CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-10 11:12:51 +01:00
Code Issues Packages Projects Releases Wiki Activity

limit eve logs and gz files based on days

Browse Source
This commit is contained in:
m0duspwnens
2021-02-18 10:45:20 -05:00
parent a4d5f58256
commit 95df18c545
1 changed files with 4 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
salt/suricata/cron/so-suricata-eve-clean
View File

@@ -24,15 +24,9 @@ read lastPID < $lf
[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit [ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
echo $$ > $lf echo $$ > $lf
MAXEVES={{ salt['pillar.get']('suricata:cleanup:eve_json', 20) }} MAXDAYS={{ salt['pillar.get']('suricata:cleanup:eve_json', 7) }}
if [ "$MAXEVES" -lt 2 ]; then if [ "$MAXDAYS" -lt 1 ]; then
MAXEVES=2 MAXDAYS=1
fi fi
# Find eve files and remove them find /nsm/suricata/ -type f -mtime +$MAXDAYS -name 'eve-*.json*' -execdir rm -- '{}' \;
NUMEVES=$(find /nsm/suricata/ -type f -name "eve-*.json" | wc -l)
while [ "$NUMEVES" -gt "$MAXEVES" ]; do
OLDESTEVE=$(find /nsm/suricata/ -type f -name "eve-*.json" -type f -printf '%T+ %p\n' | sort | head -n 1 | awk -F" " '{print $2}')
rm -f $OLDESTEVE
NUMEVES=$(find /nsm/suricata/ -type f -name "eve-*.json" | wc -l)
done