oracle 10 testing

2026-06-12 13:19:22 +02:00 · 2026-06-03 14:11:30 -04:00
36 changed files with 254 additions and 1108 deletions
@@ -11,7 +11,6 @@ body:
        -
        - 3.0.0
        - 3.1.0
        - 3.2.0
        - Other (please provide detail below)
    validations:
      required: true
@@ -1 +1 @@
-
+20260528
@@ -1 +1 @@
-3.2.0
+3.1.0
@@ -25,11 +25,9 @@ if [ ! -f $BACKUPFILE ]; then
  # Create empty backup file
  tar -cf $BACKUPFILE -T /dev/null
-  # Loop through all paths defined in global.sls, and append them to backup file if they exist
+  # Loop through all paths defined in global.sls, and append them to backup file
  {%- for LOCATION in BACKUPLOCATIONS %}
-  if [[ -d {{ LOCATION }} || -f {{ LOCATION }} ]]; then
+  tar -rf $BACKUPFILE "${EXCLUSIONS[@]}" {{ LOCATION }}
    tar -rf $BACKUPFILE "${EXCLUSIONS[@]}" {{ LOCATION }}
  fi
  {%- endfor %}
 fi
@@ -26,14 +26,33 @@ commonpkgs:
      - net-tools
      - nmap-ncat
      - procps-ng
 {# OL10 test path: python3-docker / python3-m2crypto are not packaged in EPEL 10 and are not
   referenced by SO code (salt uses its bundled docker module from salt/python_modules.sls).
   python3-rich is also unavailable on EL10 (its pygments dep is not packaged), so it is
   installed via pip below. Gate on the grain because GLOBALS/pillars are not available this
   early (see header note). #}
 {% if grains['osmajorrelease']|int < 10 %}
      - python3-docker
      - python3-m2crypto
      - python3-rich
 {% else %}
      - python3-pip
 {% endif %}
      - python3-packaging
      - python3-pyyaml
      - python3-rich
      - rsync
      - sqlite
      - tcpdump
      - unzip
      - wget
      - yum-utils
 {% if grains['osmajorrelease']|int >= 10 %}
 # OL10 test path: rich is not packaged for EL10; install it into the system python3 for so-status.
 commonpkgs_pip_rich:
  cmd.run:
    - name: python3 -m pip install rich
    - unless: python3 -c "import rich"
    - require:
      - pkg: commonpkgs
 {% endif %}
@@ -142,11 +142,6 @@ check_elastic_license() {
 	fi  
 }
 check_elasticsearch_responsive() {
    retry 3 15 "so-elasticsearch-query / --output /dev/null --fail" ||
        fail "Elasticsearch is not responding. Please review Elasticsearch logs /opt/so/log/elasticsearch/securityonion.log for more details. Additionally, consider running so-elasticsearch-troubleshoot."
 }
 check_salt_master_status() {
 	local count=0
    local attempts="${1:- 10}"
@@ -359,7 +354,12 @@ gpg_rpm_import() {
 	else
 		local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/$OS/keys"
 	fi
-	RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
+	if [[ "$OSVER" == "10" ]]; then
 		# OL10 test path uses public repos; the public oracle-epel-release and docker repos provide their own keys
 		RPMKEYS=('RPM-GPG-KEY-oracle' 'SALT-PROJECT-GPG-PUBKEY-2023.pub')
 	else
 		RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
 	fi
 	for RPMKEY in "${RPMKEYS[@]}"; do
 		rpm --import $RPMKEYSLOC/$RPMKEY
 		echo "Imported $RPMKEY"
@@ -631,9 +631,9 @@ salt_minion_count() {
 }
 set_os() {
-	if [ -f /etc/redhat-release ] && grep -q "Red Hat Enterprise Linux release 9" /etc/redhat-release && [ -f /etc/oracle-release ]; then
+	if [ -f /etc/oracle-release ] && grep -qE "release (9|10)\b" /etc/oracle-release; then
 		OS=oracle
-		OSVER=9
+		OSVER=$(grep -oE "release [0-9]+" /etc/oracle-release | grep -oE "[0-9]+")
 		is_oracle=true
 		is_rpm=true
 	fi
@@ -112,8 +112,23 @@ update_docker_containers() {
  # does not include so-elastic-fleet since that container uses so-elastic-agent image
  local IMAGES_USING_ES_VERSION=("so-elasticsearch")
-  rm -rf $SIGNPATH >> "$LOG_FILE" 2>&1 
+  rm -rf $SIGNPATH >> "$LOG_FILE" 2>&1
-  mkdir -p $SIGNPATH >> "$LOG_FILE" 2>&1 
+  mkdir -p $SIGNPATH >> "$LOG_FILE" 2>&1
  # OL10 test path: GnuPG 2.4 enables the keybox daemon (keyboxd) by default, which deadlocks
  # under the rapid sequential gpg --verify calls below ("waiting for lock ... keydb_search
  # failed: Connection timed out ... No public key"). Editing the default homedir's common.conf
  # is unreliable (gpg re-adds use-keyboxd when it re-initializes the homedir), so run all the
  # image-signature gpg ops in a dedicated homedir whose pre-written common.conf leaves keyboxd
  # off, forcing the classic keybox. Isolated from the system keyring and deterministic.
  if [ "$OSVER" = "10" ]; then
    export GNUPGHOME="$SIGNPATH/gnupg"
    rm -rf "$GNUPGHOME" >> "$LOG_FILE" 2>&1
    mkdir -p "$GNUPGHOME" >> "$LOG_FILE" 2>&1
    chmod 700 "$GNUPGHOME"
    echo "# keyboxd disabled for SO image signature verification on EL10" > "$GNUPGHOME/common.conf"
    gpgconf --kill keyboxd gpg-agent >> "$LOG_FILE" 2>&1 || true
  fi
  # Let's make sure we have the public key
  run_check_net_err \
@@ -18,10 +18,18 @@ dockergroup:
 dockerheldpackages:
  pkg.installed:
    - pkgs:
 {% if GLOBALS.os_version|int >= 10 %}
      # OL10 test path: install latest Docker CE from the public repo (no .el9 builds available)
      - containerd.io
      - docker-ce
      - docker-ce-cli
      - docker-ce-rootless-extras
 {% else %}
      - containerd.io: 2.2.1-1.el9
      - docker-ce: 3:29.2.1-1.el9
      - docker-ce-cli: 1:29.2.1-1.el9
      - docker-ce-rootless-extras: 29.2.1-1.el9
 {% endif %}
    - hold: True
    - update_holds: True
@@ -9,6 +9,7 @@
 {% set CORE_ESFLEET_PACKAGES = ELASTICFLEETDEFAULTS.get('elasticfleet', {}).get('packages', {}) %}
 {% set ADDON_CONTENT_INTEGRATION_DEFAULTS = {} %}
 {% set DEBUG_STUFF = {} %}
 {% for pkg in ADDON_CONTENT_PACKAGE_COMPONENTS %}
 {%   if pkg.name in CORE_ESFLEET_PACKAGES %}
@@ -9,6 +9,7 @@
 {% set CORE_ESFLEET_PACKAGES = ELASTICFLEETDEFAULTS.get('elasticfleet', {}).get('packages', {}) %}
 {% set ADDON_INPUT_INTEGRATION_DEFAULTS = {} %}
 {% set DEBUG_STUFF = {} %}
 {% for pkg in ADDON_INPUT_PACKAGE_COMPONENTS %}
 {%   if pkg.name in CORE_ESFLEET_PACKAGES %}
@@ -115,6 +116,7 @@
 {%         do ADDON_INPUT_INTEGRATION_DEFAULTS.update({integration_key: integration_defaults}) %}
 {%         do DEBUG_STUFF.update({integration_key: "Generating defaults for "+ pkg.name })%}
 {%       endfor %}
 {%     endif %}
 {%   endif %}
@@ -11,15 +11,14 @@ include:
  - elasticfleet.config
 # If enabled, automatically update Fleet Logstash Outputs
-{% if ELASTICFLEETMERGED.config.server.enable_auto_configuration %}
+{% if ELASTICFLEETMERGED.config.server.enable_auto_configuration and grains.role not in ['so-import', 'so-eval'] %}
 {%   if grains.role not in ['so-import', 'so-eval']%}
 so-elastic-fleet-auto-configure-logstash-outputs:
  cmd.run:
    - name: /usr/sbin/so-elastic-fleet-outputs-update
    - retry:
        attempts: 4
        interval: 30
-{%   endif %}
+{% endif %}
 # If enabled, automatically update Fleet Server URLs & ES Connection
 so-elastic-fleet-auto-configure-server-urls:
@@ -28,7 +27,6 @@ so-elastic-fleet-auto-configure-server-urls:
    - retry:
        attempts: 4
        interval: 30
 {% endif %}
 # Automatically update Fleet Server Elasticsearch URLs & Agent Artifact URLs
 so-elastic-fleet-auto-configure-elasticsearch-urls:
@@ -9,12 +9,9 @@
 {%   from 'elasticsearch/config.map.jinja' import ELASTICSEARCHMERGED %}
 {%   from 'elasticsearch/template.map.jinja' import ES_INDEX_SETTINGS, SO_MANAGED_INDICES %}
 {%   if GLOBALS.role != 'so-heavynode' %}
-{%     from 'elasticsearch/template.map.jinja' import ALL_ADDON_SETTINGS, ADDON_INDICES %}
+{%     from 'elasticsearch/template.map.jinja' import ALL_ADDON_SETTINGS %}
 {%   endif %}
 include:
  - elasticsearch.enabled
 escomponenttemplates:
  file.recurse:
    - name: /opt/so/conf/elasticsearch/templates/component
@@ -38,20 +35,6 @@ so_index_template_dir:
      {%- endfor %}
    {%- endif %}
 {%  if GLOBALS.role != "so-heavynode" %}
 # Clean up legacy and non-SO managed templates from the elasticsearch/templates/addon-index/ directory
 addon_index_template_dir:
  file.directory:
    - name: /opt/so/conf/elasticsearch/templates/addon-index
    - clean: True
    {%- if ADDON_INDICES %}
    - require:
      {%- for index in ADDON_INDICES %}
      - file: addon_index_template_{{index}}
      {%- endfor %}
    {%- endif %}
 {%  endif %}
 # Auto-generate index templates for SO managed indices (directly defined in elasticsearch/defaults.yaml)
 #   These index templates are for the core SO datasets and are always required
 {%  for index, settings in ES_INDEX_SETTINGS.items() %}
@@ -133,18 +116,6 @@ so-elasticsearch-templates:
      - docker_container: so-elasticsearch
      - file: elasticsearch_sbin_jinja
 so-elasticsearch-dlm-apply:
  cmd.run:
    - name: /usr/sbin/so-elasticsearch-dlm-apply
    - cwd: /opt/so
    - require:
      - docker_container: so-elasticsearch
      - file: elasticsearch_sbin_jinja
      - cmd: so-elasticsearch-templates
    - retry:
        attempts: 3
        interval: 10
 so-elasticsearch-pipelines:
  cmd.run:
    - name: /usr/sbin/so-elasticsearch-pipelines {{ GLOBALS.hostname }}
@@ -2,7 +2,6 @@ elasticsearch:
  enabled: false
  version: 9.3.3
  index_clean: true
  data_retention_method: DLM
  vm:
    max_map_count: 1048576
  config:
@@ -19,18 +18,9 @@ elasticsearch:
              flood_stage: 90%
              high: 85%
              low: 80%
    # don't want to set retention here since it will make ES restart with every update +
    #   potentially case where we could unintentially fall back to retention 7d and cause data loss
    # data_streams:
    #   lifecycle:
    #     retention:
    #       default: 7d
    indices:
      id_field_data:
        enabled: false
    # index:
      # lifecycle:
        # prefer_ilm: true
    logger:
      org:
        elasticsearch:
@@ -73,9 +63,6 @@ elasticsearch:
            verification_mode: none
  index_settings:
    global_overrides:
    # Tie this into cluster setting for data_streams.lifecycle.retention.default
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        template:
          settings:
@@ -156,8 +143,6 @@ elasticsearch:
                order: desc
    so-common:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - agent-mappings
@@ -319,8 +304,6 @@ elasticsearch:
              number_of_shards: 1
    so-assistant-chat:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: ""
      index_template:
        composed_of:
        - assistant-chat-mappings
@@ -361,8 +344,6 @@ elasticsearch:
            min_age: 0ms
    so-assistant-session:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: ""
      index_template:
        composed_of:
        - assistant-session-mappings
@@ -516,8 +497,6 @@ elasticsearch:
            min_age: 30d
    so-idh:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - agent-mappings
@@ -626,8 +605,6 @@ elasticsearch:
            min_age: 30d
    so-import:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - agent-mappings
@@ -810,8 +787,6 @@ elasticsearch:
            min_age: 0ms
    so-kismet:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - kismet-mappings
