From 79adf2012a60ab5fc171208153b3cee27b7f10e2 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 4 Jun 2020 10:43:24 -0400
Subject: [PATCH] Fix log rotate on Suricata

---
 salt/filebeat/etc/filebeat.yml        | 2 +-
 salt/suricata/files/suricata.yaml     | 4 ++--
 salt/suricata/files/suricataMETA.yaml | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index 0f72b8dcd..da116cf2c 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -123,7 +123,7 @@ filebeat.inputs:
   - type: log
     paths:
-      - /suricata/eve.json
+      - /suricata/eve*.json
     fields:
       module: suricata
       dataset: common
diff --git a/salt/suricata/files/suricata.yaml b/salt/suricata/files/suricata.yaml
index c87c75447..28e5b4bcf 100644
--- a/salt/suricata/files/suricata.yaml
+++ b/salt/suricata/files/suricata.yaml
@@ -95,8 +95,8 @@ outputs:
   - eve-log:
       enabled: yes
       filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
-      filename: /nsm/eve.json
-      rotate-interval: day
+      filename: /nsm/eve-%Y-%m-%d-%H:%M.json
+      rotate-interval: hour
       #prefix: "@cee: " # prefix to prepend to each log entry
       # the following are valid when type: syslog above
diff --git a/salt/suricata/files/suricataMETA.yaml b/salt/suricata/files/suricataMETA.yaml
index 964d3fab7..61e3be6ec 100644
--- a/salt/suricata/files/suricataMETA.yaml
+++ b/salt/suricata/files/suricataMETA.yaml
@@ -95,7 +95,7 @@ outputs:
   - eve-log:
       enabled: yes
       filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
-      filename: /nsm/eve.json
+      filename: /nsm/eve-%Y-%m-%d-%H:%M.json
       rotate-interval: hour
       #prefix: "@cee: " # prefix to prepend to each log entry
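Review bot: The glob `/suricata/eve*.json` makes Filebeat harvest every rotated EVE file, but nothing in this hunk bounds how long those harvesters and registry entries live, and with the hourly rotation introduced in the suricata.yaml hunk of this same commit the set of matching files grows by roughly 24 per day until something deletes them. The input stanza continues outside the hunk, so if `close_inactive`, `ignore_older` and `clean_inactive` are already set there this is covered; otherwise add them next to `paths`, e.g. `ignore_older: 24h` and `clean_inactive: 25h`, so that files Suricata has stopped writing do not hold open file descriptors or grow the registry without bound. It is also worth confirming that /suricata in the Filebeat container is the same mount as /nsm on the Suricata side, since the two hunks use different path prefixes and a mismatch would silently stop alert ingestion rather than fail loudly.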
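Review bot: The new `filename: /nsm/eve-%Y-%m-%d-%H:%M.json` embeds a colon through `%H:%M`; that is legal on Linux, but it breaks copying or archiving these logs to Windows/SMB targets and confuses tools that treat `:` as a host or field separator, and with `rotate-interval: hour` the minute field is presumably always `00` and adds nothing. Dropping it, `filename: /nsm/eve-%Y-%m-%d-%H.json`, keeps the rotated names sortable and still matches the `eve*.json` glob added in the filebeat.yml hunk. Rotation also only creates new files and nothing in this commit prunes old ones, so retention must be handled elsewhere or /nsm eventually fills and EVE output stops, which ends alert visibility without an obvious error. The same filename is added in the suricataMETA.yaml hunk. The eve-log stanza continues outside the hunk.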