Merge pull request #15167 from Security-Onion-Solutions/2.4/dev

2.4.190
Merge pull request #15166 from Security-Onion-Solutions/2.4.190
2025-12-06 09:12:45 +01:00 · 2025-10-24 16:01:05 -04:00 · 2025-10-23 14:09:13 -04:00 · 2025-10-23 14:07:05 -04:00 · 2025-10-21 09:36:45 -04:00 · 2025-10-21 09:33:41 -04:00
61 changed files with 2290 additions and 149 deletions
--- a/DOWNLOAD_AND_VERIFY_ISO.md
+++ b/DOWNLOAD_AND_VERIFY_ISO.md
@@ -1,17 +1,17 @@
-### 2.4.180-20250916 ISO image released on 2025/09/17
+### 2.4.190-20251024 ISO image released on 2025/10/24
 ### Download and Verify
-2.4.180-20250916 ISO image:  
+2.4.190-20251024 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.4.180-20250916.iso
+https://download.securityonion.net/file/securityonion/securityonion-2.4.190-20251024.iso
-MD5: DE93880E38DE4BE45D05A41E1745CB1F  
+MD5: 25358481FB876226499C011FC0710358  
-SHA1: AEA6948911E50A4A38E8729E0E965C565402E3FC  
+SHA1: 0B26173C0CE136F2CA40A15046D1DFB78BCA1165  
-SHA256: C9BD8CA071E43B048ABF9ED145B87935CB1D4BB839B2244A06FAD1BBA8EAC84A  
+SHA256: 4FD9F62EDA672408828B3C0C446FE5EA9FF3C4EE8488A7AB1101544A3C487872  
 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.180-20250916.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.190-20251024.iso.sig
 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS  
@@ -25,22 +25,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.
 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.180-20250916.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.190-20251024.iso.sig
 ```
 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.4.180-20250916.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.4.190-20251024.iso
 ```
 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.4.180-20250916.iso.sig securityonion-2.4.180-20250916.iso
+gpg --verify securityonion-2.4.190-20251024.iso.sig securityonion-2.4.190-20251024.iso
 ```
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Tue 16 Sep 2025 06:30:19 PM EDT using RSA key ID FE507013
+gpg: Signature made Thu 23 Oct 2025 07:21:46 AM EDT using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.
--- a/salt/_modules/hypervisor.py
+++ b/salt/_modules/hypervisor.py
@@ -0,0 +1,91 @@
 #!/opt/saltstack/salt/bin/python3
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 #
 # Note: Per the Elastic License 2.0, the second limitation states:
 #
 #   "You may not move, change, disable, or circumvent the license key functionality
 #    in the software, and you may not remove or obscure any functionality in the
 #    software that is protected by the license key."
 """
 Salt execution module for hypervisor operations.
 This module provides functions for managing hypervisor configurations,
 including VM file management.
 """
 import json
 import logging
 import os
 log = logging.getLogger(__name__)
 __virtualname__ = 'hypervisor'
 def __virtual__():
    """
    Only load this module if we're on a system that can manage hypervisors.
    """
    return __virtualname__
 def remove_vm_from_vms_file(vms_file_path, vm_hostname, vm_role):
    """
    Remove a VM entry from the hypervisorVMs file.
    Args:
        vms_file_path (str): Path to the hypervisorVMs file
        vm_hostname (str): Hostname of the VM to remove (without role suffix)
        vm_role (str): Role of the VM
    Returns:
        dict: Result dictionary with success status and message
    CLI Example:
        salt '*' hypervisor.remove_vm_from_vms_file /opt/so/saltstack/local/salt/hypervisor/hosts/hypervisor1VMs node1 nsm
    """
    try:
        # Check if file exists
        if not os.path.exists(vms_file_path):
            msg = f"VMs file not found: {vms_file_path}"
            log.error(msg)
            return {'result': False, 'comment': msg}
        # Read current VMs
        with open(vms_file_path, 'r') as f:
            content = f.read().strip()
            vms = json.loads(content) if content else []
        # Find and remove the VM entry
        original_count = len(vms)
        vms = [vm for vm in vms if not (vm.get('hostname') == vm_hostname and vm.get('role') == vm_role)]
        if len(vms) < original_count:
            # VM was found and removed, write back to file
            with open(vms_file_path, 'w') as f:
                json.dump(vms, f, indent=2)
            # Set socore:socore ownership (939:939)
            os.chown(vms_file_path, 939, 939)
            msg = f"Removed VM {vm_hostname}_{vm_role} from {vms_file_path}"
            log.info(msg)
            return {'result': True, 'comment': msg}
        else:
            msg = f"VM {vm_hostname}_{vm_role} not found in {vms_file_path}"
            log.warning(msg)
            return {'result': False, 'comment': msg}
    except json.JSONDecodeError as e:
        msg = f"Failed to parse JSON in {vms_file_path}: {str(e)}"
        log.error(msg)
        return {'result': False, 'comment': msg}
    except Exception as e:
        msg = f"Failed to remove VM {vm_hostname}_{vm_role} from {vms_file_path}: {str(e)}"
        log.error(msg)
        return {'result': False, 'comment': msg}
--- a/salt/_modules/qcow2.py
+++ b/salt/_modules/qcow2.py
@@ -7,12 +7,14 @@
 """
 Salt module for managing QCOW2 image configurations and VM hardware settings. This module provides functions
-for modifying network configurations within QCOW2 images and adjusting virtual machine hardware settings.
+for modifying network configurations within QCOW2 images, adjusting virtual machine hardware settings, and
-It serves as a Salt interface to the so-qcow2-modify-network and so-kvm-modify-hardware scripts.
+creating virtual storage volumes. It serves as a Salt interface to the so-qcow2-modify-network,
 so-kvm-modify-hardware, and so-kvm-create-volume scripts.
-The module offers two main capabilities:
+The module offers three main capabilities:
 1. Network Configuration: Modify network settings (DHCP/static IP) within QCOW2 images
 2. Hardware Configuration: Adjust VM hardware settings (CPU, memory, PCI passthrough)
 3. Volume Management: Create and attach virtual storage volumes for NSM data
 This module is intended to work with Security Onion's virtualization infrastructure and is typically
 used in conjunction with salt-cloud for VM provisioning and management.
@@ -244,3 +246,90 @@ def modify_hardware_config(vm_name, cpu=None, memory=None, pci=None, start=False
    except Exception as e:
        log.error('qcow2 module: An error occurred while executing the script: {}'.format(e))
        raise
 def create_volume_config(vm_name, size_gb, start=False):
    '''
    Usage:
        salt '*' qcow2.create_volume_config vm_name=<name> size_gb=<size> [start=<bool>]
    Options:
        vm_name
            Name of the virtual machine to attach the volume to
        size_gb
            Volume size in GB (positive integer)
            This determines the capacity of the virtual storage volume
        start
            Boolean flag to start the VM after volume creation
            Optional - defaults to False
    Examples:
        1. **Create 500GB Volume:**
            ```bash
            salt '*' qcow2.create_volume_config vm_name='sensor1_sensor' size_gb=500
            ```
            This creates a 500GB virtual volume for NSM storage
        2. **Create 1TB Volume and Start VM:**
            ```bash
            salt '*' qcow2.create_volume_config vm_name='sensor1_sensor' size_gb=1000 start=True
            ```
            This creates a 1TB volume and starts the VM after attachment
    Notes:
        - VM must be stopped before volume creation
        - Volume is created as a qcow2 image and attached to the VM
        - This is an alternative to disk passthrough via modify_hardware_config
        - Volume is automatically attached to the VM's libvirt configuration
        - Requires so-kvm-create-volume script to be installed
        - Volume files are stored in the hypervisor's VM storage directory
    Description:
        This function creates and attaches a virtual storage volume to a KVM virtual machine
        using the so-kvm-create-volume script. It creates a qcow2 disk image of the specified
        size and attaches it to the VM for NSM (Network Security Monitoring) storage purposes.
        This provides an alternative to physical disk passthrough, allowing flexible storage
        allocation without requiring dedicated hardware. The VM can optionally be started
        after the volume is successfully created and attached.
    Exit Codes:
        0: Success
        1: Invalid parameters
        2: VM state error (running when should be stopped)
        3: Volume creation error
        4: System command error
        255: Unexpected error
    Logging:
        - All operations are logged to the salt minion log
        - Log entries are prefixed with 'qcow2 module:'
        - Volume creation and attachment operations are logged
        - Errors include detailed messages and stack traces
        - Final status of volume creation is logged
    '''
    # Validate size_gb parameter
    if not isinstance(size_gb, int) or size_gb <= 0:
        raise ValueError('size_gb must be a positive integer.')
    cmd = ['/usr/sbin/so-kvm-create-volume', '-v', vm_name, '-s', str(size_gb)]
    if start:
        cmd.append('-S')
    log.info('qcow2 module: Executing command: {}'.format(' '.join(shlex.quote(arg) for arg in cmd)))
    try:
        result = subprocess.run(cmd, capture_output=True, text=True, check=False)
        ret = {
            'retcode': result.returncode,
            'stdout': result.stdout,
            'stderr': result.stderr
        }
        if result.returncode != 0:
            log.error('qcow2 module: Script execution failed with return code {}: {}'.format(result.returncode, result.stderr))
        else:
            log.info('qcow2 module: Script executed successfully.')
        return ret
    except Exception as e:
        log.error('qcow2 module: An error occurred while executing the script: {}'.format(e))
        raise
--- a/salt/common/grains.sls
+++ b/salt/common/grains.sls
@@ -0,0 +1,21 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% set nsm_exists = salt['file.directory_exists']('/nsm') %}
 {% if nsm_exists %}
 {%   set nsm_total = salt['cmd.shell']('df -BG /nsm | tail -1 | awk \'{print $2}\'') %}
 nsm_total:
  grains.present:
    - name: nsm_total
    - value: {{ nsm_total }}
 {% else %}
 nsm_missing:
  test.succeed_without_changes:
    - name: /nsm does not exist, skipping grain assignment
 {% endif %}
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -4,6 +4,7 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 include:
  - common.grains
  - common.packages
 {% if GLOBALS.role in GLOBALS.manager_roles %}
  - manager.elasticsearch # needed for elastic_curl_config state
--- a/salt/common/tools/sbin/so-log-check
+++ b/salt/common/tools/sbin/so-log-check
@@ -222,6 +222,7 @@ if [[ $EXCLUDE_KNOWN_ERRORS == 'Y' ]]; then
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Initialized license manager"  # SOC log: before fields.status was changed to fields.licenseStatus
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|from NIC checksum offloading" # zeek reporter.log
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|marked for removal"           # docker container getting recycled
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|tcp 127.0.0.1:6791: bind: address already in use" # so-elastic-fleet agent restarting. Seen starting w/ 8.18.8 https://github.com/elastic/kibana/issues/201459
 fi
 RESULT=0
--- a/salt/common/tools/sbin_jinja/so-import-pcap
+++ b/salt/common/tools/sbin_jinja/so-import-pcap
@@ -173,7 +173,7 @@ for PCAP in $INPUT_FILES; do
  status "- assigning unique identifier to import: $HASH"
  pcap_data=$(pcapinfo "${PCAP}")
-  if ! echo "$pcap_data" | grep -q "First packet time:" || echo "$pcap_data" |egrep -q "Last packet time:    1970-01-01|Last packet time:    n/a"; then
+  if ! echo "$pcap_data" | grep -q "Earliest packet time:" || echo "$pcap_data" |egrep -q "Latest packet time:   1970-01-01|Latest packet time:   n/a"; then
    status "- this PCAP file is invalid; skipping"
    INVALID_PCAPS_COUNT=$((INVALID_PCAPS_COUNT + 1))
  else
@@ -205,8 +205,8 @@ for PCAP in $INPUT_FILES; do
      HASHES="${HASHES} ${HASH}"
    fi
-    START=$(pcapinfo "${PCAP}" -a |grep "First packet time:" | awk '{print $4}')
+    START=$(pcapinfo "${PCAP}" -a |grep "Earliest packet time:" | awk '{print $4}')
-    END=$(pcapinfo "${PCAP}" -e |grep "Last packet time:" | awk '{print $4}')
+    END=$(pcapinfo "${PCAP}" -e |grep "Latest packet time:" | awk '{print $4}')
    status "- found PCAP data spanning dates $START through $END"
    # compare $START to $START_OLDEST
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/elasticsearch-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/elasticsearch-logs.json
@@ -40,7 +40,7 @@
          "enabled": true,
          "vars": {
            "paths": [
-              "/opt/so/log/elasticsearch/*.log"
+              "/opt/so/log/elasticsearch/*.json"
            ]
          }
        },
--- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-common
+++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-common
@@ -27,7 +27,7 @@ fleet_api() {
    local QUERYPATH=$1
    shift
-    curl -sK /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/${QUERYPATH}" "$@" --retry 3 --fail 2>/dev/null
+    curl -sK /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/${QUERYPATH}" "$@" --retry 3 --retry-delay 10 --fail 2>/dev/null
 }
 elastic_fleet_integration_check() {
--- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-elastic-defend
+++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-elastic-defend
@@ -8,6 +8,7 @@
 . /usr/sbin/so-elastic-fleet-common
 ERROR=false
 # Manage Elastic Defend Integration for Initial Endpoints Policy
 for INTEGRATION in /opt/so/conf/elastic-fleet/integrations/elastic-defend/*.json
 do
@@ -17,13 +18,18 @@ do
      printf "\n\nIntegration $NAME exists - Upgrading integration policy\n"
      if ! elastic_fleet_integration_policy_upgrade "$INTEGRATION_ID"; then
        echo -e "\nFailed to upgrade integration policy for ${INTEGRATION##*/}"
-        exit 1
+        ERROR=true
        continue
      fi
  else
    printf "\n\nIntegration does not exist - Creating integration\n"
    if ! elastic_fleet_integration_create "@$INTEGRATION"; then
        echo -e "\nFailed to create integration for ${INTEGRATION##*/}"
-        exit 1
+        ERROR=true
        continue
    fi
  fi
 done
 if [[ "$ERROR" == "true" ]]; then
    exit 1
 fi
--- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load
+++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load
@@ -17,7 +17,6 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then
  # Third, configure Elastic Defend Integration seperately
  /usr/sbin/so-elastic-fleet-integration-policy-elastic-defend
  # Initial Endpoints
  for INTEGRATION in /opt/so/conf/elastic-fleet/integrations/endpoints-initial/*.json
  do
@@ -27,13 +26,15 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then
      printf "\n\nIntegration $NAME exists - Updating integration\n"
      if ! elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION"; then
        echo -e "\nFailed to update integration for ${INTEGRATION##*/}"
-        exit 1
+        RETURN_CODE=1
        continue
      fi
    else
      printf "\n\nIntegration does not exist - Creating integration\n"
      if ! elastic_fleet_integration_create "@$INTEGRATION"; then
        echo -e "\nFailed to create integration for ${INTEGRATION##*/}"
-        exit 1
+        RETURN_CODE=1
        continue
      fi
    fi
  done
@@ -47,13 +48,15 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then
      printf "\n\nIntegration $NAME exists - Updating integration\n"
      if ! elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION"; then
        echo -e "\nFailed to update integration for ${INTEGRATION##*/}"
-        exit 1
+        RETURN_CODE=1
        continue
      fi
    else
      printf "\n\nIntegration does not exist - Creating integration\n"
      if ! elastic_fleet_integration_create "@$INTEGRATION"; then
        echo -e "\nFailed to create integration for ${INTEGRATION##*/}"
-        exit 1
+        RETURN_CODE=1
        continue
      fi
    fi
  done
@@ -70,14 +73,16 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then
      printf "\n\nIntegration $NAME exists - Updating integration\n"
      if ! elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION"; then
        echo -e "\nFailed to update integration for ${INTEGRATION##*/}"
-        exit 1
+        RETURN_CODE=1
        continue
      fi
    else
      printf "\n\nIntegration does not exist - Creating integration\n"
      if [ "$NAME" != "elasticsearch-logs" ]; then
        if ! elastic_fleet_integration_create "@$INTEGRATION"; then
          echo -e "\nFailed to create integration for ${INTEGRATION##*/}"
-          exit 1
+          RETURN_CODE=1
          continue
        fi
      fi
    fi
@@ -97,14 +102,16 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then
        printf "\n\nIntegration $NAME exists - Updating integration\n"
        if ! elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION"; then
          echo -e "\nFailed to update integration for ${INTEGRATION##*/}"
-          exit 1
+          RETURN_CODE=1
          continue
        fi
      else
        printf "\n\nIntegration does not exist - Creating integration\n"
        if [ "$NAME" != "elasticsearch-logs" ]; then
          if ! elastic_fleet_integration_create "@$INTEGRATION"; then
            echo -e "\nFailed to create integration for ${INTEGRATION##*/}"
-            exit 1
+            RETURN_CODE=1
            continue
          fi
        fi
      fi
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-integration-upgrade
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-integration-upgrade
@@ -24,6 +24,7 @@ fi
 default_packages=({% for pkg in SUPPORTED_PACKAGES %}"{{ pkg }}"{% if not loop.last %} {% endif %}{% endfor %})
 ERROR=false
 for AGENT_POLICY in $agent_policies; do
    if ! integrations=$(elastic_fleet_integration_policy_names "$AGENT_POLICY"); then
        # this script upgrades default integration packages, exit 1 and let salt handle retrying
@@ -73,11 +74,13 @@ for AGENT_POLICY in $agent_policies; do
                        echo "No errors detected. Proceeding with upgrade..."
                        if ! elastic_fleet_integration_policy_upgrade "$INTEGRATION_ID"; then
                            echo "Error: Upgrade failed for $PACKAGE_NAME with integration ID '$INTEGRATION_ID'."
-                            exit 1
+                            ERROR=true
                            continue
                        fi
                    else
                        echo "Errors detected during dry run for $PACKAGE_NAME policy upgrade..."
