update index template priorities + explicity add datastream config options

rollover datastreams to get latest index templates + remove existing ilm policies from so-case / so-detection indices
remove unused close/delete configs on datastream index templates
2026-03-23 13:05:31 +01:00 · 2026-03-17 13:50:15 -05:00 · 2026-03-17 13:49:20 -05:00 · 2026-03-16 17:26:45 -05:00 · 2026-03-16 16:53:22 -05:00 · 2026-03-16 16:52:42 -05:00
9 changed files with 100 additions and 135 deletions
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -550,6 +550,22 @@ retry() {
        return $exitcode
 }

+rollover_index() {
+  idx=$1
+  exists=$(so-elasticsearch-query $idx -o /dev/null -w "%{http_code}")
+  if [[ $exists -eq 200 ]]; then
+    rollover=$(so-elasticsearch-query $idx/_rollover -o /dev/null -w "%{http_code}" -XPOST)
+
+    if [[ $rollover -eq 200 ]]; then
+      echo "Successfully triggered rollover for $idx..."
+    else
+      echo "Could not trigger rollover for $idx..."
+    fi
+  else
+    echo "Could not find index $idx..."
+  fi
+}
+
 run_check_net_err() {
 	local cmd=$1
 	local err_msg=${2:-"Unknown error occured, please check /root/$WHATWOULDYOUSAYYAHDOHERE.log for details."} # Really need to rename that variable
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -117,7 +117,7 @@ elasticsearch:
        ignore_missing_component_templates: []
        index_patterns:
        - so-case*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -129,8 +129,6 @@ elasticsearch:
                match_mapping_type: string
          settings:
            index:
-              lifecycle:
-                name: so-case-logs
              mapping:
                total_fields:
                  limit: 1500
@@ -141,14 +139,7 @@ elasticsearch:
              sort:
                field: '@timestamp'
                order: desc
-      policy:
-        phases:
-          hot:
-            actions: {}
-            min_age: 0ms
    so-common:
-      close: 30
-      delete: 365
      index_sorting: false
      index_template:
        composed_of:
@@ -212,7 +203,9 @@ elasticsearch:
        - common-settings
        - common-dynamic-mappings
        - winlog-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
        - logs-*-so*
@@ -272,7 +265,7 @@ elasticsearch:
        ignore_missing_component_templates: []
        index_patterns:
        - so-detection*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -284,8 +277,6 @@ elasticsearch:
                match_mapping_type: string
          settings:
            index:
-              lifecycle:
-                name: so-detection-logs
              mapping:
                total_fields:
                  limit: 1500
@@ -296,11 +287,6 @@ elasticsearch:
              sort:
                field: '@timestamp'
                order: desc
-      policy:
-        phases:
-          hot:
-            actions: {}
-            min_age: 0ms
    sos-backup:
      index_sorting: false
      index_template:
@@ -460,7 +446,7 @@ elasticsearch:
        ignore_missing_component_templates: []
        index_patterns:
        - endgame*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -508,8 +494,6 @@ elasticsearch:
                priority: 50
            min_age: 30d
    so-idh:
-      close: 30
-      delete: 365
      index_sorting: false
      index_template:
        composed_of:
@@ -566,8 +550,8 @@ elasticsearch:
        - common-dynamic-mappings
        ignore_missing_component_templates: []
        index_patterns:
-        - so-idh-*
-        priority: 500
+        - logs-idh-so*
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -677,11 +661,13 @@ elasticsearch:
        - common-dynamic-mappings
        - winlog-mappings
        - hash-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
        - logs-import-so*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -736,7 +722,7 @@ elasticsearch:
        ignore_missing_component_templates: []
        index_patterns:
        - so-ip*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -751,19 +737,12 @@ elasticsearch:
              mapping:
                total_fields:
                  limit: 1500
-              lifecycle:
-                name: so-ip-mappings-logs
              number_of_replicas: 0
              number_of_shards: 1
              refresh_interval: 30s
              sort:
                field: '@timestamp'
                order: desc
-      policy:
-        phases:
-          hot:
-            actions: {}
-            min_age: 0ms
    so-items:
      index_sorting: false
      index_template:
@@ -772,7 +751,7 @@ elasticsearch:
        ignore_missing_component_templates: []
        index_patterns:
        - .items-default-**
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -851,8 +830,6 @@ elasticsearch:
                priority: 50
            min_age: 30d
    so-kratos:
-      close: 30
-      delete: 365
      index_sorting: false
      index_template:
        composed_of:
@@ -873,7 +850,7 @@ elasticsearch:
        ignore_missing_component_templates: []
        index_patterns:
        - logs-kratos-so*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -921,8 +898,6 @@ elasticsearch:
                priority: 50
            min_age: 30d
    so-hydra:
-      close: 30
-      delete: 365
      index_sorting: false
      index_template:
        composed_of:
@@ -983,7 +958,7 @@ elasticsearch:
        ignore_missing_component_templates: []
        index_patterns:
        - logs-hydra-so*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -1038,7 +1013,7 @@ elasticsearch:
        ignore_missing_component_templates: []
        index_patterns:
        - .lists-default-**
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -1524,6 +1499,9 @@ elasticsearch:
        - so-fleet_integrations.ip_mappings-1
        - so-fleet_globals-1
        - so-fleet_agent_id_verification-1
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
        ignore_missing_component_templates:
        - logs-elastic_agent.cloudbeat@custom
        index_patterns:
@@ -1759,6 +1737,9 @@ elasticsearch:
        - so-fleet_integrations.ip_mappings-1
        - so-fleet_globals-1
        - so-fleet_agent_id_verification-1
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
        ignore_missing_component_templates:
        - logs-elastic_agent.heartbeat@custom
        index_patterns:
@@ -3018,8 +2999,6 @@ elasticsearch:
                priority: 50
            min_age: 30d
    so-logs-soc:
-      close: 30
-      delete: 365
      index_sorting: false
      index_template:
        composed_of:
@@ -3074,11 +3053,13 @@ elasticsearch:
        - dtc-user_agent-mappings
        - common-settings
        - common-dynamic-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
        - logs-soc-so*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -3668,10 +3649,13 @@ elasticsearch:
        - vulnerability-mappings
        - common-settings
        - common-dynamic-mappings
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
        - logs-logstash-default*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -3971,8 +3955,8 @@ elasticsearch:
        - common-dynamic-mappings
        ignore_missing_component_templates: []
        index_patterns:
-        - logs-redis-default*
-        priority: 500
+        - logs-redis.log*
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -4083,11 +4067,13 @@ elasticsearch:
        - common-settings
        - common-dynamic-mappings
        - hash-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
        - logs-strelka-so*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -4197,11 +4183,13 @@ elasticsearch:
        - common-settings
        - common-dynamic-mappings
        - hash-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
        - logs-suricata-so*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -4311,11 +4299,13 @@ elasticsearch:
        - common-settings
        - common-dynamic-mappings
        - hash-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
        - logs-suricata.alerts-*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -4425,11 +4415,13 @@ elasticsearch:
        - vulnerability-mappings
        - common-settings
        - common-dynamic-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
        - logs-syslog-so*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -4541,11 +4533,13 @@ elasticsearch:
        - common-settings
        - common-dynamic-mappings
        - hash-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
        - logs-zeek-so*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
--- a/salt/manager/tools/sbin/so-yaml.py
+++ b/salt/manager/tools/sbin/so-yaml.py
@@ -22,7 +22,7 @@ def showUsage(args):
    print('    removelistitem   - Remove a list item from a yaml key, if it exists and is a list. Requires KEY and LISTITEM args.', file=sys.stderr)
    print('    replacelistobject  - Replace a list object based on a condition. Requires KEY, CONDITION_FIELD, CONDITION_VALUE, and JSON_OBJECT args.', file=sys.stderr)
    print('    add              - Add a new key and set its value. Fails if key already exists. Requires KEY and VALUE args.', file=sys.stderr)
-    print('    get [-r]         - Displays (to stdout) the value stored in the given key. Requires KEY arg. Use -r for raw output without YAML formatting.', file=sys.stderr)
+    print('    get              - Displays (to stdout) the value stored in the given key. Requires KEY arg.', file=sys.stderr)
    print('    remove           - Removes a yaml key, if it exists. Requires KEY arg.', file=sys.stderr)
    print('    replace          - Replaces (or adds) a new key and set its value. Requires KEY and VALUE args.', file=sys.stderr)
    print('    help             - Prints this usage information.', file=sys.stderr)
@@ -332,11 +332,6 @@ def getKeyValue(content, key):


 def get(args):
-    raw = False
-    if len(args) > 0 and args[0] == '-r':
-        raw = True
-        args = args[1:]
-
    if len(args) != 2:
        print('Missing filename or key arg', file=sys.stderr)
        showUsage(None)
@@ -351,15 +346,12 @@ def get(args):
        print(f"Key '{key}' not found by so-yaml.py", file=sys.stderr)
        return 2

