From 30ac5f97644198250a97a6f1ceb57e1f65570e07 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 25 Jun 2020 12:56:26 -0400
Subject: [PATCH] ADding Suricata log compression

---
 salt/suricata/cron/surilogcompress |  6 ++++++
 salt/suricata/init.sls             | 15 +++++++++++++++
 2 files changed, 21 insertions(+)
 create mode 100644 salt/suricata/cron/surilogcompress

diff --git a/salt/suricata/cron/surilogcompress b/salt/suricata/cron/surilogcompress
new file mode 100644
index 000000000..b77c4d635
--- /dev/null
+++ b/salt/suricata/cron/surilogcompress
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# Gzip the eve logs
+find /nsm/suricata/eve*.json -type f -printf '%T@\t%p\n' | sort -t $'\t' -g | head -n -1 | cut -d $'\t' -f 2- | xargs nice gzip
+
+# TODO Add stats log
\ No newline at end of file
diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls
index 0f3d49bc3..03a5679eb 100644
--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
@@ -68,6 +68,21 @@ surirulesync:
     - user: 940
     - group: 940
 
+surilogscript:
+  file.managed:
+    - name: /usr/local/bin/surilogcompress
+    - source: salt://suricata/cron/surilogcompress
+    - mode: 755
+
+/usr/local/bin/surilogcompress:
+  cron.present:
+    - user: suricata
+    - minute: '17'
+    - hour: '*'
+    - daymonth: '*'
+    - month: '*'
+    - dayweek: '*'
+
 suriconfigsync:
   file.managed:
     - name: /opt/so/conf/suricata/suricata.yaml
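Review bot: The find pipeline in surilogcompress runs `nice gzip` with no file arguments whenever `head -n -1` leaves nothing (only one eve*.json present, or none), because xargs invokes the command once even on empty input; gzip then compresses its empty stdin and writes a gzip stream to stdout, which lands in the hourly cron mail. Add `-r` so xargs skips the run, and move the pattern into find so an unmatched shell glob is not passed to find as a literal path: `find /nsm/suricata -maxdepth 1 -type f -name 'eve*.json' -printf '%T@\t%p\n' | sort -t $'\t' -g | head -n -1 | cut -d $'\t' -f 2- | xargs -r nice gzip`. The script also assumes the newest file by mtime is the only one Suricata still has open; that holds for a single rotated eve output but would compress a file that is still being written if more than one eve-log output is configured, so a comment stating that assumption, such as `# Assumes the single newest eve*.json is the file Suricata currently writes; all older ones are closed`, would help the next maintainer. The `# TODO Add stats log` line is left as-is, presumably intentionally.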
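Review bot: The cron.present state for /usr/local/bin/surilogcompress has no `require` on surilogscript, so on a fresh minion there is no guarantee the cron entry is created only after the script file exists; the hourly job would fail until the next highstate orders them by chance, and the ownership of the script that the `suricata` account executes every hour is left to file.managed defaults. The script is executed as an unprivileged user but installed without an explicit owner; since the minion presumably runs as root the defaults are likely root:root, but making that explicit keeps the suricata account from ever being able to edit the code that cron runs on its behalf. Add `- user: root` and `- group: root` to surilogscript and a `require` on the cron state so the two are ordered and the ownership intent is visible in the state file.
```yaml
surilogscript:
  file.managed:
    # … unchanged: name, source …
    - user: root
    - group: root
    - mode: 755

/usr/local/bin/surilogcompress:
  cron.present:
    # … unchanged: user, minute, hour, daymonth, month, dayweek …
    - require:
      - file: surilogscript
```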