-                        exit 1
+                        ERROR=true
                        continue
                    fi
                fi
            {%- if not AUTO_UPGRADE_INTEGRATIONS %}
@@ -86,4 +89,7 @@ for AGENT_POLICY in $agent_policies; do
        fi
    done
 done
 if [[ "$ERROR" == "true" ]]; then
    exit 1
 fi
 echo
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-outputs-update
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-outputs-update
@@ -15,8 +15,21 @@ if ! is_manager_node; then
 fi
 function update_logstash_outputs() {
-	# Generate updated JSON payload
+    if logstash_policy=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "http://localhost:5601/api/fleet/outputs/so-manager_logstash" --retry 3 --retry-delay 10 --fail 2>/dev/null); then
-    JSON_STRING=$(jq -n --arg UPDATEDLIST $NEW_LIST_JSON '{"name":"grid-logstash","type":"logstash","hosts": $UPDATEDLIST,"is_default":true,"is_default_monitoring":true,"config_yaml":""}')
+        SSL_CONFIG=$(echo "$logstash_policy" | jq -r '.item.ssl')
        if SECRETS=$(echo "$logstash_policy" | jq -er '.item.secrets' 2>/dev/null); then
            JSON_STRING=$(jq -n \
                --arg UPDATEDLIST "$NEW_LIST_JSON" \
                --argjson SECRETS "$SECRETS" \
                --argjson SSL_CONFIG "$SSL_CONFIG" \
                '{"name":"grid-logstash","type":"logstash","hosts": $UPDATEDLIST,"is_default":true,"is_default_monitoring":true,"config_yaml":"","ssl": $SSL_CONFIG,"secrets": $SECRETS}')
        else
            JSON_STRING=$(jq -n \
                --arg UPDATEDLIST "$NEW_LIST_JSON" \
                --argjson SSL_CONFIG "$SSL_CONFIG" \
                '{"name":"grid-logstash","type":"logstash","hosts": $UPDATEDLIST,"is_default":true,"is_default_monitoring":true,"config_yaml":"","ssl": $SSL_CONFIG}')
        fi
    fi
    # Update Logstash Outputs
    curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/outputs/so-manager_logstash" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" | jq
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup
@@ -63,7 +63,7 @@ printf "\nAdd Manager Elasticsearch Output...\n"
 ESCACRT=$(openssl x509 -in "$INTCA" -outform DER | sha256sum | cut -d' ' -f1 | tr '[:lower:]' '[:upper:]')
 JSON_STRING=$(jq -n \
    --arg ESCACRT "$ESCACRT" \
-        '{"name":"so-manager_elasticsearch","id":"so-manager_elasticsearch","type":"elasticsearch","hosts":["https://{{ GLOBALS.manager_ip }}:9200","https://{{ GLOBALS.manager }}:9200"],"is_default":true,"is_default_monitoring":true,"config_yaml":"","ca_trusted_fingerprint": $ESCACRT}')
+        '{"name":"so-manager_elasticsearch","id":"so-manager_elasticsearch","type":"elasticsearch","hosts":["https://{{ GLOBALS.manager_ip }}:9200","https://{{ GLOBALS.manager }}:9200"],"is_default":false,"is_default_monitoring":false,"config_yaml":"","ca_trusted_fingerprint": $ESCACRT}')
 if ! fleet_api "outputs" -XPOST -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"; then
    echo -e "\nFailed to create so-elasticsearch_manager policy..."
@@ -71,6 +71,13 @@ if ! fleet_api "outputs" -XPOST -H 'kbn-xsrf: true' -H 'Content-Type: applicatio
 fi
 printf "\n\n"
 # so-manager_elasticsearch should exist and be disabled. Now update it before checking its the only default policy
 MANAGER_OUTPUT_ENABLED=$(echo "$JSON_STRING" | jq 'del(.id) | .is_default = true | .is_default_monitoring = true')
 if ! curl -sK /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/outputs/so-manager_elasticsearch" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$MANAGER_OUTPUT_ENABLED"; then
    echo -e "\n failed to update so-manager_elasticsearch"
    exit 1
 fi
 # At this point there should only be two policies. fleet-default-output & so-manager_elasticsearch
 status "Verifying so-manager_elasticsearch policy is configured as the current default"
@@ -79,7 +86,7 @@ if DEFAULTPOLICY=$(fleet_api "outputs/fleet-default-output"); then
    fleet_default=$(echo "$DEFAULTPOLICY" | jq -er '.item.is_default')
    fleet_default_monitoring=$(echo "$DEFAULTPOLICY" | jq -er '.item.is_default_monitoring')
 #   Check that fleet-default-output isn't configured as a default for anything ( both variables return false )
-    if [[ ! $fleet_default ]] && [[ ! $fleet_default_monitoring ]]; then
+    if [[ $fleet_default == "false" ]] && [[ $fleet_default_monitoring == "false" ]]; then
        echo -e "\nso-manager_elasticsearch is configured as the current default policy..."
    else
        echo -e "\nVerification of so-manager_elasticsearch policy failed... The default 'fleet-default-output' output is still active..."
@@ -120,7 +127,7 @@ JSON_STRING=$( jq -n \
                  --arg LOGSTASHCRT "$LOGSTASHCRT" \
                  --arg LOGSTASHKEY "$LOGSTASHKEY" \
                  --arg LOGSTASHCA "$LOGSTASHCA" \
-                  '{"name":"grid-logstash","is_default":true,"is_default_monitoring":true,"id":"so-manager_logstash","type":"logstash","hosts":["{{ GLOBALS.manager_ip }}:5055", "{{ GLOBALS.manager }}:5055"],"config_yaml":"","ssl":{"certificate": $LOGSTASHCRT,"key": $LOGSTASHKEY,"certificate_authorities":[ $LOGSTASHCA ]},"proxy_id":null}'
+                  '{"name":"grid-logstash","is_default":true,"is_default_monitoring":true,"id":"so-manager_logstash","type":"logstash","hosts":["{{ GLOBALS.manager_ip }}:5055", "{{ GLOBALS.manager }}:5055"],"config_yaml":"","ssl":{"certificate": $LOGSTASHCRT,"certificate_authorities":[ $LOGSTASHCA ]},"secrets":{"ssl":{"key": $LOGSTASHKEY }},"proxy_id":null}'
                  )
 if ! fleet_api "outputs" -XPOST -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"; then
    echo -e "\nFailed to create logstash fleet output"
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -1991,6 +1991,70 @@ elasticsearch:
              set_priority:
                priority: 50
            min_age: 30d
    so-logs-elasticsearch_x_server:
      index_sorting: false
      index_template:
        composed_of:
        - logs-elasticsearch.server@package
        - logs-elasticsearch.server@custom
        - so-fleet_integrations.ip_mappings-1
        - so-fleet_globals-1
        - so-fleet_agent_id_verification-1
        data_stream:
          allow_custom_routing: false
          hidden: false
        ignore_missing_component_templates:
        - logs-elasticsearch.server@custom
        index_patterns:
        - logs-elasticsearch.server-*
        priority: 501
        template:
          mappings:
            _meta:
              managed: true
              managed_by: security_onion
              package:
                name: elastic_agent
          settings:
            index:
              lifecycle:
                name: so-logs-elasticsearch.server-logs
              mapping:
                total_fields:
                  limit: 5000
              number_of_replicas: 0
              sort:
                field: '@timestamp'
                order: desc
      policy:
        _meta:
          managed: true
          managed_by: security_onion
          package:
            name: elastic_agent
        phases:
          cold:
            actions:
              set_priority:
                priority: 0
            min_age: 60d
          delete:
            actions:
              delete: {}
            min_age: 365d
          hot:
            actions:
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
              set_priority:
                priority: 100
            min_age: 0ms
          warm:
            actions:
              set_priority:
                priority: 50
            min_age: 30d
    so-logs-endpoint_x_actions:
      index_sorting: false
      index_template:
--- a/salt/elasticsearch/files/ingest/global@custom
+++ b/salt/elasticsearch/files/ingest/global@custom
@@ -23,6 +23,7 @@
    { "set":        { "if": "ctx.event?.module == 'fim'", "override": true, "field": "event.module", "value": "file_integrity" } },
    { "rename":       { "if": "ctx.winlog?.provider_name == 'Microsoft-Windows-Windows Defender'", "ignore_missing": true, "field": "winlog.event_data.Threat Name", "target_field": "winlog.event_data.threat_name" } },
    { "set":        { "if": "ctx?.metadata?.kafka != null" , "field": "kafka.id", "value": "{{metadata.kafka.partition}}{{metadata.kafka.offset}}{{metadata.kafka.timestamp}}", "ignore_failure": true } },
    { "set":        { "if": "ctx.event?.dataset != null && ctx.event?.dataset == 'elasticsearch.server'", "field": "event.module", "value":"elasticsearch" }},
    {"append":      {"field":"related.ip","value":["{{source.ip}}","{{destination.ip}}"],"allow_duplicates":false,"if":"ctx?.event?.dataset == 'endpoint.events.network' && ctx?.source?.ip != null","ignore_failure":true}},
    {"foreach":     {"field":"host.ip","processor":{"append":{"field":"related.ip","value":"{{_ingest._value}}","allow_duplicates":false}},"if":"ctx?.event?.module == 'endpoint' && ctx?.host?.ip != null","ignore_missing":true, "description":"Extract IPs from Elastic Agent events (host.ip) and adds them to related.ip"}},
    { "remove":     { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp", "dataset_tag_temp", "module_temp", "datastream_dataset_temp" ], "ignore_missing": true, "ignore_failure": true } }
--- a/salt/elasticsearch/files/log4j2.properties
+++ b/salt/elasticsearch/files/log4j2.properties
@@ -20,8 +20,28 @@ appender.rolling.strategy.type = DefaultRolloverStrategy
 appender.rolling.strategy.action.type = Delete
 appender.rolling.strategy.action.basepath = /var/log/elasticsearch
 appender.rolling.strategy.action.condition.type = IfFileName
-appender.rolling.strategy.action.condition.glob = *.gz
+appender.rolling.strategy.action.condition.glob = *.log.gz
 appender.rolling.strategy.action.condition.nested_condition.type = IfLastModified
 appender.rolling.strategy.action.condition.nested_condition.age = 7D
 appender.rolling_json.type = RollingFile
 appender.rolling_json.name = rolling_json
 appender.rolling_json.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}.json
 appender.rolling_json.layout.type = ECSJsonLayout
 appender.rolling_json.layout.dataset = elasticsearch.server
 appender.rolling_json.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}-%d{yyyy-MM-dd}.json.gz
 appender.rolling_json.policies.type = Policies
 appender.rolling_json.policies.time.type = TimeBasedTriggeringPolicy
 appender.rolling_json.policies.time.interval = 1
 appender.rolling_json.policies.time.modulate = true
 appender.rolling_json.strategy.type = DefaultRolloverStrategy
 appender.rolling_json.strategy.action.type = Delete
 appender.rolling_json.strategy.action.basepath = /var/log/elasticsearch
 appender.rolling_json.strategy.action.condition.type = IfFileName
 appender.rolling_json.strategy.action.condition.glob = *.json.gz
 appender.rolling_json.strategy.action.condition.nested_condition.type = IfLastModified
 appender.rolling_json.strategy.action.condition.nested_condition.age = 1D
 rootLogger.level = info
 rootLogger.appenderRef.rolling.ref = rolling
 rootLogger.appenderRef.rolling_json.ref = rolling_json
--- a/salt/elasticsearch/soc_elasticsearch.yaml
+++ b/salt/elasticsearch/soc_elasticsearch.yaml
@@ -392,6 +392,7 @@ elasticsearch:
    so-logs-elastic_agent_x_metricbeat: *indexSettings
    so-logs-elastic_agent_x_osquerybeat: *indexSettings
    so-logs-elastic_agent_x_packetbeat: *indexSettings
    so-logs-elasticsearch_x_server: *indexSettings
    so-metrics-endpoint_x_metadata: *indexSettings
    so-metrics-endpoint_x_metrics: *indexSettings
    so-metrics-endpoint_x_policy: *indexSettings
--- a/salt/hypervisor/map.jinja
+++ b/salt/hypervisor/map.jinja
@@ -13,6 +13,7 @@
 {# Import defaults.yaml for model hardware capabilities #}
 {% import_yaml 'hypervisor/defaults.yaml' as DEFAULTS %}
 {% set HYPERVISORMERGED = salt['pillar.get']('hypervisor', default=DEFAULTS.hypervisor, merge=True) %}
 {# Get hypervisor nodes from pillar #}
 {% set NODES = salt['pillar.get']('hypervisor:nodes', {}) %}
@@ -30,9 +31,10 @@
    {% set model = '' %}
    {% if grains %}
      {% set minion_id = grains.keys() | first %}
-      {% set model = grains[minion_id].get('sosmodel', '') %}
+      {% set model = grains[minion_id].get('sosmodel', grains[minion_id].get('byodmodel', '')) %}
    {% endif %}
-    {% set model_config = DEFAULTS.hypervisor.model.get(model, {}) %}
+
    {% set model_config = HYPERVISORMERGED.model.get(model, {}) %}
    {# Get VM list from VMs file #}
    {% set vms = {} %}
@@ -56,10 +58,26 @@
      {% set role = vm.get('role', '') %}
      {% do salt.log.debug('salt/hypervisor/map.jinja: Processing VM - hostname: ' ~ hostname ~ ', role: ' ~ role) %}
-      {# Load VM configuration from config file #}
+      {# Try to load VM configuration from config file first, then .error file if config doesn't exist #}
      {% set vm_file = 'hypervisor/hosts/' ~ hypervisor ~ '/' ~ hostname ~ '_' ~ role %}
      {% set vm_error_file = vm_file ~ '.error' %}
      {% do salt.log.debug('salt/hypervisor/map.jinja: VM config file: ' ~ vm_file) %}
-      {% import_json vm_file as vm_state %}
+      
      {# Check if base config file exists #}
      {% set config_exists = salt['file.file_exists']('/opt/so/saltstack/local/salt/' ~ vm_file) %}
      {% set error_exists = salt['file.file_exists']('/opt/so/saltstack/local/salt/' ~ vm_error_file) %}
      {% set vm_state = none %}
      {% if config_exists %}
        {% import_json vm_file as vm_state %}
        {% do salt.log.debug('salt/hypervisor/map.jinja: Loaded VM config from base file') %}
      {% elif error_exists %}
        {% import_json vm_error_file as vm_state %}
        {% do salt.log.debug('salt/hypervisor/map.jinja: Loaded VM config from .error file') %}
      {% else %}
        {% do salt.log.warning('salt/hypervisor/map.jinja: No config or error file found for VM ' ~ hostname ~ '_' ~ role) %}
      {% endif %}
      {% if vm_state %}
        {% do salt.log.debug('salt/hypervisor/map.jinja: VM config content: ' ~ vm_state | tojson) %}
        {% set vm_data = {'config': vm_state.config} %}
@@ -83,7 +101,7 @@
        {% endif %}
        {% do vms.update({hostname ~ '_' ~ role: vm_data}) %}
      {% else %}
-        {% do salt.log.debug('salt/hypervisor/map.jinja: Config file empty: ' ~ vm_file) %}
+        {% do salt.log.debug('salt/hypervisor/map.jinja: Skipping VM ' ~ hostname ~ '_' ~ role ~ ' - no config available') %}
      {% endif %}
    {% endfor %}
--- a/salt/hypervisor/tools/sbin/so-nvme-raid1.sh
+++ b/salt/hypervisor/tools/sbin/so-nvme-raid1.sh
@@ -30,7 +30,9 @@
 #
 # WARNING: This script will DESTROY all data on the target drives!
 #
-# USAGE: sudo ./so-nvme-raid1.sh
+# USAGE: 
 #   sudo ./so-nvme-raid1.sh              # Normal operation
 #   sudo ./so-nvme-raid1.sh --force-cleanup  # Force cleanup of existing RAID
 #
 #################################################################
@@ -41,6 +43,19 @@ set -e
 RAID_ARRAY_NAME="md0"
 RAID_DEVICE="/dev/${RAID_ARRAY_NAME}"
 MOUNT_POINT="/nsm"
 FORCE_CLEANUP=false
 # Parse command line arguments
 for arg in "$@"; do
    case $arg in
        --force-cleanup)
            FORCE_CLEANUP=true
            shift
            ;;
        *)
            ;;
    esac
 done
 # Function to log messages
 log() {
@@ -55,6 +70,91 @@ check_root() {
    fi
 }
 # Function to force cleanup all RAID components
 force_cleanup_raid() {
    log "=== FORCE CLEANUP MODE ==="
    log "This will destroy all RAID configurations and data on target drives!"
    # Stop all MD arrays
    log "Stopping all MD arrays"
    mdadm --stop --scan 2>/dev/null || true
    # Wait for arrays to stop
    sleep 2
    # Remove any running md devices
    for md in /dev/md*; do
        if [ -b "$md" ]; then
            log "Stopping $md"
            mdadm --stop "$md" 2>/dev/null || true
        fi
    done
    # Force cleanup both NVMe drives
    for device in "/dev/nvme0n1" "/dev/nvme1n1"; do
        log "Force cleaning $device"
        # Kill any processes using the device
        fuser -k "${device}"* 2>/dev/null || true
        # Unmount any mounted partitions
        for part in "${device}"*; do
            if [ -b "$part" ]; then
                umount -f "$part" 2>/dev/null || true
            fi
        done
        # Force zero RAID superblocks on partitions
        for part in "${device}"p*; do
            if [ -b "$part" ]; then
                log "Zeroing RAID superblock on $part"
                mdadm --zero-superblock --force "$part" 2>/dev/null || true
            fi
        done
        # Zero superblock on the device itself
        log "Zeroing RAID superblock on $device"
        mdadm --zero-superblock --force "$device" 2>/dev/null || true
        # Remove LVM physical volumes
        pvremove -ff -y "$device" 2>/dev/null || true
        # Wipe all filesystem and partition signatures
        log "Wiping all signatures from $device"
        wipefs -af "$device" 2>/dev/null || true
        # Overwrite the beginning of the drive (partition table area)
        log "Clearing partition table on $device"
        dd if=/dev/zero of="$device" bs=1M count=10 2>/dev/null || true
        # Clear the end of the drive (backup partition table area)
        local device_size=$(blockdev --getsz "$device" 2>/dev/null || echo "0")
        if [ "$device_size" -gt 0 ]; then
            dd if=/dev/zero of="$device" bs=512 seek=$(( device_size - 2048 )) count=2048 2>/dev/null || true
        fi
        # Force kernel to re-read partition table
        blockdev --rereadpt "$device" 2>/dev/null || true
        partprobe -s "$device" 2>/dev/null || true
    done
    # Clear mdadm configuration
    log "Clearing mdadm configuration"
    echo "DEVICE partitions" > /etc/mdadm.conf
    # Remove any fstab entries for the RAID device or mount point
    log "Cleaning fstab entries"
    sed -i "\|${RAID_DEVICE}|d" /etc/fstab
    sed -i "\|${MOUNT_POINT}|d" /etc/fstab
    # Wait for system to settle
    udevadm settle
    sleep 5
    log "Force cleanup complete!"
    log "Proceeding with RAID setup..."