@@ -861,8 +836,6 @@ elasticsearch:
            min_age: 30d
    so-kratos:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - agent-mappings
@@ -931,8 +904,6 @@ elasticsearch:
            min_age: 30d
    so-hydra:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - agent-mappings
@@ -1078,8 +1049,6 @@ elasticsearch:
            min_age: 0ms
    so-logs:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - so-data-streams-mappings
@@ -1160,8 +1129,6 @@ elasticsearch:
            min_age: 30d
    so-logs-detections_x_alerts:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - so-data-streams-mappings
@@ -1225,8 +1192,6 @@ elasticsearch:
            min_age: 30d
    so-logs-elastic_agent:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - event-mappings
@@ -1342,8 +1307,6 @@ elasticsearch:
            min_age: 30d
    so-elastic-agent-monitor:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - event-mappings
@@ -1406,8 +1369,6 @@ elasticsearch:
            min_age: 30d
    so-logs-elastic_agent_x_apm_server:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - logs-elastic_agent.apm_server@package
@@ -1472,8 +1433,6 @@ elasticsearch:
            min_age: 30d
    so-logs-elastic_agent_x_auditbeat:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - logs-elastic_agent.auditbeat@package
@@ -1538,8 +1497,6 @@ elasticsearch:
            min_age: 30d
    so-logs-elastic_agent_x_cloudbeat:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - logs-elastic_agent.cloudbeat@package
@@ -1604,8 +1561,6 @@ elasticsearch:
            min_age: 30d
    so-logs-elastic_agent_x_endpoint_security:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - event-mappings
@@ -1665,8 +1620,6 @@ elasticsearch:
            min_age: 30d
    so-logs-elastic_agent_x_filebeat:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - event-mappings
@@ -1726,8 +1679,6 @@ elasticsearch:
            min_age: 30d
    so-logs-elastic_agent_x_fleet_server:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - event-mappings
@@ -1784,8 +1735,6 @@ elasticsearch:
            min_age: 30d
    so-logs-elastic_agent_x_heartbeat:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - logs-elastic_agent.heartbeat@package
@@ -1850,8 +1799,6 @@ elasticsearch:
            min_age: 30d
    so-logs-elastic_agent_x_metricbeat:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - event-mappings
@@ -1911,8 +1858,6 @@ elasticsearch:
            min_age: 30d
    so-logs-elastic_agent_x_osquerybeat:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - event-mappings
@@ -1972,8 +1917,6 @@ elasticsearch:
            min_age: 30d
    so-logs-elastic_agent_x_packetbeat:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - logs-elastic_agent.packetbeat@package
@@ -2038,8 +1981,6 @@ elasticsearch:
            min_age: 30d
    so-logs-elasticsearch_x_server:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - logs-elasticsearch.server@package
@@ -2104,8 +2045,6 @@ elasticsearch:
            min_age: 30d
    so-logs-endpoint_x_actions:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - .logs-endpoint.actions@package
@@ -2165,8 +2104,6 @@ elasticsearch:
            min_age: 30d
    so-logs-endpoint_x_action_x_responses:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - .logs-endpoint.action.responses@package
@@ -2226,8 +2163,6 @@ elasticsearch:
            min_age: 30d
    so-logs-endpoint_x_alerts:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - logs-endpoint.alerts@package
@@ -2287,8 +2222,6 @@ elasticsearch:
            min_age: 30d
    so-logs-endpoint_x_diagnostic_x_collection:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - .logs-endpoint.diagnostic.collection@package
@@ -2364,8 +2297,6 @@ elasticsearch:
            min_age: 30d
    so-logs-endpoint_x_events_x_api:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - logs-endpoint.events.api@package
@@ -2425,8 +2356,6 @@ elasticsearch:
            min_age: 30d
    so-logs-endpoint_x_events_x_file:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - logs-endpoint.events.file@package
@@ -2486,8 +2415,6 @@ elasticsearch:
            min_age: 30d
    so-logs-endpoint_x_events_x_library:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - logs-endpoint.events.library@package
@@ -2547,8 +2474,6 @@ elasticsearch:
            min_age: 30d
    so-logs-endpoint_x_events_x_network:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - logs-endpoint.events.network@package
@@ -2608,8 +2533,6 @@ elasticsearch:
            min_age: 30d
    so-logs-endpoint_x_events_x_process:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - logs-endpoint.events.process@package
@@ -2669,8 +2592,6 @@ elasticsearch:
            min_age: 30d
    so-logs-endpoint_x_events_x_registry:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - logs-endpoint.events.registry@package
@@ -2730,8 +2651,6 @@ elasticsearch:
            min_age: 30d
    so-logs-endpoint_x_events_x_security:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - logs-endpoint.events.security@package
@@ -2791,8 +2710,6 @@ elasticsearch:
            min_age: 30d
    so-logs-endpoint_x_heartbeat:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - .logs-endpoint.heartbeat@package
@@ -2852,8 +2769,6 @@ elasticsearch:
            min_age: 30d
    so-logs-http_endpoint_x_generic:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - logs-http_endpoint.generic@package
@@ -2902,8 +2817,6 @@ elasticsearch:
            min_age: 30d
    so-logs-httpjson_x_generic:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - logs-httpjson.generic@package
@@ -2969,8 +2882,6 @@ elasticsearch:
              number_of_replicas: 0
    so-logs-osquery-manager_x_action_x_responses:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        _meta:
          managed: true
@@ -3042,8 +2953,6 @@ elasticsearch:
              number_of_replicas: 0
    so-logs-osquery-manager_x_result:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        _meta:
          managed: true
@@ -3096,8 +3005,6 @@ elasticsearch:
            min_age: 30d
    so-logs-soc:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - agent-mappings
@@ -3206,8 +3113,6 @@ elasticsearch:
            min_age: 30d
    so-logs-system_x_application:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - event-mappings
@@ -3257,8 +3162,6 @@ elasticsearch:
            min_age: 30d
    so-logs-system_x_auth:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - event-mappings
@@ -3308,8 +3211,6 @@ elasticsearch:
            min_age: 30d
    so-logs-system_x_security:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - event-mappings
@@ -3359,8 +3260,6 @@ elasticsearch:
            min_age: 30d
    so-logs-system_x_syslog:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - event-mappings
@@ -3410,8 +3309,6 @@ elasticsearch:
            min_age: 30d
    so-logs-system_x_system:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - event-mappings
@@ -3461,8 +3358,6 @@ elasticsearch:
            min_age: 30d
    so-logs-windows_x_forwarded:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - logs-windows.forwarded@package
@@ -3510,8 +3405,6 @@ elasticsearch:
            min_age: 30d
    so-logs-windows_x_powershell:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - logs-windows.powershell@package
@@ -3559,8 +3452,6 @@ elasticsearch:
            min_age: 30d
    so-logs-windows_x_powershell_operational:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - logs-windows.powershell_operational@package
@@ -3608,8 +3499,6 @@ elasticsearch:
            min_age: 30d
    so-logs-windows_x_sysmon_operational:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - logs-windows.sysmon_operational@package
@@ -3657,8 +3546,6 @@ elasticsearch:
            min_age: 30d
    so-logs-winlog_x_winlog:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - logs-winlog.winlog@package
@@ -3707,8 +3594,6 @@ elasticsearch:
            min_age: 30d
    so-logstash:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - agent-mappings
@@ -3824,8 +3709,6 @@ elasticsearch:
            min_age: 30d
    so-metrics-endpoint_x_metadata:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - metrics-endpoint.metadata@package
@@ -3873,8 +3756,6 @@ elasticsearch:
            min_age: 30d
    so-metrics-endpoint_x_metrics:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - metrics-endpoint.metrics@package
@@ -3922,8 +3803,6 @@ elasticsearch:
            min_age: 30d
    so-metrics-endpoint_x_policy:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - metrics-endpoint.policy@package
@@ -3971,8 +3850,6 @@ elasticsearch:
            min_age: 30d
    so-metrics-fleet_server_x_agent_status:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - metrics@tsdb-settings
@@ -3997,8 +3874,6 @@ elasticsearch:
              number_of_replicas: 0
    so-metrics-fleet_server_x_agent_versions:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - metrics@tsdb-settings
@@ -4023,8 +3898,6 @@ elasticsearch:
              number_of_replicas: 0
    so-redis:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - agent-mappings
@@ -4085,10 +3958,13 @@ elasticsearch:
        - vulnerability-mappings
        - common-settings
        - common-dynamic-mappings
        - logs-redis.log@package
        - logs-redis.log@custom
        data_stream:
          allow_custom_routing: false
          hidden: false
-        ignore_missing_component_templates: []
+        ignore_missing_component_templates:
        - logs-redis.log@custom
        index_patterns:
        - logs-redis.log*
        priority: 501
@@ -4140,8 +4016,6 @@ elasticsearch:
            min_age: 30d
    so-strelka:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - agent-mappings
@@ -4259,8 +4133,6 @@ elasticsearch:
            min_age: 30d
    so-suricata:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - agent-mappings
@@ -4377,8 +4249,6 @@ elasticsearch:
            min_age: 30d
    so-suricata_x_alerts:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - agent-mappings
@@ -4495,8 +4365,6 @@ elasticsearch:
            min_age: 30d
    so-syslog:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - agent-mappings
@@ -4613,8 +4481,6 @@ elasticsearch:
            min_age: 30d
    so-zeek:
      index_sorting: false
      data_stream_lifecycle:
        data_retention: 90d
      index_template:
        composed_of:
        - agent-mappings
@@ -4,13 +4,6 @@ elasticsearch:
    forcedType: bool
    advanced: True
    helpLink: elasticsearch
  data_retention_method:
    description: Method for data retention. Options are ILM or DLM. For single node deployments and most distributed grid users, DLM will be the recommended option for simplified management. Those with more complex use cases may prefer ILM. The latter allows for more granular control, but requires more management overhead.
