Feature #1323
closed
automated eve.json rotation
Added by god lol almost 10 years ago.
Updated over 3 years ago.
Description
Right now .pcap files are rotated by suricata after reaching a configurable limit, but eve.json grows eternally unless an external tool is involved. It would be nice to get rid of this inconsistency and have a configuration option to rotate eve.json the same way .pcap files are rotated.
You can achieve the same with logrotate - it actually offers much more flexibility.
- Tracker changed from Bug to Feature
Yes, that's what I use as a workaround, but I really would prefer to have a self-contained configuration for suricata. This way, if I'm migrating from host A to host B, I could move only /etc/suricata without bothering with a bunch of external configs.
- Assignee set to Anonymous
- Target version set to TBD
- Effort set to medium
- Difficulty set to medium
This comes up every so often. A common example is unified2 logging, where the size is limited, and filenames are suffixed with a timestamp.
Note that we're close. Time-based rotation can be done: http://suricata.readthedocs.io/en/suricata-4.0.4/output/eve/eve-json-output.html#output-eve-rotate. Still, this doesn't do any cleanup.
We should decide if cleanup should be a feature of Suricata, or if it's not, by design. Then we can close out this issue and have an answer for future requests of the same nature.
- Assignee set to Community Ticket
- Status changed from New to Closed
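As an added illustration of the time-based rotation referenced above (not configuration from the issue thread itself), this is an eve-log stanza using the rotate-interval option and a strftime-style filename, so each period gets its own dated file; the type list and the hourly interval are assumptions chosen for the example.

```yaml
# Suricata eve-log output with built-in time-based rotation
# (added example; the rotation period and output types are assumed).
# The filename uses strftime placeholders, so every rotation starts a
# new dated file instead of appending to a single eve.json forever.
outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve-%Y-%m-%d-%H.json   # one file per rotation period
      rotate-interval: hour            # day, hour, minute or e.g. 30m
      types:
        - alert
        - http
        - dns
```

Removing old dated files is still left to an external tool; if logrotate is used instead of rotate-interval, its postrotate script should send SIGHUP to Suricata so it reopens eve.json rather than continuing to write into the renamed file.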