 }
 # Function to find MD arrays using specific devices
 find_md_arrays_using_devices() {
    local target_devices=("$@")
@@ -205,10 +305,15 @@ check_existing_raid() {
            fi
            log "Error: $device appears to be part of an existing RAID array"
-            log "To reuse this device, you must first:"
+            log "Old RAID metadata detected but array is not running."
-            log "1. Unmount any filesystems"
+            log ""
-            log "2. Stop the RAID array: mdadm --stop $array_name"
+            log "To fix this, run the script with --force-cleanup:"
-            log "3. Zero the superblock: mdadm --zero-superblock ${device}p1"
+            log "  sudo $0 --force-cleanup"
            log ""
            log "Or manually clean up with:"
            log "1. Stop any arrays: mdadm --stop --scan"
            log "2. Zero superblocks: mdadm --zero-superblock --force ${device}p1"
            log "3. Wipe signatures: wipefs -af $device"
            exit 1
        fi
    done
@@ -238,7 +343,7 @@ ensure_devices_free() {
    done
    # Clear MD superblock
-    mdadm --zero-superblock "${device}"* 2>/dev/null || true
+    mdadm --zero-superblock --force "${device}"* 2>/dev/null || true
    # Remove LVM PV if exists
    pvremove -ff -y "$device" 2>/dev/null || true
@@ -263,6 +368,11 @@ main() {
    # Check if running as root
    check_root
    # If force cleanup flag is set, do aggressive cleanup first
    if [ "$FORCE_CLEANUP" = true ]; then
        force_cleanup_raid
    fi
    # Check for existing RAID setup
    check_existing_raid
--- a/salt/hypervisor/tools/sbin_jinja/so-kvm-create-volume
+++ b/salt/hypervisor/tools/sbin_jinja/so-kvm-create-volume
@@ -0,0 +1,586 @@
 #!/usr/bin/python3
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 #
 # Note: Per the Elastic License 2.0, the second limitation states:
 #
 #   "You may not move, change, disable, or circumvent the license key functionality
 #    in the software, and you may not remove or obscure any functionality in the
 #    software that is protected by the license key."
 {% if 'vrt' in salt['pillar.get']('features', []) %}
 """
 Script for creating and attaching virtual volumes to KVM virtual machines for NSM storage.
 This script provides functionality to create pre-allocated raw disk images and attach them
 to VMs as virtio-blk devices for high-performance network security monitoring data storage.
 The script handles the complete volume lifecycle:
 1. Volume Creation: Creates pre-allocated raw disk images using qemu-img
 2. Volume Attachment: Attaches volumes to VMs as virtio-blk devices
 3. VM Management: Stops/starts VMs as needed during the process
 This script is designed to work with Security Onion's virtualization infrastructure and is typically
 used during VM provisioning to add dedicated NSM storage volumes.
 **Usage:**
    so-kvm-create-volume -v <vm_name> -s <size_gb> [-S]
 **Options:**
    -v, --vm          Name of the virtual machine to attach the volume to (required).
    -s, --size        Size of the volume in GB (required, must be a positive integer).
    -S, --start       Start the VM after volume creation and attachment (optional).
 **Examples:**
 1. **Create and Attach 500GB Volume:**
    ```bash
    so-kvm-create-volume -v vm1_sensor -s 500
    ```
    This command creates and attaches a volume with the following settings:
    - VM Name: `vm1_sensor`
    - Volume Size: `500` GB
    - Volume Path: `/nsm/libvirt/volumes/vm1_sensor-nsm.img`
    - Device: `/dev/vdb` (virtio-blk)
    - VM remains stopped after attachment
 2. **Create Volume and Start VM:**
    ```bash
    so-kvm-create-volume -v vm2_sensor -s 1000 -S
    ```
    This command creates a volume and starts the VM:
    - VM Name: `vm2_sensor`
    - Volume Size: `1000` GB (1 TB)
    - VM is started after volume attachment due to the `-S` flag
 3. **Create Large Volume for Heavy Traffic:**
    ```bash
    so-kvm-create-volume -v vm3_sensor -s 2000 -S
    ```
    This command creates a large volume for high-traffic environments:
    - VM Name: `vm3_sensor`
    - Volume Size: `2000` GB (2 TB)
    - VM is started after attachment
 **Notes:**
 - The script automatically stops the VM if it's running before creating and attaching the volume.
 - Volumes are created with full pre-allocation for optimal performance.
 - Volume files are stored in `/nsm/libvirt/volumes/` with naming pattern `<vm_name>-nsm.img`.
 - Volumes are attached as `/dev/vdb` using virtio-blk for high performance.
 - The script checks available disk space before creating the volume.
 - Ownership is set to `qemu:qemu` with permissions `640`.
 - Without the `-S` flag, the VM remains stopped after volume attachment.
 **Description:**
 The `so-kvm-create-volume` script creates and attaches NSM storage volumes using the following process:
 1. **Pre-flight Checks:**
   - Validates input parameters (VM name, size)
   - Checks available disk space in `/nsm/libvirt/volumes/`
   - Ensures sufficient space for the requested volume size
 2. **VM State Management:**
   - Connects to the local libvirt daemon
   - Stops the VM if it's currently running
   - Retrieves current VM configuration
 3. **Volume Creation:**
   - Creates volume directory if it doesn't exist
   - Uses `qemu-img create` with full pre-allocation
   - Sets proper ownership (qemu:qemu) and permissions (640)
   - Validates volume creation success
 4. **Volume Attachment:**
   - Modifies VM's libvirt XML configuration
   - Adds disk element with virtio-blk driver
   - Configures cache='none' and io='native' for performance
   - Attaches volume as `/dev/vdb`
 5. **VM Redefinition:**
   - Applies the new configuration by redefining the VM
   - Optionally starts the VM if requested
   - Emits deployment status events for monitoring
 6. **Error Handling:**
   - Validates all input parameters
   - Checks disk space before creation
   - Handles volume creation failures
   - Handles volume attachment failures
   - Provides detailed error messages for troubleshooting
 **Exit Codes:**
 - `0`: Success
 - `1`: An error occurred during execution
 **Logging:**
 - Logs are written to `/opt/so/log/hypervisor/so-kvm-create-volume.log`
 - Both file and console logging are enabled for real-time monitoring
 - Log entries include timestamps and severity levels
 - Log prefixes: VOLUME:, VM:, HARDWARE:, SPACE:
 - Detailed error messages are logged for troubleshooting
 """
 import argparse
 import sys
 import os
 import libvirt
 import logging
 import socket
 import subprocess
 import pwd
 import grp
 import xml.etree.ElementTree as ET
 from io import StringIO
 from so_vm_utils import start_vm, stop_vm
 from so_logging_utils import setup_logging
 # Get hypervisor name from local hostname
 HYPERVISOR = socket.gethostname()
 # Volume storage directory
 VOLUME_DIR = '/nsm/libvirt/volumes'
 # Custom exception classes
 class InsufficientSpaceError(Exception):
    """Raised when there is insufficient disk space for volume creation."""
    pass
 class VolumeCreationError(Exception):
    """Raised when volume creation fails."""
    pass
 class VolumeAttachmentError(Exception):
    """Raised when volume attachment fails."""
    pass
 # Custom log handler to capture output
 class StringIOHandler(logging.Handler):
    def __init__(self):
        super().__init__()
        self.strio = StringIO()
    def emit(self, record):
        msg = self.format(record)
        self.strio.write(msg + '\n')
    def get_value(self):
        return self.strio.getvalue()
 def parse_arguments():
    """Parse command-line arguments."""
    parser = argparse.ArgumentParser(description='Create and attach a virtual volume to a KVM virtual machine for NSM storage.')
    parser.add_argument('-v', '--vm', required=True, help='Name of the virtual machine to attach the volume to.')
    parser.add_argument('-s', '--size', type=int, required=True, help='Size of the volume in GB (must be a positive integer).')
    parser.add_argument('-S', '--start', action='store_true', help='Start the VM after volume creation and attachment.')
    args = parser.parse_args()
    # Validate size is positive
    if args.size <= 0:
        parser.error("Volume size must be a positive integer.")
    return args
 def check_disk_space(size_gb, logger):
    """
    Check if there is sufficient disk space available for volume creation.
    Args:
        size_gb: Size of the volume in GB
        logger: Logger instance
    Raises:
        InsufficientSpaceError: If there is not enough disk space
    """
    try:
        stat = os.statvfs(VOLUME_DIR)
        # Available space in bytes
        available_bytes = stat.f_bavail * stat.f_frsize
        # Required space in bytes (add 10% buffer)
        required_bytes = size_gb * 1024 * 1024 * 1024 * 1.1
        available_gb = available_bytes / (1024 * 1024 * 1024)
        required_gb = required_bytes / (1024 * 1024 * 1024)
        logger.info(f"SPACE: Available: {available_gb:.2f} GB, Required: {required_gb:.2f} GB")
        if available_bytes < required_bytes:
            raise InsufficientSpaceError(
                f"Insufficient disk space. Available: {available_gb:.2f} GB, Required: {required_gb:.2f} GB"
            )
        logger.info(f"SPACE: Sufficient disk space available for {size_gb} GB volume")
    except OSError as e:
        logger.error(f"SPACE: Failed to check disk space: {e}")
        raise
 def create_volume_file(vm_name, size_gb, logger):
    """
    Create a pre-allocated raw disk image for the VM.
    Args:
        vm_name: Name of the VM
        size_gb: Size of the volume in GB
        logger: Logger instance
    Returns:
        Path to the created volume file
    Raises:
        VolumeCreationError: If volume creation fails
    """
    # Define volume path (directory already created in main())
    volume_path = os.path.join(VOLUME_DIR, f"{vm_name}-nsm.img")
    # Check if volume already exists
    if os.path.exists(volume_path):
        logger.error(f"VOLUME: Volume already exists: {volume_path}")
        raise VolumeCreationError(f"Volume already exists: {volume_path}")
    logger.info(f"VOLUME: Creating {size_gb} GB volume at {volume_path}")
    # Create volume using qemu-img with full pre-allocation
    try:
        cmd = [
            'qemu-img', 'create',
            '-f', 'raw',
            '-o', 'preallocation=full',
            volume_path,
            f"{size_gb}G"
        ]
        result = subprocess.run(
            cmd,
            capture_output=True,
            text=True,
            check=True
        )
        logger.info(f"VOLUME: Volume created successfully")
        if result.stdout:
            logger.debug(f"VOLUME: qemu-img output: {result.stdout.strip()}")
    except subprocess.CalledProcessError as e:
        logger.error(f"VOLUME: Failed to create volume: {e}")
        if e.stderr:
            logger.error(f"VOLUME: qemu-img error: {e.stderr.strip()}")
        raise VolumeCreationError(f"Failed to create volume: {e}")
    # Set ownership to qemu:qemu
    try:
        qemu_uid = pwd.getpwnam('qemu').pw_uid
        qemu_gid = grp.getgrnam('qemu').gr_gid
        os.chown(volume_path, qemu_uid, qemu_gid)
        logger.info(f"VOLUME: Set ownership to qemu:qemu")
    except (KeyError, OSError) as e:
        logger.error(f"VOLUME: Failed to set ownership: {e}")
        raise VolumeCreationError(f"Failed to set ownership: {e}")
    # Set permissions to 640
    try:
        os.chmod(volume_path, 0o640)
        logger.info(f"VOLUME: Set permissions to 640")
    except OSError as e:
        logger.error(f"VOLUME: Failed to set permissions: {e}")
        raise VolumeCreationError(f"Failed to set permissions: {e}")
    # Verify volume was created
    if not os.path.exists(volume_path):
        logger.error(f"VOLUME: Volume file not found after creation: {volume_path}")
        raise VolumeCreationError(f"Volume file not found after creation: {volume_path}")
    volume_size = os.path.getsize(volume_path)
    logger.info(f"VOLUME: Volume created: {volume_path} ({volume_size} bytes)")
    return volume_path
 def attach_volume_to_vm(conn, vm_name, volume_path, logger):
    """
    Attach the volume to the VM's libvirt XML configuration.
    Args:
        conn: Libvirt connection
        vm_name: Name of the VM
        volume_path: Path to the volume file
        logger: Logger instance
    Raises:
        VolumeAttachmentError: If volume attachment fails
    """
    try:
        # Get the VM domain
        dom = conn.lookupByName(vm_name)
        # Get the XML description of the VM
        xml_desc = dom.XMLDesc()
        root = ET.fromstring(xml_desc)
        # Find the devices element
        devices_elem = root.find('./devices')
        if devices_elem is None:
            logger.error("VM: Could not find <devices> element in XML")
            raise VolumeAttachmentError("Could not find <devices> element in VM XML")
        # Log ALL devices with PCI addresses to find conflicts
        logger.info("DISK_DEBUG: Examining ALL devices with PCI addresses")
        for device in devices_elem:
            address = device.find('./address')
            if address is not None and address.get('type') == 'pci':
                bus = address.get('bus', 'unknown')
                slot = address.get('slot', 'unknown')
                function = address.get('function', 'unknown')
                logger.info(f"DISK_DEBUG: Device {device.tag}: bus={bus}, slot={slot}, function={function}")
        # Log existing disk configuration for debugging
        logger.info("DISK_DEBUG: Examining existing disk configuration")
        existing_disks = devices_elem.findall('./disk')
        for idx, disk in enumerate(existing_disks):
            target = disk.find('./target')
            source = disk.find('./source')
            address = disk.find('./address')
            dev_name = target.get('dev') if target is not None else 'unknown'
            source_file = source.get('file') if source is not None else 'unknown'
            if address is not None:
                slot = address.get('slot', 'unknown')
                bus = address.get('bus', 'unknown')
                logger.info(f"DISK_DEBUG: Disk {idx}: dev={dev_name}, source={source_file}, slot={slot}, bus={bus}")
            else:
                logger.info(f"DISK_DEBUG: Disk {idx}: dev={dev_name}, source={source_file}, no address element")
        # Check if vdb already exists
        for disk in devices_elem.findall('./disk'):
            target = disk.find('./target')
            if target is not None and target.get('dev') == 'vdb':
                logger.error("VM: Device vdb already exists in VM configuration")
                raise VolumeAttachmentError("Device vdb already exists in VM configuration")
        logger.info(f"VM: Attaching volume to {vm_name} as /dev/vdb")
        # Create disk element
        disk_elem = ET.SubElement(devices_elem, 'disk', attrib={
            'type': 'file',
            'device': 'disk'
        })
        # Add driver element
        ET.SubElement(disk_elem, 'driver', attrib={
            'name': 'qemu',
            'type': 'raw',
            'cache': 'none',
            'io': 'native'
        })
        # Add source element
        ET.SubElement(disk_elem, 'source', attrib={
            'file': volume_path
        })
        # Add target element
        ET.SubElement(disk_elem, 'target', attrib={
            'dev': 'vdb',
            'bus': 'virtio'
        })
        # Add address element
        # Use bus 0x07 with slot 0x00 to ensure NSM volume appears after OS disk (which is on bus 0x04)
        # Bus 0x05 is used by memballoon, bus 0x06 is used by rng device
        # Libvirt requires slot <= 0 for non-zero buses
        # This ensures vda = OS disk, vdb = NSM volume
        ET.SubElement(disk_elem, 'address', attrib={
            'type': 'pci',
            'domain': '0x0000',
            'bus': '0x07',
            'slot': '0x00',
            'function': '0x0'
        })
        logger.info(f"HARDWARE: Added disk configuration for vdb")
        # Log disk ordering after adding new disk
        logger.info("DISK_DEBUG: Disk configuration after adding NSM volume")
        all_disks = devices_elem.findall('./disk')
        for idx, disk in enumerate(all_disks):
            target = disk.find('./target')
            source = disk.find('./source')
            address = disk.find('./address')
            dev_name = target.get('dev') if target is not None else 'unknown'
            source_file = source.get('file') if source is not None else 'unknown'
            if address is not None:
                slot = address.get('slot', 'unknown')
                bus = address.get('bus', 'unknown')
                logger.info(f"DISK_DEBUG: Disk {idx}: dev={dev_name}, source={source_file}, slot={slot}, bus={bus}")
            else:
                logger.info(f"DISK_DEBUG: Disk {idx}: dev={dev_name}, source={source_file}, no address element")
        # Convert XML back to string
        new_xml_desc = ET.tostring(root, encoding='unicode')
        # Redefine the VM with the new XML
        conn.defineXML(new_xml_desc)
        logger.info(f"VM: VM redefined with volume attached")
    except libvirt.libvirtError as e:
        logger.error(f"VM: Failed to attach volume: {e}")
        raise VolumeAttachmentError(f"Failed to attach volume: {e}")
    except Exception as e:
        logger.error(f"VM: Failed to attach volume: {e}")
        raise VolumeAttachmentError(f"Failed to attach volume: {e}")
 def emit_status_event(vm_name, status):
    """
    Emit a deployment status event.
    Args:
        vm_name: Name of the VM
        status: Status message
    """
    try:
        subprocess.run([
            'so-salt-emit-vm-deployment-status-event',
            '-v', vm_name,
            '-H', HYPERVISOR,
            '-s', status
        ], check=True)
    except subprocess.CalledProcessError as e:
        # Don't fail the entire operation if status event fails
        pass
 def main():
    """Main function to orchestrate volume creation and attachment."""
