Directory Structure¶

/opt/so/conf¶

Applications read their configuration from /opt/so/conf/. However, please keep in mind that most config files are managed with Salt, so if you manually modify those config files, your changes may be overwritten at the next Salt update.

/opt/so/log¶

Debug logs are stored in /opt/so/log/.

/opt/so/rules¶

ElastAlert and Suricata rules are stored in /opt/so/rules/.

/opt/so/saltstack/local¶

Custom Salt settings can be added to /opt/so/saltstack/local/.

/nsm¶

The vast majority of data is stored in /nsm/.

/nsm/zeek¶

Zeek writes its protocol logs to /nsm/zeek/.

/nsm/elasticsearch¶

Elasticsearch stores its data in /nsm/elasticsearch/.

/nsm/pcap¶

Stenographer stores full packet capture in /nsm/pcap/.

/nsm/wazuh¶

All Wazuh files are stored in /nsm/wazuh/. For convenience, we have placed symlinks for Wazuh config at /opt/so/conf/wazuh/ (linked to /nsm/wazuh/etc) and Wazuh rules at /opt/so/rules/hids/ (local_rules.xml links to /nsm/wazuh/etc/rules/local_rules.xml and ruleset links to /nsm/wazuh/ruleset).