From 0dd2e51e83a8911fc3a15401a97c2e1c17f7ff90 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Tue, 6 Dec 2022 11:39:58 -0500
Subject: [PATCH] Ensure Suricata move events get picked up
---
 salt/strelka/filecheck/filecheck | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/salt/strelka/filecheck/filecheck b/salt/strelka/filecheck/filecheck
index 146625552..cd72eaffa 100644
--- a/salt/strelka/filecheck/filecheck
+++ b/salt/strelka/filecheck/filecheck
@@ -74,17 +74,21 @@ def process(filename, hizash):
 class CreatedEventHandler(FileSystemEventHandler):
 def on_created(self, event):
+ logging.info("File create detected: " + event.src_path)
 checksum(event.src_path)
+ def on_moved(self, event):
+ logging.info("File move detected: " + event.src_path + " -> " + event.dest_path)
+ checksum(event.dest_path)
+
 if __name__ == "__main__":
 logging.info("Starting filecheck")
- checkexisting()
-
 event_handler =CreatedEventHandler()
 shutdown = False
 while not shutdown:
+ checkexisting()
 logging.info("Scheduling observer")
 observer = Observer()
 observer.schedule(event_handler, extract_path, recursive=True)
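Review bot: Both handlers pass every event path straight to `checksum()`, but the observer is scheduled with `recursive=True`, so directory create and move events reach them too, and `on_created` can fire for a path that is renamed away before it is read, which is the situation this commit targets. `checksum()` is defined outside the hunk, so whether it tolerates a directory or a vanished path cannot be confirmed from here; if it raises, the exception would presumably surface in the observer thread, and files arriving in the meantime would stay unscanned until the next `checkexisting()` pass. Consider starting each handler with `if event.is_directory: return` and catching `FileNotFoundError` around the `checksum(event.src_path)` call in `on_created`, logging the skipped path. The `__main__` loop body continues past the end of the hunk.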