    # Set up logging using the so_logging_utils library
    string_handler = StringIOHandler()
    string_handler.setFormatter(logging.Formatter('%(asctime)s - %(levelname)s - %(message)s'))
    logger = setup_logging(
        logger_name='so-kvm-create-volume',
        log_file_path='/opt/so/log/hypervisor/so-kvm-create-volume.log',
        log_level=logging.INFO,
        format_str='%(asctime)s - %(levelname)s - %(message)s'
    )
    logger.addHandler(string_handler)
    vm_name = None
    try:
        # Parse arguments
        args = parse_arguments()
        vm_name = args.vm
        size_gb = args.size
        start_vm_flag = args.start
        logger.info(f"VOLUME: Starting volume creation for VM '{vm_name}' with size {size_gb} GB")
        # Emit start status event
        emit_status_event(vm_name, 'Volume Creation')
        # Ensure volume directory exists before checking disk space
        try:
            os.makedirs(VOLUME_DIR, mode=0o754, exist_ok=True)
            qemu_uid = pwd.getpwnam('qemu').pw_uid
            qemu_gid = grp.getgrnam('qemu').gr_gid
            os.chown(VOLUME_DIR, qemu_uid, qemu_gid)
            logger.debug(f"VOLUME: Ensured volume directory exists: {VOLUME_DIR}")
        except Exception as e:
            logger.error(f"VOLUME: Failed to create volume directory: {e}")
            emit_status_event(vm_name, 'Volume Configuration Failed')
            sys.exit(1)
        # Check disk space
        check_disk_space(size_gb, logger)
        # Connect to libvirt
        try:
            conn = libvirt.open(None)
            logger.info("VM: Connected to libvirt")
        except libvirt.libvirtError as e:
            logger.error(f"VM: Failed to open connection to libvirt: {e}")
            emit_status_event(vm_name, 'Volume Configuration Failed')
            sys.exit(1)
        # Stop VM if running
        dom = stop_vm(conn, vm_name, logger)
        # Create volume file
        volume_path = create_volume_file(vm_name, size_gb, logger)
        # Attach volume to VM
        attach_volume_to_vm(conn, vm_name, volume_path, logger)
        # Start VM if -S or --start argument is provided
        if start_vm_flag:
            dom = conn.lookupByName(vm_name)
            start_vm(dom, logger)
            logger.info(f"VM: VM '{vm_name}' started successfully")
        else:
            logger.info("VM: Start flag not provided; VM will remain stopped")
        # Close connection
        conn.close()
        # Emit success status event
        emit_status_event(vm_name, 'Volume Configuration')
        logger.info(f"VOLUME: Volume creation and attachment completed successfully for VM '{vm_name}'")
    except KeyboardInterrupt:
        error_msg = "Operation cancelled by user"
        logger.error(error_msg)
        if vm_name:
            emit_status_event(vm_name, 'Volume Configuration Failed')
        sys.exit(1)
    except InsufficientSpaceError as e:
        error_msg = f"SPACE: {str(e)}"
        logger.error(error_msg)
        if vm_name:
            emit_status_event(vm_name, 'Volume Configuration Failed')
        sys.exit(1)
    except VolumeCreationError as e:
        error_msg = f"VOLUME: {str(e)}"
        logger.error(error_msg)
        if vm_name:
            emit_status_event(vm_name, 'Volume Configuration Failed')
        sys.exit(1)
    except VolumeAttachmentError as e:
        error_msg = f"VM: {str(e)}"
        logger.error(error_msg)
        if vm_name:
            emit_status_event(vm_name, 'Volume Configuration Failed')
        sys.exit(1)
    except Exception as e:
        error_msg = f"An error occurred: {str(e)}"
        logger.error(error_msg)
        if vm_name:
            emit_status_event(vm_name, 'Volume Configuration Failed')
        sys.exit(1)
 if __name__ == '__main__':
    main()
 {%- else -%}
 echo "Hypervisor nodes are a feature supported only for customers with a valid license. \
      Contact Security Onion Solutions, LLC via our website at https://securityonionsolutions.com \
      for more information about purchasing a license to enable this feature."
 {% endif -%}
--- a/salt/kratos/enabled.sls
+++ b/salt/kratos/enabled.sls
@@ -54,6 +54,9 @@ so-kratos:
      - file: kratosconfig
      - file: kratoslogdir
      - file: kratosdir
    - retry:
        attempts: 10
        interval: 10
 delete_so-kratos_so-status.disabled:
  file.uncomment:
--- a/salt/libvirt/bridge.sls
+++ b/salt/libvirt/bridge.sls
@@ -4,6 +4,9 @@
 # Elastic License 2.0.
 # We do not import GLOBALS in this state because it is called during setup
 include:
  - salt.minion.service_file
  - salt.mine_functions
 down_original_mgmt_interface:
  cmd.run:
@@ -28,29 +31,14 @@ wait_for_br0_ip:
    - timeout: 95
    - onchanges:
      - cmd: down_original_mgmt_interface
-
+    - onchanges_in:
-{% if grains.role == 'so-hypervisor' %}
+      - file: salt_minion_service_unit_file
-
+      - file: mine_functions
 update_mine_functions:
  file.managed:
    - name: /etc/salt/minion.d/mine_functions.conf
    - contents: |
        mine_interval: 25
        mine_functions:
          network.ip_addrs:
            - interface: br0
        {%- if role in ['so-eval','so-import','so-manager','so-managerhype','so-managersearch','so-standalone'] %}
          x509.get_pem_entries:
            - glob_path: '/etc/pki/ca.crt'
        {% endif %}
    - onchanges:
      - cmd: wait_for_br0_ip
 restart_salt_minion_service:
  service.running:
    - name: salt-minion
    - enable: True
    - listen:
-      - file: update_mine_functions
+      - file: salt_minion_service_unit_file
-
+      - file: mine_functions
 {% endif %}
--- a/salt/logstash/tools/sbin/so-logstash-flow-stats
+++ b/salt/logstash/tools/sbin/so-logstash-flow-stats
@@ -0,0 +1,3 @@
 #!/bin/bash
 curl -s -L http://localhost:9600/_node/stats/flow | jq
--- a/salt/logstash/tools/sbin/so-logstash-health
+++ b/salt/logstash/tools/sbin/so-logstash-health
@@ -0,0 +1,3 @@
 #!/bin/bash
 curl -s -L http://localhost:9600/_health_report | jq
--- a/salt/logstash/tools/sbin/so-logstash-jvm-stats
+++ b/salt/logstash/tools/sbin/so-logstash-jvm-stats
@@ -0,0 +1,3 @@
 #!/bin/bash
 curl -s -L http://localhost:9600/_node/stats/jvm | jq
--- a/salt/manager/tools/sbin/so-saltstack-update
+++ b/salt/manager/tools/sbin/so-saltstack-update
@@ -5,10 +5,12 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 default_salt_dir=/opt/so/saltstack/default
-clone_to_tmp() {
+VERBOSE=0
 VERY_VERBOSE=0
 TEST_MODE=0
 clone_to_tmp() {
  # TODO Need to add a air gap option
  # Make a temp location for the files
  mkdir /tmp/sogh
@@ -16,19 +18,110 @@ clone_to_tmp() {
  #git clone -b dev https://github.com/Security-Onion-Solutions/securityonion.git
  git clone https://github.com/Security-Onion-Solutions/securityonion.git
  cd /tmp
 }
 show_file_changes() {
  local source_dir="$1"
  local dest_dir="$2"
  local dir_type="$3"  # "salt" or "pillar"
  if [ $VERBOSE -eq 0 ]; then
    return
  fi
  echo "=== Changes for $dir_type directory ==="
  # Find all files in source directory
  if [ -d "$source_dir" ]; then
    find "$source_dir" -type f | while read -r source_file; do
      # Get relative path
      rel_path="${source_file#$source_dir/}"
      dest_file="$dest_dir/$rel_path"
      if [ ! -f "$dest_file" ]; then
        echo "ADDED: $dest_file"
        if [ $VERY_VERBOSE -eq 1 ]; then
          echo "  (New file - showing first 20 lines)"
          head -n 20 "$source_file" | sed 's/^/  + /'
          echo ""
        fi
      elif ! cmp -s "$source_file" "$dest_file"; then
        echo "MODIFIED: $dest_file"
        if [ $VERY_VERBOSE -eq 1 ]; then
          echo "  (Changes:)"
          diff -u "$dest_file" "$source_file" | sed 's/^/  /'
          echo ""
        fi
      fi
    done
  fi
  # Find deleted files (exist in dest but not in source)
  if [ -d "$dest_dir" ]; then
    find "$dest_dir" -type f | while read -r dest_file; do
      # Get relative path
      rel_path="${dest_file#$dest_dir/}"
      source_file="$source_dir/$rel_path"
      if [ ! -f "$source_file" ]; then
        echo "DELETED: $dest_file"
        if [ $VERY_VERBOSE -eq 1 ]; then
          echo "  (File was deleted)"
          echo ""
        fi
      fi
    done
  fi
  echo ""
 }
 copy_new_files() {
  # Copy new files over to the salt dir
  cd /tmp/sogh/securityonion
  git checkout $BRANCH
  VERSION=$(cat VERSION)
  if [ $TEST_MODE -eq 1 ]; then
    echo "=== TEST MODE: Showing what would change without making changes ==="
    echo "Branch: $BRANCH"
    echo "Version: $VERSION"
    echo ""
  fi
  # Show changes before copying if verbose mode is enabled OR if in test mode
  if [ $VERBOSE -eq 1 ] || [ $TEST_MODE -eq 1 ]; then
    if [ $TEST_MODE -eq 1 ]; then
      # In test mode, force at least basic verbose output
      local old_verbose=$VERBOSE
      if [ $VERBOSE -eq 0 ]; then
        VERBOSE=1
      fi
    fi
    echo "Analyzing file changes..."
    show_file_changes "$(pwd)/salt" "$default_salt_dir/salt" "salt"
    show_file_changes "$(pwd)/pillar" "$default_salt_dir/pillar" "pillar"
    if [ $TEST_MODE -eq 1 ] && [ $old_verbose -eq 0 ]; then
      # Restore original verbose setting
      VERBOSE=$old_verbose
    fi
  fi
  # If in test mode, don't copy files
  if [ $TEST_MODE -eq 1 ]; then
    echo "=== TEST MODE: No files were modified ==="
    echo "To apply these changes, run without --test option"
    rm -rf /tmp/sogh
    return
  fi
  # We need to overwrite if there is a repo file
  if [ -d /opt/so/repo ]; then
    tar -czf /opt/so/repo/"$VERSION".tar.gz -C "$(pwd)/.." .
  fi
  rsync -a salt $default_salt_dir/
  rsync -a pillar $default_salt_dir/
  chown -R socore:socore $default_salt_dir/salt
@@ -45,11 +138,64 @@ got_root(){
    fi
 }
-got_root
+show_usage() {
-if [ $# -ne 1 ] ; then
+    echo "Usage: $0 [-v] [-vv] [--test] [branch]"
    echo "  -v       Show verbose output (files changed/added/deleted)"
    echo "  -vv      Show very verbose output (includes file diffs)"
    echo "  --test   Test mode - show what would change without making changes"
    echo "  branch   Git branch to checkout (default: 2.4/main)"
    echo ""
    echo "Examples:"
    echo "  $0                    # Normal operation"
    echo "  $0 -v                 # Show which files change"
    echo "  $0 -vv                # Show files and their diffs"
    echo "  $0 --test             # See what would change (dry run)"
    echo "  $0 --test -vv         # Test mode with detailed diffs"
    echo "  $0 -v dev-branch      # Use specific branch with verbose output"
    exit 1
 }
 # Parse command line arguments
 while [[ $# -gt 0 ]]; do
  case $1 in
    -v)
      VERBOSE=1
      shift
      ;;
    -vv)
      VERBOSE=1
      VERY_VERBOSE=1
      shift
      ;;
    --test)
      TEST_MODE=1
      shift
      ;;
    -h|--help)
      show_usage
      ;;
    -*)
      echo "Unknown option $1"
      show_usage
      ;;
    *)
      # This should be the branch name
      if [ -z "$BRANCH" ]; then
        BRANCH="$1"
      else
        echo "Too many arguments"
        show_usage
      fi
      shift
      ;;
  esac
 done
 # Set default branch if not provided
 if [ -z "$BRANCH" ]; then
  BRANCH=2.4/main
 else
  BRANCH=$1
 fi
 got_root
 clone_to_tmp
 copy_new_files
--- a/salt/manager/tools/sbin/so-user
+++ b/salt/manager/tools/sbin/so-user
@@ -387,7 +387,7 @@ function syncElastic() {
    if [[ -z "$SKIP_STATE_APPLY" ]]; then
      echo "Elastic state will be re-applied to affected minions. This will run in the background and may take several minutes to complete."
      echo "Applying elastic state to elastic minions at $(date)" >> /opt/so/log/soc/sync.log 2>&1
-      salt --async -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-searchnode or G@role:so-heavynode' state.apply elasticsearch queue=True >> /opt/so/log/soc/sync.log 2>&1
+      salt --async -C 'I@elasticsearch:enabled:true' state.apply elasticsearch queue=True >> /opt/so/log/soc/sync.log 2>&1
    fi
  else
    echo "Newly generated users/roles files are incomplete; aborting."
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -169,6 +169,8 @@ airgap_update_dockers() {
      tar xf "$AGDOCKER/registry.tar" -C /nsm/docker-registry/docker
      echo "Add Registry back"
      docker load -i "$AGDOCKER/registry_image.tar"
      echo "Restart registry container"
      salt-call state.apply registry queue=True
    fi
  fi
 }
@@ -420,6 +422,7 @@ preupgrade_changes() {
    [[ "$INSTALLEDVERSION" == 2.4.150 ]] && up_to_2.4.160
    [[ "$INSTALLEDVERSION" == 2.4.160 ]] && up_to_2.4.170
    [[ "$INSTALLEDVERSION" == 2.4.170 ]] && up_to_2.4.180
    [[ "$INSTALLEDVERSION" == 2.4.180 ]] && up_to_2.4.190
    true
 }
@@ -615,6 +618,18 @@ post_to_2.4.190() {
        update_import_fleet_output
    fi
    # Check if expected default policy is logstash (global.pipeline is REDIS or "")
    pipeline=$(lookup_pillar "pipeline" "global")
    if [[ -z "$pipeline" ]] || [[ "$pipeline" == "REDIS" ]]; then
        # Check if this grid is currently affected by corrupt fleet output policy
        if elastic-agent status | grep "config: key file not configured" > /dev/null 2>&1; then
            echo "Elastic Agent shows an ssl error connecting to logstash output. Updating output policy..."
            update_default_logstash_output
        fi
    fi
    # Apply new elasticsearch.server index template
    rollover_index "logs-elasticsearch.server-default"
  POSTVERSION=2.4.190
 }
@@ -1171,6 +1186,31 @@ update_import_fleet_output() {
    fi
 }
 update_default_logstash_output() {
    echo "Updating fleet logstash output policy grid-logstash"
    if logstash_policy=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "http://localhost:5601/api/fleet/outputs/so-manager_logstash" --retry 3 --retry-delay 10 --fail 2>/dev/null); then
        # Keep already configured hosts for this update, subsequent host updates come from so-elastic-fleet-outputs-update
        HOSTS=$(echo "$logstash_policy" | jq -r '.item.hosts')
        DEFAULT_ENABLED=$(echo "$logstash_policy" | jq -r '.item.is_default')
        DEFAULT_MONITORING_ENABLED=$(echo "$logstash_policy" | jq -r '.item.is_default_monitoring')
        LOGSTASHKEY=$(openssl rsa -in  /etc/pki/elasticfleet-logstash.key)
        LOGSTASHCRT=$(openssl x509 -in /etc/pki/elasticfleet-logstash.crt)
        LOGSTASHCA=$(openssl x509 -in  /etc/pki/tls/certs/intca.crt)
        JSON_STRING=$(jq -n \
            --argjson HOSTS "$HOSTS" \
            --arg DEFAULT_ENABLED "$DEFAULT_ENABLED" \
            --arg DEFAULT_MONITORING_ENABLED "$DEFAULT_MONITORING_ENABLED" \
            --arg LOGSTASHKEY "$LOGSTASHKEY" \
            --arg LOGSTASHCRT "$LOGSTASHCRT" \
            --arg LOGSTASHCA "$LOGSTASHCA" \
            '{"name":"grid-logstash","type":"logstash","hosts": $HOSTS,"is_default": $DEFAULT_ENABLED,"is_default_monitoring": $DEFAULT_MONITORING_ENABLED,"config_yaml":"","ssl":{"certificate": $LOGSTASHCRT,"certificate_authorities":[ $LOGSTASHCA ]},"secrets":{"ssl":{"key": $LOGSTASHKEY }}}')
    fi
    if curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/outputs/so-manager_logstash" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" --retry 3 --retry-delay 10 --fail; then
        echo "Successfully updated grid-logstash fleet output policy"
    fi
 }
 update_salt_mine() {
    echo "Populating the mine with mine_functions for each host."
    set +e
--- a/salt/manager/tools/sbin_jinja/so-salt-cloud
+++ b/salt/manager/tools/sbin_jinja/so-salt-cloud
@@ -211,7 +211,7 @@ Exit Codes:
 Logging:
- Logs are written to /opt/so/log/salt/so-salt-cloud.log.
+- Logs are written to /opt/so/log/salt/so-salt-cloud.
 - Both file and console logging are enabled for real-time monitoring.
 """
@@ -233,7 +233,7 @@ local = salt.client.LocalClient()
 logger = logging.getLogger(__name__)
 logger.setLevel(logging.INFO)
-file_handler = logging.FileHandler('/opt/so/log/salt/so-salt-cloud.log')
+file_handler = logging.FileHandler('/opt/so/log/salt/so-salt-cloud')
 console_handler = logging.StreamHandler()
 formatter = logging.Formatter('%(asctime)s %(message)s')
@@ -516,23 +516,85 @@ def run_qcow2_modify_hardware_config(profile, vm_name, cpu=None, memory=None, pc
    target = hv_name + "_*"
    try:
-        args_list = [
+        args_list = ['vm_name=' + vm_name]
-            'vm_name=' + vm_name,
+        
-            'cpu=' + str(cpu) if cpu else '',
+        # Only add parameters that are actually specified
-            'memory=' + str(memory) if memory else '',
+        if cpu is not None:
-            'start=' + str(start)
+            args_list.append('cpu=' + str(cpu))
-        ]
+        if memory is not None:
            args_list.append('memory=' + str(memory))
        # Add PCI devices if provided
        if pci_list:
            # Pass all PCI devices as a comma-separated list
            args_list.append('pci=' + ','.join(pci_list))
        # Always add start parameter
        args_list.append('start=' + str(start))
        result = local.cmd(target, 'qcow2.modify_hardware_config', args_list)
        format_qcow2_output('Hardware configuration', result)
    except Exception as e:
        logger.error(f"An error occurred while running qcow2.modify_hardware_config: {e}")
 def run_qcow2_create_volume_config(profile, vm_name, size_gb, cpu=None, memory=None, start=False):
    """Create a volume for the VM and optionally configure CPU/memory.