    options:
    - ILM
    - DLM
    forcedType: string
    global: True
  version:
    description: "This specifies the version of the following containers: so-elastic-fleet-package-registry, so-elastic-agent, so-elastic-fleet, so-kibana, so-logstash and so-elasticsearch. Modifying this value in the Elasticsearch defaults.yaml will result in catastrophic grid failure."
    readonly: True
@@ -20,7 +13,7 @@ elasticsearch:
    description: Specify the memory heap size in (m)egabytes for Elasticsearch.
    helpLink: elasticsearch
  index_clean:
-    description: Determines if indices should be considered for deletion by available disk space in the cluster. Otherwise, data is retained by the configured lifecycle settings. This setting only applies to EVAL, STANDALONE, and HEAVY NODE installations. Other installations use lifecycle settings only.
+    description: Determines if indices should be considered for deletion by available disk space in the cluster. Otherwise, indices will only be deleted by the age defined in the ILM settings. This setting only applies to EVAL, STANDALONE, and HEAVY NODE installations. Other installations can only use ILM settings.
    forcedType: bool
    helpLink: elasticsearch
  vm:
@@ -146,21 +139,6 @@ elasticsearch:
    custom010: *pipelines
  index_settings:
    global_overrides:
      data_stream_lifecycle:
        data_retention:
          description: |
            The retention period for all data streams. Retention does not define the period that the data will be removed, but the minimum time period they will be kept.
            Use a number followed by a time unit, such as 7d. Leave blank for indefinite retention where supported.
            Configured retention period also affects the frequency of rolling over data streams.
              - If retention is less than or equal to 1 day, max_age will be 1 hour
              - If retention is less than or equal to 14 days, max_age will be 1 day
              - If retention is less than or equal to 90 days, max_age will be 7 days
              - If retention is greater than 90 days, max_age will be 30 days
          forcedType: string
          regex: ^$|^[0-9]{1,5}(?:d|h|m|s)$
          regexFailureMessage: Must be blank or a number followed by d, h, m, or s, such as 7d.
      index_template:
        template:
          settings:
@@ -333,28 +311,13 @@ elasticsearch:
              forcedType: string
              global: True
              helpLink: elasticsearch
-    so-logs: &dataStreamSettings
+    so-logs: &indexSettings
      index_sorting:
        description: Sorts the index by event time, at the cost of additional processing resource consumption.
        forcedType: bool
        global: True
        advanced: True
        helpLink: elasticsearch
      data_stream_lifecycle:
        data_retention:
          description: |
            The retention period for this data stream. Retention does not define the period that the data will be removed, but the minimum time period it will be kept.
            Use a number followed by a time unit, such as 7d. Leave blank for indefinite retention where supported.
            Configured retention period also affects the frequency of rolling over this data stream.
              - If retention is less than or equal to 1 day, max_age will be 1 hour
              - If retention is less than or equal to 14 days, max_age will be 1 day
              - If retention is less than or equal to 90 days, max_age will be 7 days
              - If retention is greater than 90 days, max_age will be 30 days
          forcedType: string
          regex: ^$|^[0-9]{1,5}(?:d|h|m|s)$
          regexFailureMessage: Must be blank or a number followed by d, h, m, or s, such as 7d.
      index_template:
        index_patterns:
          description: Patterns for matching multiple indices or tables.
@@ -372,14 +335,6 @@ elasticsearch:
                global: True
                advanced: True
                helpLink: elasticsearch
              auto_expand_replicas:
                description: Automatically expand the number of replicas based on the number of data nodes in the cluster. This can help ensure high availability as the cluster scales up or down.
                forcedType: string
                regex: "^(0-[1-9]|1-[2-9]|2-[3-9]|3-[4-9]|4-[5-9]|5-[6-9]|6-[7-9]|7-[89]|8-9|[0-9]-all|false)$"
                regexFailureMessage: Must be in the format of "x-y" where x is minimum number of replicas and y is maximum number of replicas, or "0-all" to specify a minimum of 0 and no maximum, or "false" to disable automatic replica expansion.
                global: True
                advanced: True
                helpLink: elasticsearch
              mapping:
                total_fields:
                  limit:
@@ -641,349 +596,65 @@ elasticsearch:
            global: True
            advanced: True
            helpLink: elasticsearch
-    so-logs-system_x_auth: *dataStreamSettings
+    so-logs-system_x_auth: *indexSettings
-    so-logs-system_x_syslog: *dataStreamSettings
+    so-logs-system_x_syslog: *indexSettings
-    so-logs-system_x_system: *dataStreamSettings
+    so-logs-system_x_system: *indexSettings
-    so-logs-system_x_application: *dataStreamSettings
+    so-logs-system_x_application: *indexSettings
-    so-logs-system_x_security: *dataStreamSettings
+    so-logs-system_x_security: *indexSettings
-    so-logs-windows_x_forwarded: *dataStreamSettings
+    so-logs-windows_x_forwarded: *indexSettings
-    so-logs-windows_x_powershell: *dataStreamSettings
+    so-logs-windows_x_powershell: *indexSettings
-    so-logs-windows_x_powershell_operational: *dataStreamSettings
+    so-logs-windows_x_powershell_operational: *indexSettings
-    so-logs-windows_x_sysmon_operational: *dataStreamSettings
+    so-logs-windows_x_sysmon_operational: *indexSettings
-    so-logs-winlog_x_winlog: *dataStreamSettings
+    so-logs-winlog_x_winlog: *indexSettings
-    so-logs-detections_x_alerts: *dataStreamSettings
+    so-logs-detections_x_alerts: *indexSettings
-    so-logs-http_endpoint_x_generic: *dataStreamSettings
+    so-logs-http_endpoint_x_generic: *indexSettings
-    so-logs-httpjson_x_generic: *dataStreamSettings
+    so-logs-httpjson_x_generic: *indexSettings
-    so-logs-osquery-manager-actions: *dataStreamSettings
+    so-logs-osquery-manager-actions: *indexSettings
-    so-logs-osquery-manager-action_x_responses: *dataStreamSettings
+    so-logs-osquery-manager-action_x_responses: *indexSettings
-    so-logs-osquery-manager_x_action_x_responses: *dataStreamSettings
+    so-logs-osquery-manager_x_action_x_responses: *indexSettings
-    so-logs-osquery-manager_x_result: *dataStreamSettings
+    so-logs-osquery-manager_x_result: *indexSettings
-    so-logs-elastic_agent_x_apm_server: *dataStreamSettings
+    so-logs-elastic_agent_x_apm_server: *indexSettings
-    so-logs-elastic_agent_x_auditbeat: *dataStreamSettings
+    so-logs-elastic_agent_x_auditbeat: *indexSettings
-    so-logs-elastic_agent_x_cloudbeat: *dataStreamSettings
+    so-logs-elastic_agent_x_cloudbeat: *indexSettings
-    so-logs-elastic_agent_x_endpoint_security: *dataStreamSettings
+    so-logs-elastic_agent_x_endpoint_security: *indexSettings
-    so-logs-endpoint_x_alerts: *dataStreamSettings
+    so-logs-endpoint_x_alerts: *indexSettings
-    so-logs-endpoint_x_events_x_api: *dataStreamSettings
+    so-logs-endpoint_x_events_x_api: *indexSettings
-    so-logs-endpoint_x_events_x_file: *dataStreamSettings
+    so-logs-endpoint_x_events_x_file: *indexSettings
-    so-logs-endpoint_x_events_x_library: *dataStreamSettings
+    so-logs-endpoint_x_events_x_library: *indexSettings
-    so-logs-endpoint_x_events_x_network: *dataStreamSettings
+    so-logs-endpoint_x_events_x_network: *indexSettings
-    so-logs-endpoint_x_events_x_process: *dataStreamSettings
+    so-logs-endpoint_x_events_x_process: *indexSettings
-    so-logs-endpoint_x_events_x_registry: *dataStreamSettings
+    so-logs-endpoint_x_events_x_registry: *indexSettings
-    so-logs-endpoint_x_events_x_security: *dataStreamSettings
+    so-logs-endpoint_x_events_x_security: *indexSettings
-    so-logs-elastic_agent_x_filebeat: *dataStreamSettings
+    so-logs-elastic_agent_x_filebeat: *indexSettings
-    so-logs-elastic_agent_x_fleet_server: *dataStreamSettings
+    so-logs-elastic_agent_x_fleet_server: *indexSettings
-    so-logs-elastic_agent_x_heartbeat: *dataStreamSettings
+    so-logs-elastic_agent_x_heartbeat: *indexSettings
-    so-logs-elastic_agent: *dataStreamSettings
+    so-logs-elastic_agent: *indexSettings
-    so-logs-elastic_agent_x_metricbeat: *dataStreamSettings
+    so-logs-elastic_agent_x_metricbeat: *indexSettings
-    so-logs-elastic_agent_x_osquerybeat: *dataStreamSettings
+    so-logs-elastic_agent_x_osquerybeat: *indexSettings
-    so-logs-elastic_agent_x_packetbeat: *dataStreamSettings
+    so-logs-elastic_agent_x_packetbeat: *indexSettings
-    so-logs-elasticsearch_x_server: *dataStreamSettings
+    so-logs-elasticsearch_x_server: *indexSettings
-    so-metrics-endpoint_x_metadata: *dataStreamSettings
+    so-metrics-endpoint_x_metadata: *indexSettings
-    so-metrics-endpoint_x_metrics: *dataStreamSettings
+    so-metrics-endpoint_x_metrics: *indexSettings
-    so-metrics-endpoint_x_policy: *dataStreamSettings
+    so-metrics-endpoint_x_policy: *indexSettings
-    so-metrics-nginx_x_stubstatus: *dataStreamSettings
+    so-metrics-nginx_x_stubstatus: *indexSettings
-    so-metrics-vsphere_x_datastore: *dataStreamSettings
+    so-metrics-vsphere_x_datastore: *indexSettings
-    so-metrics-vsphere_x_host: *dataStreamSettings
+    so-metrics-vsphere_x_host: *indexSettings
-    so-metrics-vsphere_x_virtualmachine: *dataStreamSettings
+    so-metrics-vsphere_x_virtualmachine: *indexSettings
-    so-common: *dataStreamSettings
+    so-case: *indexSettings
-    so-endgame: *dataStreamSettings
+    so-common: *indexSettings
-    so-idh: *dataStreamSettings
+    so-endgame: *indexSettings
-    so-suricata: *dataStreamSettings
+    so-idh: *indexSettings
-    so-suricata_x_alerts: *dataStreamSettings
+    so-suricata: *indexSettings
-    so-import: *dataStreamSettings
+    so-suricata_x_alerts: *indexSettings
-    so-kratos: *dataStreamSettings
+    so-import: *indexSettings
-    so-hydra: *dataStreamSettings
+    so-kratos: *indexSettings
-    so-kismet: *dataStreamSettings
+    so-hydra: *indexSettings
-    so-logstash: *dataStreamSettings
+    so-kismet: *indexSettings
-    so-redis: *dataStreamSettings
+    so-logstash: *indexSettings
-    so-strelka: *dataStreamSettings
+    so-redis: *indexSettings
-    so-syslog: *dataStreamSettings
+    so-strelka: *indexSettings
-    so-zeek: *dataStreamSettings
+    so-syslog: *indexSettings
-    # Managed SOC integration annotations are inserted below this line. Referencing '*dataStreamSettings'
+    so-zeek: *indexSettings
    so-case: &indexSettings
      index_sorting:
        description: Sorts the index by event time, at the cost of additional processing resource consumption.
