From 23933b62da3f2f0cf3c3cd3cca815a3ee31cc748 Mon Sep 17 00:00:00 2001
From: bmeeks8
Date: Fri, 3 Oct 2014 21:38:59 -0400
Subject: Remove pcap logs over configured max_files limit.
---
config/suricata/suricata_check_cron_misc.inc | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
(limited to 'config/suricata/suricata_check_cron_misc.inc')
diff --git a/config/suricata/suricata_check_cron_misc.inc b/config/suricata/suricata_check_cron_misc.inc
index d275c5a7..eb1ba2d0 100644
--- a/config/suricata/suricata_check_cron_misc.inc
+++ b/config/suricata/suricata_check_cron_misc.inc
@@ -97,6 +97,10 @@ function suricata_check_dir_size_limit($suricataloglimitsize) {
 log_error(gettext("[Suricata] Deleting any rotated log files for {$value['descr']} ({$if_real})..."));
 unlink_if_exists("{$suricata_log_dir}/*.log.*");
+ // Cleanup any rotated pcap logs
+ log_error(gettext("[Suricata] Deleting any rotated pcap log files for {$value['descr']} ({$if_real})..."));
+ unlink_if_exists("{$suricata_log_dir}/log.pcap.*");
+
 // Check for any captured stored files and clean them up
 unlink_if_exists("{$suricata_log_dir}/files/*");
@@ -221,6 +225,7 @@ if ($config['installedpackages']['suricata']['config'][0]['enable_log_mgmt'] ==
 $config['installedpackages']['suricata']['config'][0]['file_store_retention'] > 0) {
 $now = time();
 $files = glob("{$suricata_log_dir}/files/file.*");
+ $prune_count = 0;
 foreach ($files as $f) {
 if (($now - filemtime($f)) > ($config['installedpackages']['suricata']['config'][0]['file_store_retention'] * 3600)) {
 $prune_count++;
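Review bot: The new `unlink_if_exists("{$suricata_log_dir}/log.pcap.*")` removes every file matching the pattern, and nothing in the hunk excludes the capture file Suricata may currently have open; if the running process still holds it, the unlink frees no disk space until that file is closed, so the "Deleting any rotated pcap log files" message overstates what this pass reclaimed. The pcap prune added later in this same commit deliberately keeps the newest `max_pcap_log_files` entries, so the two paths treat the same files differently. Consider keeping the newest entry here too, e.g. `$pcaps = glob("{$suricata_log_dir}/log.pcap.*"); array_pop($pcaps); foreach ($pcaps as $p) unlink_if_exists($p);`, or state in the comment that the active capture is intentionally included. `suricata_check_dir_size_limit` begins before this hunk, so whether Suricata is stopped before this cleanup runs is not visible here.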
@@ -231,6 +236,25 @@ if ($config['installedpackages']['suricata']['config'][0]['enable_log_mgmt'] ==
 log_error(gettext("[Suricata] File Store cleanup job removed {$prune_count} file(s) from {$suricata_log_dir}/files/..."));
 unset($files);
 }
+
+ // Prune any pcap log files over configured limit
+ $files = glob("{$suricata_log_dir}/log.pcap.*");
+ if (count($files) > $value['max_pcap_log_files']) {
+ $over = count($files) - $value['max_pcap_log_files'];
+ $remove_files = array();
+ while ($over > 0) {
+ $remove_files[] = array_shift($files);
+ $over--;
+ }
+ $prune_count = 0;
+ foreach ($remove_files as $f) {
+ $prune_count++;
+ unlink_if_exists($f);
+ }
+ if ($prune_count > 0)
+ log_error(gettext("[Suricata] Packet Capture log cleanup job removed {$prune_count} file(s) from {$suricata_log_dir}/..."));
+ unset($files, $remove_files);
+ }
 }
 }
-- 
cgit v1.2.3
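Review bot: `if (count($files) > $value['max_pcap_log_files'])` has no guard for an unset or empty `max_pcap_log_files`; under PHP's loose comparison an empty value compares as 0, so any non-empty directory counts as "over", `$over` becomes the whole count, and every `log.pcap.*` file, presumably including the one Suricata is currently writing, is unlinked. The file-store prune just above this block is gated on `file_store_retention > 0`, and the pcap prune should get the same gate, e.g. `if (!empty($value['max_pcap_log_files']) && is_array($files) && count($files) > $value['max_pcap_log_files']) {` (the `is_array` check also covers `glob()` returning false). Removal order relies on `glob()`'s default alphabetical sort putting the oldest `log.pcap.*` first, which holds only while the suffix stays fixed-width, so that assumption deserves a comment such as `// glob() sorts alphabetically; with a fixed-width timestamp suffix the oldest capture comes first`. The `while`/`array_shift` loop can be replaced by `$remove_files = array_splice($files, 0, $over);`. The enclosing loop that defines `$value` and `$suricata_log_dir` starts before this hunk and its closing braces are only partly visible here.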