update index template priorities + explicity add datastream config options

rollover datastreams to get latest index templates + remove existing ilm policies from so-case / so-detection indices
remove unused close/delete configs on datastream index templates
2026-03-25 05:52:41 +01:00 · 2026-03-17 13:50:15 -05:00 · 2026-03-17 13:49:20 -05:00 · 2026-03-16 17:26:45 -05:00 · 2026-03-16 16:53:22 -05:00 · 2026-03-16 16:52:42 -05:00
16 changed files with 343 additions and 1167 deletions
--- a/.github/DISCUSSION_TEMPLATE/2-4.yml
+++ b/.github/DISCUSSION_TEMPLATE/2-4.yml
@@ -33,7 +33,7 @@ body:
        - 2.4.200
        - 2.4.201
        - 2.4.210
-        - 3.0.0
+        - 2.4.211
        - Other (please provide detail below)
    validations:
      required: true
--- a/.github/DISCUSSION_TEMPLATE/3-0.yml
+++ b/.github/DISCUSSION_TEMPLATE/3-0.yml
@@ -0,0 +1,177 @@
 body:
  - type: markdown
    attributes:
      value: |
        If your organization needs more immediate, enterprise grade professional support, with one-on-one virtual meetings and screensharing, contact us via our website: https://securityonion.com/support
  - type: dropdown
    attributes:
      label: Version
      description: Which version of Security Onion are you asking about?
      options:
        -
        - 3.0.0
        - Other (please provide detail below)
    validations:
      required: true
  - type: dropdown
    attributes:
      label: Installation Method
      description: How did you install Security Onion?
      options:
        -
        - Security Onion ISO image
        - Cloud image (Amazon, Azure, Google)
        - Network installation on Oracle 9 (unsupported)
        - Other (please provide detail below)
    validations:
      required: true
  - type: dropdown
    attributes:
      label: Description
      description: >
        Is this discussion about installation, configuration, upgrading, or other?
      options:
        -
        - installation
        - configuration
        - upgrading
        - other (please provide detail below)
    validations:
      required: true
  - type: dropdown
    attributes:
      label: Installation Type
      description: >
        When you installed, did you choose Import, Eval, Standalone, Distributed, or something else?
      options:
        -
        - Import
        - Eval
        - Standalone
        - Distributed
        - other (please provide detail below)
    validations:
      required: true
  - type: dropdown
    attributes:
      label: Location
      description: >
        Is this deployment in the cloud, on-prem with Internet access, or airgap?
      options:
        -
        - cloud
        - on-prem with Internet access
        - airgap
        - other (please provide detail below)
    validations:
      required: true
  - type: dropdown
    attributes:
      label: Hardware Specs
      description: >
        Does your hardware meet or exceed the minimum requirements for your installation type as shown at https://securityonion.net/docs/hardware?
      options:
        -
        - Meets minimum requirements
        - Exceeds minimum requirements
        - Does not meet minimum requirements
        - other (please provide detail below)
    validations:
      required: true
  - type: input
    attributes:
      label: CPU
      description: How many CPU cores do you have?
    validations:
      required: true
  - type: input
    attributes:
      label: RAM
      description: How much RAM do you have?
    validations:
      required: true
  - type: input
    attributes:
      label: Storage for /
      description: How much storage do you have for the / partition?
    validations:
      required: true
  - type: input
    attributes:
      label: Storage for /nsm
      description: How much storage do you have for the /nsm partition?
    validations:
      required: true
  - type: dropdown
    attributes:
      label: Network Traffic Collection
      description: >
        Are you collecting network traffic from a tap or span port?
      options:
        -
        - tap
        - span port
        - other (please provide detail below)
    validations:
      required: true
  - type: dropdown
    attributes:
      label: Network Traffic Speeds
      description: >
        How much network traffic are you monitoring?
      options:
        -
        - Less than 1Gbps
        - 1Gbps to 10Gbps
        - more than 10Gbps
    validations:
      required: true
  - type: dropdown
    attributes:
      label: Status
      description: >
        Does SOC Grid show all services on all nodes as running OK?
