This script will delete the oldest Zeek log files until disk usage is under a given threshold (default 90% used).
Place the script in your path (e.g. /usr/local/bin/zeek_log_clean.sh).
sudo curl -o /usr/local/bin/zeek_log_clean.sh https://raw.githubusercontent.com/activecm/zeek-log-clean/main/zeek_log_clean.sh && sudo chmod +x /usr/local/bin/zeek_log_clean.shThe recommended use is to automate running of the script with cron. The following command will configure this.
echo "* * * * * root flock -n /tmp/zeek-log-clean /usr/local/bin/zeek_log_clean.sh" | sudo tee /etc/cron.d/zeek-log-cleanYou can run the script ad hoc.
zeek_log_clean.shThe script will attempt to find the correct location of your zeek log files automatically. You can also pass in the location.
zeek_log_clean.sh --dir /opt/zeek/logsThe script will delete files until the disk usage is under 90% by default. You can set a different threshold.
zeek_log_clean.sh --threshold 80If rita is available, the script will also attempt to delete the corresponding RITA dataset. You can disable this behavior.
zeek_log_clean.sh --no-remove-ritaClone the repo and run the included test.sh script inside a VM. The user you run the script as must have sudo privileges.