    Args:
        profile (str): The cloud profile name
        vm_name (str): The name of the VM
        size_gb (int): Size of the volume in GB
        cpu (int, optional): Number of CPUs to assign
        memory (int, optional): Amount of memory in MiB
        start (bool): Whether to start the VM after configuration
    """
    hv_name = profile.split('_')[1]
    target = hv_name + "_*"
    try:
        # Step 1: Create the volume
        logger.info(f"Creating {size_gb}GB volume for VM {vm_name}")
        volume_result = local.cmd(
            target,
            'qcow2.create_volume_config',
            kwarg={
                'vm_name': vm_name,
                'size_gb': size_gb,
                'start': False  # Don't start yet if we need to configure CPU/memory
            }
        )
        format_qcow2_output('Volume creation', volume_result)
        # Step 2: Configure CPU and memory if specified
        if cpu or memory:
            logger.info(f"Configuring hardware for VM {vm_name}: CPU={cpu}, Memory={memory}MiB")
            hw_result = local.cmd(
                target,
                'qcow2.modify_hardware_config',
                kwarg={
                    'vm_name': vm_name,
                    'cpu': cpu,
                    'memory': memory,
                    'start': start
                }
            )
            format_qcow2_output('Hardware configuration', hw_result)
        elif start:
            # If no CPU/memory config needed but we need to start the VM
            logger.info(f"Starting VM {vm_name}")
            start_result = local.cmd(
                target,
                'qcow2.modify_hardware_config',
                kwarg={
                    'vm_name': vm_name,
                    'start': True
                }
            )
            format_qcow2_output('VM startup', start_result)
    except Exception as e:
        logger.error(f"An error occurred while creating volume and configuring hardware: {e}")
 def run_qcow2_modify_network_config(profile, vm_name, mode, ip=None, gateway=None, dns=None, search_domain=None):
    hv_name = profile.split('_')[1]
    target = hv_name + "_*"
@@ -586,6 +648,7 @@ def parse_arguments():
    network_group.add_argument('-c', '--cpu', type=int, help='Number of virtual CPUs to assign.')
    network_group.add_argument('-m', '--memory', type=int, help='Amount of memory to assign in MiB.')
    network_group.add_argument('-P', '--pci', action='append', help='PCI hardware ID(s) to passthrough to the VM (e.g., 0000:c7:00.0). Can be specified multiple times.')
    network_group.add_argument('--nsm-size', type=int, help='Size in GB for NSM volume creation. Can be used with copper/sfp NICs (--pci). Only disk passthrough (without --nsm-size) prevents volume creation.')
    args = parser.parse_args()
@@ -621,6 +684,8 @@ def main():
                hw_config.append(f"{args.memory}MB RAM")
            if args.pci:
                hw_config.append(f"PCI devices: {', '.join(args.pci)}")
            if args.nsm_size:
                hw_config.append(f"NSM volume: {args.nsm_size}GB")
            hw_string = f" and hardware config: {', '.join(hw_config)}" if hw_config else ""
            logger.info(f"Received request to create VM '{args.vm_name}' using profile '{args.profile}' {network_config}{hw_string}")
@@ -643,8 +708,58 @@ def main():
            # Step 2: Provision the VM (without starting it)
            call_salt_cloud(args.profile, args.vm_name)
-            # Step 3: Modify hardware configuration
+            # Step 3: Determine storage configuration approach
-            run_qcow2_modify_hardware_config(args.profile, args.vm_name, cpu=args.cpu, memory=args.memory, pci_list=args.pci, start=True)
+            # Priority: disk passthrough > volume creation (but volume can coexist with copper/sfp NICs)
            # Note: virtual_node_manager.py already filters out --nsm-size when disk is present,
            # so if both --pci and --nsm-size are present here, the PCI devices are copper/sfp NICs
            use_passthrough = False
            use_volume_creation = False
            has_nic_passthrough = False
            if args.nsm_size:
                # Validate nsm_size
                if args.nsm_size <= 0:
                    logger.error(f"Invalid nsm_size value: {args.nsm_size}. Must be a positive integer.")
                    sys.exit(1)
                use_volume_creation = True
                logger.info(f"Using volume creation with size {args.nsm_size}GB (--nsm-size parameter specified)")
                if args.pci:
                    # If both nsm_size and PCI are present, PCI devices are copper/sfp NICs
                    # (virtual_node_manager.py filters out nsm_size when disk is present)
                    has_nic_passthrough = True
                    logger.info(f"PCI devices (copper/sfp NICs) will be passed through along with volume: {', '.join(args.pci)}")
            elif args.pci:
                # Only PCI devices, no nsm_size - could be disk or NICs
                # this script is called by virtual_node_manager and that strips any possibility that nsm_size and the disk pci slot is sent to this script
                # we might have not specified a disk passthrough or nsm_size, but pass another pci slot and we end up here
                use_passthrough = True
                logger.info(f"Configuring PCI device passthrough.(--pci parameter specified without --nsm-size)")
            # Step 4: Configure hardware based on storage approach
            if use_volume_creation:
                # Create volume first
                run_qcow2_create_volume_config(args.profile, args.vm_name, size_gb=args.nsm_size, cpu=args.cpu, memory=args.memory, start=False)
                # Then configure NICs if present
                if has_nic_passthrough:
                    logger.info(f"Configuring NIC passthrough for VM {args.vm_name}")
                    run_qcow2_modify_hardware_config(args.profile, args.vm_name, cpu=None, memory=None, pci_list=args.pci, start=True)
                else:
                    # No NICs, just start the VM
                    logger.info(f"Starting VM {args.vm_name}")
                    run_qcow2_modify_hardware_config(args.profile, args.vm_name, cpu=None, memory=None, pci_list=None, start=True)
            elif use_passthrough:
                # Use existing passthrough logic via modify_hardware_config
                run_qcow2_modify_hardware_config(args.profile, args.vm_name, cpu=args.cpu, memory=args.memory, pci_list=args.pci, start=True)
            else:
                # No storage configuration, just configure CPU/memory if specified
                if args.cpu or args.memory:
                    run_qcow2_modify_hardware_config(args.profile, args.vm_name, cpu=args.cpu, memory=args.memory, pci_list=None, start=True)
                else:
                    # No hardware configuration needed, just start the VM
                    logger.info(f"No hardware configuration specified, starting VM {args.vm_name}")
                    run_qcow2_modify_hardware_config(args.profile, args.vm_name, cpu=None, memory=None, pci_list=None, start=True)
    except KeyboardInterrupt:
        logger.error("so-salt-cloud: Operation cancelled by user.")
--- a/salt/salt/engines/master/virtual_node_manager.py
+++ b/salt/salt/engines/master/virtual_node_manager.py
@@ -117,7 +117,7 @@ Exit Codes:
    4: VM provisioning failure (so-salt-cloud execution failed)
 Logging:
-    Log files are written to /opt/so/log/salt/engines/virtual_node_manager.log
+    Log files are written to /opt/so/log/salt/engines/virtual_node_manager
    Comprehensive logging includes:
    - Hardware validation details
    - PCI ID conversion process
@@ -138,29 +138,56 @@ import pwd
 import grp
 import salt.config
 import salt.runner
 import salt.client
 from typing import Dict, List, Optional, Tuple, Any
 from datetime import datetime, timedelta
 from threading import Lock
-# Get socore uid/gid
+# Initialize Salt runner and local client once
 SOCORE_UID = pwd.getpwnam('socore').pw_uid
 SOCORE_GID = grp.getgrnam('socore').gr_gid
 # Initialize Salt runner once
 opts = salt.config.master_config('/etc/salt/master')
 opts['output'] = 'json'
 runner = salt.runner.RunnerClient(opts)
 local = salt.client.LocalClient()
 # Get socore uid/gid for file ownership
 SOCORE_UID = pwd.getpwnam('socore').pw_uid
 SOCORE_GID = grp.getgrnam('socore').gr_gid
 # Configure logging
 log = logging.getLogger(__name__)
 log.setLevel(logging.DEBUG)
 # Prevent propagation to parent loggers to avoid duplicate log entries
 log.propagate = False
 # Add file handler for dedicated log file
 log_dir = '/opt/so/log/salt'
 log_file = os.path.join(log_dir, 'virtual_node_manager')
 # Create log directory if it doesn't exist
 os.makedirs(log_dir, exist_ok=True)
 # Create file handler
 file_handler = logging.FileHandler(log_file)
 file_handler.setLevel(logging.DEBUG)
 # Create formatter
 formatter = logging.Formatter(
    '%(asctime)s [%(name)s:%(lineno)d][%(levelname)-8s][%(process)d] %(message)s',
    datefmt='%Y-%m-%d %H:%M:%S'
 )
 file_handler.setFormatter(formatter)
 # Add handler to logger
 log.addHandler(file_handler)
 # Constants
 DEFAULT_INTERVAL = 30
 DEFAULT_BASE_PATH = '/opt/so/saltstack/local/salt/hypervisor/hosts'
 VALID_ROLES = ['sensor', 'searchnode', 'idh', 'receiver', 'heavynode', 'fleet']
 LICENSE_PATH = '/opt/so/saltstack/local/pillar/soc/license.sls'
 DEFAULTS_PATH = '/opt/so/saltstack/default/salt/hypervisor/defaults.yaml'
 HYPERVISOR_PILLAR_PATH = '/opt/so/saltstack/local/pillar/hypervisor/soc_hypervisor.sls'
 # Define the retention period for destroyed VMs (in hours)
 DESTROYED_VM_RETENTION_HOURS = 48
@@ -202,6 +229,39 @@ def write_json_file(file_path: str, data: Any) -> None:
    except Exception as e:
        log.error("Failed to write JSON file %s: %s", file_path, str(e))
        raise
 def remove_vm_from_vms_file(vms_file_path: str, vm_hostname: str, vm_role: str) -> bool:
    """
    Remove a VM entry from the hypervisorVMs file.
    Args:
        vms_file_path: Path to the hypervisorVMs file
        vm_hostname: Hostname of the VM to remove (without role suffix)
        vm_role: Role of the VM
    Returns:
        bool: True if VM was removed, False otherwise
    """
    try:
        # Read current VMs
        vms = read_json_file(vms_file_path)
        # Find and remove the VM entry
        original_count = len(vms)
        vms = [vm for vm in vms if not (vm.get('hostname') == vm_hostname and vm.get('role') == vm_role)]
        if len(vms) < original_count:
            # VM was found and removed, write back to file
            write_json_file(vms_file_path, vms)
            log.info("Removed VM %s_%s from %s", vm_hostname, vm_role, vms_file_path)
            return True
        else:
            log.warning("VM %s_%s not found in %s", vm_hostname, vm_role, vms_file_path)
            return False
    except Exception as e:
        log.error("Failed to remove VM %s_%s from %s: %s", vm_hostname, vm_role, vms_file_path, str(e))
        return False
 def read_yaml_file(file_path: str) -> dict:
    """Read and parse a YAML file."""
@@ -271,7 +331,7 @@ def parse_hardware_indices(hw_value: Any) -> List[int]:
    return indices
 def get_hypervisor_model(hypervisor: str) -> str:
-    """Get sosmodel from hypervisor grains."""
+    """Get sosmodel or byodmodel from hypervisor grains."""
    try:
        # Get cached grains using Salt runner
        grains = runner.cmd(
@@ -283,9 +343,9 @@ def get_hypervisor_model(hypervisor: str) -> str:
        # Get the first minion ID that matches our hypervisor
        minion_id = next(iter(grains.keys()))
-        model = grains[minion_id].get('sosmodel')
+        model = grains[minion_id].get('sosmodel', grains[minion_id].get('byodmodel', ''))
        if not model:
-            raise ValueError(f"No sosmodel grain found for hypervisor {hypervisor}")
+            raise ValueError(f"No sosmodel or byodmodel grain found for hypervisor {hypervisor}")
        log.debug("Found model %s for hypervisor %s", model, hypervisor)
        return model
@@ -295,16 +355,48 @@ def get_hypervisor_model(hypervisor: str) -> str:
        raise
 def load_hardware_defaults(model: str) -> dict:
-    """Load hardware configuration from defaults.yaml."""
+    """Load hardware configuration from defaults.yaml and optionally override with pillar configuration."""
    config = None
    config_source = None
    try:
        # First, try to load from defaults.yaml
        log.debug("Checking for model %s in %s", model, DEFAULTS_PATH)
        defaults = read_yaml_file(DEFAULTS_PATH)
        if not defaults or 'hypervisor' not in defaults:
            raise ValueError("Invalid defaults.yaml structure")
        if 'model' not in defaults['hypervisor']:
            raise ValueError("No model configurations found in defaults.yaml")
-        if model not in defaults['hypervisor']['model']:
+        
-            raise ValueError(f"Model {model} not found in defaults.yaml")
+        # Check if model exists in defaults
-        return defaults['hypervisor']['model'][model]
+        if model in defaults['hypervisor']['model']:
            config = defaults['hypervisor']['model'][model]
            config_source = DEFAULTS_PATH
            log.debug("Found model %s in %s", model, DEFAULTS_PATH)
        # Then, try to load from pillar file (if it exists)
        try:
            log.debug("Checking for model %s in %s", model, HYPERVISOR_PILLAR_PATH)
            pillar_config = read_yaml_file(HYPERVISOR_PILLAR_PATH)
            if pillar_config and 'hypervisor' in pillar_config:
                if 'model' in pillar_config['hypervisor']:
                    if model in pillar_config['hypervisor']['model']:
                        # Override with pillar configuration
                        config = pillar_config['hypervisor']['model'][model]
                        config_source = HYPERVISOR_PILLAR_PATH
                        log.debug("Found model %s in %s (overriding defaults)", model, HYPERVISOR_PILLAR_PATH)
        except FileNotFoundError:
            log.debug("Pillar file %s not found, using defaults only", HYPERVISOR_PILLAR_PATH)
        except Exception as e:
            log.warning("Failed to read pillar file %s: %s (using defaults)", HYPERVISOR_PILLAR_PATH, str(e))
        # If model was not found in either file, raise an error
        if config is None:
            raise ValueError(f"Model {model} not found in {DEFAULTS_PATH} or {HYPERVISOR_PILLAR_PATH}")
        log.debug("Using hardware configuration for model %s from %s", model, config_source)
        return config
    except Exception as e:
        log.error("Failed to load hardware defaults: %s", str(e))
        raise
@@ -525,6 +617,13 @@ def mark_vm_failed(vm_file: str, error_code: int, message: str) -> None:
            # Remove the original file since we'll create an error file
            os.remove(vm_file)
        # Clear hardware resource claims so failed VMs don't consume resources
        # Keep nsm_size for reference but clear cpu, memory, sfp, copper
        config.pop('cpu', None)
        config.pop('memory', None)
        config.pop('sfp', None)
        config.pop('copper', None)
        # Create error file
        error_file = f"{vm_file}.error"
        data = {
@@ -553,8 +652,16 @@ def mark_invalid_hardware(hypervisor_path: str, vm_name: str, config: dict, erro
        # Join all messages with proper sentence structure
        full_message = "Hardware validation failure: " + " ".join(error_messages)
        # Clear hardware resource claims so failed VMs don't consume resources
        # Keep nsm_size for reference but clear cpu, memory, sfp, copper
        config_copy = config.copy()
        config_copy.pop('cpu', None)
        config_copy.pop('memory', None)
        config_copy.pop('sfp', None)
        config_copy.pop('copper', None)
        data = {
-            'config': config,
+            'config': config_copy,
            'status': 'error',
            'timestamp': datetime.now().isoformat(),
            'error_details': {
@@ -601,6 +708,61 @@ def validate_vrt_license() -> bool:
        log.error("Error reading license file: %s", str(e))
        return False
 def check_hypervisor_disk_space(hypervisor: str, size_gb: int) -> Tuple[bool, Optional[str]]:
    """
    Check if hypervisor has sufficient disk space for volume creation.
    Args:
        hypervisor: Hypervisor hostname
        size_gb: Required size in GB
    Returns:
        Tuple of (has_space, error_message)
    """
    try:
        # Get hypervisor minion ID
        hypervisor_minion = f"{hypervisor}_hypervisor"
        # Check disk space on /nsm/libvirt/volumes using LocalClient
        result = local.cmd(
            hypervisor_minion,
            'cmd.run',
            ["df -BG /nsm/libvirt/volumes | tail -1 | awk '{print $4}' | sed 's/G//'"]
        )
        if not result or hypervisor_minion not in result:
            log.error("Failed to check disk space on hypervisor %s", hypervisor)
            return False, "Failed to check disk space on hypervisor"
        available_gb_str = result[hypervisor_minion].strip()
        if not available_gb_str:
            log.error("Empty disk space response from hypervisor %s", hypervisor)
            return False, "Failed to get disk space information"
        try:
            available_gb = float(available_gb_str)
        except ValueError:
            log.error("Invalid disk space value from hypervisor %s: %s", hypervisor, available_gb_str)
            return False, f"Invalid disk space value: {available_gb_str}"
        # Add 10% buffer for filesystem overhead
        required_gb = size_gb * 1.1
        log.debug("Hypervisor %s disk space check: Available=%.2fGB, Required=%.2fGB",
                 hypervisor, available_gb, required_gb)
        if available_gb < required_gb:
            error_msg = f"Insufficient disk space on hypervisor {hypervisor}. Available: {available_gb:.2f}GB, Required: {required_gb:.2f}GB (including 10% overhead)"
            log.error(error_msg)
            return False, error_msg
        log.info("Hypervisor %s has sufficient disk space for %dGB volume", hypervisor, size_gb)
        return True, None
    except Exception as e:
        log.error("Error checking disk space on hypervisor %s: %s", hypervisor, str(e))
        return False, f"Error checking disk space: {str(e)}"
 def process_vm_creation(hypervisor_path: str, vm_config: dict) -> None:
    """
    Process a single VM creation request.