        forcedType: bool
        global: True
        advanced: True
        helpLink: elasticsearch
      index_template:
        index_patterns:
          description: Patterns for matching multiple indices or tables.
          forcedType: "[]string"
          multiline: True
          global: True
          advanced: True
          helpLink: elasticsearch
        template:
          settings:
            index:
              number_of_replicas:
                description: Number of replicas required for this index. Multiple replicas protects against data loss, but also increases storage costs.
                forcedType: int
                global: True
                advanced: True
                helpLink: elasticsearch
              auto_expand_replicas:
                description: Automatically expand the number of replicas based on the number of data nodes in the cluster. This can help ensure high availability as the cluster scales up or down.
                forcedType: string
                regex: "^(0-[1-9]|1-[2-9]|2-[3-9]|3-[4-9]|4-[5-9]|5-[6-9]|6-[7-9]|7-[89]|8-9|[0-9]-all|false)$"
                regexFailureMessage: Must be in the format of "x-y" where x is minimum number of replicas and y is maximum number of replicas, or "0-all" to specify a minimum of 0 and no maximum, or "false" to disable automatic replica expansion.
                global: True
                advanced: True
                helpLink: elasticsearch
              mapping:
                total_fields:
                  limit:
                    description: Max number of fields that can exist on a single index. Larger values will consume more resources.
                    global: True
                    advanced: True
                    helpLink: elasticsearch
              refresh_interval:
                description: Seconds between index refreshes. Shorter intervals can cause query performance to suffer since this is a synchronous and resource-intensive operation.
                global: True
                advanced: True
                helpLink: elasticsearch
              number_of_shards:
                description: Number of shards required for this index. Using multiple shards increases fault tolerance, but also increases storage and network costs.
                global: True
                advanced: True
                helpLink: elasticsearch
              sort:
                field:
                  description: The field to sort by. Must set index_sorting to True.
                  global: True
                  advanced: True
                  helpLink: elasticsearch
                order:
                  description: The order to sort by. Must set index_sorting to True.
                  global: True
                  advanced: True
                  helpLink: elasticsearch
          mappings:
            _meta:
              package:
                name:
                  description: Meta settings for the mapping.
                  global: True
                  advanced: True
                  helpLink: elasticsearch
              managed_by:
                  description: Meta settings for the mapping.
                  global: True
                  advanced: True
                  helpLink: elasticsearch
              managed:
                  description: Meta settings for the mapping.
                  forcedType: bool
                  global: True
                  advanced: True
                  helpLink: elasticsearch
        composed_of:
          description: The index template is composed of these component templates.
          forcedType: "[]string"
          global: True
          advanced: True
          helpLink: elasticsearch
        priority:
          description: The priority of the index template.
          forcedType: int
          global: True
          advanced: True
          helpLink: elasticsearch
      policy:
        phases:
          hot:
            min_age:
              description: Minimum age of index. This determines when the index should be moved to the hot tier.
              global: True
              advanced: True
              helpLink: elasticsearch
            actions:
              set_priority:
                priority:
                  description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
                  forcedType: int
                  global: True
                  advanced: True
                  helpLink: elasticsearch
              rollover:
                max_age:
                  description: Maximum age of index.  Once an index reaches this limit, it will be rolled over into a new index.
                  global: True
                  advanced: True
                  helpLink: elasticsearch
                max_primary_shard_size:
                  description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index.
                  global: True
                  advanced: True
                  helpLink: elasticsearch
              shrink:
                method:
                  description: Shrink the index to a new index with fewer primary shards. Shrink operation is by count or size.
                  options:
                  - COUNT
                  - SIZE
                  global: True
                  advanced: True
                  forcedType: string
                number_of_shards:
                  title: shard count
                  description: Desired shard count. Note that this value is only used when the shrink method selected is 'COUNT'.
                  global: True
                  forcedType: int
                  advanced: True
                max_primary_shard_size:
                  title: max shard size
                  description: Desired shard size in gb/tb/pb eg. 100gb. Note that this value is only used when the shrink method selected is 'SIZE'.
                  regex: ^[0-9]+(?:gb|tb|pb)$
                  global: True
                  forcedType: string
                  advanced: True
                allow_write_after_shrink:
                  description: Allow writes after shrink.
                  global: True
                  forcedType: bool
                  default: False
                  advanced: True
              forcemerge:
                max_num_segments:
                  description: Reduce the number of segments in each index shard and clean up deleted documents.
                  global: True
                  forcedType: int
                  advanced: True
                index_codec:
                  title: compression
                  description: Use higher compression for stored fields at the cost of slower performance.
                  forcedType: bool
                  global: True
                  default: False
                  advanced: True
          warm:
            min_age:
              description: Minimum age of index. ex. 30d - This determines when the index should be moved to the warm tier. Nodes in the warm tier generally don’t need to be as fast as those in the hot tier. It’s important to note that this is calculated relative to the rollover date (NOT the original creation date of the index). For example, if you have an index that is set to rollover after 30 days and warm min_age set to 30 then there will be 30 days from index creation to rollover and then an additional 30 days before moving to warm tier.
              regex: ^[0-9]{1,5}d$
              forcedType: string
              global: True
              advanced: True
              helpLink: elasticsearch
            actions:
              set_priority:
                priority:
                  description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
                  forcedType: int
                  global: True
                  advanced: True
                  helpLink: elasticsearch
              rollover:
                max_age:
                  description: Maximum age of index.  Once an index reaches this limit, it will be rolled over into a new index.
                  global: True
                  advanced: True
                  helpLink: elasticsearch
                max_primary_shard_size:
                  description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index.
                  global: True
                  advanced: True
                  helpLink: elasticsearch
              shrink:
                method:
                  description: Shrink the index to a new index with fewer primary shards. Shrink operation is by count or size.
                  options:
                  - COUNT
                  - SIZE
                  global: True
                  advanced: True
                number_of_shards:
                  title: shard count
                  description: Desired shard count. Note that this value is only used when the shrink method selected is 'COUNT'.
                  global: True
                  forcedType: int
                  advanced: True
                max_primary_shard_size:
                  title: max shard size
                  description: Desired shard size in gb/tb/pb eg. 100gb. Note that this value is only used when the shrink method selected is 'SIZE'.
                  regex: ^[0-9]+(?:gb|tb|pb)$
                  global: True
                  forcedType: string
                  advanced: True
                allow_write_after_shrink:
                  description: Allow writes after shrink.
                  global: True
                  forcedType: bool
                  default: False
                  advanced: True
              forcemerge:
                max_num_segments:
                  description: Reduce the number of segments in each index shard and clean up deleted documents.
                  global: True
                  forcedType: int
                  advanced: True
                index_codec:
                  title: compression
                  description: Use higher compression for stored fields at the cost of slower performance.
                  forcedType: bool
                  global: True
                  default: False
                  advanced: True
              allocate:
                number_of_replicas:
                  description: Set the number of replicas. Remains the same as the previous phase by default.
                  forcedType: int
                  global: True
                  advanced: True
          cold:
            min_age:
              description: Minimum age of index. ex. 60d - This determines when the index should be moved to the cold tier.  While still searchable, this tier is typically optimized for lower storage costs rather than search speed. It’s important to note that this is calculated relative to the rollover date (NOT the original creation date of the index). For example, if you have an index that is set to rollover after 30 days and cold min_age set to 60 then there will be 30 days from index creation to rollover and then an additional 60 days before moving to cold tier.
              regex: ^[0-9]{1,5}d$
              forcedType: string
              global: True
              advanced: True
              helpLink: elasticsearch
            actions:
              set_priority:
                priority:
                  description: Used for index recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
                  forcedType: int
                  global: True
                  advanced: True
                  helpLink: elasticsearch
              allocate:
                number_of_replicas:
                  description: Set the number of replicas. Remains the same as the previous phase by default.
                  forcedType: int
                  global: True
                  advanced: True
          delete:
            min_age:
              description: Minimum age of index. ex. 90d - This determines when the index should be deleted. It’s important to note that this is calculated relative to the rollover date (NOT the original creation date of the index). For example, if you have an index that is set to rollover after 30 days and delete min_age set to 90 then there will be 30 days from index creation to rollover and then an additional 90 days before deletion.
              regex: ^[0-9]{1,5}d$
              forcedType: string
              global: True
              advanced: True
              helpLink: elasticsearch
        _meta:
          package:
            name:
              description: Meta settings for the mapping.
              global: True
              advanced: True
              helpLink: elasticsearch
          managed_by:
            description: Meta settings for the mapping.
            global: True
            advanced: True
            helpLink: elasticsearch
          managed:
            description: Meta settings for the mapping.
            forcedType: bool
            global: True
            advanced: True
            helpLink: elasticsearch
    sos-backup: *indexSettings
    so-detection: *indexSettings
    so-assistant-chat: *indexSettings
    so-assistant-session: *indexSettings
    so-metrics-fleet_server_x_agent_status: &fleetMetricsSettings
      index_sorting:
        description: Sorts the index by event time, at the cost of additional processing resource consumption.