-    if raw:
-        if isinstance(output, bool):
-            print(str(output).lower())
-        elif isinstance(output, (dict, list)):
-            print(yaml.safe_dump(output).strip())
-        else:
-            print(output)
+    if isinstance(output, bool):
+        print(str(output).lower())
+    elif isinstance(output, (dict, list)):
+        print(yaml.safe_dump(output).strip())
    else:
-        print(yaml.safe_dump(output))
+        print(output)
    return 0


--- a/salt/manager/tools/sbin/so-yaml_test.py
+++ b/salt/manager/tools/sbin/so-yaml_test.py
@@ -393,17 +393,6 @@ class TestRemove(unittest.TestCase):

            result = soyaml.get([filename, "key1.child2.deep1"])
            self.assertEqual(result, 0)
-            self.assertIn("45\n...", mock_stdout.getvalue())
-
-    def test_get_int_raw(self):
-        with patch('sys.stdout', new=StringIO()) as mock_stdout:
-            filename = "/tmp/so-yaml_test-get.yaml"
-            file = open(filename, "w")
-            file.write("{key1: { child1: 123, child2: { deep1: 45 } }, key2: false, key3: [e,f,g]}")
-            file.close()
-
-            result = soyaml.get(["-r", filename, "key1.child2.deep1"])
-            self.assertEqual(result, 0)
            self.assertEqual("45\n", mock_stdout.getvalue())

    def test_get_str(self):
@@ -415,17 +404,6 @@ class TestRemove(unittest.TestCase):

            result = soyaml.get([filename, "key1.child2.deep1"])
            self.assertEqual(result, 0)
-            self.assertIn("hello\n...", mock_stdout.getvalue())
-
-    def test_get_str_raw(self):
-        with patch('sys.stdout', new=StringIO()) as mock_stdout:
-            filename = "/tmp/so-yaml_test-get.yaml"
-            file = open(filename, "w")
-            file.write("{key1: { child1: 123, child2: { deep1: \"hello\" } }, key2: false, key3: [e,f,g]}")
-            file.close()
-
-            result = soyaml.get(["-r", filename, "key1.child2.deep1"])
-            self.assertEqual(result, 0)
            self.assertEqual("hello\n", mock_stdout.getvalue())

    def test_get_bool(self):
@@ -437,31 +415,8 @@ class TestRemove(unittest.TestCase):

            result = soyaml.get([filename, "key2"])
            self.assertEqual(result, 0)
-            self.assertIn("false\n...", mock_stdout.getvalue())
-
-    def test_get_bool_raw(self):
-        with patch('sys.stdout', new=StringIO()) as mock_stdout:
-            filename = "/tmp/so-yaml_test-get.yaml"
-            file = open(filename, "w")
-            file.write("{key1: { child1: 123, child2: { deep1: 45 } }, key2: false, key3: [e,f,g]}")
-            file.close()
-
-            result = soyaml.get(["-r", filename, "key2"])
-            self.assertEqual(result, 0)
            self.assertEqual("false\n", mock_stdout.getvalue())

-    def test_get_dict_raw(self):
-        with patch('sys.stdout', new=StringIO()) as mock_stdout:
-            filename = "/tmp/so-yaml_test-get.yaml"
-            file = open(filename, "w")
-            file.write("{key1: { child1: 123, child2: { deep1: 45 } }, key2: false, key3: [e,f,g]}")
-            file.close()
-
-            result = soyaml.get(["-r", filename, "key1"])
-            self.assertEqual(result, 0)
-            self.assertIn("child1: 123", mock_stdout.getvalue())
-            self.assertNotIn("...", mock_stdout.getvalue())
-
    def test_get_list(self):
        with patch('sys.stdout', new=StringIO()) as mock_stdout:
            filename = "/tmp/so-yaml_test-get.yaml"
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -88,7 +88,7 @@ check_err() {
        echo 'No route to host'
      ;;
      160)
-        echo 'Incompatiable Elasticsearch upgrade'
+        echo 'Incompatible Elasticsearch upgrade'
      ;;
      161)
        echo 'Required intermediate Elasticsearch upgrade not complete'
@@ -396,14 +396,22 @@ migrate_pcap_to_suricata() {