@@ -633,6 +795,62 @@ def process_vm_creation(hypervisor_path: str, vm_config: dict) -> None:
        except subprocess.CalledProcessError as e:
            logger.error(f"Failed to emit success status event: {e}")
        # Validate nsm_size if present
        if 'nsm_size' in vm_config:
            try:
                size = int(vm_config['nsm_size'])
                if size <= 0:
                    log.error("VM: %s - nsm_size must be a positive integer, got: %d", vm_name, size)
                    mark_invalid_hardware(hypervisor_path, vm_name, vm_config,
                                        {'nsm_size': 'Invalid nsm_size: must be positive integer'})
                    return
                if size > 10000:  # 10TB reasonable maximum
                    log.error("VM: %s - nsm_size %dGB exceeds reasonable maximum (10000GB)", vm_name, size)
                    mark_invalid_hardware(hypervisor_path, vm_name, vm_config,
                                        {'nsm_size': f'Invalid nsm_size: {size}GB exceeds maximum (10000GB)'})
                    return
                log.debug("VM: %s - nsm_size validated: %dGB", vm_name, size)
            except (ValueError, TypeError) as e:
                log.error("VM: %s - nsm_size must be a valid integer, got: %s", vm_name, vm_config.get('nsm_size'))
                mark_invalid_hardware(hypervisor_path, vm_name, vm_config,
                                    {'nsm_size': 'Invalid nsm_size: must be valid integer'})
                return
        # Check for conflicting storage configurations
        has_disk = 'disk' in vm_config and vm_config['disk']
        has_nsm_size = 'nsm_size' in vm_config and vm_config['nsm_size']
        if has_disk and has_nsm_size:
            log.warning("VM: %s - Both disk and nsm_size specified. disk takes precedence, nsm_size will be ignored.",
                       vm_name)
        # Check disk space BEFORE creating VM if nsm_size is specified
        if has_nsm_size and not has_disk:
            size_gb = int(vm_config['nsm_size'])
            has_space, space_error = check_hypervisor_disk_space(hypervisor, size_gb)
            if not has_space:
                log.error("VM: %s - %s", vm_name, space_error)
                # Send Hypervisor NSM Disk Full status event
                try:
                    subprocess.run([
                        'so-salt-emit-vm-deployment-status-event',
                        '-v', vm_name,
                        '-H', hypervisor,
                        '-s', 'Hypervisor NSM Disk Full'
                    ], check=True)
                except subprocess.CalledProcessError as e:
                    log.error("Failed to emit volume create failed event for %s: %s", vm_name, str(e))
                mark_invalid_hardware(
                    hypervisor_path,
                    vm_name,
                    vm_config,
                    {'disk_space': f"Insufficient disk space for {size_gb}GB volume: {space_error}"}
                )
                return
            log.debug("VM: %s - Hypervisor has sufficient space for %dGB volume", vm_name, size_gb)
        # Initial hardware validation against model
        is_valid, errors = validate_hardware_request(model_config, vm_config)
        if not is_valid:
@@ -669,6 +887,11 @@ def process_vm_creation(hypervisor_path: str, vm_config: dict) -> None:
            memory_mib = int(vm_config['memory']) * 1024
            cmd.extend(['-m', str(memory_mib)])
        # Add nsm_size if specified and disk is not specified
        if 'nsm_size' in vm_config and vm_config['nsm_size'] and not ('disk' in vm_config and vm_config['disk']):
            cmd.extend(['--nsm-size', str(vm_config['nsm_size'])])
            log.debug("VM: %s - Adding nsm_size parameter: %s", vm_name, vm_config['nsm_size'])
        # Add PCI devices
        for hw_type in ['disk', 'copper', 'sfp']:
            if hw_type in vm_config and vm_config[hw_type]:
@@ -900,12 +1123,21 @@ def process_hypervisor(hypervisor_path: str) -> None:
        if not nodes_config:
            log.debug("Empty VMs configuration in %s", vms_file)
-        # Get existing VMs
+        # Get existing VMs and track failed VMs separately
        existing_vms = set()
        failed_vms = set()  # VMs with .error files
        for file_path in glob.glob(os.path.join(hypervisor_path, '*_*')):
            basename = os.path.basename(file_path)
-            # Skip error and status files
+            # Skip status files
-            if not basename.endswith('.error') and not basename.endswith('.status'):
+            if basename.endswith('.status'):
                continue
            # Track VMs with .error files separately
            if basename.endswith('.error'):
                vm_name = basename[:-6]  # Remove '.error' suffix
                failed_vms.add(vm_name)
                existing_vms.add(vm_name)  # Also add to existing to prevent recreation
                log.debug(f"Found failed VM with .error file: {vm_name}")
            else:
                existing_vms.add(basename)
        # Process new VMs
@@ -922,12 +1154,37 @@ def process_hypervisor(hypervisor_path: str) -> None:
                # process_vm_creation handles its own locking
                process_vm_creation(hypervisor_path, vm_config)
-        # Process VM deletions
+        # Process VM deletions (but skip failed VMs that only have .error files)
        vms_to_delete = existing_vms - configured_vms
        log.debug(f"Existing VMs: {existing_vms}")
        log.debug(f"Configured VMs: {configured_vms}")
        log.debug(f"Failed VMs: {failed_vms}")
        log.debug(f"VMs to delete: {vms_to_delete}")
        for vm_name in vms_to_delete:
            # Skip deletion if VM only has .error file (no actual VM to delete)
            if vm_name in failed_vms:
                error_file = os.path.join(hypervisor_path, f"{vm_name}.error")
                base_file = os.path.join(hypervisor_path, vm_name)
                # Only skip if there's no base file (VM never successfully created)
                if not os.path.exists(base_file):
                    log.info(f"Skipping deletion of failed VM {vm_name} (VM never successfully created)")
                    # Clean up the .error and .status files since VM is no longer configured
                    if os.path.exists(error_file):
                        os.remove(error_file)
                        log.info(f"Removed .error file for unconfigured VM: {vm_name}")
                    status_file = os.path.join(hypervisor_path, f"{vm_name}.status")
                    if os.path.exists(status_file):
                        os.remove(status_file)
                        log.info(f"Removed .status file for unconfigured VM: {vm_name}")
                    # Trigger hypervisor annotation update to reflect the removal
                    try:
                        log.info(f"Triggering hypervisor annotation update after removing failed VM: {vm_name}")
                        runner.cmd('state.orch', ['orch.dyanno_hypervisor'])
                    except Exception as e:
                        log.error(f"Failed to trigger hypervisor annotation update for {vm_name}: {str(e)}")
                    continue
            log.info(f"Initiating deletion process for VM: {vm_name}")
            process_vm_deletion(hypervisor_path, vm_name)
--- a/salt/salt/map.jinja
+++ b/salt/salt/map.jinja
@@ -4,7 +4,10 @@
   Elastic License 2.0. #}
 {% set role = salt['grains.get']('role', '') %}
-{% if role in ['so-hypervisor','so-managerhype'] and salt['network.ip_addrs']('br0')|length > 0 %}
+{# We are using usebr0 mostly for setup of the so-managerhype node and controlling when we use br0 vs the physical interface #}
 {% set usebr0 = salt['pillar.get']('usebr0', True) %}
 {% if role in ['so-hypervisor','so-managerhype'] and usebr0 %}
 {%   set interface = 'br0' %}
 {% else %}
 {%   set interface = pillar.host.mainint %}
--- a/salt/salt/mine_functions.sls
+++ b/salt/salt/mine_functions.sls
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-# this state was seperated from salt.minion state since it is called during setup
+# this state was separated from salt.minion state since it is called during setup
 # GLOBALS are imported in the salt.minion state and that is not available at that point in setup
 # this state is included in the salt.minion state
--- a/salt/salt/minion/init.sls
+++ b/salt/salt/minion/init.sls
@@ -1,18 +1,22 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from 'salt/map.jinja' import UPGRADECOMMAND with context %}
 {% from 'salt/map.jinja' import SALTVERSION %}
 {% from 'salt/map.jinja' import INSTALLEDSALTVERSION %}
 {% from 'salt/map.jinja' import SALTPACKAGES %}
 {% from 'salt/map.jinja' import SYSTEMD_UNIT_FILE %}
 {% import_yaml 'salt/minion.defaults.yaml' as SALTMINION %}
 include:
  - salt.python_modules
  - salt.patch.x509_v2
  - salt
  - systemd.reload
  - repo.client
  - salt.mine_functions
  - salt.minion.service_file
 {% if GLOBALS.role in GLOBALS.manager_roles %}
  - ca
 {% endif %}
@@ -94,17 +98,6 @@ enable_startup_states:
    - regex: '^startup_states: highstate$'
    - unless: pgrep so-setup
 # prior to 2.4.30 this managed file would restart the salt-minion service when updated
 # since this file is currently only adding a delay service start
 # it is not required to restart the service
 salt_minion_service_unit_file:
  file.managed:
    - name: {{ SYSTEMD_UNIT_FILE }}
    - source: salt://salt/service/salt-minion.service.jinja
    - template: jinja
    - onchanges_in:
      - module: systemd_reload
 {% endif %}
 # this has to be outside the if statement above since there are <requisite>_in calls to this state
--- a/salt/salt/minion/service_file.sls
+++ b/salt/salt/minion/service_file.sls
@@ -0,0 +1,26 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'salt/map.jinja' import SALTVERSION %}
 {% from 'salt/map.jinja' import INSTALLEDSALTVERSION %}
 {% from 'salt/map.jinja' import SYSTEMD_UNIT_FILE %}
 include:
  - systemd.reload
 {% if INSTALLEDSALTVERSION|string == SALTVERSION|string %}
 # prior to 2.4.30 this managed file would restart the salt-minion service when updated
 # since this file is currently only adding a delay service start
 # it is not required to restart the service
 salt_minion_service_unit_file:
  file.managed:
    - name: {{ SYSTEMD_UNIT_FILE }}
    - source: salt://salt/service/salt-minion.service.jinja
    - template: jinja
    - onchanges_in:
      - module: systemd_reload
 {% endif %}
--- a/salt/sensoroni/defaults.yaml
+++ b/salt/sensoroni/defaults.yaml
@@ -5,6 +5,12 @@ sensoroni:
      enabled: False
      timeout_ms: 900000
      parallel_limit: 5
    export:
      timeout_ms: 1200000
      cache_refresh_interval_ms: 10000
      export_metric_limit: 10000
      export_event_limit: 10000
      csv_separator: ','
    node_checkin_interval_ms: 10000
    sensoronikey:
    soc_host:
--- a/salt/sensoroni/files/sensoroni.json
+++ b/salt/sensoroni/files/sensoroni.json
@@ -21,7 +21,13 @@
      },
 {%- endif %}
      "importer": {},
-      "export": {},
+      "export": {
        "timeoutMs": {{ SENSORONIMERGED.config.export.timeout_ms }},
        "cacheRefreshIntervalMs": {{ SENSORONIMERGED.config.export.cache_refresh_interval_ms }},
        "exportMetricLimit": {{ SENSORONIMERGED.config.export.export_metric_limit }},
        "exportEventLimit": {{ SENSORONIMERGED.config.export.export_event_limit }},
        "csvSeparator": "{{ SENSORONIMERGED.config.export.csv_separator }}"
      },
      "statickeyauth": {
        "apiKey": "{{ GLOBALS.sensoroni_key }}"
 {%  if GLOBALS.is_sensor %}
--- a/salt/sensoroni/soc_sensoroni.yaml
+++ b/salt/sensoroni/soc_sensoroni.yaml
@@ -17,6 +17,27 @@ sensoroni:
        description: Parallel limit for the analyzer.
        advanced: True
        helpLink: cases.html
    export:
      timeout_ms:
        description: Timeout period for the exporter to finish export-related tasks.
        advanced: True
        helpLink: reports.html
      cache_refresh_interval_ms:
        description: Refresh interval for cache updates. Longer intervals result in less compute usage but risks stale data included in reports.
        advanced: True
        helpLink: reports.html
      export_metric_limit:
        description: Maximum number of metric values to include in each metric aggregation group.
        advanced: True
        helpLink: reports.html
      export_event_limit:
        description: Maximum number of events to include per event list.
        advanced: True
        helpLink: reports.html
      csv_separator:
        description: Separator character to use for CSV exports.
        advanced: False
        helpLink: reports.html
    node_checkin_interval_ms:
      description: Interval in ms to checkin to the soc_host.
      advanced: True
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1493,6 +1493,9 @@ soc:
                folder: securityonion-normalized
        assistant:
          apiUrl: https://onionai.securityonion.net
          healthTimeoutSeconds: 3
          systemPromptAddendum: ""
          systemPromptAddendumMaxLength: 50000
        salt:
          queueDir: /opt/sensoroni/queue
          timeoutMs: 45000
@@ -1635,6 +1638,9 @@ soc:
            - name: socExcludeToggle
              filter: 'NOT event.module:"soc"'
              enabled: true
            - name: onionaiExcludeToggle
              filter: 'NOT _index:"*:so-assistant-*"'
              enabled: true
          queries:
            - name: Default Query
              description: Show all events grouped by the observer host
@@ -2545,7 +2551,7 @@ soc:
              level: 'high'  # info | low | medium | high | critical
        assistant:
          enabled: false
-          investigationPrompt: Investigate Alert ID {socid}
+          investigationPrompt: Investigate Alert ID {socId}
          contextLimitSmall: 200000
          contextLimitLarge: 1000000
          thresholdColorRatioLow: 0.5
--- a/salt/soc/dyanno/hypervisor/hypervisor.yaml
+++ b/salt/soc/dyanno/hypervisor/hypervisor.yaml
@@ -63,18 +63,22 @@ hypervisor:
        required: true
        readonly: true
        forcedType: int
      - field: nsm_size
        label: "Size of virtual disk to create and use for /nsm, in GB. Only applicable if no pass-through disk."
        forcedType: int
        readonly: true
      - field: disk
-        label: "Disk(s) for passthrough. Free: FREE | Total: TOTAL"
+        label: "Disk(s) to pass through for /nsm. Free: FREE | Total: TOTAL"
        readonly: true
        options: []
        forcedType: '[]int'
      - field: copper
-        label: "Copper port(s) for passthrough. Free: FREE | Total: TOTAL"
+        label: "Copper port(s) to pass through. Free: FREE | Total: TOTAL"
        readonly: true
        options: []
        forcedType: '[]int'
      - field: sfp
-        label: "SFP port(s) for passthrough. Free: FREE | Total: TOTAL"
+        label: "SFP port(s) to pass through. Free: FREE | Total: TOTAL"
        readonly: true
        options: []
        forcedType: '[]int'
--- a/salt/soc/dyanno/hypervisor/map.jinja
+++ b/salt/soc/dyanno/hypervisor/map.jinja
@@ -3,11 +3,14 @@
 {# Define the list of process steps in order (case-sensitive) #}
 {% set PROCESS_STEPS = [
    'Processing',
    'Hypervisor NSM Disk Full',
    'IP Configuration',
    'Starting Create',
    'Executing Deploy Script',
    'Initialize Minion Pillars',
    'Created Instance',
    'Volume Creation',
    'Volume Configuration',
    'Hardware Configuration',
    'Highstate Initiated',
    'Destroyed Instance'
--- a/salt/soc/dyanno/hypervisor/remove_failed_vm.sls
+++ b/salt/soc/dyanno/hypervisor/remove_failed_vm.sls
@@ -0,0 +1,51 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 #
 # Note: Per the Elastic License 2.0, the second limitation states:
 #
 #   "You may not move, change, disable, or circumvent the license key functionality
 #    in the software, and you may not remove or obscure any functionality in the
 #    software that is protected by the license key."
 {% if 'vrt' in salt['pillar.get']('features', []) %}
 {% do salt.log.info('soc/dyanno/hypervisor/remove_failed_vm: Running') %}
 {% set vm_name = pillar.get('vm_name') %}
 {% set hypervisor = pillar.get('hypervisor') %}
 {% if vm_name and hypervisor %}
 {%   set vm_parts = vm_name.split('_') %}
 {%   if vm_parts | length >= 2 %}
 {%     set vm_role = vm_parts[-1] %}
 {%     set vm_hostname = '_'.join(vm_parts[:-1]) %}
 {%     set vms_file = '/opt/so/saltstack/local/salt/hypervisor/hosts/' ~ hypervisor ~ 'VMs' %}
 {%     do salt.log.info('soc/dyanno/hypervisor/remove_failed_vm: Removing VM ' ~ vm_name ~ ' from ' ~ vms_file) %}
 remove_vm_{{ vm_name }}_from_vms_file:
  module.run:
    - name: hypervisor.remove_vm_from_vms_file
    - vms_file_path: {{ vms_file }}
    - vm_hostname: {{ vm_hostname }}
    - vm_role: {{ vm_role }}
 {%   else %}
 {%     do salt.log.error('soc/dyanno/hypervisor/remove_failed_vm: Invalid vm_name format: ' ~ vm_name) %}
 {%   endif %}
 {% else %}
 {%   do salt.log.error('soc/dyanno/hypervisor/remove_failed_vm: Missing required pillar data (vm_name or hypervisor)') %}
 {% endif %}
 {% do salt.log.info('soc/dyanno/hypervisor/remove_failed_vm: Completed') %}
 {% else %}
 {% do salt.log.error(
  'Hypervisor nodes are a feature supported only for customers with a valid license. '
  'Contact Security Onion Solutions, LLC via our website at https://securityonionsolutions.com '
  'for more information about purchasing a license to enable this feature.'
 ) %}
 {% endif %}
--- a/salt/soc/dyanno/hypervisor/soc_hypervisor.yaml.jinja
+++ b/salt/soc/dyanno/hypervisor/soc_hypervisor.yaml.jinja
@@ -13,7 +13,6 @@
 {%- import_yaml 'soc/dyanno/hypervisor/hypervisor.yaml' as ANNOTATION -%}
 {%- from 'hypervisor/map.jinja' import HYPERVISORS -%}
 {%- from 'soc/dyanno/hypervisor/map.jinja' import PROCESS_STEPS -%}
 {%- set TEMPLATE = ANNOTATION.hypervisor.hosts.pop('defaultHost') -%}
@@ -27,7 +26,6 @@
 {%- if baseDomainStatus == 'Initialized' %}
 {%-   if vm_list %}
 #### Virtual Machines
 Status values: {% for step in PROCESS_STEPS %}{{ step }}{% if not loop.last %}, {% endif %}{% endfor %}. "Last Updated" shows when status changed. After "Highstate Initiated", only "Destroyed Instance" updates the timestamp.
 | Name               | Status             | CPU Cores | Memory (GB)| Disk | Copper | SFP  | Last Updated        |
 |--------------------|--------------------|-----------|------------|------|--------|------|---------------------|
@@ -42,7 +40,6 @@ Status values: {% for step in PROCESS_STEPS %}{{ step }}{% if not loop.last %},
 {%-     endfor %}
 {%-   else %}
 #### Virtual Machines
 Status values: {% for step in PROCESS_STEPS %}{{ step }}{% if not loop.last %}, {% endif %}{% endfor %}. "Last Updated" shows when status changed. After "Highstate Initiated", only "Destroyed Instance" updates the timestamp.
