Feature #1323
closedautomated eve.json rotation
Description
Right now .pcap files are rotated by suricata after reaching configurable limit but eve.json grows eternally unless external tool is involved. Would be nice to get rid of such inconsistency and have configuration option to rotate eve.json the same way .pcap files are rotated.
Updated by Peter Manev over 9 years ago
You can achieve the same with logrotate - it actually offers much more flexibility.
Updated by god lol over 9 years ago
Yes, that's what I use as a workaround but I really would prefer to have self-contained configuration for suricata. This way if I'm migrating from host A to host B I could move only /etc/suricata without bothering with bunch of external configs.
Updated by Andreas Herz over 8 years ago
- Assignee set to Anonymous
- Target version set to TBD
Updated by Jason Ish almost 6 years ago
- Effort set to medium
- Difficulty set to medium
This comes up every so often. A common example is unified2 logging, where the size is limited, and filenames are suffixed with a timestamp.
Note that we're close. Time based rotation can be done, http://suricata.readthedocs.io/en/suricata-4.0.4/output/eve/eve-json-output.html#output-eve-rotate. Still this doesn't do any cleanup.
We should decide if cleanup should be a feature of Suricata, or if its not, by design. Then we can close out this issue and have an answer for future requests of the same nature.
Updated by Philippe Antoine about 3 years ago
- Status changed from New to Closed