From a4d5f5825647b785d2f29ec78607ffdaab580dc1 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 18 Feb 2021 10:33:47 -0500
Subject: [PATCH 1/2] fix surilogcompress
---
 salt/suricata/cron/surilogcompress | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/suricata/cron/surilogcompress b/salt/suricata/cron/surilogcompress
index b77c4d635..4fe43bbee 100644
--- a/salt/suricata/cron/surilogcompress
+++ b/salt/suricata/cron/surilogcompress
@@ -1,6 +1,6 @@
 #!/bin/bash
 # Gzip the eve logs
-find /nsm/suricata/eve*.json -type f -printf '%T@\t%p\n' | sort -t $'\t' -g | head -n -1 | cut -d $'\t' -f 2- | xargs nice gzip
+find /nsm/suricata/eve*.json -type f -printf '%T@\t%p\n' | sort -t $'\t' -g | head -n -1 | cut -d $'\t' -f 2 | xargs nice gzip
 # TODO Add stats log
\ No newline at end of file
From 95df18c545f8ffe603e68ee0b716ca456a355084 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 18 Feb 2021 10:45:20 -0500
Subject: [PATCH 2/2] limit eve logs and gz files based on days
---
 salt/suricata/cron/so-suricata-eve-clean | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)
diff --git a/salt/suricata/cron/so-suricata-eve-clean b/salt/suricata/cron/so-suricata-eve-clean
index a3cd6bc79..71bfbd95c 100644
--- a/salt/suricata/cron/so-suricata-eve-clean
+++ b/salt/suricata/cron/so-suricata-eve-clean
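Review bot: Changing `cut -f 2-` to `-f 2` only matters for a path that contains a tab — `-f 2` then truncates the path at the tab where `-f 2-` kept all of it — so for the ordinary `eve-*.json` names the new line behaves exactly as the old one did, and `-f 2-` was the safer of the two. Independently of that, the new line still hands names to `xargs nice gzip` newline-separated and unquoted, and the `eve*.json` glob also matches the live `eve.json`, which escapes gzip only because `head -n -1` drops the most recently modified entry; whether the live file is always that entry depends on rotation timing the hunk does not show. Restricting the search to rotated files (the pattern patch 2 uses) and going NUL-delimited closes both gaps: `find /nsm/suricata/ -type f -name 'eve-*.json' -printf '%T@\t%p\0' | sort -z -t $'\t' -g | head -z -n -1 | cut -z -d $'\t' -f 2- | xargs -0 -r nice gzip`, adding `-maxdepth 1` if the rotated logs live only directly under /nsm/suricata/.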
@@ -24,15 +24,9 @@
 read lastPID < $lf
 [ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
 echo $$ > $lf
-MAXEVES={{ salt['pillar.get']('suricata:cleanup:eve_json', 20) }}
-if [ "$MAXEVES" -lt 2 ]; then
- MAXEVES=2
+MAXDAYS={{ salt['pillar.get']('suricata:cleanup:eve_json', 7) }}
+if [ "$MAXDAYS" -lt 1 ]; then
+ MAXDAYS=1
 fi
-# Find eve files and remove them
-NUMEVES=$(find /nsm/suricata/ -type f -name "eve-*.json" | wc -l)
-while [ "$NUMEVES" -gt "$MAXEVES" ]; do
- OLDESTEVE=$(find /nsm/suricata/ -type f -name "eve-*.json" -type f -printf '%T+ %p\n' | sort | head -n 1 | awk -F" " '{print $2}')
- rm -f $OLDESTEVE
- NUMEVES=$(find /nsm/suricata/ -type f -name "eve-*.json" | wc -l)
-done
\ No newline at end of file
+find /nsm/suricata/ -type f -mtime +$MAXDAYS -name 'eve-*.json*' -execdir rm -- '{}' \;
\ No newline at end of file
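Review bot: `-mtime +$MAXDAYS` on the added find line retains files one day longer than the variable name suggests: find's `+N` matches files whose age in whole 24-hour periods is greater than N, so with the default of 7 a rotated log or its `.gz` is removed only once it is at least 8 days old, and the `-lt 1` floor still keeps files up to two days; a comment such as `# remove rotated eve logs and their .gz older than MAXDAYS full days (find's +N is strictly greater)` above the line makes that explicit. The pillar key `suricata:cleanup:eve_json` keeps its name but changes unit — an existing pillar value of 20 meant 20 files before this commit and now means 20 days — so the MAXDAYS assignment deserves a comment like `# days to keep; this pillar key previously held a file count`. Quote the expansion, `-mtime "+$MAXDAYS"`, because the `[ "$MAXDAYS" -lt 1 ]` guard merely prints an error on a non-numeric or multi-word pillar value and lets the script continue to the find, and add `-maxdepth 1` if rotated logs live only directly under /nsm/suricata/. The lock-file handling at the top of the hunk is unchanged context, and the rest of the script lies outside the hunk.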