      options:
        -
        - Yes, all services on all nodes are running OK
        - No, one or more services are failed (please provide detail below)
    validations:
      required: true
  - type: dropdown
    attributes:
      label: Salt Status
      description: >
        Do you get any failures when you run "sudo salt-call state.highstate"?
      options:
        -
        - Yes, there are salt failures (please provide detail below)
        - No, there are no failures
    validations:
      required: true
  - type: dropdown
    attributes:
      label: Logs
      description: >
        Are there any additional clues in /opt/so/log/?
      options:
        -
        - Yes, there are additional clues in /opt/so/log/ (please provide detail below)
        - No, there are no additional clues
    validations:
      required: true
  - type: textarea
    attributes:
      label: Detail
      description: Please read our discussion guidelines at https://github.com/Security-Onion-Solutions/securityonion/discussions/1720 and then provide detailed information to help us help you.
      placeholder: |-
        STOP! Before typing, please read our discussion guidelines at https://github.com/Security-Onion-Solutions/securityonion/discussions/1720 in their entirety!
        If your organization needs more immediate, enterprise grade professional support, with one-on-one virtual meetings and screensharing, contact us via our website: https://securityonion.com/support
    validations:
      required: true
  - type: checkboxes
    attributes:
      label: Guidelines
      options:
        - label: I have read the discussion guidelines at https://github.com/Security-Onion-Solutions/securityonion/discussions/1720 and assert that I have followed the guidelines.
          required: true
--- a/salt/common/files/daemon.json
+++ b/salt/common/files/daemon.json
@@ -8,5 +8,12 @@
      "base": "172.17.0.0/24",
      "size": 24
    }
-  ]
+  ],
  "default-ulimits": {
      "nofile": {
        "Name": "nofile",
        "Soft": 1048576,
        "Hard": 1048576
      }
  }
 }
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -550,6 +550,22 @@ retry() {
        return $exitcode
 }
 rollover_index() {
  idx=$1
  exists=$(so-elasticsearch-query $idx -o /dev/null -w "%{http_code}")
  if [[ $exists -eq 200 ]]; then
    rollover=$(so-elasticsearch-query $idx/_rollover -o /dev/null -w "%{http_code}" -XPOST)
    if [[ $rollover -eq 200 ]]; then
      echo "Successfully triggered rollover for $idx..."
    else
      echo "Could not trigger rollover for $idx..."
    fi
  else
    echo "Could not find index $idx..."
  fi
 }
 run_check_net_err() {
 	local cmd=$1
 	local err_msg=${2:-"Unknown error occured, please check /root/$WHATWOULDYOUSAYYAHDOHERE.log for details."} # Really need to rename that variable
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -117,7 +117,7 @@ elasticsearch:
        ignore_missing_component_templates: []
        index_patterns:
        - so-case*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -129,8 +129,6 @@ elasticsearch:
                match_mapping_type: string
          settings:
            index:
              lifecycle:
                name: so-case-logs
              mapping:
                total_fields:
                  limit: 1500
@@ -141,14 +139,7 @@ elasticsearch:
              sort:
                field: '@timestamp'
                order: desc
      policy:
        phases:
          hot:
            actions: {}
            min_age: 0ms
    so-common:
      close: 30
      delete: 365
      index_sorting: false
      index_template:
        composed_of:
@@ -212,7 +203,9 @@ elasticsearch:
        - common-settings
        - common-dynamic-mappings
        - winlog-mappings
-        data_stream: {}
+        data_stream:
          allow_custom_routing: false
          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
        - logs-*-so*
@@ -272,7 +265,7 @@ elasticsearch:
        ignore_missing_component_templates: []