  for pillar_file in "$PCAPFILE" "$MINIONDIR"/*.sls; do
    [[ -f "$pillar_file" ]] || continue
-    pcap_enabled=$(so-yaml.py get -r "$pillar_file" pcap.enabled 2>/dev/null) || continue
+    pcap_enabled=$(so-yaml.py get "$pillar_file" pcap.enabled 2>/dev/null) || continue
    so-yaml.py add "$pillar_file" suricata.pcap.enabled "$pcap_enabled"
    so-yaml.py remove "$pillar_file" pcap
  done
 }

 post_to_3.0.0() {
-  echo "Nothing to apply"
+  for idx in "logs-idh-so" "logs-redis.log-default"; do
+    rollover_index "$idx"
+  done
+
+  # Remove ILM for so-case and so-detection indices
+  for idx in "so-case" "so-casehistory" "so-detection" "so-detectionhistory"; do
+    so-elasticsearch-query $idx/_ilm/remove -XPOST
+  done
+
  POSTVERSION=3.0.0
 }

--- a/salt/nginx/etc/nginx.conf
+++ b/salt/nginx/etc/nginx.conf
@@ -387,15 +387,13 @@ http {
 		error_page 429 = @error429;

 		location @error401 {
-			if ($request_uri ~* (^/connect/.*|^/oauth2/.*)) {
+			if ($request_uri ~* (^/api/.*|^/connect/.*|^/oauth2/.*)) {
 				return    401;
 			}

-			if ($request_uri ~* ^/(?!(^/api/.*))) {
-				add_header    Strict-Transport-Security   "max-age=31536000; includeSubDomains";
-			}
+			add_header    Strict-Transport-Security   "max-age=31536000; includeSubDomains";

-			if ($request_uri ~* ^/(?!(api/|login|auth|oauth2|$))) {
+			if ($request_uri ~* ^/(?!(login|auth|oauth2|$))) {
 				add_header    Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400";
 			}
 			return        302 /auth/self-service/login/browser;
--- a/salt/suricata/defaults.yaml
+++ b/salt/suricata/defaults.yaml
@@ -1,6 +1,7 @@
 suricata:
  enabled: False
  pcap:
+    enabled: "no"
    filesize: 1000mb
    maxsize: 25
    compression: "none"
@@ -141,8 +142,6 @@ suricata:
        enabled: "no"
      tls-store:
        enabled: "no"
-      pcap-log:
-        enabled: "no"
      alert-debug:
        enabled: "no"
      alert-prelude:
--- a/salt/suricata/map.jinja
+++ b/salt/suricata/map.jinja
@@ -11,13 +11,18 @@
 {# before we change outputs back to list, enable pcap-log if suricata is the pcapengine #}
 {% if GLOBALS.pcap_engine in ["SURICATA"] %}

+{# initialize pcap-log in config.outputs since we dont put it in defaults #}
+{%   if 'pcap-log' not in SURICATAMERGED.config.outputs %}
+{%     do SURICATAMERGED.config.outputs.update({'pcap-log': {}}) %}
+{%   endif %}
+
 {%   from 'bpf/pcap.map.jinja' import PCAPBPF, PCAP_BPF_STATUS %}
 {%   if PCAPBPF and PCAP_BPF_STATUS %}
 {%     do SURICATAMERGED.config.outputs['pcap-log'].update({'bpf-filter': PCAPBPF|join(" ")}) %}
 {%   endif %}

