From 74ca4487de3698cab7b4338571a7bc042d0e0e64 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 18 Feb 2021 09:51:40 -0500 Subject: [PATCH] ensure at least 2 eve files are kept https://github.com/Security-Onion-Solutions/securityonion/issues/2989 --- salt/suricata/cron/so-suricata-eve-clean | 3 +++ 1 file changed, 3 insertions(+) diff --git a/salt/suricata/cron/so-suricata-eve-clean b/salt/suricata/cron/so-suricata-eve-clean index dcaef3109..a3cd6bc79 100644 --- a/salt/suricata/cron/so-suricata-eve-clean +++ b/salt/suricata/cron/so-suricata-eve-clean @@ -25,6 +25,9 @@ read lastPID < $lf echo $$ > $lf MAXEVES={{ salt['pillar.get']('suricata:cleanup:eve_json', 20) }} +if [ "$MAXEVES" -lt 2 ]; then + MAXEVES=2 +fi # Find eve files and remove them NUMEVES=$(find /nsm/suricata/ -type f -name "eve-*.json" | wc -l)
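Review bot: The new clamp `if [ "$MAXEVES" -lt 2 ]` only takes effect when the rendered pillar value is an integer; if `suricata:cleanup:eve_json` renders empty or non-numeric, `[` reports an error and returns non-zero, so the `if` body is skipped and MAXEVES keeps the bad value. Validating before the comparison closes that gap, e.g. `case "$MAXEVES" in ''|*[!0-9]*) MAXEVES=20 ;; esac`, where 20 is the default already given on the `pillar.get` line above. The code that uses MAXEVES to select files for deletion lies outside the hunk, so its behaviour with a bad value cannot be confirmed from here; because these are the Suricata eve logs, the script should fail toward keeping files. A one-line comment above the check, such as `# keep at least 2 eve files regardless of the pillar setting`, would record why 2 is the floor.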