Support #3114

Forcing size limitation on eve.json file

Added by Jesus Padro about 5 years ago. Updated about 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Affected Versions:
Label:

Description

I am attempting to have a Splunk Forwarder manage the events that are sent to our Data Lake. I enabled eve.json to be created. Problem is that it grows continuously. I would like to ask if perhaps there may be a method for adding a size limitation within the suricata config file so that once the limit is reached it automatically rolls over. This way the Splunk watcher does not have to ingest the entire file while it is looking for event_type : alert.

Thanks
Jesus
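The ticket is closed as a duplicate of Feature #2107 without a configuration answer, so the following is an added example of how the size cap asked for above can be enforced outside Suricata until that feature exists. It is not code from the ticket or from the Suricata project. It assumes Suricata's documented behaviour of reopening its log files on SIGHUP (the same effect as `suricatasc -c reopen-log-files`), and the threshold, archive count, log path and pid-file path are placeholders chosen for illustration.

```shell
#!/bin/sh
# Size-based rotation for Suricata's eve.json (added example, not from the ticket).
# Run from cron (or a systemd timer) as the user that owns eve.json.
# Assumptions: EVE_LOG/MAX_BYTES/KEEP/SURICATA_PIDFILE are illustrative values,
# and Suricata reopens its outputs on SIGHUP.

EVE_LOG="${EVE_LOG:-/var/log/suricata/eve.json}"
MAX_BYTES="${MAX_BYTES:-104857600}"   # 100 MiB, assumed threshold
KEEP="${KEEP:-5}"                     # number of rotated copies to retain
SURICATA_PIDFILE="${SURICATA_PIDFILE:-/var/run/suricata.pid}"

# file_size FILE -> prints the size of FILE in bytes (portable via wc -c).
file_size() {
    wc -c < "$1" | tr -d ' '
}

# reopen_logs -> asks Suricata to reopen its log files so it writes to the
# freshly created eve.json instead of the renamed one. No-op without a pid file.
reopen_logs() {
    if [ -r "$SURICATA_PIDFILE" ]; then
        kill -HUP "$(cat "$SURICATA_PIDFILE")" 2>/dev/null || true
    fi
}

# rotate_eve FILE MAX KEEP -> rotates FILE when it exceeds MAX bytes.
# Prints "rotated", "skipped" (under the limit) or "missing" (no such file).
rotate_eve() {
    f="$1"; max="$2"; keep="$3"
    if [ ! -f "$f" ]; then
        echo "missing"
        return 1
    fi
    size=$(file_size "$f")
    if [ "$size" -le "$max" ]; then
        echo "skipped"
        return 0
    fi
    # Shift older archives one slot up (f.1 -> f.2 ...), dropping the oldest.
    i=$keep
    while [ "$i" -gt 1 ]; do
        prev=$((i - 1))
        if [ -f "$f.$prev" ]; then
            mv -f "$f.$prev" "$f.$i"
        fi
        i=$prev
    done
    mv -f "$f" "$f.1"
    # Recreate an empty eve.json immediately so a watcher such as the Splunk
    # forwarder sees a short new file; Suricata keeps writing to the renamed
    # inode until it is told to reopen, so no events are lost in between.
    : > "$f"
    reopen_logs
    echo "rotated"
}

# Stand-alone usage: rotate the configured log if it is over the limit.
if [ "${1:-}" = "--run" ]; then
    rotate_eve "$EVE_LOG" "$MAX_BYTES" "$KEEP"
fi
```

Two points to check in practice: the recreated file must carry the ownership and mode Suricata expects (run the script as the same user, or add `chown`/`chmod` after the `: >` line), and a forwarder that tracks files by inode will continue reading the renamed `eve.json.1` until it hits EOF, which is the intended behaviour for a rename-based rotation. The same scheme can be expressed as a logrotate stanza using its `size` directive with a `postrotate` block that sends the SIGHUP.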


Related issues (1 open, 0 closed)

Is duplicate of Suricata - Feature #2107: eve: rotate log output based on size (New, Community Ticket)

#1

Updated by Victor Julien about 5 years ago

  • Status changed from New to Closed

Duplicate of #2107

#2

Updated by Victor Julien about 5 years ago

  • Is duplicate of Feature #2107: eve: rotate log output based on size added