Is there no max-files configuration for eve-log?

I want to rotate the eve.json file. I have set the rotation-interval in eve-log in suricata.yaml (and it works properly), but I would like to set a maximum number of files that should be stored, so that the oldest one is deleted when the limit is reached.

I have seen that there is a “max-files” option, but only for pcap-log. Is there no option to do this?

Hi Mikel, welcome to our community!

The example log rotate script provided with Suricata is set to go through 5 daily rotations before being removed.

If you need further customization beyond this, a solution for your platform (Linux? Windows? FreeBSD?) will be needed.

We offer a working usable configuration for logrotate which meets many workflow needs. Further customization requires a solution fitted to your needs and deployment. There is much content re: logrotate on the internet.
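
One way to get the effect of a max-files limit for files produced by rotation-interval, as an added example that is not part of this thread or of the scripts shipped with Suricata. It assumes the rotated files sit in one directory and match `eve-*.json` (for instance because eve-log uses a timestamped filename); `prune_eve_logs` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not Suricata's own script): keep only the newest N rotated
# EVE files, deleting the oldest ones first.
# Assumptions: rotated files match "eve-*.json"; the live "eve.json" does not
# match that pattern and is therefore never touched.

# prune_eve_logs DIR KEEP [PATTERN]
# Prints the name of every file it removes, one per line.
prune_eve_logs() {
    dir=$1
    keep=$2
    pattern=${3:-eve-*.json}

    # Refuse anything that is not a plain non-negative integer.
    case $keep in
        ''|*[!0-9]*) echo "KEEP must be a non-negative integer" >&2; return 2 ;;
    esac
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }

    (
        cd "$dir" || exit 2
        # ls -t lists newest first by mtime; tail skips the first KEEP names,
        # so only the files beyond the limit reach the loop.
        # $pattern is left unquoted on purpose so the shell expands the glob.
        ls -1t -- $pattern 2>/dev/null | tail -n +"$((keep + 1))" |
        while IFS= read -r f; do
            if [ -f "$f" ]; then
                rm -f -- "$f"
                printf '%s\n' "$f"
            fi
        done
    )
}

# When called as a script with arguments, act on them, e.g. from cron:
#   prune_eve_logs.sh /var/log/suricata 5      (path is an assumed location)
if [ "$#" -ge 2 ]; then
    prune_eve_logs "$@"
fi
```

Run it on the same schedule as the rotation interval so the directory never holds more than the limit plus the file currently being written.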