From 779bb91bf575887a8e4c68757e68ec7d7663d09c Mon Sep 17 00:00:00 2001
From: Ahmed Shawky <ahmedelantry@gmail.com>
Date: Tue, 22 Sep 2020 02:49:07 +0000
Subject: [PATCH] Add a logrotate config for Suricata

---
 Vagrant/bootstrap.sh | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/Vagrant/bootstrap.sh b/Vagrant/bootstrap.sh
index 59d7018..e93bfb7 100644
--- a/Vagrant/bootstrap.sh
+++ b/Vagrant/bootstrap.sh
@@ -294,7 +294,7 @@ install_fleet_import_osquery_config() {
 
     # Don't log osquery INFO messages
     # Fix snapshot event formatting
-    fleetctl get options > /tmp/options.yaml
+    fleetctl get options >/tmp/options.yaml
     /usr/bin/yq w -i /tmp/options.yaml 'spec.config.options.enroll_secret' 'enrollmentsecret'
     /usr/bin/yq w -i /tmp/options.yaml 'spec.config.options.logger_snapshot_event_type' 'true'
     # Fleet 3.0 requires the "kind" to be "options" instead of "option"
@@ -468,6 +468,22 @@ install_suricata() {
     echo "Suricata attempted to start but is not running. Exiting"
     exit 1
   fi
+
+  cat >/etc/logrotate.d/suricata <<EOF
+/var/log/suricata/*.log /var/log/suricata/*.json
+{
+    hourly
+    rotate 0
+    missingok
+    nocompress
+    size=500M
+    sharedscripts
+    postrotate
+            /bin/kill -HUP \`cat /var/run/suricata.pid 2>/dev/null\` 2>/dev/null || true
+    endscript
+}
+EOF
+
 }
 
 test_suricata_prerequisites() {