        index_patterns:
        - so-detection*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -284,8 +277,6 @@ elasticsearch:
                match_mapping_type: string
          settings:
            index:
              lifecycle:
                name: so-detection-logs
              mapping:
                total_fields:
                  limit: 1500
@@ -296,11 +287,6 @@ elasticsearch:
              sort:
                field: '@timestamp'
                order: desc
      policy:
        phases:
          hot:
            actions: {}
            min_age: 0ms
    sos-backup:
      index_sorting: false
      index_template:
@@ -460,7 +446,7 @@ elasticsearch:
        ignore_missing_component_templates: []
        index_patterns:
        - endgame*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -508,8 +494,6 @@ elasticsearch:
                priority: 50
            min_age: 30d
    so-idh:
      close: 30
      delete: 365
      index_sorting: false
      index_template:
        composed_of:
@@ -566,8 +550,8 @@ elasticsearch:
        - common-dynamic-mappings
        ignore_missing_component_templates: []
        index_patterns:
-        - so-idh-*
+        - logs-idh-so*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -677,11 +661,13 @@ elasticsearch:
        - common-dynamic-mappings
        - winlog-mappings
        - hash-mappings
-        data_stream: {}
+        data_stream:
          allow_custom_routing: false
          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
        - logs-import-so*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -736,7 +722,7 @@ elasticsearch:
        ignore_missing_component_templates: []
        index_patterns:
        - so-ip*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -751,19 +737,12 @@ elasticsearch:
              mapping:
                total_fields:
                  limit: 1500
              lifecycle:
                name: so-ip-mappings-logs
              number_of_replicas: 0
              number_of_shards: 1
              refresh_interval: 30s
              sort:
                field: '@timestamp'
                order: desc
      policy:
        phases:
          hot:
            actions: {}
            min_age: 0ms
    so-items:
      index_sorting: false
      index_template:
@@ -772,7 +751,7 @@ elasticsearch:
        ignore_missing_component_templates: []
        index_patterns:
        - .items-default-**
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -851,8 +830,6 @@ elasticsearch:
                priority: 50
            min_age: 30d
    so-kratos:
      close: 30
      delete: 365
      index_sorting: false
      index_template:
        composed_of:
@@ -873,7 +850,7 @@ elasticsearch:
        ignore_missing_component_templates: []
        index_patterns:
        - logs-kratos-so*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -921,8 +898,6 @@ elasticsearch:
                priority: 50
            min_age: 30d
    so-hydra:
      close: 30
      delete: 365
      index_sorting: false
      index_template:
        composed_of:
@@ -983,7 +958,7 @@ elasticsearch:
        ignore_missing_component_templates: []
        index_patterns:
        - logs-hydra-so*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -1038,7 +1013,7 @@ elasticsearch:
        ignore_missing_component_templates: []
        index_patterns:
        - .lists-default-**
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -1524,6 +1499,9 @@ elasticsearch:
        - so-fleet_integrations.ip_mappings-1
        - so-fleet_globals-1
        - so-fleet_agent_id_verification-1
        data_stream:
          allow_custom_routing: false
          hidden: false
        ignore_missing_component_templates:
        - logs-elastic_agent.cloudbeat@custom
        index_patterns:
@@ -1759,6 +1737,9 @@ elasticsearch:
        - so-fleet_integrations.ip_mappings-1
        - so-fleet_globals-1
        - so-fleet_agent_id_verification-1
        data_stream:
          allow_custom_routing: false
          hidden: false
        ignore_missing_component_templates:
        - logs-elastic_agent.heartbeat@custom
        index_patterns:
@@ -3018,8 +2999,6 @@ elasticsearch:
                priority: 50
            min_age: 30d
    so-logs-soc:
      close: 30
      delete: 365
      index_sorting: false
      index_template:
        composed_of:
@@ -3074,11 +3053,13 @@ elasticsearch:
        - dtc-user_agent-mappings
        - common-settings
        - common-dynamic-mappings
-        data_stream: {}
+        data_stream:
          allow_custom_routing: false
          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
        - logs-soc-so*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -3668,10 +3649,13 @@ elasticsearch:
        - vulnerability-mappings
        - common-settings
        - common-dynamic-mappings
        data_stream:
          allow_custom_routing: false
          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
        - logs-logstash-default*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -3971,8 +3955,8 @@ elasticsearch:
        - common-dynamic-mappings
        ignore_missing_component_templates: []
        index_patterns:
-        - logs-redis-default*
+        - logs-redis.log*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -4083,11 +4067,13 @@ elasticsearch:
        - common-settings
        - common-dynamic-mappings
        - hash-mappings
-        data_stream: {}
+        data_stream:
          allow_custom_routing: false
          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
        - logs-strelka-so*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -4197,11 +4183,13 @@ elasticsearch:
        - common-settings
        - common-dynamic-mappings
        - hash-mappings
-        data_stream: {}
+        data_stream:
          allow_custom_routing: false
          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
        - logs-suricata-so*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -4311,11 +4299,13 @@ elasticsearch:
        - common-settings
        - common-dynamic-mappings
        - hash-mappings
-        data_stream: {}
+        data_stream:
          allow_custom_routing: false
          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
        - logs-suricata.alerts-*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -4425,11 +4415,13 @@ elasticsearch:
        - vulnerability-mappings
        - common-settings
        - common-dynamic-mappings
-        data_stream: {}
+        data_stream:
          allow_custom_routing: false
          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
        - logs-syslog-so*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -4541,11 +4533,13 @@ elasticsearch:
        - common-settings
        - common-dynamic-mappings
        - hash-mappings
-        data_stream: {}
+        data_stream:
          allow_custom_routing: false
          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
        - logs-zeek-so*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
--- a/salt/manager/tools/sbin/so-minion
+++ b/salt/manager/tools/sbin/so-minion
@@ -462,19 +462,14 @@ function add_sensor_to_minion() {
        echo "      lb_procs: '$CORECOUNT'"
        echo "suricata:"
        echo "  enabled: True "
        echo "  pcap:"
        echo "    enabled: True"
        if [[ $is_pcaplimit ]]; then
            echo "  pcap:"
            echo "    maxsize: $MAX_PCAP_SPACE"
        fi
        echo "  config:"
        echo "    af-packet:"
        echo "      threads: '$CORECOUNT'"
        echo "pcap:"
        echo "  enabled: True"
        if [[ $is_pcaplimit ]]; then
            echo "  config:"
            echo "    diskfreepercentage: $DFREEPERCENT"
        fi
        echo "  "
    } >> $PILLARFILE
    if [ $? -ne 0 ]; then
--- a/salt/manager/tools/sbin/so-yaml.py
+++ b/salt/manager/tools/sbin/so-yaml.py
@@ -256,7 +256,7 @@ def replacelistobject(args):
