diff --git a/salt/strelka/filecheck/filecheck b/salt/strelka/filecheck/filecheck
index d91c75900..146625552 100644
--- a/salt/strelka/filecheck/filecheck
+++ b/salt/strelka/filecheck/filecheck
@@ -31,24 +31,32 @@ extract_path = cfg["filecheck"]["extract_path"]
 historypath = cfg["filecheck"]["historypath"]
 strelkapath = cfg["filecheck"]["strelkapath"]
 logfile = cfg["filecheck"]["logfile"]
+recycle_secs = cfg["filecheck"].get("recycle_secs", 300)
 logging.basicConfig(filename=logfile, filemode='w', format='%(asctime)s - %(message)s', datefmt='%d-%b-%y %H:%M:%S', level=logging.INFO)
 def checkexisting():
- for file in os.listdir(extract_path):
- filename = os.path.join(extract_path, file)
- logging.info("Processing existing file " + filename)
- checksum(filename)
+ logging.info("Checking for existing files");
+ for root, dirs, files in os.walk(extract_path):
+ for file in files:
+ try:
+ path = os.path.join(root, file)
+ filename = os.path.join(extract_path, path)
+ checksum(filename)
+ except Exception as err:
+ logging.error("Failed to process file: " + file)
 def checksum(filename):
- with open(filename, 'rb') as afile:
- shawnuff = hashlib.sha1()
- buf = afile.read(8192)
- while len(buf) > 0:
- shawnuff.update(buf)
+ if os.path.isfile(filename) and "/tmp/" not in filename:
+ with open(filename, 'rb') as afile:
+ logging.info("Processing file: " + filename)
+ shawnuff = hashlib.sha1()
 buf = afile.read(8192)
- hizash=shawnuff.hexdigest()
- process(filename, hizash)
+ while len(buf) > 0:
+ shawnuff.update(buf)
+ buf = afile.read(8192)
+ hizash=shawnuff.hexdigest()
+ process(filename, hizash)
 def process(filename, hizash):
 if os.path.exists(historypath + hizash):
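Review bot: In checkexisting, `filename = os.path.join(extract_path, path)` re-joins a path that already starts at `root` (itself produced by walking `extract_path`); when extract_path is absolute the second join just discards it, and when it is relative the prefix is doubled and `os.path.isfile` in checksum silently skips every file. The two assignments can collapse to `filename = os.path.join(root, file)`. The `except Exception as err` branch drops `err` and logs only the basename, so a permission or I/O failure leaves no usable trace; `logging.exception("Failed to process file: %s", os.path.join(root, file))` keeps the traceback and the full path. The `"/tmp/" not in filename` guard is a substring test and therefore skips any file under a directory named tmp at any depth, so a comment should say which staging directory it is meant to exclude, or the check should be pinned to that one path. Separately, the SHA-1 `hizash` is the dedupe key that `process` looks up under historypath, and the files under extract_path appear to be carved from traffic by the sensor, so a sender able to produce two files with the same SHA-1 could make a later file look already processed; `hashlib.sha256()` would remove that, at the cost of a one-time miss against existing history entries.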
@@ -66,25 +74,31 @@ def process(filename, hizash):
 class CreatedEventHandler(FileSystemEventHandler):
 def on_created(self, event):
- filename = event.src_path
- logging.info("Found new file")
- checksum(filename)
+ checksum(event.src_path)
 if __name__ == "__main__":
+ logging.info("Starting filecheck")
 checkexisting()
+ event_handler =CreatedEventHandler()
- observer = Observer()
+ shutdown = False
+ while not shutdown:
+ logging.info("Scheduling observer")
+ observer = Observer()
+ observer.schedule(event_handler, extract_path, recursive=True)
+ observer.start()
+ try:
+ time.sleep(recycle_secs)
+ except KeyboardInterrupt:
+ logging.warn("User requested shutdown")
+ shutdown = True
- logging.info("Starting filecheck")
- observer.schedule(event_handler, extract_path, recursive=True)
- observer.start()
- try:
- while True:
- time.sleep(1)
- except KeyboardInterrupt:
 observer.stop()
- observer.join()
+ observer.join()
+
+ if not shutdown:
+ logging.info("Recycling observer to pick up new subdirectories")
 logging.info("Exiting filecheck")
diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls
index 24be1852a..b372e6f6c 100644
--- a/salt/strelka/init.sls
+++ b/salt/strelka/init.sls
@@ -24,6 +24,12 @@
 {% import_yaml 'strelka/defaults.yaml' as strelka_config with context %}
 {% set IGNORELIST = salt['pillar.get']('strelka:ignore', strelka_config.strelka.ignore, merge=True, merge_nested_lists=True) %}
+{% if ENGINE == "SURICATA" %}
+ {% set filecheck_runas = 'suricata' %}
+{% else %}
+ {% set filecheck_runas = 'socore' %}
+{% endif %}
+
 {% if grains['os'] != 'CentOS' %}
 strelkapkgs:
 pkg.installed:
@@ -125,6 +131,7 @@ strelkaunprocessed:
 - name: /nsm/strelka/unprocessed
 - user: 939
 - group: 939
+ - mode: 775
 - makedirs: True
 # Check to see if Strelka frontend port is available
@@ -138,6 +145,7 @@ filecheck_logdir:
 - name: /opt/so/log/strelka
 - user: 939
 - group: 939
+ - mode: 775
 - makedirs: True
 filecheck_history:
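Review bot: Files created between `observer.stop()`/`observer.join()` and the next `observer.start()` are never seen: `checkexisting()` runs only once before the loop, so anything landing in that gap on each recycle is silently skipped. Calling `checkexisting()` again right after `observer.start()` inside the loop closes the window, and since `process` already dedupes against historypath the rescan costs only the hashing. `logging.warn` is a deprecated alias; use `logging.warning("User requested shutdown")`. The new `checksum(event.src_path)` in on_created still hashes at creation time, before the writer has necessarily finished, so a partial-file hash can be recorded in history; if the installed watchdog provides `on_closed`, handling the close-write event there would be safer. watchdog's recursive inotify observer normally adds watches for directories created after start, so a comment stating which case the recycle actually works around would keep the next reader from removing it as redundant.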
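Review bot: `{% if ENGINE == "SURICATA" %}` relies on `ENGINE` being defined earlier in init.sls, which is not visible in this hunk; with Jinja's default Undefined the comparison is simply false and filecheck silently runs as socore, while a strict-undefined renderer would fail the whole state. Guarding it, e.g. `{% if ENGINE is defined and ENGINE == "SURICATA" %}`, makes the fallback explicit. Because this variable decides which account owns the hash history and log files, a one-line comment above the block saying why Suricata deployments run filecheck as `suricata` (presumably because the extracted files are owned by that user) would help the next reader.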
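Review bot: `- mode: 775` here, and in the filecheck_logdir and filecheck_history hunks, applies to the directory itself only — `file.directory` without `recurse` leaves existing files inside with their current owner and mode. Once the cron job switches to the `suricata` user (the `- user: {{ filecheck_runas }}` hunk), a pre-existing socore-owned log file that the script opens with `filemode='w'`, or history markers created earlier under socore, will still be unwritable for the new user; either add `- recurse: [user, group, mode]` to these three states or document that the switch expects a clean tree. Group-writable history and unprocessed directories also let the suricata account create or remove the dedupe markers filecheck trusts; that appears to be the intended sharing model, but a comment saying so would stop it being loosened further later.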
@@ -145,6 +153,7 @@ filecheck_history:
 - name: /nsm/strelka/history
 - user: 939
 - group: 939
+ - mode: 775
 - makedirs: True
 filecheck_conf:
@@ -164,7 +173,7 @@ filecheck_script:
 filecheck_run:
 cron.present:
 - name: 'ps -ef | grep filecheck | grep -v grep || python3 /opt/so/conf/strelka/filecheck >> /opt/so/log/strelka/filecheck_stdout.log 2>&1 &'
- - user: socore
+ - user: {{ filecheck_runas }}
 filcheck_history_clean:
 cron.present:
diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls
index d6333c65a..cef56bdb1 100644
--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
@@ -44,6 +44,13 @@ suricata:
 - home: /nsm/suricata
 - createhome: False
+socoregroupwithsuricata:
+ group.present:
+ - name: socore
+ - gid: 939
+ - addusers:
+ - suricata
+
 suridir:
 file.directory:
 - name: /opt/so/conf/suricata
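Review bot: `socoregroupwithsuricata` declares `group.present` for `socore` with `gid: 939`, a group that is presumably created by another state (strelka/init.sls already uses 939 as its uid/gid); if that other state manages membership with `- users:` rather than `- addusers:`, Salt will reset the member list there and the two states will fight on every highstate. The `addusers` entry also needs the `suricata` user to exist first; it sits just after what looks like the `suricata` user state in this file, but an explicit `- require: - user: suricata` would survive reordering. A one-line comment saying the membership exists so filecheck, when run as suricata, can write the group-writable strelka directories would tie this change to the one in strelka/init.sls.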