated instructions for upgrading to the latest 2.4 branch.	2026-03-11 16:05:06 -04:00
Mike Reeves	cfccbe2bed	Update version check to include 2.4.211	2026-03-11 15:59:23 -04:00
Josh Patterson	0360d4145c	sensors run pcap.cleanup state	2026-03-10 15:58:26 -04:00
Josh Patterson	398bd0c1da	Update VERSION	2026-03-10 15:00:19 -04:00
Josh Patterson	32241faf55	cleanup steno	2026-03-10 14:02:28 -04:00
Josh Patterson	88de779ff7	revert to salt 3006.19	2026-03-10 11:31:56 -04:00
Josh Patterson	d452694c55	enable/disable suricata pcap	2026-03-10 11:30:24 -04:00
Josh Patterson	7fba8ac2b4	Merge remote-tracking branch 'origin/3/dev' into delta	2026-03-10 11:24:44 -04:00
Josh Patterson	6809a40257	Merge remote-tracking branch 'origin/delta' into delta	2026-03-05 16:40:02 -05:00
Josh Patterson	cea55a72c3	upgrade salt 3006.23	2026-03-05 16:35:15 -05:00
Jason Ertel	e38a4a21ee	version for delta	2026-03-05 11:52:51 -05:00