 def addKey(content, key, value):
    pieces = key.split(".", 1)
    if len(pieces) > 1:
-        if not pieces[0] in content:
+        if pieces[0] not in content or content[pieces[0]] is None:
            content[pieces[0]] = {}
        addKey(content[pieces[0]], pieces[1], value)
    elif key in content:
@@ -346,7 +346,12 @@ def get(args):
        print(f"Key '{key}' not found by so-yaml.py", file=sys.stderr)
        return 2
-    print(yaml.safe_dump(output))
+    if isinstance(output, bool):
        print(str(output).lower())
    elif isinstance(output, (dict, list)):
        print(yaml.safe_dump(output).strip())
    else:
        print(output)
    return 0
--- a/salt/manager/tools/sbin/so-yaml_test.py
+++ b/salt/manager/tools/sbin/so-yaml_test.py
@@ -393,7 +393,7 @@ class TestRemove(unittest.TestCase):
            result = soyaml.get([filename, "key1.child2.deep1"])
            self.assertEqual(result, 0)
-            self.assertIn("45\n...", mock_stdout.getvalue())
+            self.assertEqual("45\n", mock_stdout.getvalue())
    def test_get_str(self):
        with patch('sys.stdout', new=StringIO()) as mock_stdout:
@@ -404,7 +404,18 @@ class TestRemove(unittest.TestCase):
            result = soyaml.get([filename, "key1.child2.deep1"])
            self.assertEqual(result, 0)
-            self.assertIn("hello\n...", mock_stdout.getvalue())
+            self.assertEqual("hello\n", mock_stdout.getvalue())
    def test_get_bool(self):
        with patch('sys.stdout', new=StringIO()) as mock_stdout:
            filename = "/tmp/so-yaml_test-get.yaml"
            file = open(filename, "w")
            file.write("{key1: { child1: 123, child2: { deep1: 45 } }, key2: false, key3: [e,f,g]}")
            file.close()
            result = soyaml.get([filename, "key2"])
            self.assertEqual(result, 0)
            self.assertEqual("false\n", mock_stdout.getvalue())
    def test_get_list(self):
        with patch('sys.stdout', new=StringIO()) as mock_stdout:
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
--- a/salt/nginx/etc/nginx.conf
+++ b/salt/nginx/etc/nginx.conf
@@ -387,15 +387,13 @@ http {
 		error_page 429 = @error429;
 		location @error401 {
-			if ($request_uri ~* (^/connect/.*|^/oauth2/.*)) {
+			if ($request_uri ~* (^/api/.*|^/connect/.*|^/oauth2/.*)) {
 				return    401;
 			}
-			if ($request_uri ~* ^/(?!(^/api/.*))) {
+			add_header    Strict-Transport-Security   "max-age=31536000; includeSubDomains";
 				add_header    Strict-Transport-Security   "max-age=31536000; includeSubDomains";
 			}
-			if ($request_uri ~* ^/(?!(api/|login|auth|oauth2|$))) {
+			if ($request_uri ~* ^/(?!(login|auth|oauth2|$))) {
 				add_header    Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400";
 			}
 			return        302 /auth/self-service/login/browser;
--- a/salt/salt/cloud/cloud.profiles.d/socloud.conf.jinja
+++ b/salt/salt/cloud/cloud.profiles.d/socloud.conf.jinja
@@ -29,7 +29,11 @@ sool9_{{host}}:
    hypervisor_host: {{host ~ "_" ~ role}}
  preflight_cmds:
    - |
-      tee -a /etc/hosts <<< "{{ MANAGERIP }}    {{ MANAGERHOSTNAME }}"
+      {%- set hostnames = [MANAGERHOSTNAME] %}
      {%- if not (URL_BASE | ipaddr) and URL_BASE != MANAGERHOSTNAME %}
      {%-   do hostnames.append(URL_BASE) %}
      {%- endif %}
      tee -a /etc/hosts <<< "{{ MANAGERIP }}    {{ hostnames | join('  ') }}"
    - |
      timeout 600 bash -c 'trap "echo \"Preflight Check: Failed to establish repo connectivity\"; exit 1" TERM; \
        while ! dnf makecache --repoid=securityonion >/dev/null 2>&1; do echo "Preflight Check: Waiting for repo connectivity..."; \
--- a/salt/salt/cloud/config.sls
+++ b/salt/salt/cloud/config.sls
@@ -14,6 +14,7 @@
 {%   if 'vrt' in salt['pillar.get']('features', []) %}
 {%     set HYPERVISORS = salt['pillar.get']('hypervisor:nodes', {} ) %}
 {%     from 'salt/map.jinja' import SALTVERSION %}
 {%     from 'vars/globals.map.jinja' import GLOBALS %}
 {%     if HYPERVISORS %}
 cloud_providers:
@@ -34,6 +35,7 @@ cloud_profiles:
        MANAGERHOSTNAME: {{ grains.host }}
        MANAGERIP: {{ pillar.host.mainip }}
        SALTVERSION: {{ SALTVERSION }}
        URL_BASE: {{ GLOBALS.url_base }}
    - template: jinja
    - makedirs: True
 {%     else %}
--- a/salt/salt/engines/master/virtual_node_manager.py
+++ b/salt/salt/engines/master/virtual_node_manager.py
@@ -805,11 +805,6 @@ def process_vm_creation(hypervisor_path: str, vm_config: dict) -> None:
                    mark_invalid_hardware(hypervisor_path, vm_name, vm_config,
                                        {'nsm_size': 'Invalid nsm_size: must be positive integer'})
                    return
                if size > 10000:  # 10TB reasonable maximum
                    log.error("VM: %s - nsm_size %dGB exceeds reasonable maximum (10000GB)", vm_name, size)
                    mark_invalid_hardware(hypervisor_path, vm_name, vm_config,
                                        {'nsm_size': f'Invalid nsm_size: {size}GB exceeds maximum (10000GB)'})
                    return
                log.debug("VM: %s - nsm_size validated: %dGB", vm_name, size)
            except (ValueError, TypeError) as e:
                log.error("VM: %s - nsm_size must be a valid integer, got: %s", vm_name, vm_config.get('nsm_size'))
--- a/salt/suricata/defaults.yaml
+++ b/salt/suricata/defaults.yaml
@@ -1,6 +1,7 @@
 suricata:
  enabled: False
  pcap:
    enabled: "no"
    filesize: 1000mb
    maxsize: 25
    compression: "none"
@@ -141,8 +142,6 @@ suricata:
        enabled: "no"
      tls-store:
        enabled: "no"
      pcap-log:
        enabled: "no"
      alert-debug:
        enabled: "no"
      alert-prelude:
--- a/salt/suricata/map.jinja
+++ b/salt/suricata/map.jinja
@@ -11,13 +11,18 @@
 {# before we change outputs back to list, enable pcap-log if suricata is the pcapengine #}
 {% if GLOBALS.pcap_engine in ["SURICATA"] %}
 {# initialize pcap-log in config.outputs since we dont put it in defaults #}
 {%   if 'pcap-log' not in SURICATAMERGED.config.outputs %}
 {%     do SURICATAMERGED.config.outputs.update({'pcap-log': {}}) %}
 {%   endif %}
 {%   from 'bpf/pcap.map.jinja' import PCAPBPF, PCAP_BPF_STATUS %}
 {%   if PCAPBPF and PCAP_BPF_STATUS %}
 {%     do SURICATAMERGED.config.outputs['pcap-log'].update({'bpf-filter': PCAPBPF|join(" ")}) %}
 {%   endif %}
 {%   do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': 'yes'}) %}
 {#   move the items in suricata.pcap into suricata.config.outputs.pcap-log. these items were placed under suricata.config for ease of access in SOC #}
 {%   do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': SURICATAMERGED.pcap.enabled}) %}
 {%   do SURICATAMERGED.config.outputs['pcap-log'].update({'compression': SURICATAMERGED.pcap.compression}) %}
 {%   do SURICATAMERGED.config.outputs['pcap-log'].update({'lz4-checksum': SURICATAMERGED.pcap['lz4-checksum']}) %}
 {%   do SURICATAMERGED.config.outputs['pcap-log'].update({'lz4-level': SURICATAMERGED.pcap['lz4-level']}) %}
--- a/salt/suricata/soc_suricata.yaml
+++ b/salt/suricata/soc_suricata.yaml
@@ -22,6 +22,10 @@ suricata:
      title: Classifications
      helpLink: suricata.html
  pcap:
    enabled:
      description: Enables or disables the Suricata packet recording process.
      forcedType: bool
      helpLink: suricata.html
    filesize: 
      description: Maximum file size for individual PCAP files written by Suricata. Increasing this number could improve write performance at the expense of pcap retrieval time.
      advanced: True
@@ -209,12 +213,6 @@ suricata:
              header:
                description: Header name where the actual IP address will be reported.
                helpLink: suricata.html
      pcap-log:
        enabled:
          description: This value is ignored by SO. pcapengine in globals takes precedence.
          readonly: True
          helpLink: suricata.html
          advanced: True        
    asn1-max-frames:
      description: Maximum nuber of asn1 frames to decode.