 No Virtual Machines Found
 {%-   endif %}
@@ -96,9 +93,21 @@ Base domain has not been initialized.
 {%-       endif -%}
 {%-     endfor -%}
-{# Calculate available resources #}
+{# Determine host OS overhead based on role #}
-{%-     set cpu_free = hw_config.cpu - ns.used_cpu -%}
+{%-     if role == 'hypervisor' -%}
-{%-     set mem_free = hw_config.memory - ns.used_memory -%}
+{%-       set host_os_cpu = 8 -%}
 {%-       set host_os_memory = 16 -%}
 {%-     elif role == 'managerhype' -%}
 {%-       set host_os_cpu = 16 -%}
 {%-       set host_os_memory = 32 -%}
 {%-     else -%}
 {%-       set host_os_cpu = 0 -%}
 {%-       set host_os_memory = 0 -%}
 {%-     endif -%}
 {# Calculate available resources (subtract both VM usage and host OS overhead) #}
 {%-     set cpu_free = hw_config.cpu - ns.used_cpu - host_os_cpu -%}
 {%-     set mem_free = hw_config.memory - ns.used_memory - host_os_memory -%}
 {# Get used PCI indices #}
 {%-     set used_disk = [] -%}
--- a/salt/soc/files/bin/salt-relay.sh
+++ b/salt/soc/files/bin/salt-relay.sh
@@ -237,10 +237,22 @@ function manage_salt() {
  case "$op" in
    state)
      log "Performing '$op' for '$state' on minion '$minion'"
      state=$(echo "$request" | jq -r .state)
-      response=$(salt --async "$minion" state.apply "$state" queue=2)
+      async=$(echo "$request" | jq -r .async)
      if [[ $async == "true" ]]; then
        log "Performing async '$op' on minion $minion with state '$state'"
        response=$(salt --async "$minion" state.apply "$state" queue=2)
      else
        log "Performing '$op' on minion $minion with state '$state'"
        response=$(salt "$minion" state.apply "$state")
      fi
      exit_code=$?
      if [[ $exit_code -ne 0 && "$response" =~ "is running as PID" ]]; then
        log "Salt already running: $response ($exit_code)"
        respond "$id" "ERROR_SALT_ALREADY_RUNNING"
        return
      fi
      ;;
    highstate)
      log "Performing '$op' on minion $minion"
@@ -259,7 +271,7 @@ function manage_salt() {
      ;;
  esac
-  if [[ exit_code -eq 0 ]]; then
+  if [[ $exit_code -eq 0 ]]; then
    log "Successful command execution: $response"
    respond "$id" "true"
  else
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -585,6 +585,19 @@ soc:
            description: The URL of the AI gateway.
            advanced: True
            global: True
          healthTimeoutSeconds:
            description: Timeout in seconds for the Onion AI health check.
            global: True
            advanced: True
          systemPromptAddendum:
            description: Additional context to provide to the AI assistant about this SOC deployment. This can include information about your environment, policies, or any other relevant details that can help the AI provide more accurate and tailored assistance. Long prompts may be shortened.
            global: True
            advanced: False
            multiline: True
          systemPromptAddendumMaxLength:
            description: Maximum length of the system prompt addendum. Longer prompts will be truncated.
            global: True
            advanced: True
      client:
        assistant:
          enabled:
@@ -615,6 +628,7 @@ soc:
            advanced: True 
          lowBalanceColorAlert:
            description: Onion AI credit amount at which balance turns red.
            global: True
            advanced: True
        apiTimeoutMs:
          description: Duration (in milliseconds) to wait for a response from the SOC server API before giving up and showing an error on the SOC UI.
--- a/salt/storage/init.sls
+++ b/salt/storage/init.sls
@@ -4,10 +4,17 @@
 # Elastic License 2.0.
-{% set nvme_devices = salt['cmd.shell']("find /dev -name 'nvme*n1' 2>/dev/null") %}
+{% set nvme_devices = salt['cmd.shell']("ls /dev/nvme*n1 2>/dev/null || echo ''") %}
 {% set virtio_devices = salt['cmd.shell']("test -b /dev/vdb && echo '/dev/vdb' || echo ''") %}
 {% if nvme_devices %}
 include:
-  - storage.nsm_mount
+  - storage.nsm_mount_nvme
 {% elif virtio_devices %}
 include:
  - storage.nsm_mount_virtio
 {% endif %}
--- a/salt/storage/nsm_mount_nvme.sls
+++ b/salt/storage/nsm_mount_nvme.sls
@@ -22,8 +22,8 @@ storage_nsm_mount_logdir:
 # Install the NSM mount script
 storage_nsm_mount_script:
  file.managed:
-    - name: /usr/sbin/so-nsm-mount
+    - name: /usr/sbin/so-nsm-mount-nvme
-    - source: salt://storage/tools/sbin/so-nsm-mount
+    - source: salt://storage/tools/sbin/so-nsm-mount-nvme
    - mode: 755
    - user: root
    - group: root
@@ -34,7 +34,7 @@ storage_nsm_mount_script:
 # Execute the mount script if not already mounted
 storage_nsm_mount_execute:
  cmd.run:
-    - name: /usr/sbin/so-nsm-mount
+    - name: /usr/sbin/so-nsm-mount-nvme
    - unless: mountpoint -q /nsm
    - require:
      - file: storage_nsm_mount_script
--- a/salt/storage/nsm_mount_virtio.sls
+++ b/salt/storage/nsm_mount_virtio.sls
@@ -0,0 +1,39 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 # Install required packages
 storage_nsm_mount_virtio_packages:
  pkg.installed:
    - pkgs:
      - xfsprogs
 # Ensure log directory exists
 storage_nsm_mount_virtio_logdir:
  file.directory:
    - name: /opt/so/log
    - makedirs: True
    - user: root
    - group: root
    - mode: 755
 # Install the NSM mount script
 storage_nsm_mount_virtio_script:
  file.managed:
    - name: /usr/sbin/so-nsm-mount-virtio
    - source: salt://storage/tools/sbin/so-nsm-mount-virtio
    - mode: 755
    - user: root
    - group: root
    - require:
      - pkg: storage_nsm_mount_virtio_packages
      - file: storage_nsm_mount_virtio_logdir
 # Execute the mount script if not already mounted
 storage_nsm_mount_virtio_execute:
  cmd.run:
    - name: /usr/sbin/so-nsm-mount-virtio
    - unless: mountpoint -q /nsm
    - require:
      - file: storage_nsm_mount_virtio_script
--- a/salt/storage/tools/sbin/so-nsm-mount-nvme
+++ b/salt/storage/tools/sbin/so-nsm-mount-nvme
@@ -81,7 +81,7 @@
 set -e
-LOG_FILE="/opt/so/log/so-nsm-mount.log"
+LOG_FILE="/opt/so/log/so-nsm-mount-nvme"
 VG_NAME=""
 LV_NAME="nsm"
 MOUNT_POINT="/nsm"
--- a/salt/storage/tools/sbin/so-nsm-mount-virtio
+++ b/salt/storage/tools/sbin/so-nsm-mount-virtio
@@ -0,0 +1,171 @@
 #!/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 # Usage:
 #     so-nsm-mount-virtio
 #
 # Options:
 #     None - script automatically configures /dev/vdb
 #
 # Examples:
 #     1. Configure and mount virtio-blk device:
 #         ```bash
 #         sudo so-nsm-mount-virtio
 #         ```
 #
 # Notes:
 #     - Requires root privileges
 #     - Mounts /dev/vdb as /nsm
 #     - Creates XFS filesystem if needed
 #     - Configures persistent mount via /etc/fstab
 #     - Safe to run multiple times
 #
 # Description:
 #     This script automates the configuration and mounting of virtio-blk devices
 #     as /nsm in Security Onion virtual machines. It performs these steps:
 #
 # Dependencies:
 #     - xfsprogs: Required for XFS filesystem operations
 #
 #     1. Safety Checks:
 #        - Verifies root privileges
 #        - Checks if /nsm is already mounted
 #        - Verifies /dev/vdb exists
 #
 #     2. Filesystem Creation:
 #        - Creates XFS filesystem on /dev/vdb if not already formatted
 #
 #     3. Mount Configuration:
 #        - Creates /nsm directory if needed
 #        - Adds entry to /etc/fstab for persistence
 #        - Mounts the filesystem as /nsm
 #
 # Exit Codes:
 #     0: Success conditions:
 #        - Device configured and mounted
 #        - Already properly mounted
 #     1: Error conditions:
 #        - Must be run as root
 #        - Device /dev/vdb not found
 #        - Filesystem creation failed
 #        - Mount operation failed
 #
 # Logging:
 #     - All operations logged to /opt/so/log/so-nsm-mount-virtio
 set -e
 LOG_FILE="/opt/so/log/so-nsm-mount-virtio"
 DEVICE="/dev/vdb"
 MOUNT_POINT="/nsm"
 # Function to log messages
 log() {
    echo "$(date '+%Y-%m-%d %H:%M:%S') $1" | tee -a "$LOG_FILE"
 }
 # Function to log errors
 log_error() {
    echo "$(date '+%Y-%m-%d %H:%M:%S') ERROR: $1" | tee -a "$LOG_FILE" >&2
 }
 # Function to check if running as root
 check_root() {
    if [ "$EUID" -ne 0 ]; then
        log_error "Must be run as root"
        exit 1
    fi
 }
 # Main execution
 main() {
    log "=========================================="
    log "Starting virtio-blk NSM mount process"
    log "=========================================="
    # Check root privileges
    check_root
    # Check if already mounted
    if mountpoint -q "$MOUNT_POINT"; then
        log "$MOUNT_POINT is already mounted"
        log "=========================================="
        exit 0
    fi
    # Check if device exists
    if [ ! -b "$DEVICE" ]; then
        log_error "Device $DEVICE not found"
        log "=========================================="
        exit 1
    fi
    log "Found device: $DEVICE"
    # Get device size
    local size=$(lsblk -dbn -o SIZE "$DEVICE" 2>/dev/null | numfmt --to=iec)
    log "Device size: $size"
    # Check if device has filesystem
    if ! blkid "$DEVICE" | grep -q 'TYPE="xfs"'; then
        log "Creating XFS filesystem on $DEVICE"
        if ! mkfs.xfs -f "$DEVICE" 2>&1 | tee -a "$LOG_FILE"; then
            log_error "Failed to create filesystem"
            log "=========================================="
            exit 1
        fi
        log "Filesystem created successfully"
    else
        log "Device already has XFS filesystem"
    fi
    # Create mount point
    if [ ! -d "$MOUNT_POINT" ]; then
        log "Creating mount point $MOUNT_POINT"
        mkdir -p "$MOUNT_POINT"
    fi
    # Add to fstab if not present
    if ! grep -q "$DEVICE.*$MOUNT_POINT" /etc/fstab; then
        log "Adding entry to /etc/fstab"
        echo "$DEVICE $MOUNT_POINT xfs defaults 0 0" >> /etc/fstab
        log "Entry added to /etc/fstab"
    else
        log "Entry already exists in /etc/fstab"
    fi
    # Mount the filesystem
    log "Mounting $DEVICE to $MOUNT_POINT"
    if mount "$MOUNT_POINT" 2>&1 | tee -a "$LOG_FILE"; then
        log "Successfully mounted $DEVICE to $MOUNT_POINT"
        # Verify mount
        if mountpoint -q "$MOUNT_POINT"; then
            log "Mount verified successfully"
            # Display mount information
            log "Mount details:"
            df -h "$MOUNT_POINT" | tail -n 1 | tee -a "$LOG_FILE"
        else
            log_error "Mount verification failed"
            log "=========================================="
            exit 1
        fi
    else
        log_error "Failed to mount $DEVICE"
        log "=========================================="
        exit 1
    fi
    log "=========================================="
    log "Virtio-blk NSM mount process completed successfully"
    log "=========================================="
    exit 0
 }
 # Run main function
 main
--- a/salt/zeek/policy/custom/filters/dns
+++ b/salt/zeek/policy/custom/filters/dns
@@ -0,0 +1,30 @@
 hook DNS::log_policy(rec: DNS::Info, id: Log::ID, filter: Log::Filter)
    {
       # Only put a single name per line otherwise there will be memory issues!
       # If the query comes back blank don't log
       if (!rec?$query)
          break;
       # If the query comes back with one of these don't log
       if (rec?$query && /google.com$/ in rec$query)
           break;
       # If the query comes back with one of these don't log
       if (rec?$query && /.apple.com$/ in rec$query)
           break;
       # Don't log reverse lookups
       if (rec?$query && /.in-addr.arpa/ in to_lower(rec$query))
           break;
       # Don't log netbios lookups. This generates a cray amount of logs
       if (rec?$qtype_name && /NB/ in rec$qtype_name)
           break;
    }
 event zeek_init()
 {
    Log::remove_default_filter(DNS::LOG);
    local filter: Log::Filter = [$name="dns-filter"];
    Log::add_filter(DNS::LOG, filter);
 }
--- a/salt/zeek/policy/custom/filters/files
+++ b/salt/zeek/policy/custom/filters/files
@@ -0,0 +1,13 @@
 hook Files::log_policy(rec: Files::Info, id: Log::ID, filter: Log::Filter)
    {
       # Turn off a specific mimetype
           if (rec?$mime_type && ( /soap+xml/ | /json/ | /xml/ | /x509/ )in rec$mime_type)
               break;
    }
 event zeek_init()
 {
    Log::remove_default_filter(Files::LOG);
    local filter: Log::Filter = [$name="files-filter"];
    Log::add_filter(Files::LOG, filter);
 }
--- a/salt/zeek/policy/custom/filters/httphost
+++ b/salt/zeek/policy/custom/filters/httphost
@@ -0,0 +1,20 @@
 ### HTTP filter by host entries by string #####
 module Filterhttp;
 export {
    global remove_host_entries: set[string] = {"www.genevalab.com", "www.google.com"};
 }
 hook HTTP::log_policy(rec: HTTP::Info, id: Log::ID, filter: Log::Filter)
   {
   # Remove HTTP host entries
 if ( ! rec?$host || rec$host in remove_host_entries )
       break;
   }
 event zeek_init()
 {
   Log::remove_default_filter(HTTP::LOG);
   local filter: Log::Filter = [$name="http-filter"];
   Log::add_filter(HTTP::LOG, filter);
 }
--- a/salt/zeek/policy/custom/filters/httpuri
+++ b/salt/zeek/policy/custom/filters/httpuri
@@ -0,0 +1,14 @@
 ### HTTP filter by uri using pattern ####
 hook HTTP::log_policy(rec: HTTP::Info, id: Log::ID, filter: Log::Filter)
   {
   # Remove HTTP uri entries by regex
 if ( rec?$uri && /^\/kratos\// in rec$uri )
       break;
   }
 event zeek_init()
 {
   Log::remove_default_filter(HTTP::LOG);
   local filter: Log::Filter = [$name="http-filter"];
   Log::add_filter(HTTP::LOG, filter);
 }
--- a/salt/zeek/policy/custom/filters/ssl
+++ b/salt/zeek/policy/custom/filters/ssl
@@ -0,0 +1,29 @@
 ### Log filter by JA3S md5 hash:
 hook SSL::log_policy(rec: SSL::Info, id: Log::ID, filter: Log::Filter)
    {
       # SSL log filter Ja3s by md5           
           if (rec?c$ssl$ja3s_cipher && ( /623de93db17d313345d7ea481e7443cf/ )in rec$c$ssl$ja3s_cipher)
               break;
    }
 event zeek_init()
 {
    Log::remove_default_filter(SSL::LOG);
    local filter: Log::Filter = [$name="ssl-filter"];
    Log::add_filter(SSL::LOG, filter);
 }
 ### Log filter by server name:
 hook SSL::log_policy(rec: SSL::Info, id: Log::ID, filter: Log::Filter)
  {
    # SSL log filter by server name
    if (rec?$server_name && ( /api.github.com$/ ) in rec$server_name)
       break;
  }
 event zeek_init()
 {
   Log::remove_default_filter(SSL::LOG);
   local filter: Log::Filter = [$name="ssl-filter"];
   Log::add_filter(SSL::LOG, filter);
 }
--- a/salt/zeek/policy/custom/filters/tunnel
+++ b/salt/zeek/policy/custom/filters/tunnel
@@ -0,0 +1,17 @@
 global tunnel_subnet: set[subnet]={
 	10.19.0.0/24
 };
 hook Tunnel::log_policy(rec: Tunnel::Info, id: Log::ID, Filter: Log::Filter)
 	{
 	if (rec$id$orig_h in tunnel_subnet || rec$id$resp_h in tunnel_subnet)
 		break;
 	}
 event zeek_init()
 {
    Log::remove_default_filter(Tunnel::LOG);
    local filter: Log::Filter = [$name="tunnel-filter"];
    Log::add_filter(Tunnel::LOG, filter);
 }
--- a/salt/zeek/soc_zeek.yaml
+++ b/salt/zeek/soc_zeek.yaml
@@ -61,6 +61,48 @@ zeek:
          global: True
          advanced: True
          duplicates: True
        dns:
          description: DNS Filter for Zeek. This is an advanced setting and will take further action to enable.
          helpLink: zeek.html
          file: True
          global: True
          advanced: True
          duplicates: True
        files:
          description: Files Filter for Zeek. This is an advanced setting and will take further action to enable.
          helpLink: zeek.html
          file: True
          global: True
          advanced: True
          duplicates: True
        httphost:
          description: HTTP Hosts Filter for Zeek. This is an advanced setting and will take further action to enable.
          helpLink: zeek.html
          file: True
          global: True
          advanced: True
          duplicates: True
        httpuri:
          description: HTTP URI Filter for Zeek. This is an advanced setting and will take further action to enable.
          helpLink: zeek.html
          file: True
          global: True
          advanced: True
          duplicates: True
        ssl:
          description: SSL Filter for Zeek. This is an advanced setting and will take further action to enable.
          helpLink: zeek.html
          file: True
          global: True
          advanced: True
          duplicates: True
        tunnel:
          description: Tunnel Filter for Zeek. This is an advanced setting and will take further action to enable.
          helpLink: zeek.html
          file: True
          global: True
          advanced: True
          duplicates: True
  file_extraction:
    description: Contains a list of file or MIME types Zeek will extract from the network streams. Values must adhere to the following format - {"MIME_TYPE":"FILE_EXTENSION"}
    forcedType: "[]{}"
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -541,8 +541,15 @@ configure_minion() {
 		"log_file: /opt/so/log/salt/minion"\
 		"#startup_states: highstate" >> "$minion_config"
-	info "Running: salt-call state.apply salt.mine_functions --local --file-root=../salt/ -l info pillar='{"host": {"mainint": "$MNIC"}}'"
+	# At the time the so-managerhype node does not yet have the bridge configured.