-{%   do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': 'yes'}) %}
 {#   move the items in suricata.pcap into suricata.config.outputs.pcap-log. these items were placed under suricata.config for ease of access in SOC #}
+{%   do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': SURICATAMERGED.pcap.enabled}) %}
 {%   do SURICATAMERGED.config.outputs['pcap-log'].update({'compression': SURICATAMERGED.pcap.compression}) %}
 {%   do SURICATAMERGED.config.outputs['pcap-log'].update({'lz4-checksum': SURICATAMERGED.pcap['lz4-checksum']}) %}
 {%   do SURICATAMERGED.config.outputs['pcap-log'].update({'lz4-level': SURICATAMERGED.pcap['lz4-level']}) %}
--- a/salt/suricata/soc_suricata.yaml
+++ b/salt/suricata/soc_suricata.yaml
@@ -22,6 +22,10 @@ suricata:
      title: Classifications
      helpLink: suricata.html
  pcap:
+    enabled:
+      description: Enables or disables the Suricata packet recording process.
+      forcedType: bool
+      helpLink: suricata.html
    filesize: 
      description: Maximum file size for individual PCAP files written by Suricata. Increasing this number could improve write performance at the expense of pcap retrieval time.
      advanced: True
@@ -209,12 +213,6 @@ suricata:
              header:
                description: Header name where the actual IP address will be reported.
                helpLink: suricata.html
-      pcap-log:
-        enabled:
-          description: This value is ignored by SO. pcapengine in globals takes precedence.
-          readonly: True
-          helpLink: suricata.html
-          advanced: True        
    asn1-max-frames:
      description: Maximum nuber of asn1 frames to decode.
      helpLink: suricata.html
Author	SHA1	Message	Date
reyesj2	a52e5d0474	update index template priorities + explicity add datastream config options	2026-03-17 13:50:15 -05:00
reyesj2	1a943aefc5	rollover datastreams to get latest index templates + remove existing ilm policies from so-case / so-detection indices	2026-03-17 13:49:20 -05:00
reyesj2	eaf3f10adc	remove unused close/delete configs on datastream index templates	2026-03-16 17:26:45 -05:00
reyesj2	84f4e460f6	update index patterns	2026-03-16 16:53:22 -05:00
reyesj2	88841c9814	remove ilm configs from non-datastream indices	2026-03-16 16:52:42 -05:00
Josh Patterson	5b2def6fdd	Merge pull request #15618 from Security-Onion-Solutions/delta forcedType bool	2026-03-16 12:50:06 -04:00
Josh Patterson	9b6d29212d	forcedType bool	2026-03-16 12:46:25 -04:00
Josh Patterson	c1bff03b1c	Merge pull request #15615 from Security-Onion-Solutions/delta initialize pcap-log	2026-03-14 20:33:28 -04:00
Josh Patterson	b00f113658	initialize pcap-log	2026-03-14 19:45:50 -04:00
Jason Ertel	7dcd923ebf	Merge pull request #15612 from Security-Onion-Solutions/jertel/wip API errors will no longer redirect	2026-03-13 17:04:51 -04:00
Jason Ertel	1fcd8a7c1a	API errors will no longer redirect	2026-03-13 16:53:38 -04:00
Mike Reeves	a9196348ab	Merge pull request #15609 from Security-Onion-Solutions/moresoup Moresoup	2026-03-13 16:16:35 -04:00
Mike Reeves	d1156ee3fd	Merge pull request #15608 from Security-Onion-Solutions/moresoup Improve soup version checks and migrate pcap to suricata	2026-03-13 14:59:57 -04:00
Josh Patterson	e55ac7062c	Merge pull request #15574 from Security-Onion-Solutions/delta pcap cleanup state. enable/disable pcap for suricata in soc	2026-03-13 14:54:06 -04:00
Josh Patterson	0360d4145c	sensors run pcap.cleanup state	2026-03-10 15:58:26 -04:00
Josh Patterson	398bd0c1da	Update VERSION	2026-03-10 15:00:19 -04:00
Josh Patterson	32241faf55	cleanup steno	2026-03-10 14:02:28 -04:00
Josh Patterson	88de779ff7	revert to salt 3006.19	2026-03-10 11:31:56 -04:00
Josh Patterson	d452694c55	enable/disable suricata pcap	2026-03-10 11:30:24 -04:00
Josh Patterson	7fba8ac2b4	Merge remote-tracking branch 'origin/3/dev' into delta	2026-03-10 11:24:44 -04:00
Josh Patterson	6809a40257	Merge remote-tracking branch 'origin/delta' into delta	2026-03-05 16:40:02 -05:00
Josh Patterson	cea55a72c3	upgrade salt 3006.23	2026-03-05 16:35:15 -05:00
Jason Ertel	e38a4a21ee	version for delta	2026-03-05 11:52:51 -05:00