From 95df18c545f8ffe603e68ee0b716ca456a355084 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 18 Feb 2021 10:45:20 -0500
Subject: [PATCH] limit eve logs and gz files based on days

---
 salt/suricata/cron/so-suricata-eve-clean | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)

diff --git a/salt/suricata/cron/so-suricata-eve-clean b/salt/suricata/cron/so-suricata-eve-clean
index a3cd6bc79..71bfbd95c 100644
--- a/salt/suricata/cron/so-suricata-eve-clean
+++ b/salt/suricata/cron/so-suricata-eve-clean
@@ -24,15 +24,9 @@ read lastPID < $lf
 [ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
 echo $$ > $lf
-MAXEVES={{ salt['pillar.get']('suricata:cleanup:eve_json', 20) }}
-if [ "$MAXEVES" -lt 2 ]; then
- MAXEVES=2
+MAXDAYS={{ salt['pillar.get']('suricata:cleanup:eve_json', 7) }}
+if [ "$MAXDAYS" -lt 1 ]; then
+ MAXDAYS=1
 fi
-# Find eve files and remove them
-NUMEVES=$(find /nsm/suricata/ -type f -name "eve-*.json" | wc -l)
-while [ "$NUMEVES" -gt "$MAXEVES" ]; do
- OLDESTEVE=$(find /nsm/suricata/ -type f -name "eve-*.json" -type f -printf '%T+ %p\n' | sort | head -n 1 | awk -F" " '{print $2}')
- rm -f $OLDESTEVE
- NUMEVES=$(find /nsm/suricata/ -type f -name "eve-*.json" | wc -l)
-done
\ No newline at end of file
+find /nsm/suricata/ -type f -mtime +$MAXDAYS -name 'eve-*.json*' -execdir rm -- '{}' \;
\ No newline at end of file
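Review bot: The pillar key `suricata:cleanup:eve_json` keeps its name while its meaning changes from a file count to a retention period in days, so an existing pillar that still carries a count-style value such as the old default of 20 now keeps eve logs for 20 days instead of 20 files, which can exhaust /nsm on a busy sensor; renaming the key, or at least adding `# retention in days, not a file count (changed from the earlier count-based cleanup)` above the `MAXDAYS=` line, would make the new unit visible to operators. Note also that `-mtime +$MAXDAYS` matches files whose age in whole days is greater than MAXDAYS, so `MAXDAYS=7` keeps roughly eight days of eve and gz files; if the intent is to remove everything older than seven days, `-mtime +$((MAXDAYS - 1))` is closer. `$MAXDAYS` is unquoted in the find expression; it is a rendered integer here, but `"$MAXDAYS"` would match the quoting already used in the `[ ... ]` test two lines above. The script's lock-file handling and its start lie outside this hunk.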