Applications read their configuration from /opt/so/conf/. However, please keep in mind that most config files are managed with :ref:`salt`, so if you manually modify those config files, your changes may be overwritten at the next Salt update.
Debug logs are stored in /opt/so/log/.
:ref:`elastalert` and :ref:`suricata` rules are stored in /opt/so/rules/.
Custom :ref:`salt` settings can be added to /opt/so/saltstack/local/.
The vast majority of data is stored in /nsm/.
:ref:`zeek` writes its protocol logs to /nsm/zeek/.
:ref:`elasticsearch` stores its data in /nsm/elasticsearch/.
:ref:`stenographer` stores full packet capture in /nsm/pcap/.
:ref:`suricata` stores full packet capture in /nsm/pcap/.