From c4f57f09eefe47a8c859ef5894d170ef2f3fb5a0 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Thu, 2 Jan 2020 15:13:46 +0000
Subject: [PATCH] add Zeek clean script
---
 salt/bro/cron/zeek_clean | 34 ++++++++++++++++++++++++++++++++++
 salt/bro/init.sls | 15 +++++++++++++++
 2 files changed, 49 insertions(+)
 create mode 100644 salt/bro/cron/zeek_clean
diff --git a/salt/bro/cron/zeek_clean b/salt/bro/cron/zeek_clean
new file mode 100644
index 000000000..9e3bc86dd
--- /dev/null
+++ b/salt/bro/cron/zeek_clean
@@ -0,0 +1,34 @@
+#!/bin/bash
+# Delete Zeek Logs based on defined CRIT_DISK_USAGE value
+
+clean () {
+
+SENSOR_DIR='/nsm'
+CRIT_DISK_USAGE=90
+CUR_USAGE=$(df -P $SENSOR_DIR | tail -1 | awk '{print $5}' | tr -d %)
+LOG="/nsm/bro/logs/zeek_clean.log"
+
+if [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ]; then
+ while [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ];
+ do
+ TODAY=$(date -u "+%Y-%m-%d")
+
+ # find the oldest Zeek logs directory and exclude today
+ OLDEST_DIR=$(ls /nsm/bro/logs/ | grep -v "current" | grep -v "stats" | grep -v "packetloss" | sort | grep -v $TODAY | head -n 1)
+ if [ -z "$OLDEST_DIR" -o "$OLDEST_DIR" == ".." -o "$OLDEST_DIR" == "." ]
+ then
+ echo "$(date) - No old Zeek logs available to clean up in /nsm/bro/logs/" >> $LOG
+ exit 0
+ else
+ echo "$(date) - Removing directory: /nsm/bro/logs/$OLDEST_DIR" >> $LOG
+ rm -rf /nsm/bro/logs/"$OLDEST_DIR"
+ fi
+
+
+ done
+else
+ echo "$(date) - CRIT_DISK_USAGE value of $CRIT_DISK_USAGE not greater than current usage of $CUR_USAGE..." >> $LOG
+fi
+}
+
+clean
diff --git a/salt/bro/init.sls b/salt/bro/init.sls
index 422e7fbf9..6a972cbe7 100644
--- a/salt/bro/init.sls
+++ b/salt/bro/init.sls
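Review bot: `CUR_USAGE` is read once before the `while` loop in `clean` and never refreshed, so once `/nsm` is above 90% the loop keeps removing the oldest entry until only today's data is left, discarding far more network evidence than the threshold requires. Re-measure at the end of each iteration, after the `rm -rf`: `CUR_USAGE=$(df -P "$SENSOR_DIR" | tail -1 | awk '{print $5}' | tr -d %)`. The candidate list also comes from `ls` filtered by substring, so any other entry in `/nsm/bro/logs/` (including `zeek_clean.log` itself, which is written there) can be chosen for `rm -rf` as root. Selecting only date-named directories, e.g. `find /nsm/bro/logs -mindepth 1 -maxdepth 1 -type d -name '20??-??-??'`, and quoting `$TODAY` and `$LOG` would bound what the script can delete.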
@@ -79,6 +79,21 @@ plcronscript:
 - source: salt://bro/cron/packetloss.sh
 - mode: 755
 
+zeekcleanscript:
+ file.managed:
+ - name: /usr/local/bin/zeek_clean
+ - source: salt://bro/cron/zeek_clean
+ - mode: 755
+
+/usr/local/bin/zeek_clean:
+ cron.present:
+ - user: root
+ - minute: '*'
+ - hour: '*'
+ - daymonth: '*'
+ - month: '*'
+ - dayweek: '*'
+
 /usr/local/bin/packetloss.sh:
 cron.present:
 - user: root
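Review bot: The `cron.present` state for `/usr/local/bin/zeek_clean` schedules a root job every minute with nothing preventing two runs from overlapping. Removing a large log directory can plausibly take longer than a minute, which would leave several root processes selecting and deleting from `/nsm/bro/logs/` at once. Consider giving the state an explicit locked command, for example `- name: flock -n /var/lock/zeek_clean.lock /usr/local/bin/zeek_clean` (the lock path is an example), and a coarser schedule if per-minute checks are not needed. The cron state also has no requisite on the script, so `- require:` with `- file: zeekcleanscript` would keep the job from being installed before the file it runs. Adding `- user: root` and `- group: root` to the `file.managed` state would make ownership of a root-executed script explicit.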