Deleting Old Zeek Logs from the AC-Hunter System

The following steps will delete any Zeek logs older than 4 days on the AC-Hunter system. Note that this will not delete any AC-Hunter databases, just the raw Zeek log files that were imported. It will also not delete them from your actual sensors, just the copies that were sent to the AC-Hunter system, so if you ever needed them again you could manually copy them from the originals on your Zeek sensors.

To see what files would be deleted by this command, run the following under the “dataimport” account on your AC-Hunter server (run “sudo su - dataimport” first if you’re not already logged in as that user):

find "/opt/zeek/remotelogs/" -type f -mtime +4 -print0 | xargs -0 -r -n 20 echo


To set up a daily automatic delete, add the line shown below to /etc/cron.d/delete_old_zeek_logs . For example, open the file with vi (any editor will do):

sudo vi /etc/cron.d/delete_old_zeek_logs


Everything from “0 3” to “-f'” is one line. Please be especially careful when typing the path “/opt/zeek/remotelogs/” and make sure there are no spaces between the first and last slash. The outer quotes on this line (before find and after -f) are single quotes (the unshifted double-quote key on a US keyboard), and we use double quotes around the log directory.

0 3 * * * dataimport /bin/bash -c 'find "/opt/zeek/remotelogs/" -type f -mtime +4 -print0 | xargs -0 -r -n 20 rm -f'


Run both of the following:

sudo service cron reload 2>/dev/null
sudo service crond reload 2>/dev/null


Side note: You should not reduce the +4 in the above command. If you deleted logs that were 1, 2, or 3 days old, you’d run the risk of deleting files that zeek_log_transport would then have to copy over again (every time it runs, it sends any new files from the previous 3 days’ worth of logs).
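As an added example (not part of this article or the AC-Hunter project), the following bash script wraps the article's preview and delete pipelines in two functions and runs them against a throwaway directory of constructed files whose timestamps are set with GNU touch -d. It lets you confirm which files "-mtime +4" actually selects (files whose age rounds down to 5 days or more; a file exactly 4 days old survives) before pointing the cron job at /opt/zeek/remotelogs/. The function names, the sample file names and the use of a temporary directory are assumptions made for the example; it requires Linux with GNU coreutils and findutils.

```shell
#!/usr/bin/env bash
# Added example: exercise the retention logic of the delete_old_zeek_logs
# cron entry against a disposable directory instead of the real log tree.
set -eu

# Retention threshold from the article; "-mtime +4" keeps anything whose
# age, in whole days, is 4 or less.
RETENTION_DAYS=4

# Preview: list regular files older than $2 days under $1, one per line.
# Same find predicate as the cron entry, with the rm replaced by a listing.
list_old_logs() {
    local dir="$1" days="${2:-$RETENTION_DAYS}"
    find "$dir" -type f -mtime "+$days" | sort
}

# Delete: exactly the pipeline the cron entry runs (find -print0 | xargs rm -f).
purge_old_logs() {
    local dir="$1" days="${2:-$RETENTION_DAYS}"
    find "$dir" -type f -mtime "+$days" -print0 | xargs -0 -r -n 20 rm -f
}

# Count the regular files remaining under $1 (used to verify the result).
count_files() {
    find "$1" -type f | wc -l | tr -d ' '
}

# Build a constructed sample tree: one file touched now plus files aged
# 1, 2, 3, 4, 5, 6 and 10 days (constructed names, not real Zeek output).
# Prints the directory path so callers can inspect and remove it.
make_sample_tree() {
    local dir age
    dir="$(mktemp -d)"
    touch "$dir/conn_today.log.gz"
    for age in 1 2 3 4 5 6 10; do
        touch -d "$age days ago" "$dir/conn_${age}d.log.gz"
    done
    printf '%s\n' "$dir"
}

# Stand-alone demo: show what would be purged, then clean up the sample tree.
demo_dir="$(make_sample_tree)"
echo "Files older than $RETENTION_DAYS days in $demo_dir:"
list_old_logs "$demo_dir"
rm -rf "$demo_dir"
```

Run it as a normal user; it only touches the temporary directory it creates. To preview the real tree, call list_old_logs "/opt/zeek/remotelogs/" as the dataimport user; purge_old_logs on that path does the same work as the cron line.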


Category: Logs, Databases & Storage Management