@@ -5,7 +5,6 @@
 {% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS %}
 {% set DEFAULT_GLOBAL_OVERRIDES = ELASTICSEARCHDEFAULTS.elasticsearch.index_settings.pop('global_overrides') %}
 {% set DATA_RETENTION_METHOD = salt['pillar.get']('elasticsearch:data_retention_method', ELASTICSEARCHDEFAULTS.elasticsearch.get('data_retention_method', 'ILM')) %}
 {% set PILLAR_GLOBAL_OVERRIDES = {} %}
 {% set ES_INDEX_PILLAR = salt['pillar.get']('elasticsearch:index_settings', {}) %}
@@ -62,25 +61,15 @@
 {% if ALL_ADDON_SETTINGS_ORIG.keys() | length > 0 %}
 {%   for index in ALL_ADDON_SETTINGS_ORIG.keys() %}
 {%     do ALL_ADDON_SETTINGS_GLOBAL_OVERRIDES.update({index: salt['defaults.merge'](ALL_ADDON_SETTINGS_ORIG[index], PILLAR_GLOBAL_OVERRIDES, in_place=False)}) %}
 {#     Explicitly excluding addon indices from ES_INDEX_SETTINGS_ORIG
         When manager.soc_managed_annotations runs, new entries are added to the salt/elasticsearch/defaults.yaml file to support 'revert to default' functionality.
         Subsequent map renders will then incorrectly include 'integration X' in 'ES_INDEX_SETTINGS_ORIG' due to being in the defaults.yaml file. #}
 {%     if index in ES_INDEX_SETTINGS_ORIG.keys() %}
 {%       do ES_INDEX_SETTINGS_ORIG.pop(index) %}
 {%     endif %}
 {%   endfor %}
 {% endif %}
 {% set ES_INDEX_SETTINGS = {} %}
-{% macro create_final_index_template(DEFINED_SETTINGS, GLOBAL_OVERRIDES, FINAL_INDEX_SETTINGS, EXCLUDE_INDICES=[]) %}
+{% macro create_final_index_template(DEFINED_SETTINGS, GLOBAL_OVERRIDES, FINAL_INDEX_SETTINGS) %}
 {% do GLOBAL_OVERRIDES.update(salt['defaults.merge'](GLOBAL_OVERRIDES, ES_INDEX_PILLAR, in_place=False)) %}
 {% for index, settings in GLOBAL_OVERRIDES.items() %}
 {%   if index in EXCLUDE_INDICES %}
 {%     continue %}
 {%   endif %}
 {#   prevent this action from being performed on custom defined indices. #}
 {#   the custom defined index is not present in either of the dictionaries and fails to reder. #}
 {%   if index in DEFINED_SETTINGS and index in GLOBAL_OVERRIDES %}
@@ -106,17 +95,6 @@
 {%     if not settings.get('index_sorting', False) | to_bool and settings.index_template.template.settings.index.sort is defined %}
 {%       do settings.index_template.template.settings.index.pop('sort') %}
 {%     endif %}
 {%     if DATA_RETENTION_METHOD == 'DLM' and settings.index_template.data_stream is defined and settings.data_stream_lifecycle is defined %}
 {%       if settings.data_stream_lifecycle.data_retention is defined and settings.data_stream_lifecycle.data_retention %}
 {%         do settings.index_template.template.update({'lifecycle': {'data_retention': settings.data_stream_lifecycle.data_retention}}) %}
 {%       else %}
 {%         do settings.index_template.template.update({'lifecycle': {}}) %}
 {%       endif %}
 {%       if settings.index_template.template.settings.index.lifecycle is not defined %}
 {%         do settings.index_template.template.settings.index.update({'lifecycle': {}}) %}
 {%       endif %}
 {%       do settings.index_template.template.settings.index.lifecycle.update({'prefer_ilm': false}) %}
 {%     endif %}
 {%   endif %}
 {# advanced ilm actions #}
@@ -172,19 +150,10 @@
 {% endfor %}
 {% endmacro %}
-{# Exclude addon integrations from final ES_INDEX_SETTINGS #}
+{{ create_final_index_template(ES_INDEX_SETTINGS_ORIG, ES_INDEX_SETTINGS_GLOBAL_OVERRIDES, ES_INDEX_SETTINGS) }}
-{{ create_final_index_template(ES_INDEX_SETTINGS_ORIG, ES_INDEX_SETTINGS_GLOBAL_OVERRIDES, ES_INDEX_SETTINGS, ALL_ADDON_SETTINGS_ORIG.keys() | list ) }}
+{{ create_final_index_template(ALL_ADDON_SETTINGS_ORIG, ALL_ADDON_SETTINGS_GLOBAL_OVERRIDES, ALL_ADDON_SETTINGS) }}
 {# Exclude SO managed indices, otherwise ALL_ADDON_SETTINGS will include pillar values
  of core integrations without merging defaults, resulting in an overlapping, but bad index template being generated. #}
 {{ create_final_index_template(ALL_ADDON_SETTINGS_ORIG, ALL_ADDON_SETTINGS_GLOBAL_OVERRIDES, ALL_ADDON_SETTINGS, ES_INDEX_SETTINGS_ORIG.keys() | list ) }}
 {% set SO_MANAGED_INDICES = [] %}
 {% for index, settings in ES_INDEX_SETTINGS.items() %}
 {%   do SO_MANAGED_INDICES.append(index) %}
-{% endfor %}
+{% endfor %}
 {% set ADDON_INDICES = [] %}
 {% for index, settings in ALL_ADDON_SETTINGS.items() %}
 {%   do ADDON_INDICES.append(index) %}
 {% endfor %}
@@ -125,6 +125,14 @@ load_component_templates() {
    done
 }
 check_elasticsearch_responsive() {
    # Cannot load templates if Elasticsearch is not responding.
    #  NOTE: Slightly faster exit w/ failure than previous "retry 240 1" if there is a problem with Elasticsearch the
    #    script should exit sooner rather than hang at the 'so-elasticsearch-templates' salt state.
    retry 3 15 "so-elasticsearch-query / --output /dev/null --fail" ||
        fail "Elasticsearch is not responding. Please review Elasticsearch logs /opt/so/log/elasticsearch/securityonion.log for more details. Additionally, consider running so-elasticsearch-troubleshoot."
 }
 index_templates_exist() {
    local templates_dir="$1"
@@ -1,178 +0,0 @@
 #!/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 . /usr/sbin/so-common
 {%- import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS %}
 {%- set DATA_RETENTION_METHOD = salt['pillar.get']('elasticsearch:data_retention_method', ELASTICSEARCHDEFAULTS.elasticsearch.get('data_retention_method', 'ILM')) %}
 ELASTICSEARCH_TEMPLATES_DIR="${ELASTICSEARCH_TEMPLATES_DIR:-/opt/so/conf/elasticsearch/templates}"
 TEMPLATE_DIRS=(
    "${ELASTICSEARCH_TEMPLATES_DIR}/index"
    "${ELASTICSEARCH_TEMPLATES_DIR}/addon-index"
 )
 DATA_RETENTION_METHOD=$(cat <<'EOF'
 {{ DATA_RETENTION_METHOD }}
 EOF
 )
 DLM_FAILURES=0
 DLM_FAILURE_NAMES=()
 if [[ "$DATA_RETENTION_METHOD" != "DLM" && "$DATA_RETENTION_METHOD" != "ILM" ]]; then
    echo "Unsupported data retention method $DATA_RETENTION_METHOD. Expected DLM or ILM."
    exit 1
 fi
 validate_template_file() {
    local template_file="$1"
    if ! jq -e 'type == "object" and (.data_stream == null or (.data_stream | type == "object")) and (.template.lifecycle == null or (.template.lifecycle | type == "object")) and (.template.lifecycle.data_retention == null or (.template.lifecycle.data_retention | type == "string"))' >/dev/null 2>&1 "$template_file"; then
        echo "Invalid index template JSON: $template_file"
        return 1
    fi
 }
 is_data_stream_template() {
    jq -e '.data_stream | type == "object"' >/dev/null 2>&1 "$1"
 }
 has_data_stream_lifecycle() {
    jq -e '.template.lifecycle | type == "object"' >/dev/null 2>&1 "$1"
 }
 get_data_retention() {
    jq -r '.template.lifecycle.data_retention // ""' "$1"
 }
 find_template_file() {
    local template="$1"
    local template_dir
    local template_file
    for template_dir in "${TEMPLATE_DIRS[@]}"; do
        template_file="${template_dir}/${template}-template.json"
        if [[ -f "$template_file" ]]; then
            echo "$template_file"
            return 0
        fi
    done
    return 1
 }
 set_data_stream_lifecycle() {
    local data_stream="$1"
    local data_retention="$2"
    local body
    local output
    if [[ -n "$data_retention" ]]; then
        if jq -e --arg data_stream "$data_stream" --arg data_retention "$data_retention" '.data_streams[]? | select(.name == $data_stream and .lifecycle.enabled == true and .lifecycle.data_retention == $data_retention)' >/dev/null 2>&1 <<< "$data_streams"; then
            echo "DLM lifecycle already set for $data_stream with data_retention $data_retention, skipping."
            return 0
        fi
    elif jq -e --arg data_stream "$data_stream" '.data_streams[]? | select(.name == $data_stream and .lifecycle.enabled == true and (.lifecycle.data_retention == null))' >/dev/null 2>&1 <<< "$data_streams"; then
        echo "DLM lifecycle already set for $data_stream with indefinite retention, skipping."
        return 0
    fi
    if [[ -n "$data_retention" ]]; then
        body=$(jq -cn --arg data_retention "$data_retention" '{data_retention: $data_retention}')
    else
        # Setting indefinite retention
        body='{}'
    fi
    if ! output=$(so-elasticsearch-query "_data_stream/${data_stream}/_lifecycle" -XPUT -d "$body" --retry 3 --retry-delay 5 --fail); then
        echo "Failed to set data stream lifecycle for $data_stream."
        echo "$output"
        return 1
    fi
    if [[ -n "$data_retention" ]]; then
        echo "Set DLM lifecycle for $data_stream with data_retention $data_retention."
    else
        echo "Set DLM lifecycle for $data_stream with indefinite retention."
    fi
 }
 disable_data_stream_lifecycle() {
    local data_stream="$1"
    local body='{"enabled":false}'
    local output
    if ! jq -e --arg data_stream "$data_stream" '.data_streams[]? | select(.name == $data_stream and .lifecycle != null and .lifecycle.enabled != false)' >/dev/null 2>&1 <<< "$data_streams"; then
        # No action needed
        return 0
    fi
    if ! output=$(so-elasticsearch-query "_data_stream/${data_stream}/_lifecycle" -XPUT -d "$body" --retry 3 --retry-delay 5 --fail); then
        echo "Failed to disable data stream lifecycle for $data_stream."
        echo "$output"
        return 1
    fi
    echo "Disabled DLM lifecycle for $data_stream."