-	salt-call state.apply salt.mine_functions --local --file-root=../salt/ -l info pillar="{'host': {'mainint': $MNIC}}"
+	# The so-hypervisor node doesn't either, but it doesn't cause issues here.
 	local usebr0=false
 	if [ "$minion_type" == 'hypervisor' ]; then
    	usebr0=true
 	fi
 	local pillar_json="{\"host\": {\"mainint\": \"$MNIC\"}, \"usebr0\": $usebr0}"
 	info "Running: salt-call state.apply salt.mine_functions --local --file-root=../salt/ -l info pillar='$pillar_json'"
 	salt-call state.apply salt.mine_functions --local --file-root=../salt/ -l info pillar="$pillar_json"
 	{
 		logCmd "systemctl enable salt-minion";
@@ -1194,10 +1201,7 @@ hypervisor_local_states() {
        info "Running libvirt states for hypervisor"
        logCmd "salt-call state.apply libvirt.64962 --local --file-root=../salt/ -l info queue=True"
        info "Setting up bridge for $MNIC"
-		    salt-call state.apply libvirt.bridge --local --file-root=../salt/ -l info pillar='{"host": {"mainint": "'$MNIC'"}}' queue=True
+		salt-call state.apply libvirt.bridge --local --file-root=../salt/ -l info pillar='{"host": {"mainint": "'$MNIC'"}}' queue=True
 		    if [ $is_managerhype ]; then
 			    logCmd "salt-call state.apply salt.minion queue=True"
 		    fi
    fi
 }
@@ -2301,7 +2305,7 @@ set_redirect() {
 set_timezone() {
-	logCmd "timedatectl set-timezone Etc/UTC"
+	timedatectl set-timezone Etc/UTC
 }
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -762,6 +762,7 @@ if ! [[ -f $install_opt_file ]]; then
 		fi
 		logCmd "salt-call state.apply common.packages"
 		logCmd "salt-call state.apply common"
 		hypervisor_local_states
 		# this will apply the salt.minion state first since salt.master includes salt.minion
 		logCmd "salt-call state.apply salt.master"
 		# wait here until we get a response from the salt-master since it may have just restarted
@@ -826,7 +827,6 @@ if ! [[ -f $install_opt_file ]]; then
 		checkin_at_boot
 		set_initial_firewall_access
 		logCmd "salt-call schedule.enable -linfo --local"
 		hypervisor_local_states
 		verify_setup
 	else
 		touch /root/accept_changes
--- a/setup/so-verify
+++ b/setup/so-verify
@@ -68,6 +68,7 @@ log_has_errors() {
        grep -vE "Command failed with exit code" | \
        grep -vE "Running scope as unit" | \
        grep -vE "securityonion-resources/sigma/stable" | \
        grep -vE "remove_failed_vm.sls" | \
        grep -vE "log-.*-pipeline_failed_attempts" &> "$error_log"
    if [[ $? -eq 0 ]]; then
--- a/sigs/securityonion-2.4.190-20251024.iso.sig
+++ b/sigs/securityonion-2.4.190-20251024.iso.sig
Author	SHA1	Message	Date
Jason Ertel	33ada95bbc	Merge pull request #15167 from Security-Onion-Solutions/2.4/dev 2.4.190	2025-10-24 16:01:05 -04:00
Mike Reeves	de9d3c9726	Merge pull request #15166 from Security-Onion-Solutions/2.4.190 2.4.190	2025-10-23 14:09:13 -04:00
Mike Reeves	39572f36f4	2.4.190	2025-10-23 14:07:05 -04:00
Jason Ertel	0994cd515a	Merge pull request #15161 from Security-Onion-Solutions/jertel/wip add exclusion toggle	2025-10-21 09:36:45 -04:00
Jason Ertel	bdcd1e099d	add exclusion toggle	2025-10-21 09:33:41 -04:00
Jorge Reyes	c64760b5f4	Merge pull request #15153 from Security-Onion-Solutions/reyesj2-patch-1	2025-10-17 07:50:36 -05:00
Jorge Reyes	d2aa60b961	log4j2 settings	2025-10-17 07:40:44 -05:00
Jorge Reyes	83d615d236	Merge pull request #15151 from Security-Onion-Solutions/reyesj2-patch-9 update log4j2 policy for ES json output	2025-10-16 16:25:47 -05:00
reyesj2	e910de0a06	update log4j2 policy for ES json output Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>	2025-10-16 16:19:55 -05:00
Josh Patterson	26b80aba38	Merge pull request #15148 from Security-Onion-Solutions/m0duspwnens-patch-1 do not log set_timezone in setup	2025-10-15 16:58:34 -04:00
Josh Patterson	ee617eeff4	do not log set_timezone in setup creates additional sosetup.log file	2025-10-15 16:44:24 -04:00
Josh Patterson	463766782c	Merge pull request #15147 from Security-Onion-Solutions/amv omit new hypervisor state name fp	2025-10-15 15:03:31 -04:00
Josh Patterson	d9f70898dd	omit new hypervisor state name fp	2025-10-15 14:59:37 -04:00
Mike Reeves	7e15c89510	Merge pull request #15145 from Security-Onion-Solutions/cogburn/add-multiline Should be multiline	2025-10-15 13:20:26 -04:00
Corey Ogburn	ed5bd19f0e	Should be multiline	2025-10-15 09:00:27 -06:00
Josh Patterson	feba97738f	Merge pull request #15144 from Security-Onion-Solutions/amv implement host os overhead based on role	2025-10-15 10:36:24 -04:00
Josh Patterson	348809bdbb	implement host os overhead based on role	2025-10-15 10:30:14 -04:00
Jorge Reyes	ca0edb1cab	Merge pull request #15141 from Security-Onion-Solutions/reyesj2-logstash	2025-10-14 16:01:01 -05:00
reyesj2	0172f64f15	Merge branch '2.4/dev' of github.com:Security-Onion-Solutions/securityonion into reyesj2-logstash	2025-10-14 15:58:38 -05:00
Jorge Reyes	48f8944e3b	Merge pull request #15139 from Security-Onion-Solutions/reyesj2-patch-4 event.module elasticsearch	2025-10-14 15:58:00 -05:00
reyesj2	3e22043ea6	es logging retention	2025-10-14 15:08:51 -05:00
coreyogburn	e572b854b9	Merge pull request #15142 from Security-Onion-Solutions/cogburn/append-prompt New Config Entries	2025-10-14 13:46:15 -06:00
Corey Ogburn	c8aad2b03b	New Config Entries	2025-10-14 13:24:43 -06:00
reyesj2	8773ebc3dc	logstash wrappers for troubleshooting	2025-10-14 13:34:33 -05:00
reyesj2	2baf2478da	add additional elasticsearch log output in json format for elasticsearch log integration to parse	2025-10-14 12:47:03 -05:00
reyesj2	378d37d74e	add event.module to elasticsearch server logs	2025-10-14 12:44:51 -05:00
Josh Patterson	f8c8e5d8e5	Merge pull request #15063 from Security-Onion-Solutions/impssu Update so-saltstack-update	2025-10-14 11:27:29 -04:00
Josh Patterson	dca38c286a	Merge pull request #15137 from Security-Onion-Solutions/amv allow user to create VMs that mount virtual disk for /nsm. new nsm_total grain	2025-10-14 11:25:57 -04:00
Josh Patterson	860710f5f9	remove .log extension	2025-10-14 11:03:00 -04:00
Josh Patterson	d56af4acab	remove .log extension	2025-10-14 10:58:57 -04:00
Josh Patterson	793e98f75c	update annotation after failed vm removal from VMs file	2025-10-14 10:37:16 -04:00
Josh Patterson	f9c5aa3fef	remove PROCESS_STEPS from hypervisor annotation	2025-10-14 09:36:05 -04:00
Josh Patterson	254e782da6	add volume creation and configuration process steps	2025-10-10 22:15:20 -04:00
Josh Patterson	fe3caf66a1	update failure description	2025-10-10 17:21:09 -04:00
Josh Patterson	09d699432a	ui notification of nsm volume creation failure and cleanup of vm inventory in soc grid config for hypervisor	2025-10-10 17:07:02 -04:00
Jason Ertel	79b44586ce	Merge pull request #15130 from Security-Onion-Solutions/jertel/wip missed commit	2025-10-09 20:55:20 -04:00
Jason Ertel	feddd90e41	missed commit	2025-10-09 20:50:09 -04:00
Jason Ertel	ca935e4272	Merge pull request #15127 from Security-Onion-Solutions/jertel/wip csv delimiter and query name	2025-10-09 15:48:37 -04:00
Jason Ertel	8f75bfb0a4	csv delimiter	2025-10-09 13:02:02 -04:00
Josh Patterson	e551c6e037	owner and perms of volumes	2025-10-09 10:19:25 -04:00
Jorge Reyes	1c5a72ee85	Merge pull request #15124 from Security-Onion-Solutions/reyesj2/es-8188 ignore error for elastic-fleet agent	2025-10-08 14:13:46 -05:00
reyesj2	8a8ea04088	ignore error for elastic-fleet agent	2025-10-08 14:01:18 -05:00
Josh Patterson	f730e23e30	Merge remote-tracking branch 'origin/2.4/dev' into amv	2025-10-08 14:06:48 -04:00
Josh Patterson	a3e7649a3c	minor hypervisor annotation	2025-10-08 13:52:34 -04:00
Josh Patterson	af42c31740	update yaml for annotation	2025-10-08 13:24:54 -04:00
Jason Ertel	a22c9f6bcf	Merge pull request #15118 from Security-Onion-Solutions/jertel/wip support non-async state apply	2025-10-08 13:15:05 -04:00
Jason Ertel	bad9a16ebb	support non-async state apply	2025-10-08 13:02:44 -04:00
Josh Patterson	7827e05c24	handle mounting vdb as nsm when nsm set in soc grid config	2025-10-08 12:18:34 -04:00
Josh Patterson	e45b0bf871	var and comment update	2025-10-08 11:51:35 -04:00
Josh Patterson	659c039ba8	handle nsm volume size and non disk passthrough	2025-10-08 10:51:04 -04:00
Josh Patterson	c7edaac42a	nsm volume as vdb, os vda by ordering pci slots	2025-10-07 17:20:11 -04:00
Josh Patterson	a1a8f75409	create and mount volume. being mounted as vda	2025-10-07 16:36:23 -04:00
Jorge Reyes	23e25fa2d7	Merge pull request #15111 from Security-Onion-Solutions/reyesj2/es-8188 UPGRADE: ES 8.18.8	2025-10-07 14:03:45 -05:00
Mike Reeves	f077484121	Merge pull request #15114 from Security-Onion-Solutions/filters Filters	2025-10-07 14:35:00 -04:00
Mike Reeves	c16bf50493	Update files	2025-10-07 14:20:25 -04:00
Josh Patterson	4ab4264f77	merge	2025-10-07 12:26:58 -04:00
Josh Patterson	60cccb21b4	create volume	2025-10-07 12:20:42 -04:00
Josh Patterson	ac0d6c57e1	create common.grains state and nsm_total grain	2025-10-06 11:52:35 -04:00
Jorge Reyes	3db6542398	Merge pull request #15105 from Security-Onion-Solutions/reyesj2/logstashout update logstash fleet output policy	2025-10-03 12:07:36 -05:00
reyesj2	9fd1b9aec1	make sure to pass in variables to json_string..	2025-10-02 16:38:47 -05:00
reyesj2	e5563eb9b8	send full new ssl config	2025-10-02 15:29:55 -05:00
Josh Patterson	e8de9e3c26	Merge pull request #15103 from Security-Onion-Solutions/byoh byoh	2025-10-02 15:50:34 -04:00
reyesj2	c8a3603577	update logstash fleet output policy	2025-10-02 14:47:38 -05:00
Josh Patterson	05321cf1ed	add --force-cleanup to nvme raid script	2025-10-02 15:03:11 -04:00
Josh Patterson	7deef44ff6	check defaults or pillar file	2025-10-02 11:55:50 -04:00
Mike Reeves	9752d61699	Add Filters	2025-10-01 19:59:28 -04:00
Mike Reeves	6b8e2e2643	Add Filters	2025-10-01 19:58:07 -04:00
Josh Patterson	e3ac1dd1b4	Merge remote-tracking branch 'origin/2.4/dev' into byoh	2025-10-01 14:57:51 -04:00
Josh Patterson	86eca53d4b	support for byodmodel	2025-10-01 14:57:25 -04:00
Jason Ertel	bfd3d822b1	Merge pull request #15092 from Security-Onion-Solutions/jertel/wip updates for wiretap lib	2025-10-01 12:20:06 -04:00
Jason Ertel	030e4961d7	updates for wiretap lib	2025-10-01 12:13:56 -04:00
Matthew Wright	14bd92067b	Merge pull request #15091 from Security-Onion-Solutions/mwright/soc_soc-fix Made lowBalanceColorAlert global	2025-10-01 11:03:50 -04:00
Matthew Wright	066e227325	made lowBalanceColorAlert global	2025-10-01 11:01:10 -04:00
coreyogburn	f1cfb9cd91	Merge pull request #15087 from Security-Onion-Solutions/cogburn/health-timeout New field for assistant health check	2025-09-30 15:49:52 -06:00
Corey Ogburn	5a2e704909	New field for assistant health check The health check has a smaller, configurable timeout.	2025-09-30 15:33:20 -06:00
Jorge Reyes	f04e54d1d5	Merge pull request #15086 from Security-Onion-Solutions/reyesj2/fltpatch less strict exits for fleet configuration	2025-09-30 15:26:50 -05:00
reyesj2	e9af46a8cb	less strict exits for fleet configuration	2025-09-30 14:28:42 -05:00
Josh Patterson	b4b051908b	Merge pull request #15082 from Security-Onion-Solutions/vlb2 fix hypervisor bridge setup	2025-09-29 17:19:22 -04:00
Jason Ertel	0148e5638c	Merge pull request #15080 from Security-Onion-Solutions/jertel/wip restart registry after upgrading images (in airgap mode)	2025-09-29 17:02:47 -04:00
Josh Patterson	c8814d0632	removed commented code	2025-09-29 16:58:45 -04:00
Jason Ertel	6c892fed78	restart registry after upgrading images (in airgap mode)	2025-09-29 16:47:05 -04:00
Josh Patterson	e775299480	so-user target minions with pillar elasticsearch:enabled:true	2025-09-26 15:43:49 -04:00
Josh Patterson	c4ca9c62aa	Merge remote-tracking branch 'origin/2.4/dev' into vlb2	2025-09-26 12:52:37 -04:00
Jorge Reyes	c37aeff364	Merge pull request #15075 from Security-Onion-Solutions/reyesj2/esfleetpatch update so-elastic-fleet-setup	2025-09-26 11:36:35 -05:00
reyesj2	cdac49052f	Merge branch '2.4/dev' of github.com:Security-Onion-Solutions/securityonion into reyesj2/esfleetpatch	2025-09-26 11:32:44 -05:00
reyesj2	8e5fa9576c	create disabled so-manager_elasticsearch output policy first, update it then verify it is the only active output	2025-09-26 11:32:25 -05:00
Josh Patterson	cd04d1e5a7	Merge remote-tracking branch 'origin/2.4/dev' into vlb2	2025-09-25 16:06:36 -04:00
Josh Patterson	1fb558cc77	managerhype br0 setup	2025-09-25 16:06:25 -04:00
Jason Ertel	7f1b76912c	Merge pull request #15072 from Security-Onion-Solutions/jertel/wip retry kratos pulls since this is the first image to install during setup	2025-09-25 15:45:02 -04:00
Jason Ertel	3a2ceb0b6f	retry kratos pulls since this is the first image to install during setup	2025-09-25 15:40:00 -04:00
Matthew Wright	1345756fce	Merge pull request #15071 from Security-Onion-Solutions/mwright/temp Updated default investigation prompt	2025-09-25 15:18:20 -04:00
Matthew Wright	d81d9a0722	small tweak to investigation prompt	2025-09-25 14:45:06 -04:00
Josh Patterson	5d1edf6d86	Merge remote-tracking branch 'origin/2.4/dev' into vlb2	2025-09-24 17:32:08 -04:00
Josh Patterson	c836dd2acd	set interface for network.ip_addrs for hypervisors	2025-09-24 16:50:29 -04:00
Josh Patterson	3a87af805f	update service file, use salt.minion state to update mine_functions	2025-09-24 15:19:46 -04:00
Josh Patterson	5a67b89a80	Update so-saltstack-update add -v -vv and test / dry run mode	2025-09-24 09:49:02 -04:00
Josh Patterson	4587301cca	only update mine for managerhype during setup	2025-09-23 15:56:00 -04:00
Josh Patterson	14ddbd32ad	salt-minion service file changes for hypervisor and managerhype	2025-09-22 16:38:40 -04:00
Josh Patterson	4599b95ae7	separate salt-minion service file	2025-09-22 16:37:16 -04:00
Josh Patterson	58ffe576d7	add pci mappings for sos hw	2025-07-16 12:09:39 -04:00
Josh Patterson	b0a515f2c3	update base cloud image location	2025-07-16 12:09:01 -04:00
		`@@ -0,0 +1,3 @@`
							`#!/bin/bash`

							`curl -s -L http://localhost:9600/_node/stats/flow \| jq`
		`@@ -0,0 +1,3 @@`
							`#!/bin/bash`

							`curl -s -L http://localhost:9600/_health_report \| jq`