Added by Timofey Titovets over 9 years ago. Updated about 9 years ago.
Description
Hi, i just want support thing something like:
filename: eve-alert-%{+xx.MM.dd}.json
I think this could be nice.
What about posix style strftime formatting: eve-alert-%y.%m.%d.
I'm going to guess that automatically rolling over the file at midnight would be desired behaviour as well when formatting the date this way?
Jason Ish wrote:
What about posix style strftime formatting: eve-alert-%y.%m.%d.
I'm going to guess that automatically rolling over the file at midnight would be desired behaviour as well when formatting the date this way?
Yes, it's okay.
Thanks.
Git master now has the ability to put dates in the eve log file names.
PR: https://github.com/inliniac/suricata/pull/2633
http://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#date-modifiers-in-filename
Its important to note that when using a naming scheme, Suricata will open new files as needed, with the new date but will not remove the old ones. That is up to you.