From dd1769fbefd60e862de82a5400f7b9b0bd69f4ea Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Thu, 5 Aug 2021 11:02:09 -0400
Subject: [PATCH 1/2] Only check for logscan on manager-type and import
---
 salt/filebeat/etc/filebeat.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index 3c482e274..0c27e3c1b 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -112,6 +112,7 @@ filebeat.inputs:
 fields: ["source", "prospector", "input", "offset", "beat"]
 fields_under_root: true
+{%- if grains['role'] in ['so-eval', 'so-standalone', 'so-manager', 'so-managersearch', 'so-import'] %}
 - type: log
 paths:
 - /logs/logscan/alerts.log
@@ -124,6 +125,7 @@ filebeat.inputs:
 fields_under_root: true
 clean_removed: true
 close_removed: false
+{%- endif %}
 {%- if grains['role'] in ['so-eval', 'so-standalone', 'so-sensor', 'so-helix', 'so-heavynode', 'so-import'] %}
 {%- if ZEEKVER != 'SURICATA' %}
From 3b01f6431e152d33349ae63645fe69dcc8ffd250 Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Fri, 6 Aug 2021 09:43:58 -0400
Subject: [PATCH 2/2] Add logscan to logrotate config
---
 salt/common/files/log-rotate.conf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/common/files/log-rotate.conf b/salt/common/files/log-rotate.conf
index 061b76271..35c6fd724 100644
--- a/salt/common/files/log-rotate.conf
+++ b/salt/common/files/log-rotate.conf
@@ -22,6 +22,7 @@
 /opt/so/log/salt/so-salt-minion-check
 /opt/so/log/salt/minion
 /opt/so/log/salt/master
+/opt/so/log/logscan/*.log
 {
 {{ logrotate_conf | indent(width=4) }}
 }
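Review bot: The role list in the new `{%- if grains['role'] in [...] %}` guard of the first filebeat.yml hunk is an undocumented inline literal, and it differs from the list on the next guard. A role that runs logscan but is missing from this list would silently stop shipping `/logs/logscan/alerts.log`, which is a detection gap rather than a visible error. Where logscan itself is enabled is not visible in this patch, so confirm the two sets of roles agree. A Jinja comment above the guard would record the intent, e.g. `{#- logscan runs only on manager-type nodes and import; keep in sync with the roles that run logscan #}`. The `{%- endif %}` in the second hunk closes the same block and needs no separate change.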
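Review bot: Adding `/opt/so/log/logscan/*.log` to this stanza rotates logscan's alert log under the shared `logrotate_conf` options, which are not shown in this hunk. Patch 1/2 ships what looks like the same file (`/logs/logscan/alerts.log`) through filebeat with `clean_removed: true` and `close_removed: false`. If the shared options include `copytruncate`, lines written between the copy and the truncate never reach filebeat, which for an alert log means dropped detections, so confirm the rotation mode. Patch 1/2 also limits logscan to manager-type and import roles while this file sits under `salt/common`, so confirm the shared options include `missingok`; otherwise nodes without a logscan directory would report an unmatched glob. A one-line comment above the entry noting that filebeat reads this file would record the constraint for later edits.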