diff --git a/salt/suricata/cron/so-suricata-eve-clean b/salt/suricata/cron/so-suricata-eve-clean
index dcaef3109..a3cd6bc79 100644
--- a/salt/suricata/cron/so-suricata-eve-clean
+++ b/salt/suricata/cron/so-suricata-eve-clean
@@ -25,6 +25,9 @@ read lastPID < $lf
 echo $$ > $lf
 MAXEVES={{ salt['pillar.get']('suricata:cleanup:eve_json', 20) }}
+if [ "$MAXEVES" -lt 2 ]; then
+ MAXEVES=2
+fi
 # Find eve files and remove them
 NUMEVES=$(find /nsm/suricata/ -type f -name "eve-*.json" | wc -l)
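Review bot: The added `[ "$MAXEVES" -lt 2 ]` guard only works when the rendered pillar value is an integer. If `suricata:cleanup:eve_json` renders as empty or as non-numeric text, `[` prints "integer expression expected" and returns non-zero, so the floor is skipped and the bad value goes on to the cleanup logic. A digit check before the comparison would close that gap, for example `case "$MAXEVES" in ''|*[!0-9]*) MAXEVES=20 ;; esac`, which falls back to the pillar default already shown in the hunk. A short comment such as `# never keep fewer than 2 eve files` would also record why the minimum is 2. The rest of the script, where MAXEVES is used for the deletion, is outside this hunk, so the exact effect of a bad value there is not visible from here.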