Applications read their configuration from /opt/so/conf/
. However, please keep in mind that most config files are managed with :ref:`salt`, so if you manually modify those config files, your changes may be overwritten at the next Salt update.
Debug logs are stored in /opt/so/log/
.
:ref:`elastalert` and :ref:`suricata` rules are stored in /opt/so/rules/
.
Custom :ref:`salt` settings can be added to /opt/so/saltstack/local/
.
The vast majority of data is stored in /nsm/
.
:ref:`zeek` writes its protocol logs to /nsm/zeek/
.
:ref:`elasticsearch` stores its data in /nsm/elasticsearch/
.
:ref:`stenographer` stores full packet capture in /nsm/pcap/
.
:ref:`suricata` stores full packet capture in /nsm/pcap/
.