 }
 process_data_stream() {
    local data_stream="$1"
    local data_retention="$2"
    if [[ "$DATA_RETENTION_METHOD" == "DLM" ]]; then
        set_data_stream_lifecycle "$data_stream" "$data_retention"
    else
        disable_data_stream_lifecycle "$data_stream"
    fi
 }
 check_elasticsearch_responsive
 if ! data_streams=$(so-elasticsearch-query "_data_stream?format=json" --retry 3 --retry-delay 5 --fail); then
    echo "Failed to retrieve data streams."
    exit 1
 fi
 while read -r data_stream_config; do
    data_stream=$(jq -r '.name' <<< "$data_stream_config")
    template=$(jq -r '.template' <<< "$data_stream_config")
    if ! template_file=$(find_template_file "$template"); then
        echo "Skipping $data_stream: index template file not found for $template."
        continue
    fi
    validate_template_file "$template_file" || exit 1
    if ! is_data_stream_template "$template_file"; then
        echo "Skipping $data_stream: $template_file is not a data stream template."
        continue
    fi
    if [[ "$DATA_RETENTION_METHOD" == "DLM" ]] && ! has_data_stream_lifecycle "$template_file"; then
        echo "Skipping $data_stream: $template_file does not define data stream lifecycle."
        continue
    fi
    data_retention=$(get_data_retention "$template_file")
    if ! process_data_stream "$data_stream" "$data_retention"; then
        DLM_FAILURES=$((DLM_FAILURES + 1))
        DLM_FAILURE_NAMES+=("$data_stream")
    fi
 done < <(jq -c '.data_streams[]' <<< "$data_streams")
 if [[ $DLM_FAILURES -eq 0 ]]; then
    echo "Data stream lifecycle updates completed successfully."
 else
    echo "Encountered $DLM_FAILURES failure(s) updating data stream lifecycle:"
    for failed_data_stream in "${DLM_FAILURE_NAMES[@]}"; do
        echo "  - $failed_data_stream"
    done
    exit 1
 fi
@@ -103,7 +103,7 @@ kratos:
  config:
    session:
      lifespan: 
-        description: Defines the length of a login session before it will timeout, and require a new login.
+        description: Defines the length of a login session.
        global: True
        helpLink: kratos
      whoami:
@@ -16,35 +16,40 @@
 {%       endif %}
 {%     endfor %}
 {%   endfor %}
 {%   set soc_annotation_lines = [] %}
 {%   set defaults_lines = [] %}
 {%   for k in matched_integration_names %}
 {%     do soc_annotation_lines.append('    ' ~ k ~ ': *dataStreamSettings') %}
 {%     do defaults_lines.append('    ' ~ k ~ ':') %}
 {%     set defaults_yaml = salt['slsutil.serialize']('yaml', ADDON_INTEGRATION_DEFAULTS[k], default_flow_style=False).strip() %}
 {%     for line in defaults_yaml.splitlines() %}
 {%       do defaults_lines.append('      ' ~ line) %}
 {%     endfor %}
 {%   endfor %}
 {%   set es_soc_annotations = '/opt/so/saltstack/default/salt/elasticsearch/soc_elasticsearch.yaml' %}
-manage_soc_annotations:
+{{   es_soc_annotations }}:
-  file.blockreplace:
+     file.serialize:
-    - name: {{ es_soc_annotations }}
+       - dataset:
-    - marker_start: '    # START managed SOC integration annotations'
+           {% set data = salt['file.read'](es_soc_annotations) | load_yaml %}
-    - marker_end: '    # END managed SOC integration annotations'
+           {% set es = data.get('elasticsearch', {}) %}
-    - content: {{ soc_annotation_lines | join('\n') | tojson }}
+           {% set index_settings = es.get('index_settings', {}) %}
-    - insert_after_match: '^    # Managed SOC integration annotations are inserted below this line\.'
+           {% set input = index_settings.get('so-logs', {}) %}
-    - append_if_not_found: False
+           {% for k in matched_integration_names %}
-    - show_changes: True
+           {%   do index_settings.update({k: input}) %}
           {% endfor %}
           {% for k in addon_integration_keys %}
           {%   if k not in matched_integration_names and k in index_settings %}
           {%     do index_settings.pop(k) %}
           {%   endif %}
           {% endfor %}
           {{ data }}
 {#   Managed elasticsearch/defaults.yaml file for enabling 'Revert to default' via SOC UI for newly added config items #}
 {%   set es_defaults = '/opt/so/saltstack/default/salt/elasticsearch/defaults.yaml' %}
 {{   es_defaults }}:
-  file.blockreplace:
+     file.serialize:
-    - marker_start: '    # START managed SOC integration defaults'
+       - dataset:
-    - marker_end: '    # END managed SOC integration defaults'
+           {% set data = salt['file.read'](es_defaults) | load_yaml %}
-    - content: {{ defaults_lines | join('\n') | tojson }}
+           {% set es = data.get('elasticsearch', {}) %}
-    - insert_after_match: '^  index_settings:$'
+           {% set index_settings = es.get('index_settings', {}) %}
-    - append_if_not_found: False
+           {% for k in matched_integration_names %}
-    - show_changes: True
+           {%   set input = ADDON_INTEGRATION_DEFAULTS[k] %}
-{% endif %}
+           {%     do index_settings.update({k: input})%}
           {% endfor %}
           {% for k in addon_integration_keys %}
           {%   if k not in matched_integration_names and k in index_settings %}
           {%     do index_settings.pop(k) %}
           {%   endif %}
           {% endfor %}
           {{ data }}
 {% endif %}
@@ -31,13 +31,11 @@ sync_es_users:
      - http: wait_for_kratos
      - file: so-user.lock # require so-user.lock file to be missing
-# we dont want this added too early in setup, so the onlyif gates on the
+# we dont want this added too early in setup, so we add the onlyif to verify 'startup_states: highstate'
-# /opt/so/state/setup-complete marker. The marker is written by
+# is in the minion config. That line is added before the final highstate during setup
 # mark_setup_complete in setup/so-functions just before the final setup
 # highstate (and by an upgrade-path state for systems set up under the old gate).
 so-user_sync:
  cron.present:
    - user: root
    - name: 'PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin /usr/sbin/so-user sync &>> /opt/so/log/soc/sync.log'
    - identifier: so-user_sync
-    - onlyif: "test -e /opt/so/state/setup-complete"
+    - onlyif: "grep -x 'startup_states: highstate' /etc/salt/minion"
@@ -188,6 +188,13 @@ airgap_update_dockers() {
  fi
 }
 backup_old_states_pillars() {
 	tar czf /nsm/backup/$(echo $INSTALLEDVERSION)_$(date +%Y%m%d-%H%M%S)_soup_default_states_pillars.tar.gz /opt/so/saltstack/default/
 	tar czf /nsm/backup/$(echo $INSTALLEDVERSION)_$(date +%Y%m%d-%H%M%S)_soup_local_states_pillars.tar.gz /opt/so/saltstack/local/
 }
 update_registry() {
  docker stop so-dockerregistry
  docker rm so-dockerregistry
@@ -363,9 +370,8 @@ preupgrade_changes() {
    # This function is to add any new pillar items if needed.
    echo "Checking to see if changes are needed."
-    [[ "$INSTALLEDVERSION" =~ ^2\.4\.21[0-9]+$ ]] && up_to_3.0.0
+    [[ "$INSTALLEDVERSION" =~ ^2\.4\.21[0-9]+$ ]] && up_to_3.0.0   
    [[ "$INSTALLEDVERSION" == "3.0.0" ]] && up_to_3.1.0
    [[ "$INSTALLEDVERSION" == "3.1.0" ]] && up_to_3.2.0
    true
 }
@@ -375,7 +381,6 @@ postupgrade_changes() {
    [[ "$POSTVERSION" =~ ^2\.4\.21[0-9]+$ ]] && post_to_3.0.0
    [[ "$POSTVERSION" == "3.0.0" ]] && post_to_3.1.0
    [[ "$POSTVERSION" == "3.1.0" ]] && post_to_3.2.0
    true
 }
@@ -737,98 +742,6 @@ post_to_3.1.0() {
 ### 3.1.0 End ###
 ### 3.2.0 Scripts ###
 bootstrap_so_soc_database() {
  # init-db.sh is mounted into so-postgres at /docker-entrypoint-initdb.d/init-db.sh
  # and runs automatically only on a fresh data directory. Hosts upgrading from
  # 3.1.0 already have /nsm/postgres populated, so the so_soc bootstrap block
  # added in 3.2 never fires. Re-run the script explicitly; it's idempotent.
  echo "Bootstrapping so_soc database via init-db.sh."
  # The postgres image has no USER directive, so `docker exec` defaults to
  # root, and the container env intentionally omits POSTGRES_USER (the upstream
  # entrypoint defaults it transiently during first-init only). Recreate both
  # so psql inside init-db.sh resolves the connect user correctly.
  local exec_cmd="docker exec -u postgres -e POSTGRES_USER=postgres so-postgres bash /docker-entrypoint-initdb.d/init-db.sh"
  if ! /usr/sbin/so-postgres-wait; then
    FINAL_MESSAGE_QUEUE+=("WARNING: so-postgres was not ready during the 3.2.0 upgrade; the so_soc database may not have been bootstrapped. Re-run manually: $exec_cmd")
    return 0
  fi
  if ! $exec_cmd; then
    FINAL_MESSAGE_QUEUE+=("WARNING: init-db.sh failed inside so-postgres during the 3.2.0 upgrade; the so_soc database may not have been bootstrapped. Re-run manually: $exec_cmd")
    return 0
  fi
  echo "so_soc bootstrap complete."
