trinitor/DetectionLab
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Add a logrotate config for Suricata

Browse Source
This commit is contained in:
Ahmed Shawky
2020-09-22 02:49:07 +00:00
parent bae5572a6c
commit 779bb91bf5
1 changed files with 17 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
Vagrant/bootstrap.sh
View File

@@ -294,7 +294,7 @@ install_fleet_import_osquery_config() {
# Don't log osquery INFO messages # Don't log osquery INFO messages
# Fix snapshot event formatting # Fix snapshot event formatting
fleetctl get options > /tmp/options.yaml fleetctl get options >/tmp/options.yaml
/usr/bin/yq w -i /tmp/options.yaml 'spec.config.options.enroll_secret' 'enrollmentsecret' /usr/bin/yq w -i /tmp/options.yaml 'spec.config.options.enroll_secret' 'enrollmentsecret'
/usr/bin/yq w -i /tmp/options.yaml 'spec.config.options.logger_snapshot_event_type' 'true' /usr/bin/yq w -i /tmp/options.yaml 'spec.config.options.logger_snapshot_event_type' 'true'
# Fleet 3.0 requires the "kind" to be "options" instead of "option" # Fleet 3.0 requires the "kind" to be "options" instead of "option"
@@ -468,6 +468,22 @@ install_suricata() {
echo "Suricata attempted to start but is not running. Exiting" echo "Suricata attempted to start but is not running. Exiting"
exit 1 exit 1
fi fi
cat >/etc/logrotate.d/suricata <<EOF
/var/log/suricata/*.log /var/log/suricata/*.json
{
hourly
rotate 0
missingok
nocompress
size=500M
sharedscripts
postrotate
/bin/kill -HUP \`cat /var/run/suricata.pid 2>/dev/null\` 2>/dev/null || true
endscript
}
EOF
} }
test_suricata_prerequisites() { test_suricata_prerequisites() {