      helpLink: suricata.html
Author	SHA1	Message	Date
reyesj2	a52e5d0474	update index template priorities + explicity add datastream config options	2026-03-17 13:50:15 -05:00
reyesj2	1a943aefc5	rollover datastreams to get latest index templates + remove existing ilm policies from so-case / so-detection indices	2026-03-17 13:49:20 -05:00
reyesj2	eaf3f10adc	remove unused close/delete configs on datastream index templates	2026-03-16 17:26:45 -05:00
reyesj2	84f4e460f6	update index patterns	2026-03-16 16:53:22 -05:00
reyesj2	88841c9814	remove ilm configs from non-datastream indices	2026-03-16 16:52:42 -05:00
Josh Patterson	5b2def6fdd	Merge pull request #15618 from Security-Onion-Solutions/delta forcedType bool	2026-03-16 12:50:06 -04:00
Josh Patterson	9b6d29212d	forcedType bool	2026-03-16 12:46:25 -04:00
Josh Patterson	c1bff03b1c	Merge pull request #15615 from Security-Onion-Solutions/delta initialize pcap-log	2026-03-14 20:33:28 -04:00
Josh Patterson	b00f113658	initialize pcap-log	2026-03-14 19:45:50 -04:00
Jason Ertel	7dcd923ebf	Merge pull request #15612 from Security-Onion-Solutions/jertel/wip API errors will no longer redirect	2026-03-13 17:04:51 -04:00
Jason Ertel	1fcd8a7c1a	API errors will no longer redirect	2026-03-13 16:53:38 -04:00
Mike Reeves	a9196348ab	Merge pull request #15609 from Security-Onion-Solutions/moresoup Moresoup	2026-03-13 16:16:35 -04:00
Mike Reeves	12dec366e0	Fix so-yaml get to output booleans in YAML format and add bool test	2026-03-13 15:58:47 -04:00
Mike Reeves	1713f6af76	Fix so-yaml tests to match scalar output without document end marker	2026-03-13 15:53:53 -04:00
Mike Reeves	7f4adb70bd	Fix so-yaml get to print scalar values without YAML document end marker	2026-03-13 15:34:04 -04:00
Mike Reeves	e2483e4be0	Fix so-yaml addKey crash when intermediate key has None value	2026-03-13 15:22:29 -04:00
Mike Reeves	322c0b8d56	Move pcap.enabled under suricata.pcap.enabled in so-minion	2026-03-13 15:14:19 -04:00
Mike Reeves	81c1d8362d	Fix pcap migration to strip yaml document end marker from so-yaml output	2026-03-13 15:09:37 -04:00
Mike Reeves	d1156ee3fd	Merge pull request #15608 from Security-Onion-Solutions/moresoup Improve soup version checks and migrate pcap to suricata	2026-03-13 14:59:57 -04:00
Mike Reeves	18f971954b	Improve soup version checks and migrate pcap pillar to suricata Consolidate version checks to use regex patterns for 2.4.21X and 3.x versions. Add migrate_pcap_to_suricata to move pcap.enabled to suricata.pcap.enabled in minion and pcap pillar files during upgrade.	2026-03-13 14:54:23 -04:00
Josh Patterson	e55ac7062c	Merge pull request #15574 from Security-Onion-Solutions/delta pcap cleanup state. enable/disable pcap for suricata in soc	2026-03-13 14:54:06 -04:00
Josh Patterson	c178eada22	Merge pull request #15595 from Security-Onion-Solutions/TOoSmOotH-patch-5 Update version check to include 2.4.211	2026-03-13 14:32:59 -04:00
Doug Burks	92213e302f	Merge pull request #15603 from Security-Onion-Solutions/dougburks-patch-1 Remove version 3.0.0 from 2.4 discussion template	2026-03-13 10:53:24 -04:00
Doug Burks	72193b0249	Remove version 3.0.0 from 2.4 discussion template	2026-03-13 10:51:25 -04:00
Mike Reeves	066d7106b0	Merge pull request #15599 from Security-Onion-Solutions/TOoSmOotH-patch-6 Add version 2.4.211 to discussion template	2026-03-13 10:49:12 -04:00
