diff --git a/salt/suricata/cron/so-suricata-eve-clean b/salt/suricata/cron/so-suricata-eve-clean
new file mode 100644
index 000000000..b931eeea2
--- /dev/null
+++ b/salt/suricata/cron/so-suricata-eve-clean
@@ -0,0 +1,35 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .. /usr/sbin/so-common
+APP=so-suricata-eve-clean
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf
+MAXEVES={% salt['pillar.get']('suricata:cleanup:eve_json', 20) %}
+# Find eve files and remove them
+NUMEVES=$(find /nsm/suricata/ -type f -name "eve-*.json" | wc -l)
+while [ "$NUMEVES" -gt "$MAXEVES" ]; do
+ OLDESTEVE=$(find /nsm/suricata/ -type f -name "eve-*.json" -type f -printf '%T+ %p\n' | sort | head -n 1 | awk -F" " '{print $2}')
+ rm -f $OLDESTEVE
+ NUMEVES=$(find /nsm/suricata/ -type f -name "eve-*.json" | wc -l)
+done
\ No newline at end of file
diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls
index 3de6e3568..708976cd9
--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
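Review bot: The single-instance guard relies on a fixed, predictable file in world-writable /tmp that root appends to, reads back and overwrites (`cat /dev/null >> $lf`, `read lastPID < $lf`, `echo $$ > $lf`), so any local user can seed it before the first cron run: writing `1` into it makes `-d /proc/$lastPID` true forever and the cleanup silently never runs again (disk fills), and on a host without fs.protected_symlinks a symlink placed there lets root truncate an arbitrary file. A kernel-held lock on a root-owned path removes both problems and the stale-PID logic: replace the lf/lastPID lines with `exec 9>"/var/lock/${APP}.lock"` followed by `flock -n 9 || exit 0`. In the loop, `awk -F" " '{print $2}'` and the unquoted `rm -f $OLDESTEVE` would truncate a path containing a space; `cut -d' ' -f2-` for the path and `rm -f -- "$OLDESTEVE"` keep it intact. If the MAXEVES line really uses `{% … %}` rather than `{{ … }}` delimiters, the jinja template will fail to render, since a bare expression is not a statement — worth confirming against the file as committed.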
@@ -177,6 +177,26 @@ disable_so-suricata_so-status.conf:
 - month: '*'
 - dayweek: '*'
+so-suricata-eve-clean:
+ file.managed:
+ - name: /usr/sbin/so-suricata-eve-clean
+ - user: root
+ - group: root
+ - file_mode: 755
+ - template: jinja
+ - source: salt://suricata/cron/so-suricata-eve-clean
+
+# Add eve clean cron
+clean_suricata_eve_files:
+ cron.present:
+ - name: /usr/sbin/so-suricata-eve-clean > /dev/null 2>&1
+ - user: root
+ - minute: '*/5'
+ - hour: '*'
+ - daymonth: '*'
+ - month: '*'
+ - dayweek: '*'
+
 {% else %}
 {{sls}}_state_not_allowed:
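Review bot: `file_mode: 755` is, as far as I can tell, not a `file.managed` argument — that state's permission key is `mode` (`file_mode` belongs to `file.directory`/`file.recurse`) — and because `file.managed` accepts `**kwargs` the unknown key is swallowed rather than failing the state, so the script would land with the default mode and the `cron.present` command below would hit permission denied every five minutes; change it to `- mode: 755` and verify on a minion. The `> /dev/null 2>&1` on the cron command hides that failure and any later `rm` error; either let cron mail stderr by dropping the `2>&1`, or append to a log such as `>> /var/log/so-suricata-eve-clean.log 2>&1` so the cleanup's behaviour stays auditable. Consider also a `- require:` on the `so-suricata-eve-clean` file state so the cron entry is not created before the script exists.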