 }
 # Existing grids should keep ILM unless an admin explicitly opts in to DLM.
 pin_elasticsearch_data_retention_method() {
  local elasticsearch_file=/opt/so/saltstack/local/pillar/elasticsearch/soc_elasticsearch.sls
  mkdir -p "$(dirname "$elasticsearch_file")"
  [[ -f "$elasticsearch_file" ]] || touch "$elasticsearch_file"
  if so-yaml.py get -r "$elasticsearch_file" elasticsearch.data_retention_method >/dev/null 2>&1; then
    echo "elasticsearch.data_retention_method already set; leaving as-is."
    return 0
  fi
  echo "Pinning existing grid to ILM data retention."
  so-yaml.py add "$elasticsearch_file" elasticsearch.data_retention_method ILM
  chown socore:socore "$elasticsearch_file"
 }
 # Addes auto_expand_replicas setting to .kibana_streams index template
 #
 # In Kibana 9.3.3 the auto_expand_replicas setting was not added to the .kibana_streams index template. Causing single node deployments to be stuck in yellow state (unable to assign replica). Here we update the template in place using the so_kibana system user (system managed index template) to include the auto_expand_replicas setting
 #
 # Reference: https://github.com/elastic/kibana/issues/263048
 kibana_backport_streams_index_template() {
    local current_template updated_template
    current_template=$(so-elasticsearch-query "_index_template/.kibana_streams" --retry 3 --retry-delay 5 --fail)
    if [[ -z "$current_template" ]]; then
        echo "Unable to retrieve current .kibana_streams index template, skipping backport."
        return 0
    fi
    updated_template=$(jq '.index_templates[0].index_template | .template.settings += {"index.auto_expand_replicas": "0-1"} | del(.created_date_millis, .modified_date_millis)' <<< "$current_template")
    if ! kibana_user_pass=$(/usr/sbin/so-yaml.py get -r /opt/so/saltstack/local/pillar/elasticsearch/auth.sls elasticsearch.auth.users.so_kibana_user.pass); then
        echo "Unable to retrieve so_kibana_user password, skipping .kibana_streams index template backport."
        return 0
    fi
    if ! so-elasticsearch-query "_index_template/.kibana_streams" -XPUT -d "$updated_template" -u "so_kibana:$kibana_user_pass" --retry 3 --retry-delay 5 --fail; then
        echo "Unable to automatically update .kibana_streams index template"
        return 0
    fi
    ## NOTE: Should really add a check here for existing .kibana_streams index and then update its config in place
 }
 up_to_3.2.0() {
  fix_logstash_0013_lumberjack_pipeline_name
  pin_elasticsearch_data_retention_method
  INSTALLEDVERSION=3.2.0
 }
 post_to_3.2.0() {
  bootstrap_so_soc_database
  # Including agent regen script here since it was missed in post_to_3.1.0
  echo "Regenerating Elastic Agent Installers"
  /sbin/so-elastic-agent-gen-installers
  kibana_backport_streams_index_template
  POSTVERSION=3.2.0
 }
 ### 3.2.0 End ###
 repo_sync() {
  echo "Sync the local repo."
@@ -1615,7 +1528,13 @@ EOF
 # Keeping this block in case we need to do a hotfix that requires salt update
 apply_hotfix() {
-    echo "No actions required. ($INSTALLEDVERSION/$HOTFIXVERSION)"
+    if [[ "$INSTALLEDVERSION" == "3.1.0" ]] ; then
       # Do not remove this fix_logstash_0013_lumberjack_pipeline_name in future hotfixes without first validating older
       #  installs referencing "so/0013_input_lumberjack_fleet.conf" via pillar are upgradable
       fix_logstash_0013_lumberjack_pipeline_name
    else
        echo "No actions required. ($INSTALLEDVERSION/$HOTFIXVERSION)"
    fi
 }
 failed_soup_restore_items() {
@@ -1687,13 +1606,13 @@ main() {
  echo "Verifying we have the latest soup script."
  verify_latest_update_script
  echo "Verifying Elasticsearch version compatibility across the grid before upgrading."
  verify_es_version_compatibility
  echo "Let's see if we need to update Security Onion."
  upgrade_check
  upgrade_space
  echo "Verifying Elasticsearch version compatibility across the grid before upgrading."
  verify_es_version_compatibility
  echo "Checking for Salt Master and Minion updates."
  upgrade_check_salt
  set -e
@@ -1713,8 +1632,7 @@ main() {
    echo "Applying $HOTFIXVERSION hotfix"
    # since we don't run the backup.config_backup state on import we wont snapshot previous version states and pillars
    if [[ ! "$MINION_ROLE" == "import" ]]; then
-        echo "Running so-config-backup script."
+      backup_old_states_pillars
        /sbin/so-config-backup
    fi
    copy_new_files
    create_local_directories "/opt/so/saltstack/default"
@@ -1770,8 +1688,8 @@ main() {
    # since we don't run the backup.config_backup state on import we wont snapshot previous version states and pillars
    if [[ ! "$MINION_ROLE" == "import" ]]; then
      echo ""
-      echo "Running so-config-backup script."
+      echo "Creating snapshots of default and local Salt states and pillars and saving to /nsm/backup/"
-      /sbin/so-config-backup
+      backup_old_states_pillars
    fi
    echo ""
@@ -17,7 +17,6 @@ psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-E
        END IF;
    END
    \$\$;
    GRANT ALL ON SCHEMA public TO "$SO_POSTGRES_USER";
    GRANT ALL PRIVILEGES ON DATABASE "$POSTGRES_DB" TO "$SO_POSTGRES_USER";
    -- Lock the SOC database down at the connect layer; PUBLIC gets CONNECT
    -- by default, which would let per-minion telegraf roles open sessions
@@ -32,4 +31,4 @@ EOSQL
 # only ensures the shared database exists on first initialization.
 if ! psql -U "$POSTGRES_USER" -tAc "SELECT 1 FROM pg_database WHERE datname='so_telegraf'" | grep -q 1; then
    psql -v ON_ERROR_STOP=1 -U "$POSTGRES_USER" -c "CREATE DATABASE so_telegraf"
-fi
+fi
@@ -18,12 +18,26 @@ include:
 {% set TG_OUT = TELEGRAFMERGED.output | upper %}
 {% if TG_OUT in ['POSTGRES', 'BOTH'] %}
 # docker_container.running returns as soon as the container starts, but on
 # first-init docker-entrypoint.sh starts a temporary postgres with
 # `listen_addresses=''` to run /docker-entrypoint-initdb.d scripts, then
 # shuts it down before exec'ing the real CMD. A default pg_isready check
 # (Unix socket) passes during that ephemeral phase and races the shutdown
 # with "the database system is shutting down". Checking TCP readiness on
 # 127.0.0.1 only succeeds after the final postgres binds the port.
 postgres_wait_ready:
  cmd.run:
-    - name: /usr/sbin/so-postgres-wait
+    - name: |
        for i in $(seq 1 60); do
          if docker exec so-postgres pg_isready -h 127.0.0.1 -U postgres -q 2>/dev/null; then
            exit 0
          fi
          sleep 2
        done
        echo "so-postgres did not accept TCP connections within 120s" >&2
        exit 1
    - require:
      - docker_container: so-postgres
      - file: postgres_sbin
 # Ensure the shared Telegraf database exists. init-db.sh only runs on a
 # fresh data dir, so hosts upgraded onto an existing /nsm/postgres volume
@@ -1,32 +0,0 @@
 #!/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 # Wait for the so-postgres container to accept TCP connections.
 #
 # docker_container.running returns as soon as the container starts, but on
 # first-init docker-entrypoint.sh starts a temporary postgres with
 # `listen_addresses=''` to run /docker-entrypoint-initdb.d scripts, then
 # shuts it down before exec'ing the real CMD. A default pg_isready check
 # (Unix socket) passes during that ephemeral phase and races the shutdown
 # with "the database system is shutting down". Checking TCP readiness on
 # 127.0.0.1 only succeeds after the final postgres binds the port.
 #
 # Usage: so-postgres-wait [iterations] [sleep_seconds]
 # Default: 60 iterations, 2s sleep (~120s total).
 ITERATIONS=${1:-60}
 SLEEP_SECONDS=${2:-2}
 for i in $(seq 1 "$ITERATIONS"); do
  if docker exec so-postgres pg_isready -h 127.0.0.1 -U postgres -q 2>/dev/null; then
    exit 0
  fi
  sleep "$SLEEP_SECONDS"
 done
 echo "so-postgres did not accept TCP connections within $((ITERATIONS * SLEEP_SECONDS))s" >&2
 exit 1
@@ -1,5 +1,6 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
-{% if GLOBALS.os == 'OEL' %}
+{# OL10 test path uses public repos; skip the SO repo state (which removes public repos and points at /nsm/repo) #}
 {% if GLOBALS.os == 'OEL' and GLOBALS.os_version|int == 9 %}
 include:
  - repo.client.oracle
 {% endif %}
@@ -1,31 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 # Manages /etc/systemd/system/so-boot-highstate.service, a Type=oneshot
 # RemainAfterExit=yes unit that runs `salt-call state.highstate` exactly once
 # per system boot. Replaces the legacy `startup_states: highstate` minion
 # config, which fired on every salt-minion service restart (causing a redundant
 # highstate whenever a highstate itself restarted salt-minion).
 include:
  - systemd.reload
 so_boot_highstate_unit_file:
  file.managed:
    - name: /etc/systemd/system/so-boot-highstate.service
    - source: salt://salt/service/so-boot-highstate.service
    - onchanges_in:
      - module: systemd_reload
 # Only enable once setup is complete. Until then the gate file is missing and
 # the unit's own ConditionPathExists would no-op it anyway -- this just keeps
 # `systemctl is-enabled` honest for the sync_es_users gate.
 so_boot_highstate_service:
  service.enabled:
    - name: so-boot-highstate.service
    - onlyif: test -e /opt/so/state/setup-complete
    - require:
      - file: so_boot_highstate_unit_file
      - module: systemd_reload
@@ -17,7 +17,6 @@ include:
  - repo.client
  - salt.mine_functions
  - salt.minion.service_file
  - salt.minion.boot_highstate
 {% if GLOBALS.is_manager %}
  - ca.signing_policy
 {% endif %}
@@ -81,33 +80,11 @@ set_log_levels:
      - "log_level: info"
      - "log_level_logfile: info"
-# startup_states: highstate caused a full highstate to run on every
+enable_startup_states:
-# salt-minion service start, including the restart triggered when a highstate
+  file.uncomment:
 # itself modified the minion config (beacons, mine, unit file). Replaced by
 # so-boot-highstate.service (managed in salt.minion.boot_highstate), which
 # runs once per system boot only. Strip the line from /etc/salt/minion on
 # upgrade; both the commented and uncommented forms historically existed.
 remove_startup_states:
  file.line:
    - name: /etc/salt/minion
-    - match: 'startup_states: highstate'
+    - regex: '^startup_states: highstate$'
-    - mode: delete
+    - unless: pgrep so-setup
 # Upgrade-path bridge: systems that already passed setup under the old gate
 # (`grep -x 'startup_states: highstate' /etc/salt/minion`) get a /opt/so/state/setup-complete
 # marker so so-boot-highstate.service can be enabled and the so-user_sync cron
 # in sync_es_users.sls keeps installing. Setup-in-progress systems instead get
 # the marker from `mark_setup_complete` in setup/so-functions at the right
 # moment. `replace: false` means we never overwrite a marker once written.
 mark_setup_complete_for_upgrades:
  file.managed:
    - name: /opt/so/state/setup-complete
    - replace: false
    - makedirs: True
    - onlyif: "grep -qx 'startup_states: highstate' /etc/salt/minion"
    - require_in:
      - file: remove_startup_states
      - service: so_boot_highstate_service
 {% endif %}
@@ -1,14 +0,0 @@
 [Unit]
 Description=Security Onion boot-time highstate (runs once per boot)
 After=salt-minion.service network-online.target docker.service
 Wants=network-online.target docker.service
 Requires=salt-minion.service
 ConditionPathExists=/opt/so/state/setup-complete
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/usr/bin/salt-call state.highstate -l info queue=True
 [Install]
 WantedBy=multi-user.target
@@ -8,6 +8,11 @@ set_role_grain:
    - name: role
    - value: so-{{ grains.id.split("_") | last }}
 set_highstate:
  file.append:
    - name: /etc/salt/minion
    - text: 'startup_states: highstate'
 enable_salt_minion:
  service.enabled:
    - name: salt-minion
@@ -1519,16 +1519,6 @@ soc:
              serviceAccountJSON: ""
              serviceAccountLocation: ""
              healthTimeoutSeconds: 5
        onionconfig:
          saltstackDir: /opt/so/saltstack
          bypassEnabled: false
        postgres:
          host: ""
          port: 5432
          sslMode: "allow"
          database: securityonion
          user: ""
          password: ""
        salt:
          queueDir: /opt/sensoroni/queue
          timeoutMs: 45000
@@ -16,14 +16,6 @@
 {% do SOCMERGED.config.server.update({'additionalCA': MANAGERMERGED.additionalCA}) %}
 {% do SOCMERGED.config.server.update({'insecureSkipVerify': MANAGERMERGED.insecureSkipVerify}) %}
 {% if not SOCMERGED.config.server.modules.postgres.host %}
 {%   do SOCMERGED.config.server.modules.postgres.update({'host': GLOBALS.manager}) %}
 {% endif %}
 {% if not SOCMERGED.config.server.modules.postgres.password %}
 {%   do SOCMERGED.config.server.modules.postgres.update({'password': salt['pillar.get']('postgres:auth:users:so_postgres_user:pass', '')}) %}
 {%   do SOCMERGED.config.server.modules.postgres.update({'user': salt['pillar.get']('postgres:auth:users:so_postgres_user:user', 'so_postgres')}) %}
 {% endif %}
 {# if SOCMERGED.config.server.modules.cases == httpcase details come from the soc pillar #}
 {% if SOCMERGED.config.server.modules.cases != 'soc' %}
 {%   do SOCMERGED.config.server.modules.elastic.update({'casesEnabled': false}) %}
@@ -453,42 +453,6 @@ soc:
            description: Duration (in milliseconds) that must elapse after a grid node fails to check-in before the node will be marked offline (fault).
            global: True
            advanced: True
        onionconfig:
          saltstackDir:
            description: Root directory containing the SaltStack tree that SOC reads and writes configuration from. Should not be changed under normal circumstances.
            global: True
            advanced: True
          bypassEnabled:
            description: When enabled, errors encountered while reading the SaltStack pillar tree (missing files, unreadable directories, etc.) are logged but do not prevent SOC from starting or serving settings. Intended for advanced troubleshooting and recovery scenarios when the pillar tree is partially unreadable.
            global: True
            advanced: True
            forcedType: bool
        postgres:
          host:
            description: Hostname or IP address of the PostgreSQL server used by SOC. Defaults to the manager hostname.
            global: True
            advanced: True
          port:
            description: Port of the PostgreSQL server used by SOC.
            global: True
            advanced: True
          sslMode:
            description: "Use encrypted connections to the PostgreSQL server. Must be one of the following values: disable, allow, prefer, require, verify-ca, verify-full.  Defaults to allow."
            global: True
            advanced: True
          database:
            description: Database used by SOC to authenticate to the PostgreSQL server.
            global: True
            advanced: True
          user:
            description: Username used by SOC to authenticate to the PostgreSQL server.
            global: True
            advanced: True
          password:
            description: Password used by SOC to authenticate to the PostgreSQL server.
            global: True
            sensitive: True
            advanced: True
        salt:
          longRelayTimeoutMs:
            description: Duration (in milliseconds) to wait for a response from the Salt API when executing tasks known for being long running before giving up and showing an error on the SOC UI.
@@ -854,7 +818,6 @@ soc:
          description: List of available external tools visible in the SOC UI. Each tool is defined in JSON object notation, and must include the "name" key and "link" key, where the link is the tool's URL.
          global: True
          advanced: True
          multiline: True
          forcedType: "[]{}"
        exportNodeId:
          description: The node ID on which export jobs will be executed.
@@ -31,6 +31,7 @@
    'so_model': INIT.GRAINS.get('sosmodel',''),
    'sensoroni_key': INIT.PILLAR.sensoroni.config.sensoronikey,
    'os': INIT.GRAINS.os,
    'os_version': INIT.GRAINS.osmajorrelease,
    'os_family': INIT.GRAINS.os_family,
    'application_urls': {},
    'manager_roles': [
@@ -539,19 +539,16 @@ configure_minion() {
 		"  x509_v2: true"\
 		"log_level: info"\
 		"log_level_logfile: info"\
-		"log_file: /opt/so/log/salt/minion" >> "$minion_config"
+		"log_file: /opt/so/log/salt/minion"\
 		"#startup_states: highstate" >> "$minion_config"
 }
-mark_setup_complete() {
+checkin_at_boot() {
-	# Writes the setup-complete marker. Salt's so-boot-highstate.service
+	local minion_config=/etc/salt/minion
 	# (boot-time oneshot) and the so-user_sync cron gate in
 	# salt/manager/sync_es_users.sls both key off this file.
 	local marker=/opt/so/state/setup-complete
-	info "Marking setup as complete"
+	info "Enabling checkin at boot"
-	mkdir -p "$(dirname "$marker")"
+	sed -i 's/#startup_states: highstate/startup_states: highstate/' "$minion_config"
 	touch "$marker"
 }
 check_requirements() {
@@ -906,14 +903,14 @@ detect_cloud() {
 detect_os() {
 	title "Detecting Base OS"
-	if [ -f /etc/redhat-release ] && grep -q "Red Hat Enterprise Linux release 9" /etc/redhat-release && [ -f /etc/oracle-release ]; then
+	if [ -f /etc/oracle-release ] && grep -qE "release (9|10)\b" /etc/oracle-release; then
 		OS=oracle
-		OSVER=9
+		OSVER=$(grep -oE "release [0-9]+" /etc/oracle-release | grep -oE "[0-9]+")
 		is_oracle=true
 		is_rpm=true
 		is_supported=true
 	else
-		info "This OS is not supported. Security Onion requires Oracle Linux 9."
+		info "This OS is not supported. Security Onion requires Oracle Linux 9 or 10."
 		fail_setup
 	fi
@@ -1786,6 +1783,15 @@ ensure_pyyaml() {
 # - securityonion/salt/salt/minion.defaults.yaml
 securityonion_repo() {
 	if [[ "$OSVER" == "10" ]]; then
 		# TEST PATH: Oracle Linux 10 uses the public OL10 + EPEL + Docker CE repos.
 		# Keep the stock /etc/yum.repos.d/* in place, skip the SO mirror and local reposync.
 		gpg_rpm_import
 		logCmd "dnf -y install oracle-epel-release-el10"
 		logCmd "dnf -y config-manager --add-repo https://download.docker.com/linux/rhel/docker-ce.repo"
 		logCmd "dnf repolist"
 		return
 	fi
 	# Remove all the current repos
 	logCmd "dnf -v clean all"
 	logCmd "mkdir -vp /root/oldrepos"
@@ -1880,12 +1886,19 @@ saltify() {
 	info "Installing Salt $SALTVERSION"
 	chmod u+x ../salt/salt/scripts/bootstrap-salt.sh
 	# Normally Salt packages come from the SO mirror, so -r disables the bootstrap's own repo setup.
 	# On the OL10 test path there is no SO mirror, so let bootstrap configure the public Salt repo.
 	local saltrepoflag="-r"
 	if [[ "$OSVER" == "10" ]]; then
 		saltrepoflag=""
 	fi
 	if [[ $waitforstate ]]; then
 		# install all for a manager
-		retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -r -M -X stable $SALTVERSION" || fail_setup
+		retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh $saltrepoflag -M -X stable $SALTVERSION" || fail_setup
 	else
 		# just a minion
-		retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -r -X stable $SALTVERSION" || fail_setup
+		retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh $saltrepoflag -X stable $SALTVERSION" || fail_setup
 	fi
 	salt_install_module_deps
@@ -792,7 +792,7 @@ if ! [[ -f $install_opt_file ]]; then
 			error "Failed to run so-elastic-fleet-setup"
 			fail_setup
 		fi
-		mark_setup_complete
+		checkin_at_boot
 		set_initial_firewall_access
        initialize_elasticsearch_indices "so-case so-casehistory so-assistant-session so-assistant-chat"
 		# run a final highstate before enabling scheduled highstates.