Doug Burks	589de8e361	Update discussion template by removing unsupported options Removed unsupported network installation options for Red Hat, Ubuntu, and Debian.	2026-03-13 10:48:15 -04:00
Doug Burks	914cd8b611	Add discussion template for Security Onion 3.0	2026-03-12 13:52:41 -04:00
Doug Burks	845290595e	Delete .github/DISCUSSION_TEMPLATE/3.0.yml	2026-03-12 13:52:14 -04:00
Doug Burks	544b60d111	Add discussion template for version 3.0	2026-03-12 13:51:27 -04:00
Mike Reeves	aa0787b0ff	Add version 2.4.211 to discussion template	2026-03-12 13:11:43 -04:00
Mike Reeves	89f144df75	Remove upgrade instructions for 2.4 branch Removed outdated instructions for upgrading to the latest 2.4 branch.	2026-03-11 16:05:06 -04:00
Mike Reeves	cfccbe2bed	Update version check to include 2.4.211	2026-03-11 15:59:23 -04:00
Josh Patterson	3dd9a06d67	Merge pull request #15591 from Security-Onion-Solutions/temp-3dev-merge remove 10T virtual disk limit. URL_BASE to vm hosts file	2026-03-11 15:54:08 -04:00
Josh Patterson	4bfe9039ed	Merge pull request #15594 from Security-Onion-Solutions/temp/ulimit-cherry-pick set container ulimits to default	2026-03-11 14:49:36 -04:00
Josh Patterson	75cddbf444	set container ulimits to default	2026-03-11 14:46:29 -04:00
Josh Patterson	89b18341c5	add URL_BASE to vm hosts file	2026-03-11 12:29:13 -04:00
Josh Patterson	90137f7093	remove 10T limit for virtual disk	2026-03-11 12:29:10 -04:00
Josh Patterson	480187b1f5	Merge pull request #15575 from Security-Onion-Solutions/stenoclean cleanup steno. sensor run pcap.cleanup	2026-03-10 16:14:22 -04:00
Josh Patterson	0360d4145c	sensors run pcap.cleanup state	2026-03-10 15:58:26 -04:00
Mike Reeves	2bec5afcdd	Merge pull request #15567 from Security-Onion-Solutions/soupupdates Refactor upgrade functions and version checks	2026-03-10 15:14:17 -04:00
Mike Reeves	4539024280	Add minimum version check and fix function call syntax in soup Require at least Security Onion 2.4.210 before allowing upgrade. Fix determine_elastic_agent_upgrade() call syntax (remove parens).	2026-03-10 15:05:52 -04:00
Josh Patterson	398bd0c1da	Update VERSION	2026-03-10 15:00:19 -04:00
Mike Reeves	91759587f5	Update version numbers for upgrade scripts	2026-03-10 14:58:43 -04:00
Mike Reeves	bc9841ea8c	Refactor upgrade functions and remove unused code Removed deprecated functions and updated version checks for upgrades.	2026-03-10 14:45:40 -04:00
Josh Patterson	32241faf55	cleanup steno	2026-03-10 14:02:28 -04:00
Mike Reeves	685e22bd68	soup cleanup	2026-03-10 11:58:06 -04:00
Josh Patterson	88de779ff7	revert to salt 3006.19	2026-03-10 11:31:56 -04:00
Josh Patterson	d452694c55	enable/disable suricata pcap	2026-03-10 11:30:24 -04:00
Josh Patterson	7fba8ac2b4	Merge remote-tracking branch 'origin/3/dev' into delta	2026-03-10 11:24:44 -04:00
Mike Reeves	d78a5867b8	Refactor upgrade functions and version checks Removed redundant upgrade functions and streamlined version checks.	2026-03-09 17:10:18 -04:00
Josh Patterson	6809a40257	Merge remote-tracking branch 'origin/delta' into delta	2026-03-05 16:40:02 -05:00
Josh Patterson	cea55a72c3	upgrade salt 3006.23	2026-03-05 16:35:15 -05:00
Jason Ertel	e38a4a21ee	version for delta	2026-03-05 11:52:51 -05:00