Support #3114
Forcing size limitation on eve.json file
Status: Closed
Priority: Normal
Assignee: -
Affected Versions:
Label:
Description
I am attempting to have a Splunk Forwarder manage the events that are sent to our Data Lake. I enabled eve.json to be created. The problem is that it grows continuously. I would like to ask if perhaps there may be a method for adding a size limitation within the suricata config file so that once the limit is reached it automatically rolls over. This way the Splunk watcher does not have to ingest the entire file while it is looking for event_type : alert.
Thanks
Jesus